Intent to Experiment: Protected Audience Bidding & Auction Services

2,107 views
Skip to first unread message

Paul Jensen

unread,
Oct 12, 2023, 6:40:45 PM10/12/23
to blink-dev, Russ Hamilton

Contact emails

paulj...@chromium.org, beham...@google.com


Explainer

Chrome:  https://github.com/WICG/turtledove/blob/main/FLEDGE_browser_bidding_and_auction_API.md

Services: https://github.com/privacysandbox/fledge-docs/blob/main/bidding_auction_services_api.md

Note that this explainer has a helpful onboarding section for setting up the services.


Specification

May be influenced by Origin Trial feedback, so not yet started.  Protected Audience auctions running on Bidding & Auction Services provide functionality very similar to existing on-device auctions so much of the existing spec applies.


Summary

The Protected Audience API (formerly known as FLEDGE) is a Privacy Sandbox proposal to serve remarketing and custom audience use cases, designed so third parties cannot track user browsing behavior across sites. This proposal, the Protected Audience Bidding & Auction Services proposal, outlines a way to allow Protected Audience computation to take place on cloud servers in a Trusted Execution Environment (TEE), rather than running locally on a user's device. Moving computation to cloud servers can help optimize the Protected Audience auction, and free up computational cycles and network bandwidth for a device.


Blink component

Blink>InterestGroups


TAG review

The parent proposal, Protected Audience, is still pending: https://github.com/w3ctag/design-reviews/issues/723


TAG review status

Pending


Risks

Interoperability and Compatibility

None. This is an optional new feature of the Protected Audience API. Ad techs can use this new feature by calling navigator.getInterestGroupAdAuctionData() and specifying values for new fields in the auction config. Without invoking the new function or explicit values for those new fields, there's no functional behavioral change as a result of this feature.


Gecko & WebKit: No signal on parent proposal, Protected Audience.  Asked in the Mozilla forum here, and in the Webkit forum here.


Web developers: Extensive interest in this feature from adtechs, evidenced by the myriad of discussions on Protected Audience’s issue tracker and weekly WICG calls.


Goals for experimentation

Operating Bidding and Auction services in TEEs represents a major shift from running Protected Audience auctions inside the browser.  During this Origin Trial we’d like to gain confidence that this is possible to do at scale and in a performant manner.  We want feedback on new API surfaces and how these servers are operated.


Debuggability

On-device API surfaces should be debuggable in Chrome DevTools, and we’ve added extensive mechanisms for debugging Bidding and Auction services.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

It will be supported on all platforms that support Protected Audience, so all but WebView.


Is this feature fully tested by web-platform-tests?

No. More web-platform-test coverage is expected when the specification is closer to completion.


Flag name on chrome://flags

Overall control is not possible via chrome://flags, though the consented debugging support is controlled via chrome://flags/#protected-audience-debug-token


Finch feature name

FledgeBiddingAndAuctionServerAPI


Requires code in //chrome?

Only for UI for the consented debugging support.


Estimated milestones

We hope to start the Origin Trial sometime during M119 beta. We plan to continue the Origin Trial for at least three milestones to give developers time to test the API and provide feedback. Once we are confident that the APIs are working properly, we will transition the OT from beta to stable channel.


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4649601971257344


Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWrnSdvf7RgK2wxsmC6rWc8eRoqDZOvgwVFuEx1r2nqmAJg%40mail.gmail.com


This intent message was generated by Chrome Platform Status.

Chris Harrelson

unread,
Oct 13, 2023, 1:46:22 PM10/13/23
to Paul Jensen, blink-dev, Russ Hamilton
Please fill out and start the reviews for Privacy, Security and Debuggability in your chromestatus entry, thanks.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWr%3D7Cfcv00pao_rDJeT2-67jfRNzk%2BgTHQ13eCUyguPcfA%40mail.gmail.com.

