Private Click Measurement

1. Introduction

This section is non-normative.

A popular business model for the web is to get attribution and payment for clicks, for instance ad clicks that result in purchases or sign-ups. Traditionally, such attribution has been facilitated by user or device identifying cookies sent in cross-site HTTP requests. However, the same technology can be and has been used for privacy invasive cross-site tracking of users.

The technology described in this document is intended to allow for click attribution, such as ad click attribution, while disallowing arbitrary cross-site tracking.

1.1. Goals

Support click attribution or measurement of clicks across websites.
Preserve user privacy, specifically prevent cross-site tracking of users.

1.2. Terminology

click: This document will use the term “click” for any kind of user gesture on web content that invokes the navigation to a link destination, such as clicks, taps, and use of accessibility tools.
attribution: A user action on one website is attributed to a preceding click, meaning that the source of the click should receive attribution for the user action.

The four parties involved in this technology are:

user: They click, end up on a destination website, and perform an action that triggers attribution, such as a purchase.
user agent: The web browser that acts on behalf of the user and facilitates click attribution.
click source website: The first-party website where the user clicks.
attribution destination website: The destination website where the user performs an action that triggers attribution.

The data consumed by the user agent to support private click measurement is:

attribution source id: An eight-bit decimal value identifying the content that was clicked to navigate to the destination. This means support for 255 unique pieces of content, such as ads, per attribution destination on the click source. Example: merchant.example can run up to 255 concurrent ad campaigns on search.example. The valid decimal values are 0 to 255.
trigger data: A four-bit decimal value encoding the user action that triggers the attribution. This value may encode things like specific steps in a sales funnel or the value of the sale in buckets, such as less than $10, between $10 and $50, between $51 and $200, above $200, and so on. The valid decimal values are 00 to 15.
optional trigger priority: An optional six-bit decimal value encoding the priority of the triggering event. The priority is only intended for the user agent to be able to pick the most important trigger data if there are multiple. One such case may be after the user has taken step 1 through 3 in a sales funnel and the third step is the most important to get attribution for. The valid decimal values are 00 to 63.

The final step in private click measurement results in an:

attribution report: An report comprised of the click source website, attribution source id, attribution destination website, and trigger data.

1.3. A High Level Scenario

A high level example of a scenario where the described technology is intended to come into play is this:

A user searches for something on search.example's website.
The user is shown an ad for a product and clicks it.
The click source website, search.example, informs the user agent (see § 2 Click Source Link Format):
- That it will want attribution for this click.
- What the intended attribution destination website is.
- What the attribution source id is.
The user agent navigates and takes note that the user landed on the intended attribution destination website.
The user’s activity on the attribution destination website leads to a triggering event.
A third-party HTTP request is made on the attribution destination website to https://search.example/.well-known/private-click-measurement/trigger-attribution/ with trigger data.
The user agent checks for stored clicks for the click source-attribute-on pair and if there’s a hit, makes or schedules an HTTP POST request to https://search.example/.well-known/private-click-measurement/report-attribution/ with the corresponding attribution report.

One thing to consider here is whether there should be an option to send the attribution report to the attribution destination website too.

2. Click Source Link Format

This specification adds two attributes to the HTMLAnchorElement interface. Authors can use these attributes in HTML content like so (where 17 is an attribution source id and https://destination.example/ is an attribution destination website):

<a attributionsourceid="17" attributiondestination="https://destination.example/">

Formally:

partial interface HTMLAnchorElement {
    [CEReactions] attribute unsigned long attributionSourceId;
    [CEReactions] attribute DOMString attributionDestination;
};

The IDL attributes attributionSourceId and attributionDestination must reflect the attributionsourceid and attributiondestination content attributes, respectively.

Should these attributes be on HTMLHyperlinkElementUtils instead? <https://github.com/privacycg/private-click-measurement/issues/1>

If an element with such attributes triggers a top frame navigation that lands, possibly after HTTP redirects, on the attribution destination website, the user agent stores the request for click attribution as the tuple ( click source website, attribution destination website, attribution source id ). If any of the conditions do not hold, such as the attribution source id not being a valid eight-bit decimal value, the request for click attribution is ignored.

