Efficiently manage privacy on-device for private advertising APIs
As major browsers phase out third-party cookies, emerging advertising APIs offer an opportunity to improve web privacy. Cookie Monster enhances existing advertising measurement APIs from major tech companies with more efficient differential privacy (DP) budgeting. By using an individual form of DP, our approach enables more accurate private measurement queries, with additional benefits in terms of user transparency and control. We prototyped Cookie Monster in Chrome, and our design has been incorporated into Mozilla’s draft for standardization at the W3C Private Advertising Technology Working Group.
Big Bird, currently under review and available on arXiv, builds on Cookie Monster to clarify per-site budget semantics and introduce a global budgeting system grounded in resource isolation principles. We implemented Big Bird in Firefox, using pdslib, our generic Rust library for on-device DP budgeting.
References
2025
Big Bird: Privacy Budget Management for W3C’s Privacy-Preserving Attribution API
Pierre Tholoniat, Alison Caulfield, Giorgio Cavicchioli, Mark Chen, Nikos Goutzoulias, Benjamin Case, Asaf Cidon, Roxana Geambasu, Mathias Lécuyer, and Martin Thomson
Privacy-preserving advertising APIs like Privacy-Preserving Attribution (PPA) are designed to enhance web privacy while enabling effective ad measurement. PPA offers an alternative to cross-site tracking with encrypted reports governed by differential privacy (DP), but current designs lack a principled approach to privacy budget management, creating uncertainty around critical design decisions. We present Big Bird, a privacy budget manager for PPA that clarifies per-site budget semantics and introduces a global budgeting system grounded in resource isolation principles. Big Bird enforces utility-preserving limits via quota budgets and improves global budget utilization through a novel batched scheduling algorithm. Together, these mechanisms establish a robust foundation for enforcing privacy protections in adversarial environments. We implement Big Bird in Firefox and evaluate it on real-world ad data, demonstrating its resilience and effectiveness.
@inproceedings{bigbird,
  title = {Big {{Bird}}: {{Privacy Budget Management}} for {{W3C}}'s {{Privacy-Preserving Attribution API}}},
  shorttitle = {Big {{Bird}}},
  author = {Tholoniat, Pierre and Caulfield, Alison and Cavicchioli, Giorgio and Chen, Mark and Goutzoulias, Nikos and Case, Benjamin and Cidon, Asaf and Geambasu, Roxana and L\'ecuyer, Mathias and Thomson, Martin},
  year = {2025},
  doi = {10.48550/arXiv.2506.05290},
  url = {http://arxiv.org/abs/2506.05290},
  booktitle = {arXiv preprint},
  keywords = {Computer Science - Cryptography and Security}
}
2024
Cookie Monster: Efficient On-Device Budgeting for Differentially-Private Ad-Measurement Systems
Pierre Tholoniat, Kelly Kostopoulou, Peter McNeely, Prabhpreet Singh Sodhi, Anirudh Varanasi, Benjamin Case, Asaf Cidon, Roxana Geambasu, and Mathias Lécuyer
In Proceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles, 2024
With the impending removal of third-party cookies from major browsers and the introduction of new privacy-preserving advertising APIs, the research community has a timely opportunity to assist industry in qualitatively improving the Web’s privacy. This paper discusses our efforts, within a W3C community group, to enhance existing privacy-preserving advertising measurement APIs. We analyze designs from Google, Apple, Meta and Mozilla, and augment them with a more rigorous and efficient differential privacy (DP) budgeting component. Our approach, called Cookie Monster, enforces well-defined DP guarantees and enables advertisers to conduct more private measurement queries accurately. By framing the privacy guarantee in terms of an individual form of DP, we can make DP budgeting more efficient than in current systems that use a traditional DP definition. We incorporate Cookie Monster into Chrome and evaluate it on microbenchmarks and advertising datasets. Across workloads, Cookie Monster significantly outperforms baselines in enabling more advertising measurements under comparable DP protection.
@inproceedings{cookiemonster24,
  author = {Tholoniat, Pierre and Kostopoulou, Kelly and McNeely, Peter and Sodhi, Prabhpreet Singh and Varanasi, Anirudh and Case, Benjamin and Cidon, Asaf and Geambasu, Roxana and L\'{e}cuyer, Mathias},
  title = {Cookie Monster: Efficient On-Device Budgeting for Differentially-Private Ad-Measurement Systems},
  year = {2024},
  isbn = {9798400712517},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3694715.3695965},
  doi = {10.1145/3694715.3695965},
  booktitle = {Proceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles},
  pages = {693--708},
  numpages = {16},
  keywords = {differential privacy, budgeting, measurement},
  location = {Austin, TX, USA},
  series = {SOSP '24}
}