Privacy Sandbox on Android Developer Preview is here! Learn how to get started, and continue to provide feedback.

Attribution reporting

Provide feedback

Today, it's common for mobile attribution and measurement solutions to use cross-party identifiers, such as Advertising ID. The Attribution Reporting API is designed to provide improved user privacy by removing reliance on cross-party user identifiers, and to support key use cases for attribution and conversion measurement across apps and the web.

This API has the following structural mechanisms that offer a framework for improving privacy, which later sections in this document describe in more detail:

The preceding mechanisms limit the ability to link user identity across two different apps or domains.

The Attribution Reporting API supports the following use cases:

  • Conversion reporting: Help advertisers measure the performance of their campaigns by showing them conversion (trigger) counts and conversion (trigger) values across various dimensions, such as by campaign, ad group, and ad creative.
  • Optimization: Provide event-level reports that support optimization of ad spend, by providing per-impression attribution data that can be used to train ML models.
  • Invalid activity detection: Provide reports that can be used in invalid traffic and ad fraud detection and analysis.

At a high level, the Attribution Reporting API works as follows, which later sections of this document describe in more detail:

  1. The ad tech platform completes an enrollment process to use the Attribution Reporting API.
  2. The ad tech platform registers attribution sources—ad clicks or views—with the Attribution Reporting API.
  3. The ad tech platform registers triggers—user conversions on the advertiser app or website—with the Attribution Reporting API.
  4. The Attribution Reporting API matches triggers to attribution sources—a conversion attribution—and one or more triggers are sent off-device through event-level and aggregatable reports to ad tech platforms.

Enroll an ad tech platform

To access the Attribution Reporting API and to ensure that privacy mechanisms work as intended, all ad tech platforms (including Google's) need to complete a lightweight enrollment process. The details of this process are still in development, and we welcome your feedback.

The enrollment process ensures that ad tech platforms don't unnecessarily duplicate themselves to gain more information about a user's site and app activities. For example, the Attribution Reporting API limits the amount of tracking and information an ad tech platform can view for a given attribution source and trigger. More details on these limits appear in the section on viewing measurement data in attribution reports later in this document.

Businesses may register multiple times if there is a legitimate business need (such as operating multiple independent product lines), and they do not combine data from their multiple enrollments to bypass privacy restrictions.

During the enrollment process, ad tech platforms provide information such as the following:

  • Contact and business information
  • Postback URLs used for receiving event-level and aggregatable reports
  • Attribution Reporting API use cases

Register an attribution source (click or view)

The Attribution Reporting API refers to ad clicks and views as attribution sources. To register an ad click or ad view, call registerAttributionSource(). This API expects the following parameters:

  • Attribution source URI: The platform issues a request to this URI in order to fetch metadata associated with the attribution source.
  • Input event: Either an InputEvent object (for a click event) or null (for a view event).

When the API makes a request to the Attribution Source URI, the ad tech platform should respond with the attribution source metadata in a new HTTP header Attribution-Reporting-Register-Source, with the following fields:

  • Source event ID: A DOMString that encodes a 64-bit unsigned integer. This value represents the event-level data associated with this attribution source (ad click or view).
  • Destination: An origin whose eTLD+1 or app package name where the trigger event happens.
  • Expiry (optional): Expiry, in seconds, for when the source should be deleted off the device. Default is 30 days, with a minimum value of 2 days and a maximum value of 30 days. This is rounded to the nearest day.
  • Source priority (optional): A signed 64-bit integer used to select which attribution source a given trigger should be associated with, in case multiple attribution sources could be associated with the trigger.

    When a trigger is received, the API finds the matching attribution source with the highest source priority value and generates a report. Each ad tech platform can define its own prioritization strategy.

    A higher value indicates a higher priority.

  • Install and post-install attribution windows (optional): Used to determine attribution for post-install events, described later in this document.