3. Triggering of Click Attribution

Triggering of attribution is what happens when there is a triggering event.

Existing ad click attribution relies on third-party HTTP requests to the click source website or other websites and these requests are typically the result of invisible image elements or "tracking pixels" placed in the DOM solely to fire HTTP GET requests. To allow for a smooth transition from these old pixel requests to Private Click Measurement, a server-side redirect to a well-known location is used as triggering mechanism. [WELL-KNOWN]

To generate a triggering event, the top frame context of an attribution destination website page needs to do the following:

An HTTP GET request to the click source website. This HTTP request may be the result of an HTTP redirect, such as searchUK.example HTTP 302 redirect to search.example. The use of HTTP GET is intentional in that existing “pixel requests” can be repurposed for this and in that the HTTP request should be idempotent.
A secure HTTP GET redirect to the URL returned by generating a triggering event URL for click source website with trigger data and optional trigger priority. This mandatory redirect ensures that the click source website is in control of who can trigger click attribution on its behalf and optionally what the priority is. If the user agent gets such an HTTP request, it will check its stored clicks, and if there’s a match for (click source website, attribution destination website), attribution has been triggered for that stored click.

4. Attribution Report Format

An attribution report has this JSON format:

{ "source_engagement_type":"click", "source_site":"search.example", "source_id":3, "attributed_on_site":"destination.example", "trigger_data":12, "version":1 }

5. Receiving Attribution Reports

The user agent makes or schedules a secure HTTP POST request to the URL returned by generating an attribution report URL for click source website with an attribution report. The use of HTTP POST is intentional in that it differs from the HTTP GET redirect used to trigger the attribution and in that it is not expected to be idempotent. ISSUE: We may have to add a nonce to the HTTP POST request to prohibit double counting in cases where the user agent decides to retry the request.

If there are multiple ad click attribution requests for the same click source-attribute-on pair, the one with the highest optional trigger priority will be the one sent and the rest discarded.

This needs to be reworked to monkeypatch HTML’s "follows a hyperlink" algorithm.

6. Well-Known URLs

6.1. Triggering Event URL

Clients generate a tiggering event URL for source site with trigger data and optional trigger priority by following these steps:

Let url be the result of concatenating the strings « ".well-known", "private-click-measurement", "trigger-attribution", trigger data, optional trigger priority » using the separator U+002F (/).
Return the result of calling URL(url, base) with url url and base source site.

6.2. Attribution Report URL

User agents generate an attribution report URL for source site by following these steps:

Let url be ".well-known/private-click-measurement/report-attribution/".
Return the result of calling URL(url, base) with url url and base source site.

7. Click source/attribute-on pairs

An click source-attribute-on pair is a tuple of two sites: (source, attribute-on).

8. N-bit decimal values

A four-bit decimal value is a string for which the extract a four-bit decimal value algorithm does not return failure. A six-bit decimal value is a string for which the extract a six-bit decimal value algorithm does not return failure. A eight-bit decimal value is an unsigned long between 0 and 255 inclusive.

The strings "00" and "15" are both four-bit decimal values, whereas "7", "20", and "!!11one" are not.

Clients from a string string by running these steps:

If string’s length is not 2, return failure.
Let tens be the code unit at position 0 within string, and ones be the code unit at position 1.
If tens is less than U+0030 (0) or greater than U+0031 (1), return failure.
If ones is less than U+0030 (0) or greater than U+0039 (9), return failure.
If tens is U+0031 (1) and ones is greater than U+0035 (5), return failure.
Return (tens - 30) * 10 + ones - 30.

The strings "00" and "63" are both six-bit decimal values, whereas "7", "98", and "!!11one" are not.

Clients from a string string by running these steps:

If string’s length is not 2, return failure.
Let tens be the code unit at position 0 within string, and ones be the code unit at position 1.
If tens is less than U+0030 (0) or greater than U+0036 (6), return failure.
If ones is less than U+0030 (0) or greater than U+0039 (9), return failure.
If tens is U+0036 (6) and ones is greater than U+0033 (3), return failure.
Return (tens - 30) * 10 + ones - 30.

9. Modern Triggering of Attribution

We envision a JavaScript API and a same-site "pixel" redirect on the attribution destination website as a modern triggering event. This removes the necessity for third-party "pixels" and would allow the attribution destination website to fire a triggering event without direct dependencies to the exact click source websites where their incoming clicks are coming from.

10. Privacy Considerations

The total entropy in Private Click Measurement HTTP requests is 12 bits (8+4), which means 4096 unique values can be managed for each click source-attribute-on pair.

With no other means of cross-site tracking, the click source website and the attribution destination website have no joint view of the user or the device. This restricts the entropy under control to 8 bits, or 256 values, at any moment.

We believe these restrictions avoid general cross-site tracking while still providing useful click attribution at web scale.

In the interest of user privacy, user agents are encouraged to deploy the following restrictions to when and how they make secure HTTP POST requests to an Attribution Report URL:

The user agent targets a delay of attribution report requests by 24–48 hours. However, the user agent might not be running or the user’s device may be or disconnected from the internet, in which case the request may be delayed further.
The user agent only holds on to the tuple (click source website, attribution destination website, attribution source id) for 7 days, i.e. one week of potential click attribution.
The user agent doesn’t guarantee any specific order in which multiple attribution report requests for the same attribution destination website are sent, since the order itself could be abused to increase the entropy.
The user agent uses an ephemeral session (a.k.a. private or incognito mode) to make attribution report requests.
The user agent doesn’t use or accept any credentials such as cookies, client certificates, or Basic Authentication in attribution report requests or responses.
The user agent may use a central clearinghouse to further anonymize attribution report requests, should a trustworthy clearinghouse exist.
The user agent offers users a way to turn Private Click Measurement on and off.
The user agent doesn’t support Private Click Measurement in private/incognito mode.

11. Performance Considerations

The user agent may want to limit the amount of stored click attribution data. Limitations can be set per click source website, per attribution destination website, and on the total amount of click attribution data.

12. IANA considerations

This document defines the ".well-known" URIs "trigger-attribution" and "report-attribution". These registrations will be submitted to the IESG for review, approval, and registration with IANA using the template defined in [WELL-KNOWN] as follows:

URI suffix: "trigger-attribution"; "report-attribution"
Change controller: W3C
Specification document(s): This document is the relevant specification. (See § 6.1 Triggering Event URL § 6.2 Attribution Report URL.)
Related information:: None.

The Improving Web Advertising Business Group has related work that started in January 2019. It similarly uses a .well-known path with no cookies. [METRICS]

Brave publised a security and privacy model for ad confirmations in March 2019. [CONFIRMATIONS]

Google Chrome published an explainer document on May 22, 2019, for a very similar technology. They cross-reference this spec in its earlier form on the WebKit wiki. [EVENT-LEVEL]

14. Acknowledgements

Thanks to Brent Fulgham, Ehsan Akghari, Erik Neuenschwander, Jason Novak, Maciej Stachowiak, Mark Xue, and Steven Englehardt for their feedback on this proposal.

Conformance

Document conventions

Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology. The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification.

All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. [RFC2119]

Examples in this specification are introduced with the words “for example” or are set apart from the normative text with class="example", like this:

This is an example of an informative example.

Informative notes begin with the word “Note” and are set apart from the normative text with class="note", like this:

Note, this is an informative note.

Conformant Algorithms

Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("must", "should", "may", etc) used in introducing the algorithm.

Conformance requirements phrased as algorithms or specific steps can be implemented in any manner, so long as the end result is equivalent. In particular, the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant. Implementers are encouraged to optimize.