1. Introduction
This document defines a simple API for browsers that enables the collection of aggregated, differentially-private metrics.
The primary goal of this API is to enable attribution for advertising.
1.1. Attribution
In advertising, attribution is the process of identifying actions that precede an outcome of interest, and allocating value to those actions .
Actions that are of interest to advertisers are primarily the showing of advertisements (also referred to as impressions ). Other actions include ad clicks (or other interactions) and opportunities to show ads that were not taken.
Desired outcomes for advertising are more diverse, as they include any result that an advertiser seeks to improve through the showing of ads. A desirable outcome might also be referred to as a conversion , which refers to "converting" a potential customer into a customer. What counts as a conversion could include sales, subscriptions, page visits, and enquiries.
For this API, actions and outcomes are both events: things that happen once. What is unique about attribution for advertising is that these events might not occur on the same site . Advertisements are most often shown on sites other than the advertiser’s site.
The primary challenge with attribution is in maintaining privacy. Attribution involves connecting activity on different sites. The goal of attribution is to find an impression that was shown to the same person before the conversion occurred.
If attribution information were directly revealed, it would enable unwanted cross-context recognition , thereby enabling tracking .
This document avoids cross-context recognition by ensuring that attribution information is aggregated using an aggregation service . The aggregation service is trusted to compute an aggregate without revealing the values that each person contributes to that aggregate.
Strict limits are placed on the amount of information that each browser instance contributes to the aggregates for a given site. Differential privacy is used to provide additional privacy protection for each contribution.
Details of aggregation service operation is included in § 7 Aggregation . The differential privacy design used is outlined in § 8 Differential Privacy .
1.2. Background
From the early days of the Web, advertising has been widely used to financially support the creation of sites.
One characteristic that distinguished the Web from other venues for advertising was the ability to obtain information about the effectiveness of advertising campaigns.
Web advertisers were able to measure key metrics like reach (how many people saw an ad), frequency (how often each person saw an ad), and conversions (how many people who saw the ad then later took the action that the ad was supposed to motivate). In comparison, these measurements were far more timely and accurate than for any other medium.
The cost of measurement performance was privacy. In order to produce accurate and comprehensive information, advertising businesses performed extensive tracking of the activity of all Web users. Each browser was given a tracking identifier, often using cookies that were logged by cross-site content. Every action of interest was logged against this identifier, forming a comprehensive record of a person’s online activities.
Having a detailed record of a person’s actions allowed advertisers to infer characteristics about people. Those characteristics made it easier to choose the right audience for advertising, greatly improving its effectiveness. This created a strong incentive to gather more information.
Online advertising is intensely competitive. Sites that show advertising seek to obtain the most money for each ad placement. Advertisers seek to place advertising where it will have the most effect relative to its cost. Any competitive edge gained by these entities—and the intermediaries that operate on their behalf—depends on having more comprehensive information about a potential audience.
Over time, actions of interest expanded to include nearly every aspect of online activity. Methods were devised to correlate that information with activity outside of the Web. An energetic trade has formed, with multiple purveyors of personal information that is traded for various purposes.
1.3. Goals
The goal of this document is to define a means of performing attribution for advertising that does not enable tracking.
1.4. End-User Benefit
The measurement of advertising performance creates new cross-site flows of information. That information flow creates a privacy risk or cost—of [cross-context recognition=]—that needs to be justified in terms of benefits to end users.
Any benefits realized by end users through the use of attribution are indirect.
End users that visit a website pay for "free" content or services primarily through their attention to any advertisements the site shows them. This "value" accrues to the advertiser, who in turn pays the site. The site is expected to use this money to support the provision of their content or services.
Participation in an attribution measurement system would comprise a secondary cost to Web users.
Support for attribution enables more effective advertising, largely by informing advertisers about what ads perform best, and in what circumstances. Those circumstances might include the time and place that the ad is shown, the person to whom the ad is presented, and the details of the ad itself.
Connecting that information to outcomes allows an advertiser to learn what circumstances most often lead to the outcomes they most value. That allows advertisers to spend more on effective advertising and less on ineffective advertising. This lowers the overall cost of advertising relative to the value obtained. [ONLINE-ADVERTISING]
Sites that provide advertising inventory, such as content publishers and service providers, indirectly benefit from more efficient advertising. Venues for advertising that are better able to show ads that result in the outcomes that advertisers seek can charge more for ad placements.
Sites that obtain support through the placement of advertisements are better able to provide quality content or services. Importantly, that support is derived unevenly from their audience. This can be more equitable than other forms of financial support. Those with a lower tendency or ability to spend on advertised goods obtain the same ad-supported content and services as those who can afford to pay. [EU-AD] [COPPACALYPSE]
The ability to supply "free" services supported by advertising has measurable economic benefit that derives from the value of those services. [FREE-GDP]
1.5. Collective Privacy Effect
The use of aggregation—if properly implemented—ensures that information provided to sites is about groups and not individuals.
The introduction of this mechanism therefore represents collective decision-making, in line with the idea of collective privacy .
Participation in attribution measurement carries a lower privacy cost when the group that participates is larger. This is due to the effect of aggregation on the ability of sites to extract information about individuals from aggregates. This is especially true for central differential privacy , which is the mathematical basis for the privacy design used in this specification.
Larger cohorts of participants also produce more representative—and therefore more useful—statistics about the advertising that is being measured.
If attribution is justified, both these factors motivate the enablement of attribution for all users.
Acting to enable attribution measurement by user agents will not be positively received by some people. Different people perceive the costs and benefits that come from engaging with advertising differently. The proposed design allows people the option of appearing to participate in attribution without revealing that choice to sites; see § 4.6.1 Optional Participation .
1.6. Attribution Using Histograms
Attribution attempts to measure correlation between one or more ad placements ( impressions ) and the outcomes that an advertiser desires.
When considered in the aggregate, information about individuals is not useful. Actions and outcomes need to be grouped.
The simplest form of attribution splits impressions into a number of groupings according to the attributes of the advertisement and counts the number of conversions. Groupings might be formed from attributes such as where the ad is shown, what was shown (the "creative"), when the ad was shown, or to whom.
These groupings and the tallies of conversions attributed to each form a histogram. Each bucket of the histogram counts the conversions for a group of ads.
Different groupings might be used for different purposes. For instance, grouping by creative (the content of an ad) might be used to learn which creative works best.
Adding a value greater than one at each conversion enables more than simple counts. Histograms can also aggregate values, which might be used to differentiate between different outcomes. The value that is allocated to impressions is called a conversion value . A higher conversion value might be used for larger purchases or any outcome that is more highly valued. A conversion value might also be split between multiple impressions to split credit, though this capability is not presently supported in the API.
2. Overview of Operation
The Attribution API provides aggregate information about the association between two classes of events: impressions and conversions .
An impression is any action that an advertiser takes on any website. The API does not constrain what can be recorded as an impression. Typical actions that an advertiser might seek to measure include:
- 
Displaying an advertisement. 
- 
Having a user interact with an advertisement in some way. 
- 
Not displaying an advertisement (especially for controlled experiments that seek to confirm whether an advertising campaign is effective). 
For the API, a conversion is an outcome that is being measured. The API does not constrain what might be considered to be an outcome. Typical outcomes that advertisers might seek to measure include:
- 
Making a purchase. 
- 
Signing up for an account. 
- 
Visiting a webpage. 
The remainder of this section describes how the Attribution API operates in conjunction with an aggregation service to produce an aggregate attribution measurement. That operation is illustrated in the following figure.
When an impression occurs, the saveImpression() method can be used to request that the browser save information. This includes an identifier for the impression and some additional information about the impression. For instance, advertisers might use additional information to record whether the impression was an ad view or an ad click.
At conversion time, a conversion report is created. A conversion report is an encrypted histogram contribution that includes information from any impressions that the browser previously stored.
The measureConversion() method accepts a simple query that is used to tell the browser how to construct a conversion report . That includes a simple query that selects from the impressions that the browser has stored, a conversion value that is allocated to the selected impression(s), and other information needed to construct the conversion report .
The histogram created by the conversion report is constructed as follows:
- 
If the query found no impressions, or the privacy budget for the site is exhausted, a histogram consisting entirely of zeros (0) is constructed. 
- 
If one or more matching impressions is found, the browser runs the last-n-touch attribution logic to select the relevant impression(s). The provided conversion value is added to a histogram at the bucket that was specified at the time of the attributed impression(s). All other buckets are set to zero. 
The browser updates the privacy budget store to reflect the reported conversion.
The resulting histogram is prepared for aggregation according to the requirements of the chosen aggregation service and returned to the site. This minimally involves encryption of the histogram.
A site that invokes this API will always receive a valid conversion report. As a result, sites learn nothing about what happened on other sites from this interaction.
The site can collect the encrypted histograms it receives from calls to this API and submit them to the aggregation service.
Upon receiving a set of encrypted histograms from a site, the aggregation service:
- 
confirms that it has not previously computed an aggregate from the provided inputs and that there are enough conversion reports, 
- 
adds the histograms, including sufficient noise , to produce a differentially-private aggregate histogram, and 
- 
returns the aggregate to the site. 
3. API Usage
A site using the Attribution API will typically register either impressions or conversions , but in some cases the same site may do both.
To register an impression, a site calls saveImpression() . No preparation is required to use this API beyond collecting parameter values, although it may be useful to examine the supported aggregationServices in deciding whether to use the Attribution API.
It
is
also
possible
to
register
an
impression
by
including
the
`
Save-Impression
`
header
in
the
HTTP
response
when
serving
a
resource
to
the
user
agent.
To
request
a
conversion
report,
a
site
calls
measureConversion()
.
Before
calling
this
API,
a
site
must
select
a
supported
aggregation
service
.
The
page
may
select
any
of
the
supported
services
found
in
aggregationServices
.
The
name
of
the
selected
service
must
be
supplied
as
the
aggregationService
member
of
the
AttributionConversionOptions
dictionary
when
calling
the
measureConversion()
method.
3.1. Site Identities
This API relies on the HTML definition of site as the primary scope over which it operates. Three types of sites are recognized:
- 
An impression site is the site that registers an impression. This impression site is derived from the top-level origin of the relevant settings object at the time that saveImpression()is invoked to store an impression .
- 
A conversion site is the site where a conversion occurs. The conversion site is derived from the top-level origin of the relevant settings object at the time that measureConversion()is invoked.
- 
An intermediary site is a site that calls the API from any cross-site frame, such as an iframe . The intermediary site is derived from the origin of the relevant settings object at the time that either saveImpression()ormeasureConversion()is invoked, unless this origin is same site with the impression site or conversion site , respectively.
This API uses site rather than origin because it depends on associating all activity that might have privacy consequences with a single entity. Features like cookies allow privacy-relevant information to be exchanged freely by same site origins , which could otherwise be used to exceed privacy budgets .
3.2. Navigator Interface
All
functionality
for
this
API
is
attached
to
the
attribute.
navigator
.
attribution
partial interface Navigator { [SecureContext ,SameObject ]readonly attribute Attribution ; };attribution 
This provides three key functions:
- 
A list of browser-supported aggregation functions ( § 3.3 Finding a Supported Aggregation Service ) 
- 
A means of asking the browser to save impressions ( § 3.4 Saving Impressions ) 
- 
A method to request conversion measurement ( § 3.5 Requesting Attribution for a Conversion ) 
3.3. Finding a Supported Aggregation Service
The
aggregationServices
attribute
contains
a
set
of
aggregation
services
supported
by
the
user
agent
.
The
page
must
select
and
specify
one
of
these
services
when
calling
the
measureConversion()
method.
It
may
also
be
useful
to
query
the
supported
services
before
registering
an
impression,
but
that
is
not
required,
and
impressions
are
not
scoped
to
a
single
aggregation
service.