Mike Taylor

unread,
Oct 18, 2023, 12:04:30 PM10/18/23
to Chris Harrelson, Paul Jensen, blink-dev, Russ Hamilton

Hi Paul,

Can you clarify what the proposed end milestone will be?

thanks,
Mike

Paul Jensen

unread,
Oct 19, 2023, 11:42:27 AM10/19/23
to Mike Taylor, Chris Harrelson, blink-dev, Russ Hamilton
> Please fill out and start the reviews for Privacy, Security and Debuggability in your chromestatus entry, thanks.
These are all in review now.  Sorry, I forgot about this new step.

> Can you clarify what the proposed end milestone will be?
I hope the Origin Trial to last M119 through M121, though I strongly suspect I'll need to extend this further to provide sufficient time to test.

Mike Taylor

unread,
Oct 19, 2023, 2:31:39 PM10/19/23
to Paul Jensen, Chris Harrelson, blink-dev, Russ Hamilton

LGTM to experiment from M119 to M121 (inclusive). Extending another 3 milestones if needed will be fairly mechanical, given our current policy on OT length.

Russ Hamilton

unread,
Apr 4, 2024, 12:19:28 PMApr 4
to blink-dev, Paul Jensen

Influenced by Origin Trial feedback, so work has just started.  Protected Audience auctions running on Bidding & Auction Services provide functionality very similar to existing on-device auctions so much of the existing spec applies.


Summary

We propose extending the Bidding and Auction Services origin trial currently operating on 1% stable. We have decided to extend the experiment given developers need more time to onboard and to keep experimenting with new features. We would like to request extending the end milestone from M124 to M127.


Blink component

Blink>InterestGroups


TAG review

For Protected Audience: https://github.com/w3ctag/design-reviews/issues/723


TAG review status

Completed for Protected Audience, resolved unsatisfied.

Vladimir Levin

unread,
Apr 5, 2024, 11:19:56 AMApr 5
to Russ Hamilton, blink-dev, Paul Jensen
On Thu, Apr 4, 2024 at 12:19 PM 'Russ Hamilton' via blink-dev <blin...@chromium.org> wrote:

Contact emails

paulj...@chromium.org, beham...@google.com


Explainer

Chrome:  https://github.com/WICG/turtledove/blob/main/FLEDGE_browser_bidding_and_auction_API.md

Services: https://github.com/privacysandbox/fledge-docs/blob/main/bidding_auction_services_api.md

Note that this explainer has a helpful onboarding section for setting up the services.


Specification

Influenced by Origin Trial feedback, so work has just started.  Protected Audience auctions running on Bidding & Auction Services provide functionality very similar to existing on-device auctions so much of the existing spec applies.


Is there an available summary of the OT feedback, or a summary of changes that the feedback has influenced? 


Summary

We propose extending the Bidding and Auction Services origin trial currently operating on 1% stable. We have decided to extend the experiment given developers need more time to onboard and to keep experimenting with new features. We would like to request extending the end milestone from M124 to M127.


Blink component

Blink>InterestGroups


TAG review

For Protected Audience: https://github.com/w3ctag/design-reviews/issues/723


TAG review status

Completed for Protected Audience, resolved unsatisfied.


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4649601971257344


Links to previous Intent discussions

Intent to prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABQTWrnSdvf7RgK2wxsmC6rWc8eRoqDZOvgwVFuEx1r2nqmAJg%40mail.gmail.com


Intent to Experiment:

https://groups.google.com/a/chromium.org/g/blink-dev/c/2bwMHd3Yz7I

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Mike Taylor

unread,
Apr 8, 2024, 11:41:06 AMApr 8
to Russ Hamilton, Paul Jensen, blink-dev

Hi Russ,

Could you summarize progress on the following, per the extension process:

Draft spec (early draft is ok, but must be spec-like and associated with the appropriate standardization venue, or WICG)
TAG review
bit.ly/blink-signals requests
Outreach for feedback from the spec community
WPT tests

I recognize some of this is touched on in your email - but having it explicitly in one spot would be helpful, thanks.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Russ Hamilton

unread,
Apr 9, 2024, 4:12:59 PMApr 9
to Mike Taylor, Paul Jensen, blink-dev

Specification

We are just beginning writing the spec. We're drafting a WICG spec for the browser components and an IETF spec for the server interface.


