Beyond Per-Querier Budgets: Rigorous and Resilient Global Privacy Enforcement for the W3C Attribution API

Pierre Tholoniat, Alison Caulfield, Giorgio Cavicchioli, Mark Chen, Nikos Goutzoulias, Benjamin Case, Asaf Cidon, Roxana Geambasu, Mathias Lécuyer, Martin Thomson

TL;DR

This work critically reevaluates the Attribution API’s reliance on per-querier device-epoch IDP budgets, showing that data adaptivity across queriers and shared multi-querier limits break the formal guarantees. It introduces Big Bird, a global-budget manager that enforces a device-epoch IDP guarantee across all queriers while embedding Denial-of-Service resilience via stock-and-flow quotas tied to intentional user actions. The authors provide a formal model, prove global DP guarantees, and implement a prototype (pdslib) with Firefox integration, evaluated on a real-world Criteo dataset to demonstrate benign workload utility and DoS resilience. The paper concludes that tight per-querier budgets should be complemented with loosely configured global budgets to preserve both utility and robust privacy in practical deployments. This work thus bridges theoretical DP guarantees with operational budget management for web-scale privacy-preserving attribution standards.

Abstract

We analyze the privacy guarantees of the Attribution API, an upcoming W3C standard for privacy-preserving advertising measurement. Its central guarantee--separate individual differential privacy (IDP) budgets per querier--proves unsound once data adaptivity across queriers is considered, a condition we argue is unavoidable in practice. The issue lies not with IDP or its device-epoch unit, but with the per-querier enforcement model, which has also appeared in other DP systems; we show formally that no per-querier accounting scheme, under either individual or traditional DP, remains sound under adaptivity, a gap missed by prior analyses. By contrast, a global device-epoch IDP guarantee remains sound, and we introduce Big Bird, a privacy budget manager for the Attribution API that enforces this guarantee. The challenge is that a global budget shared across many untrusted queriers creates denial-of-service (DoS) risks, undermining utility. Building on prior work that treats global budgets as a computing resource, we adapt resource isolation and scheduling techniques to the constraints of IDP, embedding DoS resilience into the budget management layer. Our Rust implementation with Firefox integration, evaluated on real-world ad data, shows that Big Bird supports benign workloads while mitigating DoS risks. Still, achieving both utility and robustness requires global budgets to be configured more loosely than per-site budgets; we therefore recommend that the Attribution API continue using tight per-site budgets but clarify their limited formal meaning, and complement them with global budgets tuned for benign load with added slack for DoS resilience.

Paper Structure

This paper contains 44 sections, 23 theorems, 108 equations, 6 figures, 3 tables, 10 algorithms.

Key Result

Theorem 1

Consider Alg. alg:adaptivity_model_simplified, with $K = n+1$ queriers, where each $\mathcal{F}^k$ is a pure-DP filter with capacity $\epsilon > 0$, and where $\mathcal{L}$ always outputs TRUE (i.e., no shared limit). Denote by $V^{n+1,(b)}$ the view of $\mathcal{Q}^{n+1}$ on challenge bit $b$. Th

Figures (6)

  • Figure 1: Attribution architecture.
  • Figure 2: Depletion attack examples. Sybil queriers deplete the global budget from a single user action, by acting as (a) conversion sites or (b) intermediaries. Per-querier and global budgets are depicted as batteries (filled = available, empty = drained).
  • Figure 3: Stock-and-flow pattern of global-budget consumption in Attribution. (a) Normal use is expected to follow this pattern, where user actions on impression sites create stock and user actions on conversion sites trigger flows. (b) Attacks break this pattern by automatically creating many stocks and triggering flows from very few user actions.
  • Figure 4: Big Bird architecture. Enforces stock-and-flow quotas at impression and conversion sites, and limits the creation of new quota budgets per user action. Depicts quota budget structure for a single epoch, though in reality quota budgets exist for each epoch.
  • Figure 5: Quota system evaluation. (a), (b): Query error and its root causes in a benign case. (c), (d): Benign-query error and root causes under attack.
  • ...and 1 more figure

Theorems & Definitions (52)

  • Theorem 1: Per-querier guarantees are unsound under adaptive data generation
  • Theorem 2: Per-querier guarantees are unsound under adaptive query budgets with shared limits
  • Theorem 3: Siloing assumption
  • Theorem 4: Resilience to DoS depletion -- proof in the appendix (label appendix:online-algorithm:dos-proofs)
  • Theorem 5: Graceful degradation -- proof here
  • proof
  • Theorem 6: Global IDP Guarantee -- proof in the appendix (label appendix:online-algorithm:privacy-proofs)
  • Theorem 1: see thm:data-adaptivity
  • proof
  • Theorem 2: see thm:shared-limit
  • ...and 42 more