Re: [private-measurement] Strawman: Target privacy constraints (#17)

> Regarding privacy unit / privacy grain, I think what is written now is stronger even than IPA which has a privacy unit of user x site. Did you intend to propose full user-level privacy here: "total amount of cross-site/cross-app information a caller can learn about a given person". We should try to be very precise about this.

This is super difficult to explain. I agree we should try to be very precise. Let me try again and see if I can do better on try 3 =).

So here is what I wrote:

> In each "epoch" (strawman: each week), a private measurement API should provide some upper bound, or limit, on the total amount of cross-site/cross-app information a caller can learn about a given person. That limit should be low enough that it does not in effect leak browsing history.

I used the term "a caller" without defining it. I think this is where I need to be more precise.

- Let's assume that in order to utilize a private measurement API, entities have to "sign up", perhaps providing a payment instrument to pay for the processing their queries consume. Let's call each entity that "signs up" an "API User".
- Let's assume that each app/website is allocated a per-user privacy budget. 
- Let's assume each app/website can either opt to make "privacy preserving measurement queries" on their own, or can contract with some measurement partner, delegating this responsibility to them. The choice is up to the app / website.

In the paragraph I wrote, I had each "app / website" in mind when I wrote the words "a caller".

This is one way in which we could achieve an upper bound on the total per-user information leakage to a given app/website.

As @martinthomson alluded to above, an alternative way to achieve the same goal would be to do a data analysis to see how many apps / websites the P95 user actually interacts with, and based on that decide on a pairwise privacy budget (i.e. a separate budget per source-site x trigger-site combo). This seems to me like it would incur more noise due to the uneven distribution of sites visited per user.

-- 
GitHub Notification of comment by benjaminsavage
Please view or discuss this issue at https://github.com/patcg/private-measurement/issues/17#issuecomment-1163986266 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 23 June 2022 06:02:32 UTC
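The budget model sketched in the comment above (one per-user budget per app/website per weekly epoch, with the option of delegating queries to a measurement partner), as an added worked example. This is illustration code written for this page, not code from the patcg/private-measurement proposal or from the commenter. It assumes epsilon-style budgets, Laplace noise, fixed 7-day epochs, a budget of 1.0 per (person, site, epoch), and that a delegated partner draws down the delegating site's budget; the site and partner names, the class and function names, and the budget value are all hypothetical.

```python
"""Toy per-person, per-epoch privacy-budget ledger for a private measurement API.

Added illustration; not the proposal's code. Assumptions (not stated in the
thread): epsilon budgets, Laplace noise, 7-day epochs, budget 1.0 per
(person, app/site, epoch), and a delegated partner spends the site's budget.
"""
from collections import defaultdict
from datetime import date, timedelta

EPOCH_DAYS = 7                 # strawman epoch from the thread: one week
PER_SITE_EPOCH_BUDGET = 1.0    # hypothetical epsilon per (person, site, epoch)


def epoch_of(day: date) -> int:
    """Map a calendar day to a fixed 7-day epoch index."""
    return day.toordinal() // EPOCH_DAYS


class BudgetLedger:
    """Within one epoch, a given app/site (or the API User it delegated to)
    may spend at most PER_SITE_EPOCH_BUDGET of epsilon on a given person."""

    def __init__(self, per_site_budget: float = PER_SITE_EPOCH_BUDGET):
        self.budget = per_site_budget
        self.spent = defaultdict(float)   # (person, site, epoch) -> epsilon spent
        self.delegate_of = {}             # site -> API User it delegated to

    def delegate(self, site: str, api_user: str) -> None:
        self.delegate_of[site] = api_user

    def _authorised(self, api_user: str, site: str) -> bool:
        return api_user == site or self.delegate_of.get(site) == api_user

    def charge(self, api_user: str, site: str, person: str, day: date, eps: float) -> bool:
        """Try to spend `eps` against (person, site, epoch). Returns True if the
        query may run, False if it would exceed the epoch budget."""
        if eps <= 0:
            raise ValueError("epsilon must be positive")
        if not self._authorised(api_user, site):
            raise PermissionError(f"{api_user} is neither {site} nor its delegate")
        key = (person, site, epoch_of(day))
        if self.spent[key] + eps > self.budget + 1e-12:
            return False
        self.spent[key] += eps
        return True

    def remaining(self, person: str, site: str, day: date) -> float:
        return self.budget - self.spent[(person, site, epoch_of(day))]


def laplace_scale(sensitivity: float, eps: float) -> float:
    """Laplace mechanism: noise scale b = sensitivity / epsilon."""
    return sensitivity / eps


def pairwise_noise_ratio(p95_sites: int) -> float:
    """Simplified comparison of the alternative design (one budget per
    source-site x trigger-site pair, sized so the P95 person's total leakage
    still fits the per-site budget) against spending the whole per-site
    budget on one query: splitting eps over p95_sites pairs multiplies the
    Laplace scale by p95_sites, whether or not a given person visits that
    many sites."""
    per_pair = PER_SITE_EPOCH_BUDGET / p95_sites
    return laplace_scale(1.0, per_pair) / laplace_scale(1.0, PER_SITE_EPOCH_BUDGET)


def demo() -> list:
    """Constructed scenario: shop.example delegates to partner.example."""
    ledger = BudgetLedger()
    ledger.delegate("shop.example", "partner.example")
    d = date(2022, 6, 23)
    next_epoch = d + timedelta(days=EPOCH_DAYS)
    return [
        ledger.charge("shop.example", "shop.example", "person-1", d, 0.6),        # fits
        ledger.charge("partner.example", "shop.example", "person-1", d, 0.5),     # 1.1 > 1.0, refused
        ledger.charge("partner.example", "shop.example", "person-1", next_epoch, 0.5),  # new epoch
        ledger.charge("news.example", "news.example", "person-1", d, 1.0),        # separate site budget
    ]


def delegation_enforced() -> bool:
    """An API User that is neither the site nor its delegate cannot spend."""
    try:
        BudgetLedger().charge("other.example", "shop.example", "person-1", date(2022, 6, 23), 0.1)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), delegation_enforced(), pairwise_noise_ratio(10))
```

The ledger keys spend on (person, site, epoch), so a partner that several sites delegate to draws down each delegating site's budget separately rather than getting a pooled one. `pairwise_noise_ratio` is only the rough arithmetic behind the noise concern in the comment: a per-pair budget sized for the P95 person shrinks epsilon for every pair, so someone who interacts with far fewer sites pays the larger noise without using the leakage headroom.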