TAG review

For Protected Audience: https://github.com/w3ctag/design-reviews/issues/723.


TAG review status

Completed for Protected Audience, resolved unsatisfied.


Interoperability and Compatibility


Gecko & WebKit: No signal on parent proposal, Protected Audience.  Asked in the Mozilla forum here, and in the Webkit forum here.


WPT Tests


We have not started on WPT tests for this feature.

Mike Taylor

unread,
Apr 12, 2024, 1:24:58 PMApr 12
to Russ Hamilton, Paul Jensen, blink-dev

Russ and I had a conversation offline about the progress here - mind summarizing, Russ?

Russ Hamilton

unread,
Apr 12, 2024, 2:52:58 PMApr 12
to Mike Taylor, Paul Jensen, blink-dev

To follow up on my previous email, I’d like to add some more details to clarify the state and progress of the Origin Trial:

In the past 6  months the server has added support for event-level reporting, multiple coordinators, currencies, multi-seller auctions, and hybrid on-device/on-server Protected Audience auctions. We've made 20+ changes to Chrome in the past 6 months to support new features for Bidding and Auction Services and address issues discovered during testing. 

The discussions needed to begin the specification work represent significant progress relative to where we were before, as now we have a plan and work has started on implementation.

The TAG review for Protected Audience finished in February. 

Although we haven't heard from Webkit or Gecko, Microsoft has proposed their Ad Selection API (https://github.com/WICG/privacy-preserving-ads/tree/main) as a similar TEE on-server auction API. That API looks like it would have an identical Web Platform API as the Bidding and Auction Services API. We have biweekly meetings with Microsoft, and are open to collaborating on specifying the API.

Although we don't have WPT, we have been working on integration testing with the existing implementation. Also, there is a substantial barrier to writing effective WPTs in our case due to the use of Hybrid Public Key Encryption (HPKE) in sending requests and responses. That said, we are thinking about ways to extend WPTs to make it possible to improve test coverage.

Mike Taylor

unread,
Apr 12, 2024, 4:02:09 PMApr 12
to Russ Hamilton, Paul Jensen, blink-dev

Thanks Russ.

LGTM to extend another 3 milestones. I would like to see draft specifications and progress on making this testable via WPTs, at the very least, before any further extensions are requested.

Russ Hamilton

unread,
Jun 20, 2024, 2:03:42 PMJun 20
to Mike Taylor, Qingxin Wu, Paul Jensen, blink-dev

A work-in-progress pull request on the Protected Audience spec describes some of the changes to the W3C spec. We are reaching out to the IETF ART Area Directors for assistance beginning the standardization process for some of the server-side aspects of this API.


Summary

We propose extending the Bidding and Auction Services origin trial currently operating on 1% stable. 

Recent changes:

  • Prompted by developer concerns about scalability, we have recently added support in M127 for limiting the size of the Bidding and Auction request payload

  • We also added controls to enable sellers to select which buyers are included in the payload when it doesn’t affect the outwardly visible size of the encrypted data.

  • Additionally the Bidding and Auction server has recently added support for features such as buyerReportingId and bid currency.

We have decided to extend the experiment to give developers time to experiment with the new features. We would like to request extending the end milestone from M127 to M130.


Blink component

Blink>InterestGroups


TAG review

For Protected Audience: https://github.com/w3ctag/design-reviews/issues/723


TAG review status

Completed for Protected Audience, resolved unsatisfied.


Interoperability and Compatibility

Gecko & WebKit: No signal on parent proposal, Protected Audience.  Asked in the Mozilla forum here, and in the Webkit forum here.

Edge: Microsoft has proposed their Ad Selection API (https://github.com/WICG/privacy-preserving-ads/) as a similar TEE on-server auction API. That API looks like it would have an identical Web Platform API as the Bidding and Auction Services API. We have biweekly meetings with Microsoft, and are open to collaborating on specifying the API.