A site might have a preference order for the aggregation services that it uses. The following code iterates over a preference list and finds one that the user agent supports.
const preferredServices= [ "https://aggregator.example/tee" , "https://aggregator.example/dap" , "https://example.com/aggregator" , ]; const supportedServices= navigator. attribution? . aggregationServices; const serviceUrl= preferredServices. find( url=> supportedServices? . has( url)); 
If
the
user
agent
supports
the
URL
and
if
it
includes
one
of
the
preferred
services,
the
first
preferred
service
is
saved
in
a
variable
named
serviceUrl
.
Otherwise,
serviceUrl
will
remain
undefined
.
enum AttributionAggregationProtocol {"dap-15-histogram" ,"tee-00" };dictionary {AttributionAggregationService required DOMString protocol ; }; [SecureContext ,Exposed =Window ]interface {AttributionAggregationServices readonly maplike <USVString ,AttributionAggregationService >; }; [SecureContext ,Exposed =Window ]interface {Attribution readonly attribute AttributionAggregationServices aggregationServices ; };
The aggregationServices attribute is a mapping from URLs that identify an aggregation service to metadata about that service:
- 
protocol, of type DOMString
- 
The
protocolthat the aggregation service uses. Different versions of the same protocol use different values. Even if a single service provider supports multiple protocols, each needs to use a different URL. This ensures that each can be uniquely identified by URL without also specifying the choice of protocol.
The
URL
is
passed
as
the
aggregationService
parameter
to
measureConversion()
to
select
the
identified
aggregation
service.
The
AttributionAggregationProtocol
describes
the
submission
protocol
used
by
different
aggregation
services
.
This
document
defines
two
protocols:
- 
dap-15-histogram
- A DAP-based protocol [DAP] that uses MPC ; see § 7.1 Multi-Party Computation Aggregation .
- 
tee-00
- A protocol for submission to a TEE ; see § 7.2 Trusted Execution Environments .
3.4. Saving Impressions
The saveImpression() method requests that the user agent record an impression in the impression store .
In
this
case,
the
site
saves
the
impression
directly,
identifying
the
advertiser
(
advertiser.example
)
and
including
information
that
is
negotiated
by
the
advertiser.
In
the
following
example,
this
includes
the
matchValue
value
(2)
that
the
advertiser
might
later
use
to
select
this
advertisement,
the
index
of
the
histogram
(
histogramIndex
=
3)
into
which
to
include
any
attributed
value,
and
a
retention
period
(
lifetimeDays
=
7)
that
is
at
least
as
long
as
the
advertiser
requires.
navigator. attribution. saveImpression({ histogramIndex: 3 , matchValue: 2 , conversionSites: [ "advertiser.example" ], lifetimeDays: 7 , }); 
Alternatively, an intermediary, such as a Supply-Side Platform (SSP) or Demand-Side Platform (DSP), might call the same API from an iframe . Making the same API call from a frame results in saving the intermediary site identity with the impression.
dictionary {AttributionImpressionOptions required unsigned long histogramIndex ;unsigned long matchValue = 0;sequence <USVString >conversionSites = [];sequence <USVString >conversionCallers = [];unsigned long lifetimeDays = 30;long priority = 0; };dictionary { }; [AttributionImpressionResult SecureContext ,Exposed =Window ]partial interface Attribution {Promise <AttributionImpressionResult >saveImpression (AttributionImpressionOptions ); };options 
The arguments to saveImpression() are as follows:
- 
histogramIndex, of type unsigned long
- If measureConversion() matches this impression with a subsequent conversion , the conversion value will be added to the histogram bucket identified by this index.
- 
matchValue, of type unsigned long , defaulting to0
- An optional piece of metadata associated with the impression. The value can be used to identify which impressions may receive attribution from a conversion .
- 
conversionSites, of type sequence< USVString >, defaulting to[]
- The top-level conversion sites where conversions for this impression may occur, identified by their domain names. The measureConversion() method will only attribute to this impression when called by one of the indicated sites. If empty, any conversion site will match.
- 
conversionCallers, of type sequence< USVString >, defaulting to[]
- The intermediary sites or conversion sites that are able to select this impression for conversion , identified by their domain names. The measureConversion() method will only attribute to this impression when called by one of the indicated sites. This option includes both conversion sites and intermediary sites . If empty, any site that invokes the API will match.
- 
lifetimeDays, of type unsigned long , defaulting to30
- A positive "time to live" (in days) after which the impression can no longer receive attribution. The user agent should impose an upper limit on the lifetime, and silently reduce the value specified here if it exceeds that limit.
- 
priority, of type long , defaulting to0
- An integer used to sort impressions during attribution.
3.5. Requesting Attribution for a Conversion
The measureConversion() method requests that the user agent perform attribution for a conversion , and return a conversion report .
The measureConversion() method always returns a conversion report, regardless of whether matching impression(s) are found. If there is no match, or if differential privacy disallows reporting the attribution, the returned conversion report will not contribute to the histogram, i.e., will be uniformly zero.
To
request
the
creation
of
an
encrypted
measurement,
the
site
invokes
the
measureConversion()
method.
This function takes four different types of input:
- 
The selected aggregation service, which is identified using a URL. The example process for selecting an aggregation service shows how to select a service that the browser supports. const serviceDetails= { aggregationService: serviceUrl, }; 
- 
Details of the aggregated measurement. These values will be consistent for all invocations of the API across multiple browsers. This includes the size of the histogram and the amount of privacy budget that might have been expended. const aggregatedMeasurementDetails= { histogramSize: 20 , epsilon: 1 , }; 
- 
A set of attributes, all optional , that select the impressions to consider. This includes how old impressions can be ( lookbackDays), the impression sites that might have saved impressions (impressionSites), the intermediary sites that might have saved impressions (impressionCallers), and the choice ofmatchValues.const selectionDetails= { lookbackDays: 14 , impressionSites: [ "publisher.example" , "other.example" ], impressionCallers: [ "ad-tech.example" ], matchValues: [ 2 ], }; 
- 
The attribution logic parameters. const attributionDetails= { // top impression's histogram index gets 50% of value, the next two 25% each credit: [ .5 , .25 , .25 ], value: 3 , maxValue: 7 , }; 
Once these values are decided, the site invokes the API to obtain an encrypted conversion report .
const measurement= await navigator. attribution. measureConversion({ ... serviceDetails, ... aggregatedMeasurementDetails, ... selectionDetails, ... attributionDetails, }); sendReportToServer( measurement. report); 
This report can be collected, along with other reports from this browser and other browsers. Collected reports can then all be submitted to an aggregation service to obtain an aggregate histogram .
dictionary {AttributionConversionOptions required USVString aggregationService ;double epsilon = 1.0;required unsigned long histogramSize ;unsigned long lookbackDays ;sequence <unsigned long >matchValues = [];sequence <USVString >impressionSites = [];sequence <USVString >impressionCallers = [];sequence <double >credit ;unsigned long value = 1;unsigned long maxValue = 1; };dictionary {AttributionConversionResult required Uint8Array ; }; [report SecureContext ,Exposed =Window ]partial interface Attribution {Promise <AttributionConversionResult >measureConversion (AttributionConversionOptions ); };options 
The arguments to measureConversion() are as follows:
- 
aggregationService, of type USVString
- A selection from the aggregation services that can be found in aggregationServices .
- 
epsilon, of type double , defaulting to1.0
- The amount of privacy budget to expend on this conversion report .
- 
histogramSize, of type unsigned long
- The number of histogram buckets to use in the conversion report .
- 
lookbackDays, of type unsigned long
- 
A
positive
integer
number
of
days.
Only
impressions
occurring
within
the
past
lookbackDaysmay match this conversion . If omitted, it is equivalent to the maximum lookback .
- 
matchValues, of typesequence<unsigned long>, defaulting to[]
- A set of match values that can be used to select this impression .
- 
impressionSites, of type sequence< USVString >, defaulting to[]
- A set of impression sites. Only impressions recorded where the impression site is in this set are eligible to match this conversion . If empty, any site will match.
- 
impressionCallers, of type sequence< USVString >, defaulting to[]
- A set of sites, both impression sites and intermediary sites , that might have called the saveImpression() API. If not empty, only impressions recorded by one of the listed sites are eligible to match this conversion .
- 
credit, of type sequence< double >
- A list of numbers.
- 
value, of type unsigned long , defaulting to1
- The conversion value . If an attribution is made and privacy restrictions are satisfied, this value will be encoded into the conversion report .
- 
maxValue, of type unsigned long , defaulting to1
- The maximum conversion value across all contributions included in the aggregation. Together with epsilon, this is used to calibrate the distribution of random noise that will be added to the outcome. It is also used to determine the amount of privacy budget to expend on this conversion report .
3.6. Role of Intermediaries
This API has support for its operation by intermediaries on behalf of top-level sites . Advertising is frequently delegated to independent operators that are responsible for placement, bidding, and measurement.
Impressions that are saved by an intermediary record the identity of the intermediary site . When selecting impressions for conversion measurement , the intermediary site identity can be used to select impressions.
3.7. Histogram Construction
Conceptually, each saved impression has a single histogram definition. Each impression has a single Histogram Index attribute that determines where the value allocated to that impression appears in the resulting histogram .
Each
invocation
of
measureConversion()
therefore
needs
to
select
impressions
that
have
the
same
histogram
definition.
Though
this
applies
to
all
uses
of
the
API,
consistent
definition
of
histograms
is
especially
important
when
impressions
are
saved
and
measured
by
multiple
intermediaries
.
All
impressions
that
might
be
selected
when
invoking
measureConversion()
need
to
use
the
same
histogram
definition.
The
API
provides
several
tools
for
ensuring
that
only
the
right
impressions
are
chosen.
For saved impressions :
- 
Match values can be used to separate impressions by histogram definition. 
- 
Use of an impression for conversion can be restricted to be visible only to measureConversion()on a set of conversion sites .
- 
Use of an impression for conversion can be restricted to be visible only to measureConversion()invoked by a set of sites .
As part of common matching logic at the point of conversion :
- 
a set of match values , limits the set of impressions . 
- 
A set of Impression Sites , restricts the impression sites where impressions were saved. 
- 
A set of Impression Callers , restricts the set of conversion sites or intermediary sites that saved impressions . 
These
options
provide
sites
with
flexibility
in
how
attribution
selects
histograms.
It
does
not
preclude
the
use
of
different
histograms
by
a
conversion
site
.
Multiple
impressions
can
be
saved
with
different
histogram
definitions
provided
that
measureConversion()
invocations
never
select
impressions
with
different
histogram
definitions.
This
ensures
that
conversions
can
be
attributed
to
multiple
histograms
by
invoking
measureConversion()
multiple
times.
3.8. Permissions Policy Integration
The ability to delegate to an intermediary is controlled by Permission Policy .
This specification defines two policy-controlled features :
- 
Invocation of the saveImpression() API, identified by the string " save-impression
- 
Invocation of the measureConversion() API, identified by the string " measure-conversion
The
default
allowlist
for
both
of
these
features
is
*
.
Having separate permissions for saveImpression() and measureConversion() allows pages that do both to limit subresources to the expected kind of activity.
Enabling permissions by default simplifies the task of integrating external services.
Permissions policy provides only all-or-nothing control; it does not enable delegation of a portion of privacy budget.
4. API Internals
4.1. Impression Store
The impression store is used by the measureConversion() method to find matching impressions .
Though this API enables the storage of data by sites, the impression store does not use a storage key .
4.1.1. Contents
The impression store is a set of impressions :
| Match Value | The 
matchValue
passed
to
saveImpression()
. | 
|---|---|
| Impression Site | The impression site where saveImpression() was called. | 
| Intermediary Site | The
intermediary
site
that
called
saveImpression()
,
or 
undefined
if
the
API
was
invoked
by
the
impression
site
. | 
| Conversion Sites | The set of conversion sites that were passed to saveImpression() . | 
| Conversion Callers | The set of sites, either conversion sites or intermediary sites , that can select this impression when invoking measureConversion() . | 
| Timestamp | The time at which saveImpression() was called. | 
| Lifetime | The duration an impression remains eligible for attribution, either from the call to saveImpression() , or a user agent -defined limit. | 
| Histogram Index | The histogram index passed to saveImpression() . | 
| Priority | An integer used to sort impressions during attribution. | 
4.1.2. Maintenance
The user agent should periodically use the timestamp and lifetime values to identify and delete any impressions in the impression store that have expired.
It is not necessary to remove impressions immediately upon expiry, as long as measureConversion() excludes expired impressions from attribution . However, the user agent should not retain expired impressions indefinitely.
4.1.3.
Clear-Site-Data
Integration
The
`
Clear-Site-Data
`
field
[CLEAR-SITE-DATA]
gives
sites
the
ability
to
remove
state
maintained
by
a
user
agent
.
The
`
"impressions"
`
type
is
added
to
the
list
of
recognized
types,
defined
in
Clear
Site
Data
§ 3.1
The
Clear-Site-Data
HTTP
Response
Header
Field
.
When
the
clear
site
data
for
response
algorithm
is
invoked,
if
the
list
of
types
contains
`
"impressions"
`,
the
clear
impressions
for
a
conversion
site
is
invoked,
passing
the
origin
.
- 
If origin is not a tuple origin with a scheme of https ,, return.
- 
Let site be the value returned by invoking obtain a registrable domain , passing theorigin ’s hostpart of the origin tuple .part.
- 
For each impression impression of the impression store : - 
If impression has an’s Intermediary Site isundefinedand its Impression Site is equal to site , remove impression from the impression store and continue .
- 
If impression has a Conversion Sites set that does not containan Intermediary Sitethe valueequal to site , remove impression from the impression store and continue .
- 
If the size ofimpression ’s Conversion Sitesis greater than one, removecontains site :- Remove site from impression ’s Conversion Sites . 
- If impression ’s Conversion Sites is empty , remove impression from the impression store and continue . 
 
