With the impending removal of third-party cookies from major browsers and the introduction of new privacy-preserving advertising APIs, the research community has a timely opportunity to assist industry in qualitatively improving the Web's privacy. This paper discusses our efforts, within a W3C community group, to enhance existing privacy-preserving advertising measurement APIs. We analyze designs from Google, Apple, Meta and Mozilla, and augment them with a more rigorous and efficient differential privacy (DP) budgeting component. Our approach, called Cookie Monster, enforces well-defined DP guarantees and enables advertisers to conduct more private measurement queries accurately. By framing the privacy guarantee in terms of an individual form of DP, we can make DP budgeting more efficient than in current systems that use a traditional DP definition. We incorporate Cookie Monster into Chrome and evaluate it on microbenchmarks and advertising datasets. Across workloads, Cookie Monster significantly outperforms baselines in enabling more advertising measurements under comparable DP protection.
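As an added illustration of the abstract's budgeting argument (not code from the paper, Chrome, or the W3C group), the toy on-device tracker below compares traditional per-query charging with individual-DP charging; the accounting rule it assumes (for a Laplace-noised sum with sensitivity `cap`, a device pays ε·|x|/cap, so a device with no relevant impressions pays nothing), and the device data, are my constructions.

```python
import random

class DeviceBudget:
    """Privacy budget held on one device (the on-device component the abstract describes)."""
    def __init__(self, epsilon_total):
        self.remaining = epsilon_total

    def try_charge(self, cost):
        """Deduct `cost` if affordable; otherwise refuse so the device is left out of the query."""
        if cost > self.remaining + 1e-9:
            return False
        self.remaining -= cost
        return True


def make_devices(ids, epsilon_total):
    # Constructed fleet: every device starts with the same total epsilon.
    return {d: DeviceBudget(epsilon_total) for d in ids}


def plan_charges(devices, contributions, epsilon, cap, individual):
    """Budget each device would pay for one sum query answered with Laplace noise of scale cap/epsilon.
    Traditional DP charges every device the full epsilon, whether or not it had relevant impressions.
    Individual DP charges a device only for the privacy loss its own capped contribution causes,
    epsilon * |x| / cap, which is 0 for devices that contribute nothing (assumed rule, see lead-in)."""
    charges = {}
    for dev_id in devices:
        x = min(abs(contributions.get(dev_id, 0.0)), cap)
        charges[dev_id] = epsilon if not individual else epsilon * x / cap
    return charges


def answer_query(devices, contributions, epsilon, cap, individual, rng=random):
    """Charge budgets, drop devices that cannot pay, and return (noisy sum, ids of included devices)."""
    included, total = [], 0.0
    for dev_id, cost in plan_charges(devices, contributions, epsilon, cap, individual).items():
        if devices[dev_id].try_charge(cost):
            included.append(dev_id)
            total += min(abs(contributions.get(dev_id, 0.0)), cap)
    scale = cap / epsilon  # Laplace scale calibrated to global sensitivity `cap`
    # The difference of two i.i.d. exponentials with rate 1/scale is Laplace(0, scale).
    noise = rng.expovariate(1 / scale) - rng.expovariate(1 / scale)
    return total + noise, sorted(included)
```

With four devices holding ε=1.0 each and queries of ε=0.5, traditional charging exhausts every device after two queries, while individual charging leaves the two devices with no impressions untouched and the low-contribution device with most of its budget.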