As major browsers phase out third-party cookies, emerging advertising APIs offer an opportunity to improve web privacy. Cookie Monster enhances existing advertising measurement APIs from major tech companies with more efficient differential privacy (DP) budgeting. By using an individual form of DP, our approach enables more accurate private measurement queries, with additional benefits in terms of user transparency and control. We prototyped Cookie Monster in Chrome, and our design has been incorporated into Mozilla’s draft for standardization at the W3C Private Advertising Technology Working Group.
References
2024
-
Cookie Monster: Efficient On-Device Budgeting for Differentially-Private Ad-Measurement Systems
Pierre Tholoniat, Kelly Kostopoulou, Peter McNeely, Prabhpreet Singh Sodhi, Anirudh Varanasi, Benjamin Case, Asaf Cidon, Roxana Geambasu, and Mathias Lécuyer
In Proceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles, 2024
With the impending removal of third-party cookies from major browsers and the introduction of new privacy-preserving advertising APIs, the research community has a timely opportunity to assist industry in qualitatively improving the Web’s privacy. This paper discusses our efforts, within a W3C community group, to enhance existing privacy-preserving advertising measurement APIs. We analyze designs from Google, Apple, Meta and Mozilla, and augment them with a more rigorous and efficient differential privacy (DP) budgeting component. Our approach, called Cookie Monster, enforces well-defined DP guarantees and enables advertisers to conduct more private measurement queries accurately. By framing the privacy guarantee in terms of an individual form of DP, we can make DP budgeting more efficient than in current systems that use a traditional DP definition. We incorporate Cookie Monster into Chrome and evaluate it on microbenchmarks and advertising datasets. Across workloads, Cookie Monster significantly outperforms baselines in enabling more advertising measurements under comparable DP protection.