- 
Otherwise,If impression ’s Conversion Callers contains site :- Remove site from impression ’s Conversion Callers . 
- If impression ’s Conversion Callers is empty , remove impression from the impression store and continue . 
 
 
- 
This process does not remove impressions that are saved with an empty set of Conversion Sites .
4.1.4. Site Names
The impression store saves information about three types of site : the impression site , an optional intermediary site , and a set of conversion sites .
These
sites
MUST
all
be
in
scheme-and-host
form,
with
a
scheme
of
"
https
".
This
means
that
a
simple
string
serialization
of
a
host
is
sufficient
to
identify
the
site.
The
API
is
therefore
able
to
use
a
simple
string
to
represent
sites
.
It is also possible for an implementation to internally represent sites using just the host part of the tuple.
- 
Let host be the value returned by invoking host parser , passing input . 
- 
If host is failure, return failure. 
- 
Let site be the value returned by obtain a registrable domain , passing host . 
- 
If site is null, return failure. 
- 
Return a scheme-and-host tuple of (" https", site ).
This
algorithm
successfully
produces
a
site
from
strings
that
contain
more
domain
labels
than
the
registrable
domain
.
For
example,
"
extra.example.com
"
is
parsed
as
"
example.com
".
4.2. State For Privacy Budget Management
User agents maintain three pieces of state that are used to manage the expenditure of privacy budgets :
- 
The privacy budget store records the state of the per- site and per- epoch privacy budgets . It is updated by deduct privacy budget . 
- 
The epoch start store records when each epoch starts for conversion sites . This store is initialized as a side effect of invoking measureConversion() . 
- 
A singleton last browsing history clear value that tracks when the browsing activity for a site was last cleared. 
Like the impression store , the privacy budget store does not use a storage key . These stores have some additional constraints on how information is cleared; see § 10.6 Clearing API State for details.
The safety limits need to be described in more detail. Some references to clearing the impression store may need to be updated to refer to the privacy budget store as well.
4.2.1. Privacy Budget Store
The privacy budget store is a map whose keys are privacy budget keys and whose values are 32-bit unsigned integers . These integers store a value in units microepsilons . A microepsilon is one-millionth of the unitary epsilon value used in differential privacy [DP] .
The choice of a 32-bit integer restricts the setting of epsilon to be less than or equal to the maximum epsilon of 4294. This should be more than sufficient for implementations.
A privacy budget key is a tuple consisting of the following items:
- epoch index
- 
An epoch index 
- site
- 
A site 
- 
If the privacy budget store does not contain key , set its value of key to be a user agent -defined value, plus 1000. The addition of 1000 to this value ensures that the rounding errors added by this algorithm do not cause the budget to be exceeded unnecessarily after multiple invocations. The privacy loss from the additional one-thousandth of an epsilon is trivial. 
- 
Let currentValue be the result of getting the value of key in the privacy budget store . 
- 
Let sensitivity be l1Norm if l1Norm is non-null, 2 * value otherwise. 
- 
Let noiseScale be 2 * maxValue / epsilon . 
- 
Let deductionFp be sensitivity / noiseScale . 
Single epoch attributions — the only case that l1Norm is non-null — do not cause any cascading effects across epochs. Attribution that involves multiple epochs consumes double the budget because of the potential for one change to affect attribution across epochs. Doubling the deduction assumes that Laplace noise proportional to maxValue / epsilon is added to the aggregated histogram.
- 
If deductionFp is negative or greater than maximum epsilon , set the value of key in the privacy budget store to 0 and return false. 
- 
Let deduction be deductionFp * 1000000, rounded towards positive Infinity. 
- 
If deduction is greater than currentValue , set the value of key in the privacy budget store to 0 and return false. 
- 
Set the value of key in the privacy budget store to currentValue − deduction and return true. 
4.2.2. Epoch Start Store
An epoch starts at a randomly-selected time for each conversion site . This ensures that any bias in aggregates that arises from a privacy budget reaching zero is averaged across all the contributions from all users .
The epoch start store is a map keyed by site and contains values that are moments from the wall clock .
A privacy budget epoch (or epoch ) identifies a period of time. The length of an epoch is fixed at one week or 7 days , where a day is defined as 86400 seconds.
The exact time span for an epoch is different for each combination of user agent and site . The start time for a given pair of user agent and site is chosen randomly by the user agent when an epoch is first needed—as a side effect of invoking the get the current epoch algorithm. The epochs for a given site will change if the user agent clears browsing history; see § 10.6.2 Clearing Browsing History .
An epoch index is an integer that refers to a given epoch . An epoch index is used to access the impression and epoch start stores.
Epoch indices are stored as integers relative to a set reference point. The epoch indices in this specification use the values from the epoch start store as a reference point. A user agent could choose to use a different moment to indicate a "zero" or reference epoch .
The algorithms in this specification all use concrete epoch indices , rather than the more abstract epoch . Points in time are translated to an epoch index for the corresponding epoch using the get the current epoch algorithm.
- 
If the epoch start store does not contain site , set its value to t , minus a duration that is randomly selected from between 0 (inclusive) and period (exclusive). 
- 
Let start be the result of getting the value of site from the epoch start store . 
- 
Let elapsed be ( t − start ) / period . 
- 
Return elapsed as an integer, rounded towards negative Infinity. 
4.2.3. Last Browsing History Clear Time
The last browsing history clear is a moment using the wall clock that tracks when browsing history was last cleared. The last browsing history clear value is updated to the current coarsened wall time when any site -level state is cleared at the request of a user . The value is initially unset.
As an optional optimization, updating the last browsing history clear can be skipped if all of the following are true:
- 
All interactions that are cleared are with sites that have other uncleared interactions. 
- 
All cleared interactions occurring during epochs where other interactions with the same site were retained. 
- 
All affected sites have a value in the epoch start store . 
If all three conditions are true, the last browsing history clear does not need to be updated. Instead, the privacy budget store must be updated by setting a value of 0 for all privacy budget key combinations that can be formed from every affected site and epoch (using the corresponding epoch index ).
This optimization relies on the user agent having retained information about interactions with affected sites in the affected epochs . This only works because any of the retained interactions could have resulted in exhausting the budget. Resetting the budget is necessary to ensure that no information about the gap in browsing history is exposed.
- 
Let earliestEpochIndex be the result of get the current epoch with site and now − the maximum lookback days . This ensures that all possible impressions can be queried. 
- 
Let startEpoch be earliestEpochIndex . 
- 
If the last browsing history clear is set, perform the following steps: - 
Let clearEpoch be the result of get the current epoch with site and the value of last browsing history clear . This use of get the current epoch can return a negative value. This is because the value in epoch start store is likely to be set to a time after history was last cleared. 
- 
Set clearEpoch to clearEpoch + 2. Adding two is necessary so that the epoch does not overlap with an epoch before browsing history—and the epoch start store —was cleared. 
- 
If clearEpoch is greater than startEpoch , return clearEpoch . 
 
