From 58385186807c327791ef4a5f769102a4e34c340f Mon Sep 17 00:00:00 2001
From: "Benjamin M. Case" <35273659+bmcase@users.noreply.github.com>
Date: Wed, 3 Sep 2025 12:16:02 -0400
Subject: [PATCH 1/5] add dp assumptions
DP assumptions for formal proofs
---
api.bs | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/api.bs b/api.bs
index d3b170b..33345ac 100644
--- a/api.bs
+++ b/api.bs
@@ -2338,6 +2338,35 @@ for a number of reasons:
Without allocating [=privacy budget=] for new data,
sites could exhaust their budget forever.
+We operate the system with [=site=] in the [=privacy unit=], but theoretically proving
+DP guarantees for this privacy unit requires additional assumptions.
+Since different sites are interacting with the same user over time there is not
+complete independence between privacy units maintained for the same user which is necessary
+for proving the formal DP guarantees. These assumptions capture what would need to be assumed
+for these privacy units to be independent and under which the DP guarantees can be proven rigorously.
+* Assumption 1: Siloed adaptive data generation. The data stream of the user's impressions
+and conversions able to be queried by one site is generated independently from the past query
+results of other sites.
+* Assumption 2: No leakage through safety limits. The queries from one site do not impact
+which reports get filtered for any other site.
+
+Both of these assumptions are technically not met by the system. By stating them here we
+are saying that the API does not protect against privacy leakages that result from them.
+
+Assumption 1 is a consequence of multiple sites interacting with the same user over time and
+changing the ads they show to users based on their use of this system. For example, one advertiser
+might learn how to make one of their ads more effective which results in the user converting on
+their site rather than on a different site. This impacts the data the other site has available to
+query and introduces across site adaptive dependency in how data is generated.
+
+Assumption 2 is a consequence of having safety limits that span across multiple sites.
+If the safety limits are never triggered there is no change in the data available to
+be queried across all sites covered by the safety limit. But if as a result of some
+sites’ queries causing the safety limit to be reached and start filtering out reports
+sent to other sites, there is now a dependence introduced across the data queried under
+ the separate privacy units.
+
+See [cite paper] for more details on the formal DP proofs and in depth discussion of these assumptions.
### Browser Instances ### {#dp-instance}
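Review bot: the closing sentence `See [cite paper] for more details ...` ships a `[cite paper]` placeholder into spec text; replace it with a bikeshed biblio reference (`[[...]]` pointing at an entry in the biblio block) or hold the sentence until the reference exists. Smaller points in the same hunk: ` the separate privacy units.` carries a stray leading space; `introduces across site adaptive dependency` reads better as `introduces a cross-site adaptive dependency`; the `* Assumption 1` bullet list follows the preceding paragraph with no blank `+` line, unlike the other paragraphs added here, so confirm it renders as a list rather than as paragraph continuation; and `Assumption 1 is a consequence of ...` describes the way the assumption gets violated, not the assumption itself, so `Assumption 1 is needed because ...` states the point more accurately.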
From 2e27352d5f6f572f9bcb35046f36f8c8308d920c Mon Sep 17 00:00:00 2001
From: "Benjamin M. Case" <35273659+bmcase@users.noreply.github.com>
Date: Thu, 4 Sep 2025 11:24:39 -0400
Subject: [PATCH 2/5] update DP assumptions text
---
api.bs | 86 ++++++++++++++++++++++++++++++++++++++--------------------
1 file changed, 57 insertions(+), 29 deletions(-)
diff --git a/api.bs b/api.bs
index 33345ac..86e07a9 100644
--- a/api.bs
+++ b/api.bs
@@ -2338,35 +2338,46 @@ for a number of reasons:
Without allocating [=privacy budget=] for new data,
sites could exhaust their budget forever.
-We operate the system with [=site=] in the [=privacy unit=], but theoretically proving
-DP guarantees for this privacy unit requires additional assumptions.
-Since different sites are interacting with the same user over time there is not
-complete independence between privacy units maintained for the same user which is necessary
-for proving the formal DP guarantees. These assumptions capture what would need to be assumed
-for these privacy units to be independent and under which the DP guarantees can be proven rigorously.
-* Assumption 1: Siloed adaptive data generation. The data stream of the user's impressions
-and conversions able to be queried by one site is generated independently from the past query
-results of other sites.
-* Assumption 2: No leakage through safety limits. The queries from one site do not impact
-which reports get filtered for any other site.
-
-Both of these assumptions are technically not met by the system. By stating them here we
-are saying that the API does not protect against privacy leakages that result from them.
-
-Assumption 1 is a consequence of multiple sites interacting with the same user over time and
-changing the ads they show to users based on their use of this system. For example, one advertiser
-might learn how to make one of their ads more effective which results in the user converting on
-their site rather than on a different site. This impacts the data the other site has available to
-query and introduces across site adaptive dependency in how data is generated.
-
-Assumption 2 is a consequence of having safety limits that span across multiple sites.
-If the safety limits are never triggered there is no change in the data available to
-be queried across all sites covered by the safety limit. But if as a result of some
-sites’ queries causing the safety limit to be reached and start filtering out reports
-sent to other sites, there is now a dependence introduced across the data queried under
- the separate privacy units.
-
-See [cite paper] for more details on the formal DP proofs and in depth discussion of these assumptions.
+### Formal Analysis of Privacy Properties and Their Limitations ### {#formal-analysis}
+The paper [[PPA-DP-2]] provides formal analysis of the mathematical privacy guarantees
+afforded by per-site budgets and by safety limits . Per-site
+budgets include [=site=] in the [=privacy unit=], whereas safety limits exclude it
+thereby enforcing a global individual DP guarantee.
+
+The analysis shows that per-site individual DP guarantees hold under a restricted system
+ model that makes two assumptions, which may not always be satisfied in practice:
+
+1. No cross-site adaptivity in data generation. A site’s queryable data stream (impressions
+and conversions) must be generated independently of past DP query results from other sites.
+2. No leakage through cross-site shared limits. Queries from one site must not affect which
+reports are emitted to others.
+
+Assumption 1 is necessary because the system involves multiple sites that could interact
+with the same user over time and change the ads they show to the user, or impact the
+conversions the user has, based on each other’s DP measurements. For example, if one advertiser
+learns, from DP measurements, to make an ad more effective, a user may convert on their site
+rather than a competitor’s. In this case, the first site’s DP outputs -- counted only against
+its own per-site budget -- alter the data (or absence of data) visible to the competitor, yet
+this impact is not reflected in the competitor’s per-site budget. When Assumption 1 is violated,
+the analysis shows that per-site guarantees cannot be achieved.
+
+Assumption 2 is necessary when we have shared limits that span multiple sites. An example of
+such shared limits are the global safety limits that aim to provide a global DP guarantee.
+If queries from some sites cause a shared limit to be reached, reports to other sites may be
+filtered, creating dependencies across separate per-site privacy units and affecting the validity
+of the per-site guarantees. Thus, care must be taken when introducing any new shared limit, such
+as cross-site rate limiters on privacy loss. If only Assumption 2 is violated, it is unknown whether
+per-site guarantees can still be preserved, for example via special designs of the shared limits.
+
+These results suggest that per-site protections should be regarded as theoretically grounded approximations
+of an ideal per-site individual DP guarantee that can be established only under certain assumptions.
+The extent to which privacy protection from per-site budgets may be impacted in practice remains unknown.
+
+By contrast, the analysis shows that safety limits -- which operate at global level,
+excluding [=site=]
+from the [=privacy unit=] -- can be implemented to deliver sound global individual DP guarantees
+regardless of whether either assumption is satisfied.
+
### Browser Instances ### {#dp-instance}
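Review bot: `afforded by per-site budgets and by safety limits .` has a stray space before the period, and ` model that makes two assumptions` carries a leading space; both sit in the opening paragraphs of the new `{#formal-analysis}` section and should be cleaned up in this commit rather than a later one. The first commit stated plainly that `Both of these assumptions are technically not met by the system`; the rewrite softens this to `which may not always be satisfied in practice`. If the assumptions are known to be violated by the current design, saying so directly keeps the privacy claim precise for readers deciding how much to rely on per-site budgets. Also note that `[[PPA-DP-2]]` resolves only with the biblio entry added in the next hunk, so the two hunks must land together.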
@@ -3167,6 +3178,23 @@ spec:structured header; type:dfn; urlPrefix: https://httpwg.org/specs/rfc9651;
"href": "https://arxiv.org/abs/2405.16719",
"title": "Cookie Monster: Efficient On-device Budgeting for Differentially-Private Ad-Measurement Systems",
"publisher": "SOSP'24"
+ },
+ "ppa-dp-2": {
+ "authors": [
+ "Pierre Tholoniat",
+ "Alison Caulfield",
+ "Giorgio Cavicchioli",
+ "Mark Chen",
+ "Nikos Goutzoulias",
+ "Benjamin Case",
+ "Asaf Cidon",
+ "Roxana Geambasu",
+ "Mathias Lécuyer",
+ "Martin Thomson"
+ ],
+ "href": "https://arxiv.org/abs/2506.05290",
+ "title": "Big Bird: Privacy Budget Management for W3C's Privacy-Preserving Attribution API",
+ "publisher": "arXiv"
},
"prio": {
"authors": [
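Review bot: the key `"ppa-dp-2"` is lowercase while the text references `[[PPA-DP-2]]`; bikeshed treats biblio names case-insensitively, so this should resolve, but a build of the spec is the quick confirmation. The entry sets `"publisher": "arXiv"` for a preprint, whereas the neighbouring `Cookie Monster` entry gives a venue (`SOSP'24`); either is acceptable, but choose one convention for arXiv-only references and apply it consistently across the entries in this block.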
From 6fe5c2a14bf7905ebff09cdf37792124d2bd594e Mon Sep 17 00:00:00 2001
From: "Benjamin M. Case" <35273659+bmcase@users.noreply.github.com>
Date: Thu, 4 Sep 2025 11:27:30 -0400
Subject: [PATCH 3/5] Update DP assumptions text
---
api.bs | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/api.bs b/api.bs
index 86e07a9..463124b 100644
--- a/api.bs
+++ b/api.bs
@@ -2374,9 +2374,8 @@ of an ideal per-site individual DP guarantee that can be established only under
The extent to which privacy protection from per-site budgets may be impacted in practice remains unknown.
By contrast, the analysis shows that safety limits -- which operate at global level,
-excluding [=site=]
-from the [=privacy unit=] -- can be implemented to deliver sound global individual DP guarantees
-regardless of whether either assumption is satisfied.
+excluding [=site=] from the [=privacy unit=] -- can be implemented to deliver sound global individual
+DP guarantees regardless of whether either assumption is satisfied.
### Browser Instances ### {#dp-instance}
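Review bot: this hunk only reflows the `By contrast, the analysis shows that safety limits ...` sentence across lines without changing any words, yet the subject `Update DP assumptions text` suggests a wording change; consider squashing it into the later formatting commits (`fix format`, `fmt fixes`) or retitling it as a reflow so the history reflects the diff.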
From c997c37839a10eddb8bb46a59058dde35d2cbb88 Mon Sep 17 00:00:00 2001
From: "Benjamin M. Case" <35273659+bmcase@users.noreply.github.com>
Date: Thu, 4 Sep 2025 11:40:21 -0400
Subject: [PATCH 4/5] fix format
---
api.bs | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/api.bs b/api.bs
index 463124b..9afffb1 100644
--- a/api.bs
+++ b/api.bs
@@ -2340,16 +2340,16 @@ for a number of reasons:
### Formal Analysis of Privacy Properties and Their Limitations ### {#formal-analysis}
The paper [[PPA-DP-2]] provides formal analysis of the mathematical privacy guarantees
-afforded by per-site budgets and by safety limits . Per-site
+afforded by *per-site budgets* and by *safety limits*. Per-site
budgets include [=site=] in the [=privacy unit=], whereas safety limits exclude it
thereby enforcing a global individual DP guarantee.
-The analysis shows that per-site individual DP guarantees hold under a restricted system
+The analysis shows that *per-site individual DP guarantees* hold under a restricted system
model that makes two assumptions, which may not always be satisfied in practice:
-1. No cross-site adaptivity in data generation. A site’s queryable data stream (impressions
+1. *No cross-site adaptivity in data generation.* A site’s queryable data stream (impressions
and conversions) must be generated independently of past DP query results from other sites.
-2. No leakage through cross-site shared limits. Queries from one site must not affect which
+2. *No leakage through cross-site shared limits.* Queries from one site must not affect which
reports are emitted to others.
Assumption 1 is necessary because the system involves multiple sites that could interact
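Review bot: alongside adding emphasis, this hunk silently fixes the stray space in `safety limits .` from the previous commit, which is the right fix but is worth a mention in the commit message since `fix format` hides it. The emphasized titles `*No cross-site adaptivity in data generation.*` and `*No leakage through cross-site shared limits.*` now carry the full stop inside the emphasis; that is consistent between the two items, so keep it that way.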
@@ -2373,9 +2373,9 @@ These results suggest that per-site protections should be regarded as theoretica
of an ideal per-site individual DP guarantee that can be established only under certain assumptions.
The extent to which privacy protection from per-site budgets may be impacted in practice remains unknown.
-By contrast, the analysis shows that safety limits -- which operate at global level,
-excluding [=site=] from the [=privacy unit=] -- can be implemented to deliver sound global individual
-DP guarantees regardless of whether either assumption is satisfied.
+By contrast, the analysis shows that *safety limits* -- which operate at global level,
+excluding [=site=] from the [=privacy unit=] -- can be implemented to deliver *sound global individual
+DP guarantees* regardless of whether either assumption is satisfied.
### Browser Instances ### {#dp-instance}
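Review bot: the emphasized span `*sound global individual` / `DP guarantees*` is split across a line break; inline emphasis normally survives a soft break inside a paragraph, but keeping `*sound global individual DP guarantees*` on one line avoids relying on that and keeps the source easy to scan. Check the rendered output once to confirm that both the `--` dashes and the emphasis render as intended.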
From 5b54331cddca4d9f0300b23ae7b982d5f3e4291c Mon Sep 17 00:00:00 2001
From: "Benjamin M. Case" <35273659+bmcase@users.noreply.github.com>
Date: Tue, 9 Sep 2025 08:30:20 -0400
Subject: [PATCH 5/5] fmt fixes
---
api.bs | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/api.bs b/api.bs
index 9afffb1..29b9d8b 100644
--- a/api.bs
+++ b/api.bs
@@ -2345,11 +2345,11 @@ budgets include [=site=] in the [=privacy unit=], whereas safety limits exclude
thereby enforcing a global individual DP guarantee.
The analysis shows that *per-site individual DP guarantees* hold under a restricted system
- model that makes two assumptions, which may not always be satisfied in practice:
+model that makes two assumptions, which may not always be satisfied in practice:
1. *No cross-site adaptivity in data generation.* A site’s queryable data stream (impressions
and conversions) must be generated independently of past DP query results from other sites.
-2. *No leakage through cross-site shared limits.* Queries from one site must not affect which
+1. *No leakage through cross-site shared limits.* Queries from one site must not affect which
reports are emitted to others.
Assumption 1 is necessary because the system involves multiple sites that could interact
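Review bot: changing the second list marker from `2.` to `1.` relies on the markdown processor to renumber the ordered list; the rendered output is the same, but the paragraphs immediately following refer to `Assumption 1` and `Assumption 2` by number, so explicit `1.`/`2.` markers in the source keep that mapping obvious to anyone reading the raw `.bs` file. Removing the leading space from ` model that makes two assumptions` is a correct fix.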
@@ -3178,7 +3178,7 @@ spec:structured header; type:dfn; urlPrefix: https://httpwg.org/specs/rfc9651;
"title": "Cookie Monster: Efficient On-device Budgeting for Differentially-Private Ad-Measurement Systems",
"publisher": "SOSP'24"
},
- "ppa-dp-2": {
+ "ppa-dp-2": {
"authors": [
"Pierre Tholoniat",
"Alison Caulfield",
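Review bot: the `-`/`+` pair for `"ppa-dp-2": {` is identical in text, so this is an indentation-only change; that is fine under a `fmt fixes` subject, but make sure the new indentation matches the sibling entries such as `"prio": {` in the same biblio block so later diffs against this block stay clean.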
@@ -3193,7 +3193,6 @@ spec:structured header; type:dfn; urlPrefix: https://httpwg.org/specs/rfc9651;
],
"href": "https://arxiv.org/abs/2506.05290",
"title": "Big Bird: Privacy Budget Management for W3C's Privacy-Preserving Attribution API",
- "publisher": "arXiv"
},
"prio": {
"authors": [
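Review bot: removing `"publisher": "arXiv"` leaves the preceding `"title": "Big Bird: ...",` line with a trailing comma directly before the closing `},`; bikeshed parses this biblio block as JSON, which does not accept a trailing comma before `}`, so drop the comma from the `title` line (or keep a final field). With the field gone this entry has no publisher while the adjacent `Cookie Monster` entry lists `SOSP'24`; omitting it for a preprint is a reasonable choice, but the trailing comma needs to go in the same commit.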