Skip to content

Randomized Response for Private Advertising Analytics

Moritz Haller edited this page Dec 4, 2020 · 4 revisions
Clone this wiki locally

Measuring and attributing campaign performance is critical for marketers and advertisers. The introduction of Brave Ads included our anonymous-but-accountable ad event confirmation reporting protocol, providing advertisers with the ability to measure awareness and engagement for their campaigns from first impressions, through successful conversions.

We have received consistent requests from advertisers for additional features related to forecasting available inventory across groups of content categories and intent segments to assist with media planning. While Brave Ads are opt-in, there's an ongoing need to continuously optimize and enhance our reporting and forecasting capabilities to learn which brands our users have an interest in, and for brands to plan their media spend most effectively with our platform. This need becomes increasingly important as Brave continues to scale into a broader overall desktop and mobile audience, in addition to Brave Ads now being supported in over 190 countries.

As a privacy-preserving ad platform, unlike other advertising models, Brave Ads does not send user profiles to the cloud or put users at risk by exposing them to real-time online bidding. We employ a form of local differential privacy (LDP) called Randomized Response which scrambles user data before leaving the device. LDP guarantees that recipients of the data can’t infer anything with certainty about individual users. In aggregation, however, it enables meaningful statistical insight. The full protocol involves three steps:

  • Analogous to P3A any question has to be posed in a low resolution and multiple-choice-like format.
  • Before the answer leaves a user’s device the report will be scrambled by sending a random non-truthful answer roughly 75% of the time and sending the true answer only 1 in 4 times (the code is open source and can be inspected on GitHub).
  • In addition to client-side LDP, a reverse proxy (Cloudflare Spectrum) will blind our server from user IP addresses and establish unlinkability of the randomized reports.

The described mechanism ensures that Brave will never receive any linkable user-level data that could be revealed or analysed by Brave or a third party. This mechanism is enabled only after opting-in to Brave Ads.

The current set of questions is measuring the composition of ad opportunities and impressions with respect to their top-level advertising segments: Architecture, Arts & Entertainment, Automotive, Business, Careers, Cellphones, Crypto, Education, Family & parenting, Fashion, Folklore, Food & Drink, Gaming, Health & Fitness, History, Hobbies & Interests, Home, Law, Military, Other, Personal Finance, Pets, Real-estate, Science, Sports, Technology & Computing, Travel and Weather (full list on GitHub).