- 
- 
Return startEpoch . 
- 
If forgetVisits is false: - 
Assert : sites is not empty . 
- 
For each site in sites : - 
Let startingEpoch be the result of invoking get the starting epoch for attribution given site and now . 
- 
Let currentEpoch be the result of invoking get the current epoch given site and now . 
- 
For each epoch in the inclusive range from startingEpoch to currentEpoch : - 
Let key be the privacy budget key formed from site and epoch . 
- 
Set privacy budget store [ key ] to 0. 
 
- 
 
- 
- 
Return. 
 
- 
- 
If sites is empty : - 
Clear the impression store . 
- 
Clear the privacy budget store . 
- 
Clear the epoch start store . 
 
- 
- 
If sites is not empty : - 
For each impression in the impression store , if sites contains impression ’s impression site , remove impression from the impression store . 
- 
For each key in the keys of the privacy budget store , if sites contains the site component of key , remove privacy budget store [ key ]. 
- 
For each key in the keys of the epoch start store , if sites contains key , remove epoch start store [ key ]. 
 
- 
- 
Set the last browsing history clear to now . Setting the last browsing history clear while only clearing state for some sites (that is, when sites is not empty ) will make some impressions unreachable for sites that are not present in that set. 
4.3. Save Impression Algorithm
saveImpression(
options
)
method
steps
are:
- 
Let realm be this ’s relevant realm . 
- 
If this ’s relevant global object ’s associated Document is not allowed to use the policy-controlled feature named " save-impression", return a promise rejected with a"NotAllowedError"DOMExceptionin realm .
- 
Let settings be this ’s relevant settings object . 
- 
Collect the implicit API inputs from settings : - 
Let timestamp be settings ’ current wall time . 
- 
The impression site site is set to the result of obtaining a site from the top-level origin . 
- 
The intermediary site intermediarySite is set to - 
a value of undefinedif the origin is same site with the top-level origin ,
- 
otherwise, the result of obtaining a site from settings ’ origin . 
 
- 
 
- 
- 
Validate the page-supplied API inputs: - 
If options . histogramIndexis greater than or equal to the implementation-defined maximum histogram size , return a promise rejected with aRangeErrorin realm .
- 
If options . lifetimeDaysis 0, return a promise rejected with aRangeErrorin realm .
- 
Clamp options . lifetimeDaysto the maximum lookback .
- 
If the size of options . conversionSitesis greater than an implementation-defined maximum value, return a promise rejected with aRangeErrorin realm .
- 
Let conversionSites be the set that is the result of invoking parse a site for each value in options . conversionSites.
- 
If any result in conversionSites is failure, return a promise rejected with a "SyntaxError"DOMExceptionin realm .
- 
If the size of options . conversionCallersis greater than an implementation-defined maximum value, return a promise rejected with aRangeErrorin realm .
- 
Let conversionCallers be the set that is the result of invoking parse a site for each value in options . conversionCallers.
- 
If any result in conversionCallers is failure, return a promise rejected with a "SyntaxError"DOMExceptionin realm .
 
- 
- 
Run the following steps in parallel : - 
Construct impression as a saved impression comprising: - Match Value
- 
options . matchValue
- Impression Site
- 
site 
- Intermediary Site
- 
intermediarySite 
- Conversion Sites
- 
conversionSites 
- Conversion Callers
- 
conversionCallers 
- Timestamp
- 
timestamp 
- Lifetime
- 
options . lifetimeDaysdays
- Histogram Index
- 
options . histogramIndex
- Priority
- 
options . priority
 
- 
If the Attribution API is enabled , save impression to the impression store . 
 
- 
- 
Let result be a new AttributionImpressionResult.
- 
Return a promise resolved with result in realm . 
saveImpression() does not return a status indicating whether the impression was recorded. This minimizes the ability to detect when the Attribution API is disabled . Similarly, resolution of the returned promise is not predicated on saving impression to the impression store in order to avoid timing side channels related to the number of existing impressions and whether the API is enabled.
4.4. Measure Conversion Algorithm
The measureConversion() method completes asynchronously, queuing work on the Attribution task source .
measureConversion(
options
)
method
steps
are:
- 
Let realm be this ’s relevant realm . 
- 
If this ’s relevant global object ’s associated Document is not allowed to use the policy-controlled feature named " measure-conversion", return a promise rejected with a"NotAllowedError"DOMExceptionin realm .
- 
Let settings be this ’s relevant settings object . 
- 
Collect the implicit API inputs from settings : - 
Let now be settings ’ current wall time . 
- 
Let topLevelSite (the conversion site ) be the result of obtaining a site from the top-level origin . 
- 
Let intermediarySite be: - 
a value of undefinedif the origin is same site with the top-level origin ,
- 
otherwise, the result of obtaining a site from settings ’ origin . 
 
- 
 
- 
- 
Let validatedOptions be the result of validating options , returning a promise rejected with any thrown reason. 
- 
Let promise be a new promise in realm . 
- 
Run the following steps in parallel : - 
Let report be the result of invoking create an all-zero histogram with validatedOptions ’ histogram size . 
- 
If the Attribution API is enabled , set report to the result of do attribution and fill a histogram with validatedOptions , topLevelSite , intermediarySite , and now . 
- 
Let aggregationService be validatedOptions ’s aggregation service . 
- 
Switch on the value of aggregationService . protocol:- 
dap-15-histogram
- 
Perform the following steps: - 
Let encryptedReport be the result of invoking construct a DAP report , given validatedOptions , topLevelSite , now , and report . 
 
- 
- 
tee-00
- 
Perform the following steps: - 
TODO: see #130 
 
- 
 
- 
- 
Let result be a AttributionConversionResultwith the following items:- 
report
- 
encryptedReport 
 
- 
- 
Queue a task on the Attribution task source to resolve promise with result . 
 
- 
- 
Return promise . 
Validated conversion options is a struct with the following fields:
| Aggregation Service | An
instance
of 
AttributionAggregationService
. | 
|---|---|
| Epsilon | A finite positive number. | 
| Histogram Size | A 32-bit unsigned integer . | 
| Lookback | A positive duration . | 
| Match Values | A set of 32-bit unsigned integers . | 
| Impression Sites | A set of sites . | 
| Impression Callers | A set of sites . | 
| Credit | A list of numbers. | 
| Value | A 32-bit unsigned integer . | 
| Max Value | A 32-bit unsigned integer . | 
AttributionConversionOptions
options
:
- 
If aggregationServices does not contain an entry with a key of options . aggregationService, throw aReferenceError.
- 
Let aggregationService be the result of getting the value from AttributionAggregationServices, given options .aggregationService.
- 
If options . epsilonis less than or equal to 0 or is greater than maximum epsilon , throw aRangeError.
- 
If options . histogramSizeis 0 or greater than the implementation-defined maximum histogram size , or is greater than the maximum aggregation-service histogram size , if any, for options .aggregationService, throw aRangeError.
- 
If options . valueis 0, throw aRangeError.
- 
If options . valueis greater than options .maxValue, throw aRangeError.
- 
Let credit be options . creditif it exists , «1» otherwise.
- 
If credit is empty , throw a RangeError.
- 
If any of the items of credit are less than or equal to 0, throw a RangeError.
- 
If the size of credit exceeds an implementation-defined maximum, throw a RangeError.
- 
Let lookback be options . lookbackDaysdays if it exists , the maximum lookback days otherwise.
- 
Set lookback to the maximum lookback days if it is larger than that maximum. 
- 
If lookback is 0 days , throw a RangeError.
- 
If the size of options . matchValuesis greater than an implementation-defined maximum value, throw aRangeError.
- 
Let matchValues be the result of running creating a set with options . matchValues.
- 
If the size of options . impressionSitesis greater than an implementation-defined maximum value, throw aRangeError.
- 
Let impressionSites be the set that is the result of invoking parse a site for each value in options . impressionSites.
- 
If any result in impressionSites is failure, throw a "SyntaxError"DOMException.
- 
If the size of options . impressionCallersis greater than an implementation-defined maximum value, throw aRangeError.
- 
Let impressionCallers be the set that is the result of invoking parse a site for each value in options . impressionCallers.
- 
If any result in impressionCallers is failure, throw a "SyntaxError"DOMException.
- 
Return a validated conversion options with the following fields: - Aggregation Service
- 
aggregationService 
- Epsilon
- 
options . epsilon
- Histogram Size
- 
options . histogramSize
- Lookback
- 
lookback 
- Match Values
- 
matchValues 
- Impression Sites
- 
impressionSites 
- Impression Callers
- 
impressionCallers 
- Credit
- 
credit 
- Value
- 
options . value
- Max Value
- 
options . maxValue
 
4.4.1. Attribution Logic
Attribution logic determines how the conversion value is allocated to histogram buckets.
undefined
intermediarySite
,
and
moment
now
:
- 
Let currentEpoch be the result of get the current epoch with topLevelSite and now . 
- 
Let startEpoch be the result of get the starting epoch for attribution with topLevelSite and now . 
- 
Let earliestEpoch be the result of calling get the current epoch , passing topLevelSite and ( now − options ’ lookback ). 
- 
Let singleEpoch be true if currentEpoch is equal to earliestEpoch , false otherwise. 
- 
If singleEpoch is true: - 
Set matchedImpressions to the result of invoking common matching logic with options , topLevelSite , intermediarySite , currentEpoch , and now . 
 
- 
- 
If singleEpoch is false: - 
For each epoch from startEpoch to currentEpoch , inclusive: - 
Let impressions be the result of invoking common matching logic with options , topLevelSite , intermediarySite , epoch , and now . 
- 
If impressions is not empty : - 
Let key be a privacy budget key whose items are epoch and topLevelSite . 
- 
Let budgetOk be the result of invoking deduct privacy budget with key , options ’ epsilon , options ’ value , options ’s max value , and null. 
- 
If budgetOk is true, extend matchedImpressions with impressions . 
 
- 
 
- 
 
- 
- 
If matchedImpressions is empty , return the result of invoking create an all-zero histogram with options ’ histogram size . 
- 
Set histogram to the result of fill a histogram with last-n-touch attribution with matchedImpressions , options ’ histogram size , options ’ value , and options ’ credit . 
- 
If singleEpoch is true: - 
Let l1Norm be the sum of the items in histogram . 
- 
Let key be a privacy budget key whose items are currentEpoch and topLevelSite . 
- 
Let budgetOk be the result of deduct privacy budget with key , options ’ epsilon , options ’ value options ’s max value , and l1Norm . 
- 
If budgetOk is false, set histogram to the result of invoking create an all-zero histogram with options ’ histogram size . 
 
- 
- 
Return histogram . 
4.4.2. Common Impression Matching Logic
undefined
intermediarySite
,
epoch
index
epoch
,
and
moment
now
:
- 
For each impression in the impression store : - 
Let impressionEpoch be the result of calling get the current epoch , passing topLevelSite and impression ’s timestamp . 
- 
If impressionEpoch is not equal to epoch , continue . 
- 
If now is after impression ’s timestamp plus impression ’s lifetime , continue . 
- 
If now is after impression ’s timestamp plus options ’ lookback , continue . 
- 
If impression ’s conversion sites is not empty and does not contain topLevelSite , continue . 
- 
Let conversionCaller be intermediarySite if it is not undefined, topLevelSite otherwise.
- 
If impression ’s conversion callers is not empty and does not contain conversionCaller , continue . 
- 
If options ’ match values is not empty and does not contain impression ’s match value , continue . 
- 
If options ’ impression sites is not empty and does not contain impression ’s impression site , continue . 
- 
Let impressionCaller be impression ’s intermediary site if it is not undefined, impression ’s impression site otherwise.
- 
If options ’ impression callers is not empty and does not contain impressionCaller , continue . 
- 
Append impression to matching . 
 
- 
- 
Return matching . 
4.4.2.1. Last-N-Touch Attribution
- 
Let sumCredit be the sum of credit ’s items . 
- 
Let roundedCredit be a new list . 
- 
For each item of credit : - 
Let normalizedCredit be value * item / sumCredit . 
- 
Append normalizedCredit to roundedCredit . 
 
- 
- 
Let idx1 be 0. 
- 
For each n of get the indices of roundedCredit , removing the first item : - 
Let idx2 be n . 
- 
Let frac1 be roundedCredit [ idx1 ] − floor( roundedCredit [ idx1 ]). 
- 
Let frac2 be roundedCredit [ idx2 ] − floor( roundedCredit [ idx2 ]). 
- 
If frac1 and frac2 are both equal to zero, continue . 
- 
If frac1 + frac2 is greater than 1, let incr1 be 1 − frac1 and incr2 be 1 − frac2 . 
- 
Otherwise, let incr1 be − frac1 and incr2 be − frac2 . incr1 denotes the amount to increment roundedCredit [ idx1 ] so that it is integral, and similar for incr2 and idx2 . Note that these values can be negative. 
- 
Let p1 be incr2 / ( incr1 + incr2 ). The value p1 denotes the probability that the item in idx1 is rounded to an integer. Divide by zero occurs when incr1 + incr2 is 0, which is only possible if both frac1 and frac2 are integers (either both 0 or 1 exactly). In this case idx2 does not need to be rounded, so we just skip it. 
- 
Let r be a random double between 0 and 1 (inclusive). 
- 
If r is less than p1 , let incr be incr1 and swap the values of idx1 and idx2 . 
- 
Otherwise, let incr be incr2 . 
- 
Increment roundedCredit [ idx2 ] by incr . 
- 
Decrement roundedCredit [ idx1 ] by incr . 
 
- 
- 
Let integerCredit be the result of converting every item from roundedCredit into an integer by rounding to the nearest integer, and rounding halfway cases away from zero. 
- 
Return integerCredit . This final rounding step is only here in cases where tiny floating-point addition and subtraction errors do not completely remove the fractional part for roundedCredit [ idx1 ]. The rounding mode at half will never actually occur, and is chosen to match C++ std::roundbehavior for ease of implementation.The algorithm aims to 1) allocate exactly value total value across assignments, 2) maintain the property that the expected value of integerCredit is exactly equal to the normalized credit (i.e. credit * value / sumCredit where * denotes element-wise multiplication) 3) never incur an error greater than 1 to any assignment. 
- 
Let sortedImpressions be matchedImpressions , sorted in descending order by priority , then by timestamp . 
- 
Let N be the minimum of the size of credit , and the size of sortedImpressions . 
- 
Let lastNImpressions be the first N entries of sortedImpressions . 
- 
Remove all but the first N entries of credit . 
- 
Let normalizedCredit be the result of fairly allocating credit with credit and value . 
- 
Let histogram be the result of invoking create an all-zero histogram with histogramSize . 
- 
For each i of the indices of lastNImpressions : - 
Let impression be lastNImpressions [ i ]. 
- 
Let value be normalizedCredit [ i ]. 
- 
Let index be impression ’s histogram index . 
- 
If index is less than histogram ’s size , increment histogram [ index ] by value . 
 
- 
- 
Return histogram . 
4.5. Setting Implementation-Defined Values
This specification identifies several implementation-defined values. This section includes some recommendations for implementations regarding how to best set those values.
An
implementation
sets
an
implementation-defined
maximum
lookback
for
lifetimeDays
and
lookbackDays
.
It
is
a
positive
integer
number
of
days
.
There
is
no
point
to
having
different
maximum
values
for
these
values
as
the
smaller
of
the
two
values
will
determine
which
saved
impressions
are
available
for
conversions.
Deciding on a value for differential privacy parameters is hard and therefore TBD.
4.6. User Control and Visibility
Consider merging this section with § 10.2 Disabling the Attribution API .
4.6.1. Optional Participation
- 
Users should be able to opt out. Opt out should be undetectable. 
This mechanism may be a dedicated control for the Attribution API, or it may be a consolidated privacy control that applies to multiple features, including Attribution. Further, user agent developers should consider interaction of other privacy modes with the Attribution API. For example, attribution might be disabled in a private browsing mode, or it might be disabled if the user has opted out of collection of diagnostic data.
4.6.2. Visibility
- 
User ability to view the impression store and past report submissions. 
5. HTTP API
`
Save-Impression
`
is
a
Dictionary
Structured
Header
set
on
a
response
requesting
that
the
user
agent
invoke
the
saveImpression()
API.
Save-Impression: conversion-sites=("advertiser.example"), conversion-callers=("intermediary.example"), histogram-index=2, match-value=12, lifetime-days=7
The
following
keys
are
defined,
corresponding
to
the
members
of
the
AttributionImpressionOptions
dictionary
passed
to
saveImpression()
.
- 
conversion-sites
- Value of conversionSites , an inner list containing strings . Each string value includes a domain name using A-labels only; Internationalized Domain Names therefore need to use punycode . This key is optional. If not supplied, an empty set is saved for Conversion Sites .
- 
conversion-callers
- Value of conversionCallers , an inner list containing strings . Each string value includes a domain name using A-labels only; Internationalized Domain Names therefore need to use punycode . This key is optional. If not supplied, an empty set is saved for Conversion Callers .
- 
histogram-index
- Value of histogramIndex , a non-negative integer . This key is required.
- 
priority
- Value of priority , an integer . This key is optional.
- 
match-value
- Value of matchValue , a non-negative integer . This key is optional. If not supplied, a value of 0 is saved for Match Value .
- 
lifetime-days
- Value of lifetimeDays , a positive integer . This key is optional. If not supplied, 30 days is saved for Lifetime .
Save-Impression
header
given
a
header
value
input
,
run
these
steps:
- 
Let dict be the result of parsing structured fields with input_bytes set to input and field_type set to " dictionary".
- 
If parsing failed, return an error. 
- 
If dict [" histogram-index"] does not exist or is not an integer or is less than 0, return an error.
- 
Let histogramIndex be dict [" histogram-index"].
- 
Let conversionSites be dict [" conversion-sites"] with default an empty inner list .
- 
If conversionSites is not an inner list , or if any of conversionSites ’ items is not a string , return an error. 
- 
Let conversionCallers be dict [" conversion-callers"] with default an empty inner list .
- 
If conversionCallers is not an inner list , or if any of conversionCallers ’ items is not a string , return an error. 
- 
Let matchValue be dict [" match-value"] with default 0.
- 
If matchValue is not an integer or is less than 0, return an error. 
- 
Let lifetimeDays be dict [" lifetime-days"] with default 30.
- 
If lifetimeDays is not an integer or is less than or equal to 0, return an error. 
- 
Let priority be dict [" priority"] with default 0.
- 
If priority is not an integer , return an error. 
- 
Return a new AttributionImpressionOptionswith the following items:- 
histogramIndex
- 
histogramIndex 
- 
matchValue
- 
matchValue 
- 
conversionSites
- 
conversionSites 
- 
conversionCallers
- 
conversionCallers 
- 
lifetimeDays
- 
lifetimeDays 
- 
priority
- 
priority 
 
- 
6. Implementation Considerations
- 
Management and distribution of values for the following: - 
Histogram size 
 
- 
7. Aggregation
An aggregation service takes multiple pieces of attribution information and produces an aggregate metric.
User agent implementations will have different requirements for aggregation. However, the aggregation process has some common elements.
Firstly, user agents will need to be configured with, or otherwise obtain, information about the aggregation service. This includes the aggregation methods that are supported and any configuration that is required.
Each aggregation method needs to define how a histogram is:
- 
prepared for aggregation, 
- 
encrypted, 
- 
annotated with any necessary metadata, and 
- 
submitted to the aggregation service for aggregation. 
The aggregation method also needs to define how the aggregated result is obtained by a site.
7.1. Multi-Party Computation Aggregation
A Multi-Party Computation (MPC) system is one that involves multiple independent entities that cooperatively compute an agreed function.
This specification uses an MPC system based on Prio [PRIO] and the Distributed Aggregation Protocol (DAP) [DAP] . This is a two-party MPC system that is characterized by its reliance on client-provided proofs of correctness for inputs. This allows for very efficient MPC operation at a modest cost in the size of submissions to the system.
An aggregation service that uses MPC comprises two or more independent services that cooperate to compute a predefined function.
The basic guarantee provided by MPC is that only the defined outputs of a function, plus well-defined leakage, is revealed to any entity.
The MPC guarantees hold only to the extent that a subset of the entities that participate are honest. For the two-party MPC used in Prio, privacy—that is, the confidentiality of inputs—is maintained as long as either MPC operator remains honest. This MPC configuration does not protect against the corruption of the outputs by either MPC operator.
7.1.1. Prio and DAP
The
dap-15-histogram
aggregation
method
uses
Prio
[PRIO]
and
the
Distributed
Aggregation
Protocol
(DAP)
[DAP]
.
Specifically,
this
aggregation
method
uses
the
Prio3L1BoundSum
instantiation
[PRIO-L1]
of
the
Prio3
Verifiable
Distributed
Aggregation
Function
(VDAF)
[VDAF]
.
DAP and the Prio3L1BoundSum instantiation define how a report is prepared, encrypted, and submitted for aggregation. DAP also defines how an aggregate is obtained and what configuration is necessary for a user agent to obtain about the aggregation service.
In using Prio3L1BoundSum , reports contain a distributed zero-knowledge proof that allows the nodes that participate in the MPC to confirm that the sum of the submitted histogram is less than a set value. Prio3L1BoundSum can only validate that the histogram sum is strictly less than a power of two. That is, proofs confirm that the sum is less than 2 n for positive integer values of n .
To
construct
a
report,
proofs
are
generated
based
on
a
value
that
is
the
next
power
of
two
greater
than
maxValue
.
This
means
that
the
aggregation
service
is
unable
to
reject
reports
between
maxValue
and
the
next
power
of
two.
Consequently,
a
malicious
user
agent
might
generate
a
report
that
contributes
as
much
as
double
the
value
of
maxValue
to
the
aggregate
histogram.
The
proof
ensures
that
there
is
no
opportunity
for
excess
contributions
when
maxValue
is
equal
to
2
n
−
1;
the
relative
effect
of
any
such
attack
can
be
reduced
by
setting
maxValue
as
close
to
2
n
−
1
as
other
constraints
allow.
7.1.2. DAP Extensions
Several extensions to DAP [DAP-EXT] are necessary for this application:
- 
Late task binding ( late_binding) improves the ability of a site to collect reports and aggregate them as needed.
- 
Privacy budget ( privacy_budget) ensures that the aggregation service does not aggregate reports that received less privacy budget than the aggregation task was configured with.
- 
Requester identity ( requester_identity) is critical to ensure that differential privacy protections are effective. This prevents a malicious actor that is able to correlate user identity across multiple sites from exceeding the sensitivity bounds for that user by aggregating reports from multiple sites together.
User agents include all of these extensions in reports that they generate.
7.1.3. Report Encryption For DAP
- 
Let field be Field128, as defined in Section 6.1.3 of [VDAF] . 
- 
Let length be the size of histogram . 
- 
Let bits be the base-2 logarithm of options . max value , rounded toward positive Infinity. 
- 
Let chunkLength be the square root of ( bits + 1) * length , rounded to the nearest integer. 
- 
Let vdaf be a new PrioL1BoundSum VDAF [PRIO-L1] instance, passing field , length , bits , and chunkLength . 
- 
Let taskID be the byte sequence from the hex string b13e8440f1cdb4da51eed3967e0a2652d27f5005bc35f751daf188b4b746708b[DAP-EXT] .
- 
Let ctx be the byte sequence formed by concatenating the encoded string dap-15and taskID , as defined in Section 4.5.2 of [DAP] .
- 
Let reportID be 16 bytes sampled from a cryptographically-secure random source [RFC4086] . 
- 
Let rand be 128 bytes sampled from a cryptographically-secure random source [RFC4086] . 
- 
Let publicShare , inputShares be the result of invoking vdaf . shard(), as defined in Section 4.1 of [VDAF] , with ctx , histogram , reportID (as the VDAF "nonce" parameter), and rand .
- 
Let time be now as a duration since the Unix epoch , divided by a duration of 5 seconds. 
- 
Let extensions be a map of 16-bit unsigned integers to byte sequences , comprised of: - 
The extension codepoint for late task binding , mapped to an empty byte sequence . 
- 
The extension codepoint for privacy budget , mapped to the value of encodedEpsilon , derived as follows: - 
Let scaledEpsilon be the 32-bit unsigned integer that is options . epsilon , multiplied by 1,000,000, then rounded toward positive Infinity. 
- 
Let encodedEpsilon be the result of invoking NumericToRawByteswith UINT32 , scaledEpsilon , andfalse(forisLittleEndian).
 
- 
- 
The extension codepoint for requester identity , mapped to the encoded value of topLevelSite [1]. 
 
- 
- 
Let reportMetadata be encoded DAP ReportMetadatagenerated from reportID , time , and extensions .
- 
For each share of inputShares , follow the method for encrypting shares described in Section 4.5.2 : - 
Let pkR be the public key of the corresponding role from the aggregation service HPKE configuration obtained for the aggregation service indicated by options . Aggregation Service . The URL for "dap-15-histogram" is expected to identify the DAP Leader role. Implementations need to obtain HPKE configuration for both Aggregators statically. The HPKE configuration must not be fetched on demand, as the time that takes will leak information to callers of measureConversion() . 
- 
Let serverRole be 2 for the first item (the Leader) and 3 for the second (the Helper role). 
- 
Let info be the byte sequence formed by concatenating: the encoded value of the string dap-15 input share, a byte with the value 0x01, and serverRole .
- 
Let inputShareAAD be constructed from taskID , reportMetadata , and publicShare , following the structure for InputShareAad.
- 
Let hpke be an HPKE [RFC9180] configuration that is based on the same HPKE configuration . 
- 
Let encryptedShare be the result of invoking hpke . Seal<mode_base>(), passing pkR , info , inputShareAAD , and share .
- 
Append encryptedShare to encryptedInputShares . 
 
- 
- 
Let report be an encoded DAP Reportgenerated from reportMetadata , publicShare , encryptedInputShares (the two values being the leader and helper encrypted input shares respectively), and aggregation service HPKE configuration obtained from the DAP aggregators.
- 
Return report . 
7.2. Trusted Execution Environments
A Trusted Execution Environment (TEE) uses specialized hardware to ensure that computation is isolated from other programs that run on the same hardware.
TODO
7.3. Anti-Replay Requirements
Conversion reports generated by browsers are bound to the amount of privacy budget that was expended by the site that requested the report.
An aggregation service MUST guarantee that it does not accept the same report more than once.
8. Differential Privacy
This design uses the concept of differential privacy as the basis of its privacy design. [PPA-DP]
Differential privacy is a mathematical definition of privacy that can guarantee the amount of private information that is revealed by a system. [DP] Differential privacy is not the only means by which privacy is protected in this system, but it is the most rigorously defined and analyzed. As such, it provides the strongest privacy guarantees.
Differential privacy uses randomized noise to hide private data contributions to an aggregated dataset. The effect of noise is to hide individual contributions to the dataset, but to retain the usefulness of any aggregated analysis.
To apply differential privacy, it is necessary to define what information is protected. In this system, the protected information is the impressions of a single user profile, on a single user agent , over a single epoch , for a single website that registers conversions . § 8.1 Privacy Unit describes the implications of this design in more detail.
This attribution design uses a form of differential privacy called individual differential privacy . In this model, user agents are each separately responsible for ensuring that they limit the information that is contributed.
The individual differential privacy design of this API has three primary components:
- 
User agents limit (using the privacy budget ) the amount of information about impressions that leaves the device through conversion reports . § 8.2 Privacy Budgets explores this in greater depth. 
- 
Aggregation services ensure that any given conversion report is only used in accordance with the privacy budget that was accounted for it by the user agent. § 7.3 Anti-Replay Requirements describes requirements on aggregation services in more detail. 
- 
Noise is added by aggregation services . § 8.3 Differential Privacy Mechanisms details the mechanisms that might be used. 
Together, these measures place limits on the information that is released for each privacy unit .
8.1. Privacy Unit
An implementation of differential privacy requires a clear definition for what is protected. This is known as the privacy unit , which represents the entity that receives privacy protection.
This system adopts a privacy unit that is the combination of three values:
- 
A user agent profile. That is, an instance of a user agent, as used by a single person. 
- 
The site that requests information about impressions (the conversion site ). The sites that register impressions (the impression site ) are not considered. Those sites do not receive information from this system directly. 
- 
The current epoch . 
A change to any of these values produces a new privacy unit, which results in a separate privacy budget . Each site that a person visits receives a bounded amount of information for each epoch .
Ideally, the privacy unit is a single person. Though ideal, it is not possible to develop a useful system that guarantees perfect correspondence with a person, for a number of reasons:
- 
People use multiple browsers and multiple devices, often without coordination. 
- 
A unit that covered all websites could be exhausted by one site, denying other sites any information. 
- 
Advertising is an ongoing activity. Without allocating privacy budget for new data, sites could exhaust their budget forever. 
8.1.1. Browser Instances
Each browser instance manages a separate privacy budget .
Coordination between browser instances might be possible, but not expected. That coordination might allow privacy to be improved by reducing the total amount of information that is released. It might also improve the utility of attribution by allowing impressions on one browser instance to be converted on another.
Coordination across different implementations is presently out of scope for this work. Implementations can perform some coordination between instances that are known to be for the same person, but this is not mandatory.
8.1.2. Per-Site Limits
The information released to websites is done on the basis of site . This aligns with the same boundary used in other privacy-relevant functions.
A finer privacy unit, such as an origin , would make it trivial to obtain additional information. Information about the same person could be gathered from multiple origins. That information could then be combined by exploiting the free flow of information within the site, using cookies [COOKIES] or similar.
§ 8.2.2 Safety Limits discusses attacks that exploit this limit and some additional safety limits that might be implemented by user agents to protect against those attacks.
8.1.3. Privacy Budget Epochs
Sites receive a separate differential privacy budget that is used to query impressions recorded in each privacy budget epoch (or epoch ).
This budget applies to the impressions that are registered with the user agent and later queried, not conversions .
From the perspective of the analysis [PPA-DP] each epoch of impressions forms a separate database. A finite privacy budget is enforced across all the queries made on each database.
Having a conversion report produced from impressions that span multiple epochs has privacy consequences. A single visit to a website can give that site information about activities across many epochs . This only requires that the conversion site is identified as the destination for impressions over that entire period. The number of epochs that can be queried is limited by user agents .
The goal is to set an epoch that is as large as feasible. A longer period of time allows for a better privacy/utility balance because sites can be allocated a larger overall budget at any point in time, while keeping the overall rate of privacy loss low. However, a longer interval means that it is easier to exhaust a privacy budget completely, yielding no information until the next refresh.
The decision to set the epoch duration to a week is largely arbitrary. One week is expected to be enough to allow sites some flexibility to make decisions about how to spend privacy budgets without careful planning that needs to account for changes that might occur days or weeks in the future.
§ 8.2 Privacy Budgets describes the process for budgeting in more detail.
8.2. Privacy Budgets
Browsers maintain privacy budgets , which are a means of limiting the amount of privacy loss.
This specification uses an individual form of (ε, δ)-differential privacy as its basis. In this model, privacy loss is measured using the value ε. The δ value is handled by the aggregation service when adding noise to aggregates.
Each user agent instance is responsible for managing privacy budgets.
Each conversion report that is requested specifies an ε value that represents the amount of privacy budget that the report consumes and a maximum on the value that can be returned in the conversion report.
8.2.1. Privacy Budget Deduction
When searching for impressions for the conversion report, the user agent deducts the specified ε value from the budget for the privacy budget epoch in which those impressions were saved. If the privacy budget for that epoch is not sufficient, the impressions from that epoch are not used.
Each time a conversion site invokes measureConversion() the privacy budget is deducted for epochs from which the attribution logic selected impressions .
A conversion report might be requested at the time marked with "now". That conversion report selects impressions marked with black circles, corresponding to impressions from Sites B, C, and E.
As a result, privacy budget for the conversion site is deducted from epochs 1, 3, 4, and 5. No impressions were recorded for epoch 2, so no budget is deducted from that epoch .
How a user agent manages exhaustion of a privacy budget depends on the attribution logic that was chosen.
8.2.2. Safety Limits
The basic privacy unit is vulnerable to attack by an adversary that is able to correlate activity for the same person across multiple sites .
Groups of sites can sometimes coordinate their activity, such as when they have shared ownership or strong agreements. A group of sites that can be sure that particular visitor is the same person—using any means, including something like FedCM [FEDCM] —can combine information gained from this API.
This can be used to increase the rate at which a site gains information from attribution, proportional to the number of sites across which coordination occurs. The default privacy unit places no limit on the information released in this way.
To counteract this effect, user agents can implement safety limits , which are additional privacy budgets that do not consider site. Safety limits might be significantly higher than per-site budgets, so that they are not reached for most normal browsing activity. The goal would be to ensure that they are only effective for intensive activity or when being attacked.
Like the per-site privacy budget, it is critical that sites be unable to determine whether their request for a conversion report has caused a safety limit to be exceeded.
8.3. Differential Privacy Mechanisms
The specific mechanisms that are used depend on the type of aggregation service .
9. Security Considerations
9.1. Impression Store
The impression store used by the Attribution API holds information related to browsing activity and persists across browsing sessions. Although the flow of information through the impression store is strictly controlled, it carries some amount of information across origins.
The following measures limit the possibility of harmful information flow through the impression store:
- 
Websites cannot read from the impression store. Information from the impression store is released only via encrypted conversion reports . Differential privacy , provided by a combination of functionality in the user agent and in the aggregation service , provides a rigorous bound on the probability that the aggregated information output by the aggregation service is distinguishable from the value it would have absent any user’s contribution. 
- 
Users can explicitly clear stored impressions . 
- 
It is recommended that user agents limit how long data can persist in the impression store, even absent explicit user action, by imposing a maximum value of lifetimeDays . 
9.2. API Implementation
The Attribution APIs must be implemented carefully to maintain the required security and privacy properties. A site calling the APIs must not be able to learn:
- 
Whether the Attribution APIs are enabled . 
- 
Whether an attribution occurred. 
- 
Whether the privacy budget is exhausted. 
- 
Whether the conversion report reflects a non-zero conversion value . 
- 
Which histogramIndex is assigned the conversion value . 
Note that explicit return values or thrown exceptions are not the only way that a site can learn from the Attribution APIs. It may be possible to infer sensitive information from side channels like:
- 
Variation in the time it takes for the APIs to complete. 
- 
Consumption of memory or storage by the API, if that consumption is somehow observable by the site. 
While complete elimination of all side channels is impractical, implementations must make reasonable efforts to prevent leakage of sensitive information from the attribution APIs. Strategies to prevent leakage include:
- 
Fully validating all API inputs, even when the API is disabled. 
- 
Avoiding conditional logic. For example, measureConversion() should always go through the full process of constructing a conversion report, even when the conversion value to be reported is zero. 
9.3. Aggregation Services
Although not part of the web platform, security of aggregation services is quite important to the overall security of the Attribution mechanism. Conversion reports produced by measureConversion() are encrypted using cryptographic key(s) of the aggregation service. Thus, much of the potential for disclosure of the information contained in these reports depends on the details of the aggregation service.
User agent developers should carefully consider the design of an aggregation service and the trustworthiness of the aggregation service operator before adding it as a supported service for the Attribution API. Additional discussion of these issues may be found in § 7 Aggregation and § 10 Privacy Considerations .
9.4. Combining Reports from Multiple Sites
The privacy mechanisms in the Attribution API operate primarily at the granularity of sites . A malicious operator may attempt to register impressions for multiple sites, thus exceeding the amount of information that would otherwise be released through attribution. § 8.2.2 Safety Limits discusses establishing additional cross-site privacy budgets to mitigate this possibility.
