
Combining joinAdInterestGroup Calls #188

Closed
jeffkaufman opened this issue May 27, 2021 · 9 comments

Comments

@jeffkaufman
Contributor

The spec currently reads:

Successive calls to joinAdInterestGroup() will overwrite the previously-stored values for any interest group properties, like the group's user_bidding_signals or list of ads.

This would allow someone to build up an interestGroup across visits to multiple sites. For example, on one site they could set userBiddingSignals, on another trustedBiddingSignalsKeys, and on another dailyUpdateUrl, all with the same owner and name.

Our understanding was that this was not compatible with the privacy model; this is why #162 proposes generateBid be called once per pair of site and owner, and not once per owner.

Perhaps partial overwriting behavior should be limited to successive calls on the same site? Or simply removed?

@vincent-grosbois

From my understanding, successive calls to joinAdInterestGroup will reset and overwrite all the fields, so you can't accumulate info over successive calls.

@jeffkaufman
Contributor Author

That's possible, though if that were the case I would expect the explainer to read something like "Successive calls to joinAdInterestGroup() will overwrite the previously-stored interest group".

@vincent-grosbois

vincent-grosbois commented Jun 4, 2021

My message above was more in reference to the actual Chromium implementation (as far as I could check), where successive calls to JoinAdInterestgroup seem to overwrite all fields.
However, I'm not sure what the intention is here when calling UpdateAdInterestgroup (cf. #190).
I agree with you that it's a security problem if an interest group can have some info coming from a given domain and be updated with info from another domain. Probably the knowledge of just the owner is not enough in that case, and Fledge should have the knowledge of the actual domain where we execute the script (this info is never saved currently).

@MattMenke2
Contributor

In terms of the current implementation, subsequent calls overwrite all previous data (though updates do not). It's not entirely clear to me if this is actually needed for privacy - if we make sure ads, script requests, and reports are all k-anonymous, and we trust the trusted server, is being able to combine cross-site data in a single InterestGroup's worklet concerning in terms of privacy? I'm not sure it is.

@vincent-grosbois

Hello @MattMenke2 @michaelkleber!
Could we have some kind of "official" confirmation or refutation of the claim made above?

Basically imagine the following setup:

  • Advertiser on Domain A is owned by Owner O, creates IG "ig1", with user bidding signal {"is from domain A" : 1}
  • Advertiser on Domain B is owned by Owner O, calls "update interest group" with IG name "ig1", with user bidding signal {"is from domain B" : 1}

What would be the content of the user bidding signal for "ig1"? Would it be a merged version of both, or would the latest version overwrite the initial version?

Thanks!

@jeffkaufman
Contributor Author

@vincent-grosbois if by "update interest group" you mean navigator.updateAdInterestGroups(), that doesn't take user bidding signals?

It's not clear to me from your question whether you are asking about (a) two calls to JoinAdInterestGroup() with the same IG owner+name but different values or (b) one call to JoinAdInterestGroup() and then the result of the browser fetching dailyUpdateUrl?

@vincent-grosbois

if by "update interest group" you mean navigator.updateAdInterestGroups()

I meant that one, yes.
Sorry, I missed that it doesn't take user bidding signals as an argument.
However, we can imagine the exact same scenario with trusted bidding signals:

  • Advertiser on Domain A is owned by Owner O, creates IG "ig1", with trusted bidding signal key "is from domain A"
  • Advertiser on Domain B is owned by Owner O, calls "update interest group" with IG name "ig1", with trusted bidding signal key "is from domain B"

What would be the content of the trusted bidding signal keys for "ig1"? Would it be a merged version of both, or would the latest version overwrite the initial version?
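The cross-site scenario discussed in the original post and in the domain A / domain B comments above, modelled as an added example (not Chromium's code and not spec text): a small browser-side store that applies three candidate semantics for a repeated join with the same owner and name, showing which of them lets data written on two different sites end up in one interest group. The helper names, the example origins and the policy names are all assumed for illustration.

```javascript
// Candidate semantics for a second joinAdInterestGroup() with the same
// (owner, name). Hypothetical model; the real browser store is not this.
const POLICY = {
  OVERWRITE_ALL: "overwrite-all",     // what the Chromium comment above describes
  MERGE_ANY_SITE: "merge-any-site",   // the reading of the explainer the issue worries about
  MERGE_SAME_SITE: "merge-same-site", // the "limit partial overwriting to the same site" proposal
};

// Store keyed by owner + name. Each record also remembers the top-level
// site that last wrote it, which the same-site-only variant needs (the
// thread notes this is not recorded today).
function makeStore() {
  return new Map();
}

function joinInterestGroup(store, policy, joiningSite, group) {
  const key = `${group.owner}\u0000${group.name}`;
  const prev = store.get(key);
  let record;
  if (!prev || policy === POLICY.OVERWRITE_ALL ||
      (policy === POLICY.MERGE_SAME_SITE && prev.joiningSite !== joiningSite)) {
    record = { ...group };                 // fresh copy: earlier fields are dropped
  } else {
    record = { ...prev.group, ...group };  // later fields win, missing ones survive
  }
  store.set(key, { joiningSite, group: record });
  return record;
}

// Owner O joins "ig1" from site A with userBiddingSignals, then from site B
// with trustedBiddingSignalsKeys (constructed origins).
function runScenario(policy, secondSite = "https://b.example") {
  const store = makeStore();
  const owner = "https://owner.example";
  joinInterestGroup(store, policy, "https://a.example",
    { owner, name: "ig1", userBiddingSignals: { fromA: 1 } });
  return joinInterestGroup(store, policy, secondSite,
    { owner, name: "ig1", trustedBiddingSignalsKeys: ["fromB"] });
}

// True when the stored group carries fields written from two different sites.
function leaksCrossSite(policy) {
  const g = runScenario(policy);
  return "userBiddingSignals" in g && "trustedBiddingSignalsKeys" in g;
}
```

Only the merge-any-site reading accumulates both sites' fields; overwrite-all keeps just the last call, and merge-same-site still lets one site build its group up across its own successive calls (pass the same origin as `secondSite`).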

@jeffkaufman
Contributor Author

@vincent-grosbois navigator.updateAdInterestGroups() doesn't take any arguments at all. Not user bidding signals, but also not trusted bidding signals.

@JensenPaul
Collaborator

Closing as I believe joinAdInterestGroup() and updateAdInterestGroups() should be well defined in the spec. Feel free to reopen or file another issue if you have further questions.
