Skip to content

Commit 91ff900

Browse files
Merge pull request #438 from w3c/timg-histogram-trust-model
Improve discussion of the inter-site trust relationships
2 parents 618f463 + 52307d1 commit 91ff900

1 file changed

Lines changed: 61 additions & 16 deletions

File tree

api.bs

Lines changed: 61 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -3497,32 +3497,77 @@ be released through attribution.
34973497
privacy budgets to mitigate this possibility.
34983498

34993499

3500-
## Ad Fraud ## {#security-ad-fraud}
3500+
## Controlling Cross-Site Participation ## {#site-trust-model}
35013501

3502-
As with many technologies,
3503-
advertising on the web
3502+
In order to produce an aggregate histogram,
3503+
multiple sites need to cooperate.
3504+
Every [=impression site=] needs to produce consistent values
3505+
for the [=impressions=] it saves.
3506+
A [=conversion site=] needs to trust
3507+
impression sites to record correct values.
3508+
3509+
The API provides a number of filtering options
3510+
for sites to help manage the risk of unwanted impressions
3511+
that could pollute aggregates.
3512+
3513+
* An [=impression site=] can target specific [=conversion sites=]
3514+
using {{AttributionImpressionOptions/conversionSites}}.
3515+
3516+
* Impressions can be restricted to specific [=intermediary site|intermediaries=]
3517+
that operate on [=conversion sites=]
3518+
using {{AttributionImpressionOptions/conversionCallers}}.
3519+
3520+
* A [=conversion site=] can limit the [=impression sites=]
3521+
it queries as part of attribution
3522+
using {{AttributionConversionOptions/impressionSites}}.
3523+
3524+
* Conversion can also limit queries impressions
3525+
to those saved by specific [=intermediary site|intermediaries=]
3526+
using {{AttributionConversionOptions/impressionCallers}}.
3527+
3528+
Filtering options are useful
3529+
in limiting which sites are able to participate in attribution,
3530+
which reduces the set of entities that are able to poison aggregate results.
3531+
Effective use of these options is especially useful
3532+
in preventing some accidental inclusion of unwanted impressions.
3533+
3534+
These filtering options are limited in their efficacy
3535+
against malicious attempts to poison results.
3536+
Trust is rarely as strictly binary as these controls expect.
3537+
An impression site that is listed might mix
3538+
impressions that are genuine from the perspective of the conversion site
3539+
with falsified or erroneous impressions.
3540+
Erroneous impressions represent what is considered InValid Traffic (IVT),
3541+
some of which might be regarded as fraudulent.
3542+
3543+
3544+
### Ad Fraud ### {#security-ad-fraud}
3545+
3546+
Advertising on the web
35043547
has been the subject of various kinds of fraud.
3548+
A site might seek to conduct impression fraud using this API
3549+
to create the impression that value
3550+
is misattributed to ads placed with them.
35053551

35063552
Fraudulent registration of impressions
3507-
is a particular concern with the Attribution API,
3553+
is a particular concern with this API,
35083554
because impressions are stored only on the device.
35093555
It is not possible to apply server-side intelligence
35103556
to identify fraudulent impressions and exclude them
3511-
from attribution. Conversely, even though [=conversion reports=]
3512-
are encrypted, because the reports are sent
3513-
to a server, the server can make a determination that
3514-
the conversion is likely fraudulent and exclude it from
3515-
aggregation.
3516-
3517-
An important mitigation against malicious use
3518-
of the Attribution APIs is the explicit specification
3519-
of eligible conversion sites when registering an impression,
3520-
and of eligible impression sites and [=impression/histogram indexes=]
3521-
when registering a conversion.
3522-
This prevents impressions on arbitrary malicious sites
3557+
from attribution.
3558+
3559+
The only direct mitigation against malicious impressions
3560+
is the site-level filtering options.
3561+
This prevents impressions on wholly-untrusted sites
35233562
from interfering with attribution to the intended set
35243563
of candidate impressions.
35253564

3565+
Conversely, even though [=conversion reports=] are encrypted,
3566+
because the reports are sent to the [=conversion site=],
3567+
the conversion site can make a determination
3568+
that the conversion is likely fraudulent
3569+
and exclude it from aggregation.
3570+
35263571

35273572
# Privacy Considerations # {#privacy}
35283573

0 commit comments

Comments
 (0)