
The Hidden Dangers Of Privacy-Preserving Attribution – And A Smarter Solution

Don Marti, VP of ecosystem innovation, Raptive

Meta and Mozilla have proposed a new browser-based attribution system for web ads that they’re calling Privacy-Preserving Attribution.

The goal is to track how advertising leads to conversion with less privacy risk to users.

Unfortunately, while PPA appears to solve an interesting math problem, applying it to real-world advertising would increase privacy risks for users.

Brands have better alternatives.

How PPA works

With PPA, the browser and a new aggregation service work together to provide aggregated information to the advertiser. First, JavaScript on an “impression site” asks the browser to record an impression. The browser keeps track of impressions across many sites. Later, when a user buys something, the “conversion site” where the sale happened can request an encrypted “conversion report” from the browser. The browser responds with a data blob that the site can’t decode.

To get usable information, the conversion site must save up “conversion reports” and pass them to an aggregation service. The aggregation service then returns information in a way that does not reveal whether any individual who bought something ever saw an ad or visited any particular site. Meta and Mozilla propose using a multi-party computation system, using two independent service providers, to fill the role of the aggregation service.

PPA’s privacy advantage and vulnerability

Because no individual person can be tracked from ad impression to conversion, PPA appears to have a privacy advantage. But it has a vulnerability to attribution fraud. The PPA specification states: “Fraudulent registration of impressions is a particular concern with the Private Attribution API, because impressions are stored only on the device. It is not possible to apply server-side intelligence to identify fraudulent impressions and exclude them from attribution.”

Attribution fraud: A persistent challenge

Attribution fraud is nothing new. The Honey browser extension recently achieved internet fame for what the MegaLag YouTube channel alleges is an Influencer Scam – detecting when a user is about to order something and changing an influencer’s affiliate code to its own. However attribution gets tracked, some sneaky perpetrator will try to “steal” credit for conversions.

Getting a conversion the honest way is really hard. First, someone has to make a site where people visit, pay attention and look at the ads. Then someone needs to sell advertising – which is either a personal process, a complex programmatic setup or some of both. And even if the site does everything right, the advertiser needs to make an ad that sells.

By comparison, attribution fraud is easy for those who have some view into user behavior that will help them predict when a sale is about to happen and get credit for having helped make it.

Attribution fraud can be more than just a sneaky way to transfer value away from content creators to fraud hackers. PPA, where the browser cooperates in hiding fraud, makes attribution fraud into a privacy risk for users, too. That’s because a dishonest intermediary with surveillance data that can predict sales can claim attribution by saving PPA impressions on random sites that had nothing to do with the sale.

And unlike with simpler fraud, PPA vanishes the evidence into the mathematical oblivion of the aggregation service. PPA is good for privacy in the same way a dealer who buys copper wire with no questions asked is good for the environment. Theoretically, they’re recycling, but they’re creating incentives for people to destroy infrastructure. By providing an undetectable cash-out for fraud, PPA creates more incentives to do more surveillance on users.
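The flow described in "How PPA works" and the fraud scenario above can be made concrete with a small simulation. This is an added example, not code from the PPA specification, from Mozilla or Meta, or from the article: the function names (makeBrowser, saveImpression, measureConversion, aggregate, runScenario), the last-touch rule, the ad and site names, and the 100-user population are all assumptions chosen for illustration. It models the on-device impression store, the per-conversion histogram the browser produces, and an aggregation service that only ever returns totals, then shows how an intermediary that can predict a sale claims credit by saving an impression on an unrelated page moments before the conversion.

```javascript
// Simplified model of the PPA flow (added example; not the real
// navigator.privateAttribution API of the Mozilla/Meta draft spec).
// All names below are assumptions made for this illustration.

// One browser's on-device impression store.  Records stay local and are
// never sent to a server, which is why no server-side check can vet them.
function makeBrowser(now = () => Date.now()) {
  const impressions = [];
  return {
    // Called by script on an "impression site".  Nothing verifies that the
    // page actually rendered ad `adId` to the user.
    saveImpression(site, adId) {
      impressions.push({ site, adId, ts: now() });
    },
    // Called by script on a "conversion site".  Returns a histogram with one
    // bucket per candidate ad; the most recent matching impression inside
    // the lookback window gets the credit (last-touch).  In real PPA this
    // report is encrypted for the aggregation service, so the site itself
    // cannot read it or learn which impression was credited.
    measureConversion(adIds, lookbackMs) {
      const cutoff = now() - lookbackMs;
      const hist = new Array(adIds.length).fill(0);
      let best = null;
      for (const imp of impressions) {
        if (imp.ts >= cutoff && adIds.includes(imp.adId) && (!best || imp.ts > best.ts)) {
          best = imp;
        }
      }
      if (best) hist[adIds.indexOf(best.adId)] = 1;
      return hist;
    },
  };
}

// Aggregation service: sums per-conversion histograms.  Only totals come
// out; the per-user reports, and with them the identity of the site each
// credited impression was saved on, are gone.
function aggregate(reports) {
  const total = new Array(reports[0].length).fill(0);
  for (const r of reports) r.forEach((v, i) => { total[i] += v; });
  return total;
}

// Constructed scenario: 100 users each see "honest-ad" on a real publisher
// site.  For 30 of them, an intermediary that predicted the purchase saves
// "fraud-ad" as an impression on an unrelated page one minute before the
// sale.  Last-touch attribution hands those 30 conversions to the fraudster.
function runScenario() {
  let t = 1_000_000;
  const clock = () => t;
  const adIds = ["honest-ad", "fraud-ad"];
  const day = 24 * 3600 * 1000;
  const reports = [];
  for (let u = 0; u < 100; u++) {
    const b = makeBrowser(clock);
    b.saveImpression("publisher.example", "honest-ad"); // genuine ad view
    t += day;
    if (u < 30) {
      b.saveImpression("random.example", "fraud-ad"); // fraudulent last touch
      t += 60_000;
    }
    reports.push(b.measureConversion(adIds, 7 * day)); // saved up by the site
    t += day;
  }
  const totals = aggregate(reports);
  return Object.fromEntries(adIds.map((id, i) => [id, totals[i]]));
}

console.log(runScenario()); // { 'honest-ad': 70, 'fraud-ad': 30 }
```

The aggregated output is the only artifact the advertiser receives: it reports 30 conversions for an ad that no user ever saw, and nothing in it points back to the page the bogus impressions came from. Detecting the fraud would require the per-impression records that, by design, never leave the device.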

PPA and transparency problems

Another privacy risk is PPA’s transparency problem, which works against the “right to know” (RtK) provisions in some state privacy laws that let users obtain the information companies hold on them. Although an individual’s data is hard to interpret on its own, consumer organizations can do research that aggregates many volunteers’ data to look for privacy harms like algorithmic discrimination.

By obfuscating data to make user RtKs harder or impossible, PPA would incentivize and conceal the kinds of privacy issues that users are concerned about, just to give users some kind of mathematical win. (Martin et al. found that users don’t consider on-device tracking to be any better for privacy than third-party tracking.) 

Some PPA proponents claim that PPA could be extended in the future to solve some of these issues. However, PPA will always be at a development velocity disadvantage because of its mathematical overhead and connection to browser releases. Not only do the adversaries have a faster, easier development task, but they’re also able to see the PPA side’s work in the form of browser code.

Although Meta proposes PPA for the open web, nobody at Meta has proposed giving up the company’s own attribution reporting based on tracking individual users. Even without the privacy threat it would introduce, PPA would disadvantage the open web. 

ADMAP: A better alternative

A workable alternative to PPA is already available: ADMAP from the IAB Tech Lab. While ADMAP is simpler mathematically than PPA, it can provide much more actual privacy protection to real users. In ADMAP, although the core functionality is encrypted, the advertiser and publisher still have the information needed to track down fraud and respond to user RtKs. 

Although not every advertiser will take advantage of all fraud-fighting features available to them, the presence of those features will help deter fraud in ADMAP. Besides privacy advantages, ADMAP’s architecture keeps anti-fraud OODA loops tight by not relying on time-consuming browser changes that can be analyzed and worked around by fraud hackers. Although PPA is unworkable, a step back does teach us something: in the future, pay more attention to user research and to legit stakeholders like web publishers and legit advertisers.

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

