Facebook and Mozilla propose alternative to browser control of ad measurement and privacy; LMC’s NewsPassID reports pilot results




A fundamental twist in efforts to maintain effective advertising alongside personal privacy was unveiled this week. It would take control away from browser software such as Google Chrome and Apple Safari and turn processing over to a governed cloud service.  The twist came a week after Google scrapped a key idea within its “Privacy Sandbox” and proposed a new one, “TOPICS”  (see links, below).

Engineers from the Mozilla Foundation and Meta’s Facebook together unveiled a server-based approach to managing user identity and profiling for advertising called “Privacy Preserving Attribution for Advertising” or “Interoperable Privacy Attribution” (IPA). It involves the use of privacy-enhancing Multi-Party Computation (MPC) servers.

In a virtual discussion on Thursday, Google representatives peppered proponents with questions, asking, for example, if the initiative would be too expensive to implement.

In a 56-slide presentation, two engineers from Meta’s Facebook and one from the Mozilla Foundation revealed details of their idea — to have web, app and TV clicks, taps or views to advertisements — and any resulting purchase attributions — be sent and logged to a common server (or two servers).  But the identity of each individual user would be double-encrypted. In theory, only the logging service would be able to connect a view to an individual purchase.


Advertisers could obtain (presumably for a price) trustworthy “conversion reports” from the service — absent  any user-identifying information. “Attribution is how advertisers know if their advertising campaigns are working,” observes Mozilla’s Martin Thomson in a Feb. 8 blog post about the PPA/IPA proposal, adding: “We hope this contribution will help make privacy-preserving attribution a reality.”

Importantly, nothing appears in the proposal about who would own or control the logging and conversion-tracking service — a key trustworthiness challenge. But the important point is that advertisers would no longer have to rely upon proprietary logging or conversion services of multiple independent networks such as Google, Apple or Meta.  Also unclear in the proposal is what would happen if browser makers boycotted the reporting of clicks and other events to the MPC servers. “Will they confirm they will not interfere with solutions that do not require them to make changes?” Zucker-Scharff asked in one comment thread.

After at least two years of fussing about how to eliminate third-party cookies and improve web privacy at the same time, the proposal represents somewhat of an about face. And it’s noteworthy to have it come from Facebook and Mozilla, rather than from Google, Apple or Microsoft, the dominant browser software makers.

First discussions about the PPA/IPA scheme came Feb. 9-10 (AGENDA) during the first virtual meeting (MINUTES) of a new World Wide Consortium (W3C) discussion forum, the “Privacy Advertising Technology Community Group” or PATCG.  The co-chairs are Aram Zucker-Scharff of The Washington Post, and a veteran Internet Engineer Task Force (IETF) consultant, Sean Turner.  The Post is owned personally by Jeff Bezos, founder of Amazon, and is fielding its own advertising management system for publishers, called Zeus.

It is more typical for W3C groups to have browser makers among group chairs, rather than a publisher. And typically few publishers or advertisers participate in a W3C group. Notably absent so far are originators of two leading efforts at network user identity management, The Trade Desk (UID2) and the Local Media Consortium (NewsPassID). Nevertheless, PATCG already has 216 member participants including:

  • Advertisers/Agencies: Procter & Gamble, Omnicom Group, DPG Media, Meredith Corp., Ford Motor Company, Dentsu Group, Taboola, CafeMedia
  • Publishers: The Washington Post, The New York Times, Axel Springer, British Broadcasting Corp.
  • Major tech and ad-tech platforms: Google, Microsoft, Amazon, Mozilla Foundation, Twitter, Yahoo, CafeMedia, SalesForce, Facebook, Cisco, eyeo GmbH, MediaMath, AT&T, IAB Tech Lab, Duck Duck Go, Epsilon, LiveRamp, OpenX, Adobe, Salesforce, 51Degrees, Brave Software, Cloudflare, Magnite, IndexExchange, Criteo
  • NGOs: News Media Alliance, Future of Privacy Forum, Digital Advertising Alliance, Information Trust Exchange Governing Association, Wesleyan University.

The group’s stated mission: “[T]o incubate web features and APIs that support advertising while acting in the interests of users, in particular providing strong privacy assurances.” It says it won’t consider “non-technical” solutions supporting privacy, which may explain why ownership and governance of the logging/attribution service were not discussed.





Newspaper group LMC reports NewsPassID identity-sharing tag lifts “cookie-less” advertising rates 90%

A trade association of U.S. news publishers, the Local Media Consortium (LMC), says in a report this week that piloting of a new user-identity sharing service, NewsPassID, showed a “90% uplift in revenue in most cookieless environments.”  LMC is trying to find ways to stop the disintermediation of publishers in the ad-tech stack, while maintaining a privacy brand promise. NewsPassID is part of an overall “NewsNext” initiative.

“As the local news industry prepares for the elimination of the third-party cookie in 2023, NewsPassID provides a promising new path for generating revenue in a privacy-compliant way,” said Fran Wills, CEO of the LMC. Among the “cookieless” environments tested were Apple’s Safari browser and iPhones and Google’s AMP service.

The trial results and LMC’s next steps are outlined in a news release and accompanying 11-page white paper by ad-tech veteran Scott Cunningham, an LMC consultant.

