FLEDGE + aggregate Attribution Reporting API #289
Comments
|
Thank you for filing this issue. The newest iteration of the Attribution Reporting API is configured using response headers. I wonder if we can take advantage of that with the existing FLEDGE reporting system. Currently
A server receiving this ping gets the join of this information. One way to send that information to the Attribution subsystem is to have the site response to the This technique would work for both event and aggregate registration. Here are the gaps I see:
Let me cc @linnan-github, @shivanigithub, and @johnivdel as well. It seems like this has benefits over the approach outlined for event-level reports (#281) in that this one doesn't require a server-side join and also supports aggregation keys combining contextual and ads-specific. |
|
One possible concern with the above formulation is that there may be parties interested in aggregate reporting that aren't present on the beacon's redirect chain, but are present within the Fenced Frame. On first glance, this seems like it makes the event-level solution more appealing: anyone in the FF can use it! However, for third parties that want a combination of contextual and per-ad signals, there is no getting around the coordination required with the buyer/seller I think. In this design: entities getting Given that this coordination seems (somewhat) fundamental, I think this design feels better overall to me. |
|
Hi Charlie, It seems this approach could work for the event-level case. For the aggregate case, though, the problem would be that In general, it seems to me that a solution based on a ping to a buyer's server will not work for the aggregate case: the signals available in the request would have to be limited to preserve privacy - and that defeats the main advantage of aggregates over event-level reports. (Being able to use more signals for source registration than are available in event-level reporting is really the main point of this issue.) Let me know if this makes sense, it'd also be interesting to hear from the Chrome team that works on FLEDGE, if this is also how they see it. |
|
I see, thanks. Essentially the issue with the design I outlined is that the beacon URL will not contain enough information because it is only configurable from within I suppose what I outlined is still a measurable improvement over just raw aggregatable attribution reports configured from within the fenced frame (which is the proposed solution using the event-level attribution reports), in that you get fenced frame information and all the (limited) information within |
|
Hey @jonasz I have a strawman proposal to kick off the discussion here. Let me know what you think. The high level idea is:
function generateBid(...) {
// ... generate bid code
attributionReporting.registerPendingAggregatableSource({
// What kind of event will finalize this source’s registration. If multiple events
// need different metadata, you can pre-register separate sources.
eventType: "click",
// Matches the Attribution-Reporting-Register-Source header more or less.
attributionSrc: {
destination: "https://advertiser.example",
aggregation_keys: {
key1: "0x123",
key2: "0x456",
},
priority: "[64-bit signed integer]",
aggregatable_expiry: "[64-bit signed integer]",
filter_data: {...},
...
},
}
return {...};
}These sources will be actually registered when an accompanying event comes from the Fenced Frame. // Within Fenced Frame. Should not require user activation.
window.fence.registerAttribution("click");At this point, the source associated with the “click” event will be registered according to the FLEDGE buyer’s origin, i.e. the origin of Let me know what you think! I'd also be happy to discuss this in either of the WICG calls for {ARA, FLEDGE}. |
|
Hello @csharrison,
|
|
Hey @fhoering , I actually put this on the agenda for today's FLEDGE discussion in 1.5 hours (agenda doc). I'm also happy to discuss it in another venue if you can't make it. A few brief responses:
We are thinking through more advanced uses of the Private Aggregation API beyond what is in the explainer currently. For now I'd prefer to keep the discussions separate and focus just on ARA for this issue. I do think there is room for alignment here on API surface though.
Just to clarify, these are metrics that you want in an ARA report, right? I'd need to think more about metrics like PreviousDisplays / PreviousClicks. These seem innocent enough but the privacy model quickly gets hard to reason about. With those metrics in a FLEDGE ARA report, suddenly a report embeds information from arbitrarily many other sites (e.g. other sites the ad showed up on). We will need to analyze this to make sure it's OK to release. For reach, can you explain the use-case with respect to ARA? |
Let's say I do a retargeting campaign to an advertisers buyers. |
The Attribution Reporting API is all about joining together the the purchase and the ad view in one report, so reach measurement is out of scope for it at the moment. I think those use-cases are best considered for the Private Aggregation API. |
|
We discussed this on the call today and it seemed like there might be a few use-cases where a slightly more sophisticated API in the fenced frame could be useful. Two mentioned on the call were fraud signals and "which product got clicked". As a strawman, here's a slight augmentation to the proposal above which captures these use-cases: This allows the fenced context to bit-wise OR a bunch of keys associated to the pending report for the "click" event. This should allow for use-cases like injecting a product ID or fraud signals. My only concern with this (beyond the added complexity to the API) is in considering the untrusted fenced frame case, since this allows the fenced frame to trash your registration and give you bad data. The simplest way to mitigate this would be a per-pending-source permission to allow or ignore future mutations. Something like this: I didn't include this in the original strawman due to the added complexity, but if it's really useful we can consider it. |
Unless we made the policy more granular, e.g. an origin-level policy, there is ample opportunity for 3Ps within a creative to mess with the registration. One idea would be to require the script calling From a security perspective, it would also be stronger to require this to be called from a same-origin context (which could be an iframe within the fenced frame, or the fenced frame itself if it is to a bidders origin). This also solves the pre-existing problem of a rogue script triggering registration without the reporting origin's consent. Another idea: You could imagine reversing the data flow where the Fenced Frame is responsible for the source registration itself, but allow them to "insert" data that was declared as part of the auction. Something along the lines of within the auction call: Within the FencedFrame, we would support traditional registration via HTTP headers but allow a source to optionally register with: This may also allow for more interop between the bidder and 3P trackers in the frame if they can standardize on the key pieces. |
I like this restriction. I guess the big question is how many FLEDGE users are going to be running ads in fenced frames where this is easy to do.