WPT Tests

We have started to implement some tests, but work is still ongoing.

Intent to Extend Experiment:

https://groups.google.com/a/chromium.org/g/blink-dev/c/2bwMHd3Yz7I/m/xaJHFJ_uAAAJ


Thanks,


–Benjamin “Russ” Hamilton

Russ Hamilton

unread,
Jun 20, 2024, 2:53:09 PMJun 20
to blink-dev
(Now *To* blink-dev instead of just CC)

Mike Taylor

unread,
Jun 26, 2024, 1:53:56 PMJun 26
to Russ Hamilton, blink-dev

Hi Russ,

I'm trying to refresh my memory on the history of this experiment.

Experiment first approved on 10/19/23 for M119 to M121, https://groups.google.com/a/chromium.org/g/blink-dev/c/2bwMHd3Yz7I/m/BzI3_qoCAwAJ

Request on 4/4/24 to renew from M124 to M127, https://groups.google.com/a/chromium.org/g/blink-dev/c/2bwMHd3Yz7I/m/xaJHFJ_uAAAJ

Approved 4/12/24 (“for another 3 milestones”), https://groups.google.com/a/chromium.org/g/blink-dev/c/2bwMHd3Yz7I/m/Pm842qm_AAAJ

Requesting M127 to M130 on 6/20/24, https://groups.google.com/a/chromium.org/g/blink-dev/c/2bwMHd3Yz7I/m/RigQFZilAgAJ

Question: what happened between M122 and M124? Was the experiment not running?

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Paul Jensen

unread,
Jun 28, 2024, 2:00:10 PMJun 28
to blink-dev, Mike Taylor, blink-dev, beham...@google.com
Mike,

It looks like we did continue the OT during M122-124 before sending the first I2EE, despite initially only asking for approval for M119-121.  I wonder if someone went off of the current OT policy of "An initial origin trial or experiment for a feature may only run for 6 milestones" without knowing my initial ask was for just 3 milestones.  I apologize for that and am going to seek updating internal processes to add a check to prevent this oversight from happening again, even if the initial I2EE is "fairly mechanical" as you said originally.

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.

Mike Taylor

unread,
Jul 1, 2024, 10:37:56 AMJul 1
to Paul Jensen, beham...@google.com, blink-dev

I see - thanks for the info Paul. It seems like an unintentional mixup.

When I approved the previous extension I wrote: "I would like to see draft specifications and progress on making this testable via WPTs"

Russ thanks for linking to https://pr-preview.s3.amazonaws.com/brusshamilton/turtledove/pull/1200.html - based on this draft PR. You wrote that it describes _some_ of the changes, can you speak to what is missing (that you will presumably spec ahead of an I2S)?

And thanks for beginning to land WPTs.

Russ Hamilton

unread,
Jul 17, 2024, 5:38:14 PMJul 17
to blink-dev, mike...@chromium.org, blink-dev, Paul Jensen, Russ Hamilton
The draft PR describes the basic API. There are some options we've recently added to navigator.getInterestGroupAdAuctionData()` to provide more control over what gets put in the encrypted request (see the explainer pull request here: https://github.com/WICG/turtledove/pull/1183) which are not yet included in the draft spec. 

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Mike Taylor

unread,
Jul 19, 2024, 12:04:07 PMJul 19
to Russ Hamilton, Paul Jensen, blink-dev

OK - thanks. It sounds like the majority of the API is specced, with some options to go (I hope I'm interpreting that correctly).

LGTM to extend from M127 to M130 inclusive.

If there's a further extension request, I would expect all the spec work to be finished and merged, and significantly more WPT coverage. If WPT needs support for PA to be more testable, I would strongly recommend you start thinking about webdriver/testdriver.js extensions to make that possible.

Mike Taylor

unread,
Jul 19, 2024, 12:05:44 PMJul 19
to Russ Hamilton, Paul Jensen, blink-dev

Apologies - I mean to approve from M127 to M129 inclusive (math is hard).

Reply all
Reply to author
Forward
0 new messages