Big Bird: Resilient Privacy Budgeting Across Untrusted Web Domains
Pierre Tholoniat, Alison Caulfield, Giorgio Cavicchioli, Mark Chen, Benjamin Case, Asaf Cidon, Roxana Geambasu, Mathias Lécuyer, Martin Thomson

TL;DR
Big Bird introduces a global privacy-budget management system for web advertising measurement that ensures sound differential privacy guarantees across multiple untrusted domains, addressing Sybil attacks and preserving utility.
Contribution
The paper proposes Big Bird, a novel privacy-budget manager that enforces global device-epoch individual differential privacy (IDP), is resilient to depletion attacks, and is compatible with real-world ad-tech systems.
Findings
Big Bird provides rigorous global device-epoch IDP guarantees.
It demonstrates resilience to Sybil depletion attacks.
Empirical evaluation shows maintained utility under attack.
Abstract
The W3C Attribution API is an emerging standard for privacy-preserving advertising measurement. Its current privacy architecture enforces individual differential privacy (IDP) independently for each domain (e.g., an advertiser) issuing queries. We show that this guarantee is unsound under realistic system behavior: it fails under cross-querier data adaptivity and can also fail when shared limits are enforced across queriers. The issue is not the on-device accounting model itself -- device-epoch IDP -- but treating each querying domain in isolation. We propose Big Bird, a privacy-budget manager that makes global device-epoch IDP -- enforced jointly across all domains -- both sound and deployable for Attribution. Big Bird addresses the main obstacle to global enforcement in open multi-querier systems: denial-of-service depletion of a shared global budget by Sybil web domains. Its key…
