Private Click Measurement

1. Introduction

This section is non-normative.

A popular business model for the web is to get attribution and payment for clicks, for instance ad clicks that result in purchases or sign-ups. Traditionally, such attribution has been facilitated by user or device identifying cookies sent in cross-site HTTP requests. However, the same technology can be and has been used for privacy invasive cross-site tracking of users.

The technology described in this document is intended to allow for click attribution, such as ad click attribution, while disallowing arbitrary cross-site tracking.

1.1. Goals

• Support click attribution or measurement of clicks across websites.

• Preserve user privacy, specifically prevent cross-site tracking of users.

1.2. Terminology

click

This document will use the term “click” for any kind of user gesture on web content that invokes the navigation to a link destination, such as clicks, taps, and use of accessibility tools.

attribution

A user action on one website is attributed to a preceding click, meaning that the source of the click should receive attribution for the user action.

The four parties involved in this technology are:

user

They click, end up on a destination website, and perform an action that triggers attribution, such as a purchase.

user agent

The web browser that acts on behalf of the user and facilitates click attribution.

click source website

The first-party website where the user clicks.

attribution destination website

The destination website where the user performs an action that triggers attribution.

The data consumed by the user agent to support private click measurement is:

attribution source id

An eight-bit decimal value identifying the content that was clicked to navigate to the destination. This means support for 255 unique pieces of content, such as ads, per attribution destination on the click source. Example: merchant.example can run up to 255 concurrent ad campaigns on search.example. The valid decimal values are 0 to 255.

trigger data

A four-bit decimal value encoding the user action that triggers the attribution. This value may encode things like specific steps in a sales funnel or the value of the sale in buckets, such as less than $10, between $10 and $50, between $51 and $200, above $200, and so on. The valid decimal values are 00 to 15.

optional trigger priority

An optional six-bit decimal value encoding the priority of the triggering event. The priority is only intended for the user agent to be able to pick the most important trigger data if there are multiple. One such case may be after the user has taken step 1 through 3 in a sales funnel and the third step is the most important to get attribution for. The valid decimal values are 00 to 63.

The final step in private click measurement results in an:

attribution report

An report comprised of the click source website, attribution source id, attribution destination website, and trigger data.

1.3. A High Level Scenario

A high level example of a scenario where the described technology is intended to come into play is this:

1. A user searches for something on search.example's website.

2. The user is shown an ad for a product and clicks it.

3. The click source website, search.example, informs the user agent (see § 2 Click Source Link Format):

   • That it will want attribution for this click.

   • What the intended attribution destination website is.

   • What the attribution source id is.

4. The user agent navigates and takes note that the user landed on the intended attribution destination website.

5. The user’s activity on the attribution destination website leads to a triggering event.

6. A third-party HTTP request is made on the attribution destination website to ​https://search.example/.well-known/private-click-measurement/trigger-attribution/ with trigger data.

7. The user agent checks for stored clicks for the click source-attribute-on pair and if there’s a hit, makes or schedules an HTTP POST request to ​https://search.example/.well-known/private-click-measurement/report-attribution/ with the corresponding attribution report.

   One thing to consider here is whether there should be an option to send the attribution report to the attribution destination website too.

2. Click Source Link Format

This specification adds two attributes to the HTMLAnchorElement interface. Authors can use these attributes in HTML content like so (where 17 is an attribution source id and https://destination.example/ is an attribution destination website):

<a attributionsourceid="17" attributiondestination="https://destination.example/">

Formally:

partial interface HTMLAnchorElement {
    [CEReactions] attribute unsigned long attributionSourceId;
    [CEReactions] attribute DOMString attributionDestination;
};

The IDL attributes attributionSourceId and attributionDestination must reflect the attributionsourceid and attributiondestination content attributes, respectively.

Should these attributes be on HTMLHyperlinkElementUtils instead? <https://github.com/privacycg/private-click-measurement/issues/1>

If an element with such attributes triggers a top frame navigation that lands, possibly after HTTP redirects, on the attribution destination website, the user agent stores the request for click attribution as the tuple ( click source website, attribution destination website, attribution source id ). If any of the conditions do not hold, such as the attribution source id not being a valid eight-bit decimal value, the request for click attribution is ignored.

3. Triggering of Click Attribution

Triggering of attribution is what happens when there is a triggering event.

Existing ad click attribution relies on third-party HTTP requests to the click source website or other websites and these requests are typically the result of invisible image elements or "tracking pixels" placed in the DOM solely to fire HTTP GET requests. To allow for a smooth transition from these old pixel requests to Private Click Measurement, a server-side redirect to a well-known location is used as triggering mechanism. [WELL-KNOWN]

4. Attribution Report Format

An attribution report has this JSON format:

{ "source_engagement_type":"click", "source_site":"search.example", "source_id":3, "attributed_on_site":"destination.example", "trigger_data":12, "version":1 }

5. Receiving Attribution Reports

1. The user agent makes or schedules a secure HTTP POST request to the URL returned by generating an attribution report URL for click source website with an attribution report. The use of HTTP POST is intentional in that it differs from the HTTP GET redirect used to trigger the attribution and in that it is not expected to be idempotent. ISSUE: We may have to add a nonce to the HTTP POST request to prohibit double counting in cases where the user agent decides to retry the request.

If there are multiple ad click attribution requests for the same click source-attribute-on pair, the one with the highest optional trigger priority will be the one sent and the rest discarded.

This needs to be reworked to monkeypatch HTML’s "follows a hyperlink" algorithm.

6. Well-Known URLs

6.1. Triggering Event URL

6.2. Attribution Report URL

7. Click source/attribute-on pairs

An click source-attribute-on pair is a tuple of two sites: (source, attribute-on).

8. N-bit decimal values

A four-bit decimal value is a string for which the extract a four-bit decimal value algorithm does not return failure. A six-bit decimal value is a string for which the extract a six-bit decimal value algorithm does not return failure. A eight-bit decimal value is an unsigned long between 0 and 255 inclusive.

9. Modern Triggering of Attribution

We envision a JavaScript API and a same-site "pixel" redirect on the attribution destination website as a modern triggering event. This removes the necessity for third-party "pixels" and would allow the attribution destination website to fire a triggering event without direct dependencies to the exact click source websites where their incoming clicks are coming from.

10. Privacy Considerations

The total entropy in Private Click Measurement HTTP requests is 12 bits (8+4), which means 4096 unique values can be managed for each click source-attribute-on pair.

With no other means of cross-site tracking, the click source website and the attribution destination website have no joint view of the user or the device. This restricts the entropy under control to 8 bits, or 256 values, at any moment.

We believe these restrictions avoid general cross-site tracking while still providing useful click attribution at web scale.

In the interest of user privacy, user agents are encouraged to deploy the following restrictions to when and how they make secure HTTP POST requests to an Attribution Report URL:

• The user agent targets a delay of attribution report requests by 24–48 hours. However, the user agent might not be running or the user’s device may be or disconnected from the internet, in which case the request may be delayed further.

• The user agent only holds on to the tuple (click source website, attribution destination website, attribution source id) for 7 days, i.e. one week of potential click attribution.

• The user agent doesn’t guarantee any specific order in which multiple attribution report requests for the same attribution destination website are sent, since the order itself could be abused to increase the entropy.

• The user agent uses an ephemeral session (a.k.a. private or incognito mode) to make attribution report requests.

• The user agent doesn’t use or accept any credentials such as cookies, client certificates, or Basic Authentication in attribution report requests or responses.

• The user agent may use a central clearinghouse to further anonymize attribution report requests, should a trustworthy clearinghouse exist.

• The user agent offers users a way to turn Private Click Measurement on and off.

• The user agent doesn’t support Private Click Measurement in private/incognito mode.

11. Performance Considerations

The user agent may want to limit the amount of stored click attribution data. Limitations can be set per click source website, per attribution destination website, and on the total amount of click attribution data.

12. IANA considerations

This document defines the ".well-known" URIs "trigger-attribution" and "report-attribution". These registrations will be submitted to the IESG for review, approval, and registration with IANA using the template defined in [WELL-KNOWN] as follows:

URI suffix

"trigger-attribution"

"report-attribution"

Change controller

W3C

Specification document(s)

This document is the relevant specification. (See § 6.1 Triggering Event URL § 6.2 Attribution Report URL.)

Related information:

None.

13. Related Work

The Improving Web Advertising Business Group has related work that started in January 2019. It similarly uses a .well-known path with no cookies. [METRICS]

Brave publised a security and privacy model for ad confirmations in March 2019. [CONFIRMATIONS]

Google Chrome published an explainer document on May 22, 2019, for a very similar technology. They cross-reference this spec in its earlier form on the WebKit wiki. [EVENT-LEVEL]

14. Acknowledgements

Thanks to Brent Fulgham, Ehsan Akghari, Erik Neuenschwander, Jason Novak, Maciej Stachowiak, Mark Xue, and Steven Englehardt for their feedback on this proposal.