I considered something like this but I am nervous about long-term solutions which rely on network working in the Fenced Frame, given that it is considered temporary:
If we're not using header-based solutions, we'd need 3ps to register with JS in their own security context (e.g. iframe) which is a tough lift. In any case, I think 3Ps will need the bidding signals, which implies extremely tight coordination with the buyer. If we have that tight coordination as a precondition, there may be other techniques we can consider. |
|
Hi, To follow up on the last FLEDGE call, let me reiterate that this looks very promising in my view. I'd like to make sure I understand the proposed API well. For context, let me list some example use cases:
I was thinking about how to best use the proposed API to satisfy these example use cases, and that leads me to a couple questions:
When it comes to the "untrusted FF" problem - if I understood your concerns correctly - FWIW, in our case, we are working with renderUrls (Fenced Frame's source) that match the biddingUrl's origin. Best regards, |
|
a. You may register multiple sources, but they will "compete" for attribution in that we only pick a single source to attribute when there is a matching trigger. This may be tolerable in some cases (e.g. you register both a view-through and a click-through, with the expectation that the click-through will be the last-touch / highest priority source). We suggest using multiple aggregation keys to measure multiple use-cases for the same source. b. Currently there is no limit on the number of triggers a source can match with. The effective limit is imposed by the overall value contribution bound, which is tracked per source. Once that budget runs out then further triggers are effectively no-ops. This allows the ad-tech to choose to trade-off variance vs. bias, in that for so-called "many-per-click" models, running out of budget is like data truncation, but capturing more conversions leads to more effective noise per conversion. For aggregatable reports, we don't in the browser have a strong distinction between click and view (i.e. the privacy mechanism is the same). This is a more important distinction for event-level reports. c. Good question, I think it's up in the air right now :) Can you elaborate on why use-case (1) requires this?
Thanks this is a useful data point. |
|
BTW @jonasz you mentioned in the meeting that as currently written you'd register a lot of pending sources with a lot of redundancy. Would you mind sharing an example? I am currently brainstorming options for reducing redundancy and it would help me. |
|
a. When it comes to competing for attribution, could that be addressed with filters? (Each use case could get its specific filter value, both on source and trigger side?) b. Makes sense, thanks. c. In case 1, we have no way of coordinating between product fenced frames, so we have no way to check if registerAttribution has already been called from a different fenced frame. I think it's necessary to specify what happens when we call it multiple times. Let me think about it some more, and see if we have a preference here. When it comes to redundancy - this is exactly the case 1 - we'd potentially have to register a pending source for each product. It seems that the mechanism with supplying a |
|
a. No, attribution filters as they are currently specified do not affect which source matches the trigger. See 10.6.5 in the spec which happens prior to filtering. This is done for privacy reasons, because allowing a rich declarative language to determine how attribution could work can leak unexpected data, especially in the event-level case (you can imagine choosing an event-level source out of many based on the advertiser's user data). c. Ack gotcha.
A mechanism that just supplies a single keypiece has the problem that we need to know how to apply it to a list of keys, unless we apply it indiscriminately to all of them, but I think I understand the use-case (something like aggregate splits by product) |
|
@jonasz mentioned in the FLEDGE call today that any solution we have in @jonasz : does that work for you? cc @alexmturner |
|
Hi Charlie, sorry for the delay. One potential issue is that generateBid may time out between the call to From the functional perspective, it'd be useful to ensure we can also remove a pending source. (Maybe overwrite with a null as the value?) Best regards, |
for reportEvent beacon. If "AttributionReportingCrossAppWeb" feature is enabled, Attribution-Reporting-Support header is also added. This change is a part of the solution for Github Issue 289[1] and 281[2] on Attribution Reporting and FLEDGE Explainer[3]. [1]: WICG/turtledove#289 [2]: WICG/turtledove#281 [3]: https://github.com/WICG/attribution-reporting-api/blob/main/EVENT.md#registering-attribution-sources Change-Id: Id4c8cc00dcb48a65b36900572653aa2c407ef3cf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4175473 Reviewed-by: Shivani Sharma <shivanisha@chromium.org> Commit-Queue: Xiaochen Zhou <xiaochenzh@chromium.org> Reviewed-by: Nan Lin <linnan@chromium.org> Cr-Commit-Position: refs/heads/main@{#1096966}
JensenPaul
added
the
Non-breaking Feature Request
|
Hi, BR, |
Hi,
This is a follow up to #281, I'd like to start the discussion on how aggregate ARA could work with FLEDGE.
In terms of priorities, note that for RTB House the general ability to perform aggregate reporting from generateBid (on win/loss/imp/click events, as proposed in pull194@416) is critical before third party cookies go away (see also #93, #177). The FLEDGE-agg ARA compatibility discussed in this issue would be below that in terms of priorities, but still important.
The high level question I'd like to ask is:
The motivation behind this would be to unlock analysis and optimization of conversions based on bidding signals. (Note that "conversions" are used quite broadly here, and may actually mean any objectives that are measured on the advertiser's side.)
The solution discussed in #281, while satisfactory for the event-level case, would not work here - the bidding signals are not accessible in the Fenced Frame.
I anticipate there will be some technical details to work out (e.g. how to manage the privacy budget across win/loss/imp/click and conversion reporting), but I think it's best to start with a high level discussion on the general idea.
Best regards,
Jonasz
The text was updated successfully, but these errors were encountered: