Introduce PTEROSAUR proposal

[gjlondon]

This pull request introduces "PTEROSAUR": a new proposal for privately measuring the effectiveness of digital brand advertising.

Please see the text of the proposal for details.

Feedback, questions, and suggestions are welcome.

[csharrison]

Hey George, thanks for the proposal! I wanted to point out an explainer @shivanigithub on my team recently published that I think could be used to simplify this design: Fenced Frames This is an idea very similar to the 3P Private Lift Measurement proposal for hidden iframes.

It is designed with TURTLEDOVE in mind and provides one key functionality that I think surveys can take advantage of: network access after user activation / interaction. I think by using this we may avoid the need to use aggregate reporting in some cases. By completing the survey the user will cause the fenced frame to activate and enable the use of the the network. Once that happens the survey can simply fire off a normal request with the survey results and the associated interest group.

Note that due to the user interaction requirement, you would still need aggregate reporting if you wanted to measure surveys which were not interacted with.

[gjlondon]

Hey @csharrison! Thanks for your quick response.

I just read through the fenced frames proposal and it sounds very promising. A survey that's not taken doesn't have much value so so it should be no problem to require user interaction before reporting any results. (If anything, we like the privacy stance that "no information should be collected about anyone who doesn't volunteer to take a survey").

There are some key questions that'll need to be answered around exactly what information is kept in storage (and thus made accessible for us to include in any reporting done over the network). As discussed in the proposal, we need to report 1) which survey was conducted 2) what the survey answers were 3) whether the respondent was an exposed or control 4) impression metadata from the impressions within the measured campaign.

If we can set interest groups via the ads and use those groups to participate in the TURTLEDOVE auction, and then we can run our surveys in a fenced frame and report the above information when a survey is completed - then we're well on our way to a complete solution. And it looks like it would require a pretty minimal amount of browser-side work beyond what's already required for "Private Lift Measurement" and "TURTLEDOVE". But of course the devil is in the details about exactly what information is made reportable.

How stabilized is the fenced frame proposal? I'm happy to rework this proposal to be based on it, but I'd prefer to defer investing a lot of time until I can build on reasonably solid ground.

Assuming we do adapt this proposal to use fenced frames, what would be the right venue to discuss what information from TURTLEDOVE and Private Lift Measurement would be made available?

[csharrison]

There are some key questions that'll need to be answered around exactly what information is kept in storage (and thus made accessible for us to include in any reporting done over the network). As discussed in the proposal, we need to report 1) which survey was conducted 2) what the survey answers were 3) whether the respondent was an exposed or control 4) impression metadata from the impressions within the measured campaign.

I think (1), (2), and (3) can be done simply with this alternative as long as expose/control is encoded in the interest group, but I don't know about (4). Knowing the exposure history as you say seems difficult without leaking privacy and would likely need to be done in an aggregated fashion.

How stabilized is the fenced frame proposal? I'm happy to rework this proposal to be based on it, but I'd prefer to defer investing a lot of time until I can build on reasonably solid ground.

It is a new document, so not stable. However it is something we are actively working on and it is our attempt at a technical solution for multiple use-cases along a very similar vein as the Private Lift Measurement blind rendering proposal.

Assuming we do adapt this proposal to use fenced frames, what would be the right venue to discuss what information from TURTLEDOVE and Private Lift Measurement would be made available?

@michaelkleber and @shivanigithub for thoughts. My thinking is that this repo will be fine for discussion on a design that uses the TURTLEDOVE / fenced frames / Private Lift Measurement, but you should file issues in the dedicated project repos if there are issues you want to open / feature requests / etc.

[gjlondon]

@csharrison thanks for your response. The discussion around fenced frames on last week's call sounded promising. My inclination at this point is for us to wait a bit for the fenced frames proposal to solidify, file issues there if it starts to evolve in a direction that sounds incompatible with this proposal, and then rework this proposal once that one is starting to feel stable.

Re: the information transmission points - it's great to hear that you think 1, 2, and 3 are manageable in a straightforward fashion. On #4, the way our statistical algorithms work makes it difficult (perhaps impossible) for us to work with aggregated exposure data. (I'm happy to get into the details of why if it's relevant). So I am very much hoping we can find a privacy-safe way to collect anonymized but non-aggregated exposure history. As discussed in the document under "Reporting Results" and "Privacy Considerations", my analysis suggests that although releasing exposure histories may intuitively seem privacy unfriendly, with sufficient care it should be possible to do it in a way that is actually sufficient privacy-safe (even without aggregation).

Do you have particular concerns about the line of thinking there? If so, what would be the easiest way for us to discuss (and hopefully work through) your concerns?