Incorporating a trusted server into FLEDGE could safeguard privacy, give publishers more control of segments, and save the browser the headaches of auction mechanics. Here’s how this optional modification could work.
Why it matters — A trusted intermediary with a privacy gatekeeping function that sits between a device and ad tech buyers could be a game changer for publishers in a post-third-party-cookie world. As the industry debates the road ahead, incorporating the option of a Trusted Audience Server into the current version of Google Chrome’s FLEDGE proposal could produce significant upsides for multiple stakeholders. For example, auctions could be run on this trusted server rather than in the browser, and audience segments could also be stored on this server.
How will online ad auctions function and preserve privacy after the third-party cookie is phased out? No one knows yet, but many in the industry are thinking hard about the possibilities.
One approach is to add an optional extension to Chrome’s FLEDGE (First Locally-Executed Decision over Groups Experiment), a proposal that is part of Google’s Privacy Sandbox basket of initiatives.
Publishers have indicated that they are interested in the idea of being able to create audiences and decide how those audiences are used within the FLEDGE ecosystem rather than outside of it. This proposal remixes how much processing lives on a user’s device and how much is off-device in a trusted server.
A trusted intermediary called a Trusted Audience Server, positioned between a device and ad tech buyers, could benefit publishers, users, and even Chrome itself.
New Opportunities for FLEDGE
The tweaks pertain to two facets of FLEDGE. For starters, consider that FLEDGE’s privacy model treats the creative as the grain (the unit) of privacy control. The model assumes that information about the creative is the most crucial privacy consideration, rather than information about the user or the user’s attributes.
The grain of privacy metering shouldn’t be the creative but rather the segment information about a user. For example:
- Did the user see a creative?
- Why did a user see the creative?
- Who thinks the user is, say, a dad of two?
- Who learns that the user saw the creative?
This can be done by making the segment, rather than the creative, the unit that is controlled in an auction.
Secondly, FLEDGE prohibits the creator of an audience segment from allowing other entities to make use of its segment. For instance, with FLEDGE, a publisher that is also a home goods retailer couldn’t let a smaller retailer advertise to the publisher’s visitors who have looked at rugs recently. This aspect should be modified as well.
The Roles a Trusted Server Can Play
A trusted server is a server-side partner that holds information about a user’s domain- or site-scoped identity but can be trusted to hold that data in a way that prevents outside parties from reconstituting it and assembling a picture of the user.
These trusted servers could be owned by publishers through data management platforms (DMPs) or supply-side platforms (SSPs) and maintain all the privacy guarantees of an ad being self-contained and malware-free.
In addition, segments could live on the trusted server rather than in the browser. Publishers would control these segments. For example, with a trusted server, that home goods publisher could allow the smaller retailer to purchase a segment of rug shoppers.
How an Extension of a Trusted Audience Server Would Work
Although the current version of FLEDGE has notions of trusted signals on the seller side and bidding signals for the buy side, it ultimately relies very little on an external trusted server.
Here’s how a Trusted Audience Server could work in FLEDGE:
- First, publishers would create segments in the trusted server with a publisher-scoped ID and segment IDs of their choice.
- They would later get segments from the server, which decides which segments it is allowed to reveal in an auction.
It can consider whether an ID is used on other sites and is therefore not allowed, for example. It can offer k-Anonymity for minimum group size. It can also ensure differential privacy so potential attackers can’t discern whether or not an individual is a group member.
- Publishers could choose to run an auction off-device on the trusted server instead of on the browser.
So, rather than asking Chrome to run an auction and put the winning ad in the slot, as FLEDGE would currently, an ad tech company could follow an optional route: “For this given ad slot, here’s the ad bundle that has won an auction. Please insert it.” This could happen if the FLEDGE API is extended with something like navigator.renderWinningAd instead of runAdAuction.
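To make the server’s gatekeeping steps above concrete, here is a small Python model of a Trusted Audience Server’s segment store and release gate. It is an added illustration, not code from the FLEDGE proposal or from any trusted-server product; the k-anonymity threshold, the ε value, the randomized-response mechanism and the sample publisher names are all assumptions.

```python
import math
import random
from collections import defaultdict

class TrustedAudienceServer:
    """Toy model of a Trusted Audience Server's segment store and release gate (assumed design)."""

    def __init__(self, k_min=50, epsilon=1.0, seed=0):
        self.k_min = k_min          # assumed k-anonymity minimum group size
        self.epsilon = epsilon      # assumed privacy budget for randomized response
        self.rng = random.Random(seed)
        self.segments = defaultdict(set)       # (publisher, segment_id) -> scoped user ids
        self.id_publishers = defaultdict(set)  # scoped user id -> publishers that used it

    def add_member(self, publisher, segment_id, scoped_uid):
        """Publishers pick their own publisher-scoped ids; the server records who used each id."""
        self.id_publishers[scoped_uid].add(publisher)
        self.segments[(publisher, segment_id)].add(scoped_uid)

    def release_decision(self, publisher, segment_id):
        """Decide whether a segment may be revealed in an auction, and why not if it may not."""
        members = self.segments.get((publisher, segment_id), set())
        if len(members) < self.k_min:
            return False, "below k-anonymity minimum group size"
        # An id submitted by more than one publisher behaves like a cross-site identifier.
        reused = [u for u in members if len(self.id_publishers[u]) > 1]
        if reused:
            return False, f"{len(reused)} id(s) reused across sites"
        return True, "ok"

    def auction_segments(self, publisher):
        return sorted(seg for (pub, seg) in self.segments
                      if pub == publisher and self.release_decision(pub, seg)[0])

    def noisy_membership(self, publisher, segment_id, scoped_uid):
        """Randomized response: truthful with probability e^eps / (1 + e^eps), else flipped,
        so one user's membership is epsilon-differentially private."""
        truth = scoped_uid in self.segments.get((publisher, segment_id), set())
        p_truth = math.exp(self.epsilon) / (1.0 + math.exp(self.epsilon))
        return truth if self.rng.random() < p_truth else not truth

def demo():
    """Constructed sample: rug shoppers become unreleasable once an id shows up cross-site."""
    srv = TrustedAudienceServer(k_min=3)
    for uid in ("hg-1", "hg-2", "hg-3"):
        srv.add_member("homegoods.example", "rug_shoppers", uid)
    srv.add_member("homegoods.example", "lamp_shoppers", "hg-4")  # below k_min
    before = srv.auction_segments("homegoods.example")
    srv.add_member("smallshop.example", "visitors", "hg-2")      # id reused on another site
    return before, srv.auction_segments("homegoods.example")
```

demo() returns the releasable segments before and after the cross-site reuse, which is the point at which the server stops revealing rug_shoppers even though the group is large enough.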
A Beneficial Tweak That Preserves Core Guarantees
The proposal permits—but doesn’t require—auction mechanics outside of the browser. However, most benefits, including for Chrome, derive from running the auction off-device.
What advantages would Chrome gain by not being the auctioneer?
- It wouldn’t have to manage millions of segments.
- It wouldn’t need to worry that segments stored on the user’s browser could slow it down.
- It wouldn’t need to provide auction mechanics debugging support or build debugging tools that could be abused.
- It could focus on privacy, improving speed, and the user’s web experience.
Meanwhile, even if the browser doesn’t run the auction, it still receives a self-contained ad WebBundle and remains wholly responsible for rendering and attributing the ad. In addition, the ad continues to render in a FencedFrame that prohibits communication between the ad and the publisher and prevents publisher and advertiser collusion.
A Trusted Server Can Do the Heavy Lifting While Safeguarding Privacy
There are substantial advantages in running auctions on a trusted server and storing segments on the server rather than in the browser.
To sum up, a Trusted Audience Server would have these responsibilities:
- Logging publisher-scoped segments
- Permitting and metering access to those segments from the publishers that created them, or from those publishers’ agents
- Ensuring no cross-site identifiers or identities are being used or produced
- Running a privacy-preserving auction
- Providing basic reporting on auction results
A version of FLEDGE with a trusted server could be the alternative publishers seek for the post-cookie world.