From 5ef223f3b2588f5597ea944af70b7ca85a937025 Mon Sep 17 00:00:00 2001 From: Charlie Harrison Date: Mon, 3 Feb 2025 22:33:26 -0600 Subject: [PATCH 1/4] initial budgeting spec --- api.bs | 54 +++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 45 insertions(+), 9 deletions(-) diff --git a/api.bs b/api.bs index bbef101..c2c18cc 100644 --- a/api.bs +++ b/api.bs @@ -724,16 +724,47 @@ that "just tell me how to implement" goes in the API section. But I'd also be fine with putting this in the DP section. --> -The privacy budget store records the state -of the per-[=site=] [=privacy budgets=], and of any -[=safety limits=]. It is updated by [=deduct privacy budget=]. +The [=privacy budget store=] records the state +of the per-[=site=] [=privacy budgets=]. +It is updated by [=deduct privacy budget=].

-The [=privacy budget store=] needs to be described in more detail. -Some references to clearing the impression store may need to be +The [=safety limits=] need to be described in more detail. +Some references to clearing +the impression store may need to be updated to refer to the privacy budget store as well. +A privacy budget key is a [=struct=] consisting of the folowing items: + +

+: epoch +:: A [=privacy budget epoch=] +: site +:: A [=site=] + +
+ +The privacy budget store is a [=map=] whose keys are +[=privacy budget keys=] and whose values are [=floats=]. + +To deduct privacy budget given a [=privacy budget key=] |key|, +[=float=] |epsilon|, integer |sensitivity|, and integer |globalSensitivity|: + +1. If the [=privacy budget store=] does not [=map/contain=] |key|, [=map/set=] + its value of |key| to be a user agent defined value. + +1. Let |currentValue| be the result of [=map/get|getting the value=] of |key| + in the [=privacy budget store=] + +1. If |currentValue| is less than or equal to 0, return false. + +1. Let |newValue| be |currentValue| - |epsilon| * |sensitivity| / |globalSensitivity| + +1. [=map/set|Set=] the value of |key| in the [=privacy budget store=] to |newValue| + +1. Return whether |newValue| is greater than or equal to 0. + ## Attribution Logic ## {#s-logic} A site that measures conversions can specify attribution logic, @@ -753,7 +784,8 @@ after the [=common matching logic=] is applied, and privacy budgeting occurs. To do attribution and fill a histogram, given - |options|: + |options|, and + a [=site=] |topLevelSite|. 1. Initialize |matchedImpressions| to the empty [=set=]. @@ -767,8 +799,12 @@ To do attribution and fill a histogram, given 1. If |impressions| is not empty: + 1. Let |key| be a [=privacy budget key=] whose items are |epoch| and |topLevelSite|. + 1. Let |budgetOk| be the result of [=deduct privacy budget=] - with |epoch| and |options|.{{PrivateAttributionConversionOptions/epsilon}}. + with |key|, |options|.{{PrivateAttributionConversionOptions/epsilon}}, + |options|.{{PrivateAttributionConversionOptions/value}}, + and |options|.{{PrivateAttributionConversionOptions/maxValue}}. 1. If |budgetOk| is true, [=set/extend=] |matchedImpressions| with |impressions|. 
@@ -1193,7 +1229,7 @@ changes that might occur days or weeks in the future. ## Privacy Budgets ## {#dp-budget} -Browsers maintain a privacy budget, +Browsers maintain privacy budgets, which is a means of limiting the amount of privacy loss. This specification uses an individual form @@ -1219,7 +1255,7 @@ the budget for the [=privacy budget epoch=] in which those impressions were save If the privacy budget for that [=privacy budget epoch|epoch=] is not sufficient, the impressions from that [=privacy budget epoch|epoch=] are not used. -The details of how to deduct privacy budget is given below ... WIP +The details of how to [=deduct privacy budget=] is given below ... WIP
In the following figure, From cfdfe7fe8310fb4629d48fbbc63311c114bb3543 Mon Sep 17 00:00:00 2001 From: Charlie Harrison Date: Tue, 4 Feb 2025 09:01:24 -0600 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: Andrew Paseltiner --- api.bs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/api.bs b/api.bs index c2c18cc..2f7f94f 100644 --- a/api.bs +++ b/api.bs @@ -731,7 +731,7 @@ It is updated by [=deduct privacy budget=].

The [=safety limits=] need to be described in more detail. Some references to clearing -the impression store may need to be +the [=impression store=] may need to be updated to refer to the privacy budget store as well. @@ -752,16 +752,16 @@ To deduct privacy budget given a [=privacy budget key=] |key|, [=float=] |epsilon|, integer |sensitivity|, and integer |globalSensitivity|: 1. If the [=privacy budget store=] does not [=map/contain=] |key|, [=map/set=] - its value of |key| to be a user agent defined value. + its value of |key| to be a user-agent-defined value. 1. Let |currentValue| be the result of [=map/get|getting the value=] of |key| - in the [=privacy budget store=] + in the [=privacy budget store=]. 1. If |currentValue| is less than or equal to 0, return false. -1. Let |newValue| be |currentValue| - |epsilon| * |sensitivity| / |globalSensitivity| +1. Let |newValue| be |currentValue| - |epsilon| * |sensitivity| / |globalSensitivity|. -1. [=map/set|Set=] the value of |key| in the [=privacy budget store=] to |newValue| +1. [=map/set|Set=] the value of |key| in the [=privacy budget store=] to |newValue|. 1. Return whether |newValue| is greater than or equal to 0. From 2c83620184b5dc4ab393f54bfd093339dc6b9dbd Mon Sep 17 00:00:00 2001 From: Charlie Harrison Date: Tue, 4 Feb 2025 09:02:17 -0600 Subject: [PATCH 3/4] Make privacy budget key a tuple --- api.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api.bs b/api.bs index 2f7f94f..501fd25 100644 --- a/api.bs +++ b/api.bs @@ -735,7 +735,7 @@ the [=impression store=] may need to be updated to refer to the privacy budget store as well. -A privacy budget key is a [=struct=] consisting of the folowing items: +A privacy budget key is a [=tuple=] consisting of the folowing items:

: epoch From 80ba0b8e7a326f46834410d14888a74607a72069 Mon Sep 17 00:00:00 2001 From: Charlie Harrison Date: Mon, 10 Feb 2025 08:34:05 -0600 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Andrew Paseltiner --- api.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/api.bs b/api.bs index 501fd25..e7cdf20 100644 --- a/api.bs +++ b/api.bs @@ -732,7 +732,7 @@ It is updated by [=deduct privacy budget=]. The [=safety limits=] need to be described in more detail. Some references to clearing the [=impression store=] may need to be -updated to refer to the privacy budget store as well. +updated to refer to the [=privacy budget store=] as well. A privacy budget key is a [=tuple=] consisting of the folowing items: @@ -752,7 +752,7 @@ To deduct privacy budget given a [=privacy budget key=] |key|, [=float=] |epsilon|, integer |sensitivity|, and integer |globalSensitivity|: 1. If the [=privacy budget store=] does not [=map/contain=] |key|, [=map/set=] - its value of |key| to be a user-agent-defined value. + its value of |key| to be a [=user-agent=]-defined value. 1. Let |currentValue| be the result of [=map/get|getting the value=] of |key| in the [=privacy budget store=]. @@ -784,8 +784,8 @@ after the [=common matching logic=] is applied, and privacy budgeting occurs. To do attribution and fill a histogram, given - |options|, and - a [=site=] |topLevelSite|. + |options| and + a [=site=] |topLevelSite|: 1. Initialize |matchedImpressions| to the empty [=set=].
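Review bot: In patch 1, hunk @@ -724,16 +724,47 @@ (the new "deduct privacy budget" algorithm), step 5 writes |newValue| into the [=privacy budget store=] even when it is negative, so a deduction that is rejected in step 6 still consumes whatever budget was left for that key; the next call then fails at step 3. If charging the remainder on an overshoot is the intended semantics, state it explicitly next to step 5; otherwise make step 5 conditional ("If |newValue| is less than 0, return false" before the set). The same hunk also gives no precondition on the integer arguments: |globalSensitivity| can be 0 (division by zero in step 4) and |sensitivity| can exceed |globalSensitivity|, which charges more than |epsilon|. Add "|globalSensitivity| is greater than 0 and |sensitivity| is at most |globalSensitivity|" as an assertion or an early "return false", and say that "|sensitivity| / |globalSensitivity|" is a [=float=] division so it is not read as integer division.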
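Review bot: In patch 1, hunk @@ -767,8 +799,12 @@, |options|.{{PrivateAttributionConversionOptions/value}} and |options|.{{PrivateAttributionConversionOptions/maxValue}} are passed straight through as |sensitivity| and |globalSensitivity| with no validation visible in this hunk. Unless the conversion entry point already rejects a |value| greater than |maxValue| or a |maxValue| of 0, a caller can choose inputs that deduct a multiple of |epsilon| from the epoch's budget, or trigger a division by zero. Either validate these options where the conversion call is received or reference that validation here so the reader can see the invariant holds before the deduction.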
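Review bot: In patch 1, hunk @@ -1193,7 +1229,7 @@, the changed line "Browsers maintain privacy budgets," leaves the following unchanged clause "which is a means of limiting" with a singular verb; change it to "which are a means" or keep "a privacy budget" in the first line.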
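Review bot: In patch 1, hunk @@ -1219,7 +1255,7 @@, the sentence "The details of how to [=deduct privacy budget=] is given below ... WIP" is now stale: the algorithm is defined earlier in the document (in the hunk at @@ -724), not below, and it is no longer work in progress. Replace the placeholder with a cross-reference, for example "How budget is consumed is specified by the [=deduct privacy budget=] algorithm.", which also fixes the "details ... is" agreement.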
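Review bot: In patch 3, hunk @@ -735,7 +735,7 @@, the rewritten line keeps the typo "folowing" ("+A privacy budget key is a [=tuple=] consisting of the folowing items:"); correct it to "following" while this line is being touched. Since a [=tuple=] is positional, it is also worth saying that the item order here (epoch, then site) is the order used by "whose items are |epoch| and |topLevelSite|" in the attribution algorithm.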
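Review bot: In patch 4, hunk @@ -752,7 +752,7 @@, "a [=user-agent=]-defined value" for the initial budget is underspecified: the store's values are declared as [=floats=], and step 3 of the algorithm treats any value less than or equal to 0 as exhausted, so a [=user-agent=] that initialises the key to 0 would conform and reject every conversion. State that the initial value is a positive [=float=] (the per-epoch epsilon budget) so the intended behaviour is testable.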