Consider routing reports through an (untrusted) ingestion server #2
Comments
|
I think this is a good idea for enhancement. There is definitely an interesting question on who should host the mailbox since conversion measurements from the advertiser may give timing information to the ad-tech or publisher if they were to receive that information. As an initial straw man for the anti-replay logic: the MPC nodes should be able to keep a small state regarding e.g. the last time they ran an aggregation and the reports consumed since then. Each report would then have a timestamp in the encrypted information for the MPC so that the MPC could ignore events created on the device before the closed aggregation period. I imagine more nuance may be needed... |
|
I would also want to discuss data retention time guarantees for such an ingestion system. One of the things that browsers will be able to specify is their trust in a particular set of nodes conducting an aggregation. Having (even encrypted) user data journaled somewhere for long periods of time becomes another attack surface. |
Rather than sending reports directly to the MPC system, I want to consider routing them through an ingestion server, e.g. operated by the advertiser / publisher / ad tech. I believe this does not regress the security or privacy stance of this API, and it comes with a number of benefits:
We should figure out what anti-replay state management would look like in this system, but I think it will end up overall simplifying the system and making it more flexible.
The text was updated successfully, but these errors were encountered: