Per-reporting-site privacy budgeting

[csharrison]

I want to consider moving privacy budgeting in ARA to be per-site (eTLD+1), rather than a mix of per-site and per-origin budgeting. There are a few reasons to do this:

• The site is typically a more natural unit of privacy than the origin
• It avoids abuse potential for cases of things like wildcard domains which are (arguably) easier to mint than domains to exceed privacy limits

The relevant limits in the spec that consider origins are:

1. Max destinations covered by unexpired sources: x unique destinations per (source site, reporting origin)
2. Max attributions per rate-limit window: x attributions per (source site, attribution destination, reporting origin, time window)
3. Max attribution reporting endpoints per rate-limit window: x reporting origins per (source site, attribution destination, time window) counted per attribution
4. Max source reporting endpoints per rate-limit window: x reporting origins per (source site, attribution destination, time window) counted per source registration

If we just modify all origins to be sites, (1) and (2) are tightened and (3) and (4) are loosened. For this reason, I propose we keep (3) and (4) per-origin to avoid regressing privacy. Note that this change may have a negative utility impact, for cases where a given publisher / advertiser pair is using many reporting origins which share a site. In my mind, this isn’t a legitimate use-case to achieve more privacy budget, though we're certainly open to feedback if this change puts at risk legitimate use-cases.

cc @arturjanc

[bmayd]

Can you clarify what you mean when you refer to "site"?

[csharrison]

Updated the comment, I am referring to a site as an eTLD+1 matching this spec definition: https://html.spec.whatwg.org/multipage/browsers.html#site