Rate limits on calls to the Attribution APIs could also be an effective mechanism to prevent harvesting information through overuse of the APIs.
9.5. Ad Fraud
As with many technologies, advertising on the web has been the subject of various kinds of fraud.
Fraudulent registration of impressions is a particular concern with the Attribution API, because impressions are stored only on the device. It is not possible to apply server-side intelligence to identify fraudulent impressions and exclude them from attribution. Conversely, even though conversion reports are encrypted, because the reports are sent to a server, the server can make a determination that the conversion is likely fraudulent and exclude it from aggregation.
An important mitigation against malicious use of the Attribution APIs is the explicit specification of eligible conversion sites when registering an impression, and of eligible impression sites and histogram indexes when registering a conversion. This prevents impressions on arbitrary malicious sites from interfering with attribution to the intended set of candidate impressions.
10. Privacy Considerations
The main privacy goal of this API is to ensure that providing sites with the ability to perform attribution does not improve their ability to perform cross-site recognition .
This section provides more information about the protections necessary to achieve this goal. Additional discussion talks about secondary privacy goals, such as the prevention of same-site recognition .
10.1. Information Exposed by the Attribution API
The impression store and privacy budget store contain information about a cross-section of browsing activity. As use of the API increases, so does the scope of this information. However, most of the information written to these stores is never disclosed. Because attribution is performed on the device ( on-device attribution ), only information about attributed conversions is exposed by the Attribution API. This contrasts with other schemes in which information about both impressions and conversions is sent to the aggregation service for off-device attribution . In the latter class of schemes, the amount of information that could be revealed in a compromise of the aggregation service (or in a compromise of communication with the aggregation service) is significantly larger.
When the Attribution API makes an attribution, information about that attribution is released from the device only to the extent the differential privacy restrictions allow.
While the Attribution API is intended to measure the association of relatively infrequent conversion events with a limited set of related impression candidates, it is important to consider how the API might be misused for larger-scale data collection. The requirement that impressions enumerate the possible conversion sites (and vice-versa) has an important role in preventing misuse of the API for mass data collection, and in making attempts at such misuse more visible.
It is unclear whether the privacy budget store should be cleared whenever the impression store is cleared. On one hand, it contains information about browsing activity, so it is desirable to include it when clearing browsing activity. On the other hand, it is only possible to strictly adhere to the requirements of the differential privacy mechanism if information about a fully- or partially- depleted privacy budget is maintained until that budget is no longer relevant (i.e. the end of the privacy budget epoch ).
10.2. Disabling the Attribution API
The Attribution API is designed to reveal only aggregate information. The use of differential privacy limits the chance of determining whether any particular user contributed to the aggregated output. However, some users may still prefer not to participate in attribution measurement. As discussed in § 4.6.1 Optional Participation , the user agent must provide a mechanism for the user to disable the Attribution API.
To minimize the risk of fingerprinting , and to prevent discrimination against users who choose to disable the Attribution API, sites must not be able to detect that the API is disabled. Specifically, all calls to the Attribution API that are otherwise valid must complete successfully, even when the API is disabled. The only difference in behavior is that conversion reports returned when the API is disabled will never report any conversion value . Because the reports are encrypted, this difference cannot be detected by the site receiving the conversion report.
10.3. Unconfigured Browsers
This API assumes that user agent instances have all of the configuration necessary to answer requests to measureConversion() .
If the aggregation service configuration necessary for invoking measureConversion() is either absent or out of date, that could be observable to sites.
If the retrieval of configuration could delay the resolution of a call to measureConversion() , this creates a timing side channel. If a fake response is generated instead, differences between a response from a properly configured user agent and a fake response might be observable. This might be the use of key identifiers or other unencrypted metadata. A difference in ciphertext length might also reveal changes to what is encrypted or changes in choice of algorithm.
Detecting stale or absent configuration might be used to fingerprint the user agent .
A user agent should therefore prioritize the acquisition of aggregation service configuration in a way that is not observable to sites. This might be achieved by obtaining configuration at startup, before starting to load any content.
If the necessary configuration cannot be obtained, or is obviously stale, an implementation might choose to immediately reject when measureConversion() is invoked. This leaks information, but it could leak less than attempting to generate a fake value.
10.4. Including Identifying Information with Saved Impressions
Sites
are
able
to
encode
some
amount
of
data
in
impressions,
using
matchValue
or
other
fields.
The
API
does
not
prevent
sites
from
encoding
user
identifiers
in
these
fields.
The
attribution
process
can
use
this
data
when
constructing
a
conversion
report
,
which
implies
some
risk
of
that
identifying
information
becoming
available
to
the
site
that
receives
that
report.
The
following
measures
mitigate
this
risk:
- 
The impression store cannot be read directly. Thus, identifiers are only usable for tracking to the extent information about them is revealed in conversion reports . 
- 
The information in conversion reports is only revealed after aggregation and the addition of noise. 
- 
Users have the ability to clear the impression store . 
- 
No impressions are saved to the impression store when the Attribution API is disabled . 
10.5. Use in Third-party Contexts
The Attribution API is available even in third-party contexts. In particular, a third-party iframe may call saveImpression() . Note, however, that the impression is recorded with the site of the top-level navigation context, not the origin of the iframe.
While the availability of the API in third-party contexts carries some increase in privacy risk, this support is deemed necessary because iframes are commonly used to display advertisements.
10.6. Clearing API State
A user agent might present the option to clear storage. These exist for two reasons:
- 
Privacy toward sites, so that the sites cannot recognize the user in future interactions (that is, to prevent same-site recognition ). 
- 
Removing traces of activity locally, so that other users of a computer cannot access browsing history. 
Clearing the state that tracks privacy budget expenditure has an adverse effect on privacy toward sites. Sites would then be able to gain more information from attribution.
A user agent may clear data from the privacy budget store and epoch start store when the API is disabled . In that case, if the API is re-enabled, there is no way to determine what budget was expended prior to the API being disabled . In that case, a user agent can update the value of last browsing history clear to ensure that privacy budgets are not inadvertently exceeded.
10.6.1. Clearing Site Data
When clearing site data at the request of a user , but retaining browsing history, a user agent invokes clear browsing history for attribution , given the set of affected sites , false (for forgetVisits ), and the time that the action was taken. This sets the privacy budget for that site to zero, preventing any use of conversion measurement on that site. This does not remove saved impressions from the impression store ; logically, impressions are transferred to the conversion site at the time they are saved.
When
clearing
site
data
at
the
request
of
a
site
,
through
the
use
of
the
`
Clear-Site-Data
`
header,
a
user
agent
only
removes
impressions
,
without
altering
either
the
privacy
budget
store
or
the
epoch
start
store
for
affected
sites
.
10.6.2. Clearing Browsing History
Updating the privacy budget store is insufficient when clearing browsing history. Retaining per- site information necessary to prevent privacy loss toward sites leaves information about visits to sites for other users of a computer to discover when removing browsing history.
A user agent that clears browsing history invokes clear browsing history for attribution , given the set of affected sites , true (for forgetVisits ), and the time that the operation was initiated.
When clearing browsing history, user agents need to remove all per- site privacy budget information (that is, remove entries from both the privacy budget store and the epoch start store ). User agents also need to ensure that any subsequent privacy budget expenditure cannot cause privacy loss in excess of configured limits as a result of losing that information.
This can be achieved by disabling attribution for a period between one and two epochs from the point that browsing history is discarded. Otherwise, a site that expends its budget immediately prior to the clearing of history would be able to learn more through the API than it could without the clearing of state.
This disables the API for up to two epochs for affected sites . Because the epoch start store is cleared, the start of any newly-defined epoch for that site becomes unknown. Any new epoch will start at a fresh randomly-selected time , which cannot overlap with any epoch that might have been defined before history was cleared.
A user agent remembers when history was last cleared in the last browsing history clear value. This is used to prevent budget expenditure until it is guaranteed that a site cannot exceed the user agent -chosen maximum allowed privacy budget .
The get the starting epoch for attribution algorithm ensures that a conversion site cannot query impressions from any epoch that starts within one epoch duration from when state is cleared.
10.6.3. Clearing Impressions
A mechanism must be provided to clear the impression store . For example, the impression store could be cleared upon activation of the control that disables the Attribution API.
It is recommended that any mechanism a user agent provides to clear stored data (history, cookies, etc.) be extended to cover the impression store. § 10.6 Clearing API State provides more detailed information on the clearing of stored data.
A user agent that clears state for a site must discard all saved impressions that were saved during the affected period with a matching impression site or conversion site . For an impression site , these impressions relate to activity that was cleared. A conversion site that has had state cleared will not be able to use these impressions .
Impressions that have a matching intermediary site may be retained.
10.7. Choice of Clock
This API uses a wall clock as its basis for time. This is primarily because the API relies on a persistent notion of time. A monotonic clock is only defined during a single execution of a user agent , so it has no guarantee of consistency if a user agent is restarted.
A wall clock can be adjusted to account for errors that might accumulate due to clock drift. A wall clock therefore is not guaranteed to always advance at a consistent rate, including the possibility that it might sometimes decrease.
Decreases in the wall clock do not affect the privacy guarantees that this API provides. Only increases in the clock , can have an adverse privacy effect. Increases above the normal progress of time might result in the renewal of privacy budget more quickly than intended.
For a clock that undergoes corrections within each epoch , clock adjustments will have no privacy effect. A single correction that is sufficiently large might cause privacy budgets to be renewed ahead of schedule, resulting in a one-time increase in privacy loss. Continuous large corrections have the most serious effect on privacy, as each transition between epochs will release additional privacy budget .
A very large increase in time that skips entire epochs does not result in additional privacy loss. No privacy loss is possible unless an impression can be saved .
Of course, any user agent that has a need for large or continuous corrections to its clock will likely be highly identifiable as a result of the time that it reports. That alone is likely enough to enable unwanted cross-site recognition .
11. Acknowledgements
This specification is the result of a lot of work from many people. The broad shape of this level of the API is based on an idea from Luke Winstrom. The privacy architecture is courtesy of the authors of [PPA-DP] .