Cookie Monster: Efficient On-device Budgeting for Differentially-Private Ad-Measurement Systems

TL;DR

Cookie Monster introduces an efficient differential privacy budgeting system for on-device ad measurement, improving privacy guarantees and measurement accuracy in privacy-preserving advertising APIs.

Contribution

It presents a novel DP budgeting approach tailored for on-device ad measurement, enhancing privacy guarantees and efficiency over traditional methods.

Findings

Significantly outperforms baselines in measurement accuracy.

Enables more measurements under the same privacy constraints.

Successfully integrated into Chrome for real-world evaluation.

Abstract

With the impending removal of third-party cookies from major browsers and the introduction of new privacy-preserving advertising APIs, the research community has a timely opportunity to assist industry in qualitatively improving the Web's privacy. This paper discusses our efforts, within a W3C community group, to enhance existing privacy-preserving advertising measurement APIs. We analyze designs from Google, Apple, Meta and Mozilla, and augment them with a more rigorous and efficient differential privacy (DP) budgeting component. Our approach, called Cookie Monster, enforces well-defined DP guarantees and enables advertisers to conduct more private measurement queries accurately. By framing the privacy guarantee in terms of an individual form of DP, we can make DP budgeting more efficient than in current systems that use a traditional DP definition. We incorporate Cookie Monster into Chrome and evaluate it on microbenchmarks and advertising datasets. Across workloads, Cookie Monster significantly outperforms baselines in enabling more advertising measurements under comparable DP protection.