The LMC’s statement said it built the NewsPassID technology and A-B tested it with LMC members McClatchy, Lee Enterprises, E.W. SCripps and Tegna in real-time bidding advertising auctions.  “NewsPassID provides a scalable way for local media to e-establish the value of their audiences, reposition their standing in the online ecosystem and accelerate the growth of their digital businesses,” Media News Group (MNG) chief digital officer Chris Loretto said in a statement. MNG, the second-largest U.S. newspaper chain, is an LMC member. “We are really encouraged by these positive results and look forward to deployment for all LMC members.”

DigiDay reporter Max Willens wrote  the biggest lift “came in cookieless environments including Safari and AMP, where the NEwsPassID impressions sold at CPMs 90% higher than control ones.”  Tested against cookies, however, NewsPassID faces significant hurdles, Willens wrote. LMC said it tested 45%-50% “revenue uplift” in cookie-supporting environments.




EU and UK news on three fronts makes major changes in data-privacy and advertising likely; a Meta EU exit?

Sea changes in the handling of privacy and advertising seem likely in the European Union and the United Kingdom after a set of legal and regulatory decisions this month. And the impacts could spread worldwide eventually.  The big question: Will the changes just make the U.S. ad-tech platforms (Google, Meta/Facbook and Amazon) stronger in the long run?

The developments:

  • Belgium’s data authority found the ad industry’s way of handling privacy consent is illegal. An industry group, IAB Europe, threatened legal action.
  • Facebook/Instagram threatened to leave Europe if they can’t put personal data on U.S. servers
  • Google and the U.K.’s data-privacy authority agreed on terms for eliminating third-party cookies

Belgium DPA Chairman of the Litigation Chamber Hielke Hijmans said IAB Europe’s current version of TCF is “is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness.”  He added:  “People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalized ads,” Hijmans said. “Although it concerns the TCF, and not the whole real time bidding system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data.”

“We reject the finding that we are a data controller in the context of the TCF,” according to IAB Europe’s statement. “We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.”










Explaining the privacy approach of Multi-Party Computation: A Facebook/Mozilla challenge to Google Chrome identities?

  • Engineers from the Mozilla Foundation and Meta’s Facebook this week together unveiled a server-based approach to managing user identity and profiling for advertising called “Privacy Preserving Attribution for Advertising” or “Interoperable Privacy Attribution” (IPA). It involves the use of privacy-enhancing Multi-Party Computation (MPC) servers.  The following are edited excerpts from a joint 56-slide presentation.

“In designing IPA, we set out to find a win-win-win solution for cross platform conversion measurement that met our goals across privacy, utility, and competition. Our privacy goal is to limit the total amount of information IPA releases about an individual over a given period of time. Our utility goal is to support all the major aggregate conversion measurement use-cases. Our competition goal is to ensure equal function for all existing and new ad-tech players . . . .

“[IPA] would allow businesses to see the conversions from ad impressions to purchases, without sharing the personal data of customers . . . With IPA, we can level the playing field so that every ad tech provider can get data on cross device conversions, not just the large companies.

“When ad-buyers spend across multiple ad-platforms, multiple companies may take credit for the same conversion.  This makes it difficult to understand and compare effectiveness of ad campaigns . . . Customers may see multiple ads for a product before they purchase it.Which ad impression should get the credit?  . . .  [T]he IPA proposal could potentially enable cross-publisher attribution; while preserving individual privacy. 

“With ‘multi-touch attribution’, everyone gets a fraction of the credit. If Jane saw an ad on Instagram, a newspaper article and Google search, each of those services might get a third of the credit. In the current system, this is hard to impossible. But with IPA, it might be feasible. With IPA, ad buyers can run their own queries to measure their ad conversions. Because everything is connected there is no double counting. Ad buyers can choose how to apportion credit in cases of multiple touch points. This means one interface to get reporting across all your channels and less need to trust the results an ad-platform tells you.

“After decryption, values from the same person still match up, but since the values are scrambled their identity is unknown . . . The actual values of the match-keys are hidden from the MPC [server] itself. “With IPA, businesses would see accurate ad reporting without sharing personal data with ad-tech companies or anyone else . . . . 

“In this system, instead of sending personal data directly to ad-tech companies, impression and conversion reports with match keys are encrypted using asymmetric encryption and sent to a trusted server . . . The server decrypts the data and matches events up to count how many times someone saw an ad and then made a purchase. They share that count with the ad-tech companies but keep the personal data secret.”

“An ad impression / conversion event that has been encrypted appears as undecipherable ciphertext to ad tech companies . . . In this system, when the server receives the encrypted data, they first apply a ‘blinding factor’, changing the encrypted numbers. Now they decrypt the data – but it has already been changed. So even once decrypted, the server can’t see the original match key . . . “

“Events originating from the same person still have the same value of the blinded match key, so it’s still possible to match up ad impressions and purchases from the same person, but the value of the blinded match key is un-linkable to that person’s identity….Blinding encrypted data is a way for servers to alter user data so that it is still useful, but can no longer identify people personally . . .

?Can we avoid having a single trusted server?  With double encryption, two servers can process the data without either seeing the identity of the user. One solution is to intentionally add a small amount of randomness to the results . . . IPA ensures individual purchase values are never visible to anyone.”

ABOUT PRIVACY BEATPrivacy Beat is a weekly email update from the Information Trust Exchange Governing Association in service to its mission. Links and brief reports are compiled, summarized or analyzed by Bill Densmore and Eva Tucker.  Submit links and ideas for coverage to newsletter@itega.org.