Description
Problem
Browsers are now working to prevent cross-site user tracking, including by partitioning storage and removing third-party cookies. There are a range of API proposals to continue supporting legitimate use cases in a way that respects user privacy. Many of these proposals, including Shared Storage and TURTLEDOVE, plan to isolate potentially identifying cross-site data in special contexts, which ensures that the data cannot escape the user agent.
Relative to cross-site data from each user, aggregate, noisy data can leak less information about individual users, and yet would be sufficient for a wide range of use cases that rely on third-party cookies today (e.g. reach measurement).
Proposal summary
This API proposal introduces a generic mechanism for measuring aggregate, cross-site data in a privacy-preserving manner. In particular, this would be available in isolated contexts that have access to cross-site data (such as a Shared Storage worklet).
The potentially identifying cross-site data is encapsulated into ‘aggregatable reports’. To prevent leakage, this data is encrypted, ensuring it can only be processed by an aggregation service (e.g. this proposal) that will aggregate the reports, add noise and limit how many queries can be performed. This service was originally proposed for use by the Attribution Reporting API, but allowing more general aggregation would support additional use cases.
Explainer
More detail about the proposal is available in an explainer. I’d be happy to move this explainer to the PATCG Individual Drafts org (once I have the necessary permissions).