Intent to Ship: Protected Audience Bidding and Auction Services: Allow trusted bidding signals to trigger interest group updates

Russ Hamilton

unread,

Nov 22, 2024, 3:46:23 PMNov 22

to blink-dev

Contact emails

paulj...@chromium.org, beham...@google.com

Explainer

For the Protected Audience feature that this extends to Bidding and Auction Services: https://github.com/WICG/turtledove/pull/1095

Specification

Web platform: https://github.com/WICG/turtledove/pull/1294.

Services protocol: https://github.com/privacysandbox/draft-ietf-bidding-and-auction-services/pull/12

Summary

The Protected Audience API allows bidders to store information, called an interest group, from a single site in the browser that can only be read later in the context of an auction. Today, interest groups can be updated by fetching new values from a server. We recently launched a feature that enables bidders to indicate a subset of interest groups they’d like to update in the real-time signals response from the bidders’ key-value servers. This proposal extends that capability to include auctions run on a Trusted Execution Environment (TEE) based server using Bidding and Auction Services by passing the list of interest groups to be updated from the bidders' key-value servers back to the browser in the encrypted response from Bidding and Auction Services.

Blink component

Blink>InterestGroups

TAG review

For Protected Audience Bidding and Auction Services: https://github.com/w3ctag/design-reviews/issues/1009

TAG review status

Declined

Risks

Interoperability and Compatibility

Feature represents optional new behavior that shouldn’t break existing usage.

Gecko & WebKit: For Protected Audiences in general - Negative from Mozilla. No signal from Webkit.

Edge: Edge is running an Origin Trial of the Ad Selection API which shares a Web API and services protocol with Protected Audience.

Web developers: Feature requested by Microsoft in GitHub issue.

Debuggability

Updates show up in the Application -> Storage -> Interest Groups DevTools pane.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

It will be supported on all platforms that support Protected Audience, so all but WebView.

Is this feature fully tested by web-platform-tests?

Yes

Flag name on chrome://flags

None

Finch feature name

EnableBandATriggeredUpdates

Requires code in //chrome?

False

Anticipated spec changes

No web-visible changes expected.

Estimated milestones

Shipping to all applicable platforms in M132.

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6305338270416896

Mike Taylor

unread,

Nov 26, 2024, 6:43:06 PMNov 26

to Russ Hamilton, blink-dev

Could you please request the various review bits in your chromestatus entry?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAAG-DU1RP23hoifvgyYojkGZGP%3D%2Bccw-MqLss5AyG5zSUEfz8g%40mail.gmail.com.

Vladimir Levin

unread,

Dec 3, 2024, 8:38:37 PM (8 days ago) Dec 3

to Mike Taylor, Russ Hamilton, blink-dev

On Tue, Nov 26, 2024 at 6:42 PM Mike Taylor <mike...@chromium.org> wrote:

Could you please request the various review bits in your chromestatus entry?

On 11/22/24 3:45 PM, 'Russ Hamilton' via blink-dev wrote:

Contact emails

paulj...@chromium.org, beham...@google.com

Explainer

For the Protected Audience feature that this extends to Bidding and Auction Services: https://github.com/WICG/turtledove/pull/1095

Specification

Web platform: https://github.com/WICG/turtledove/pull/1294.

Services protocol: https://github.com/privacysandbox/draft-ietf-bidding-and-auction-services/pull/12

Summary

The Protected Audience API allows bidders to store information, called an interest group, from a single site in the browser that can only be read later in the context of an auction. Today, interest groups can be updated by fetching new values from a server. We recently launched a feature that enables bidders to indicate a subset of interest groups they’d like to update in the real-time signals response from the bidders’ key-value servers. This proposal extends that capability to include auctions run on a Trusted Execution Environment (TEE) based server using Bidding and Auction Services by passing the list of interest groups to be updated from the bidders' key-value servers back to the browser in the encrypted response from Bidding and Auction Services.

My understanding is that this intent is to allow updateIfOlderThanMs to be used in TEE. However, because TEE architecture is itself complicated, is it possible to put together an explainer (with hopefully a couple of diagrams) of how this flow is going to happen?

Specifically, it isn't clear to me when we would query bidders' key-value servers in order to update the interest group in the TEE context. Is this happening during an auction or some other time? Is the response from TEEs going to apply the changes to interest groups that are still stored in the browser in this case? I also assume there would be no "verification" at this stage, given that this is a _trusted_ execution environment. Is that right?

Thanks,

Vlad

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/ca267644-3e78-4c4c-929f-2bea1f598e20%40chromium.org.

Russ Hamilton

unread,

Dec 4, 2024, 12:05:41 PM (7 days ago) Dec 4

to Vladimir Levin, Mike Taylor, blink-dev

Thanks, I have requested the review bits on the status entry.

There is a detailed explainer for the TEE system here: https://github.com/privacysandbox/protected-auction-services-docs/blob/main/bidding_auction_services_system_design.md

As shown in the diagram, the TEE performs the fetch to the Key-Value servers as part of running the auction. The TEE collects and forwards the updateIfOlderThanMs portion of the response back to Chrome in its response. As you guess there is no additional verification since this is a trusted server and we trust that the server performed its own verification (such as using TLS on the connection to the Key-Value server).

Best,

--Benjamin "Russ" Hamilton

Vladimir Levin

unread,

Dec 4, 2024, 3:46:47 PM (7 days ago) Dec 4

to Russ Hamilton, Mike Taylor, blink-dev

Thank you for the explainer pointer, this clarifies things for me.

It doesn't seem like there is any additional privacy implication for the TEE case.

LGTM1

Alex Russell

unread,

Dec 5, 2024, 1:37:56 AM (7 days ago) Dec 5

to Vladimir Levin, Russ Hamilton, Mike Taylor, blink-dev

LGTM2

To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXd2OZ5ANxswx-sfsiJjZN93eMkkiX5%3DjWmaHrC3TjG3MBWA%40mail.gmail.com.

Russ Hamilton

unread,

Dec 10, 2024, 3:57:11 PM (yesterday) Dec 10

to Mike Taylor, Vladimir Levin, Alex Russell, blink-dev

Thanks for your review. We have all of the other bits in the Chrome status entry. Mike, could you take another look at this?

Thanks,

--Benjamin "Russ" Hamilton

Mike Taylor

unread,

Dec 10, 2024, 4:30:05 PM (yesterday) Dec 10

to Russ Hamilton, Vladimir Levin, Alex Russell, blink-dev

LGTM3 - thanks for the ping. I reviewed this on the airplane the other day, but got busy after and lost track.

Reply all

Reply to author

Forward