The attribution source metadata response may include additional data in the following separate headers:

The following snippet shows the current design for attribution source data:

Attribution-Reporting-Register-Source: {
  "source_event_id": "[64 bit unsigned integer]",
  "destination": "[eTLD+1 or app package name]",
  "expiry": "[64 bit signed integer]",
  "source_priority": "[64 bit signed integer]"
}
Attribution-Reporting-Register-Aggregate-Source: <aggregation-key-data>
Attribution-Reporting-Redirects: <Ad tech partner URLs>

The following steps show an example workflow:

  1. The ad tech SDK calls the API to initiate attribution source registration, specifying a URI for the API to call:

    registerAttributionSource(
        Uri.parse("https://adtech.example/attribution_source?my_ad_click_id=123"),
        myClickEvent);
    
  2. The API makes a request to https://adtech.example/attribution_source?my_ad_click_id=123, using one of the following headers:

    <!-- For click events -->
    Attribution-Reporting-Source-Info: navigation
    
    <!-- For view events -->
    Attribution-Reporting-Source-Info: event
    
  3. This ad tech platform's HTTPS server replies with headers containing the following:

    Attribution-Reporting-Register-Source: {
        "destination": "android-app://com.advertiser.example",
        "source_event_id": "234",
        "expiry": "60000",
        "source_priority": "5"
    }
    Attribution-Reporting-Redirects: https://adtechpartner1.example?their_ad_click_id=567,
    https://adtechpartner2.example?their_ad_click_id=890
    Attribution-Reporting-Source-Info: navigation
    
  4. The API makes a request to each URL specified in Attribution-Reporting-Redirects. In this example, two ad tech partner URLs are specified, so the API makes one request to https://adtechpartner1.example?their_ad_click_id=567 and another request to https://adtechpartner2.example?their_ad_click_id=890.

  5. This ad tech platform's HTTPS server replies with headers containing the following:

    Attribution-Reporting-Register-Source: {
        "destination": "android-app://com.advertiser.example",
        "source_event_id": "789",
        "expiry": "120000",
        "source_priority": "2"
    }
    

    Note that ad tech platforms' replies can specify different metadata in the Attribution-Reporting-Register-Source header.

Three navigation (click) attribution sources are registered based on the requests shown in the previous steps.

Register a trigger (conversion)

Ad tech platforms can register triggers—conversions such as installs or post-install events—using the triggerAttribution() method.

The triggerAttribution() method expects the Trigger URI parameter. The API issues a request to this URI to fetch metadata associated with the trigger.

The API follows redirects. The ad tech server response should include an HTTP header called Attribution-Reporting-Register-Event-Trigger, which represents information on one or more registered triggers. The header's content should be JSON-encoded and include the following fields:

  • Trigger data: Data to identify the trigger event (3 bits for clicks, 1 bit for views)
  • Trigger priority (optional): Signed 64-bit integer which represents the priority of this trigger compared to other triggers for the same attribution source
  • Deduplication key (optional): Signed 64-bit integer which is used to identify cases where the same trigger is registered multiple times by the same ad tech platform, for the same attribution source

The ad tech server response may include additional data in the following headers:

Multiple ad tech platforms can register the same trigger event using either redirects in the Attribution-Reporting-Redirects field or multiple calls to the triggerAttribution() method. We recommend that you use the deduplication key field to avoid including duplicate triggers in reports in the case that the same ad tech platform provides multiple responses for the same trigger event.

The following snippet shows the current design for trigger data:

Attribution-Reporting-Register-Event-Trigger: {
    // trigger_data returned in reports is truncated to the last 1 or 3 bits,
    // based on conversion type
    "trigger_data": "[unsigned 64-bit integer]",
    "trigger_priority": "[signed 64-bit integer]",
    "deduplication_key": "[signed 64-bit integer]"
}
Attribution-Reporting-Aggregate-Trigger-Data: <aggregation-key-data>
Attribution-Reporting-Aggregate-Values: <aggregation-value-data>
Attribution-Reporting-Redirects: <Ad tech partner URLs>

The following steps show an example workflow:

  1. The Ad tech SDK calls the API to initiate trigger registration, with a URI they enrolled with:

    triggerAttribution(
        Uri.parse("https://adtech.example/attribution_trigger?app_install=123"));
    
  2. The API makes a request to https://adtech.example/attribution_trigger?app_install=123.

  3. This ad tech platform's HTTPS server replies with headers containing the following:

    Attribution-Reporting-Register-Event-Trigger: {
        "trigger_data": "1122",
        // This returns 010 for click-through conversions (CTCs) and 0 for
        // view-through conversions (VTCs) in reports
        "trigger_priority": "3",
        "deduplication_key": "3344",
    }
    Attribution-Reporting-Redirects: https://adtechpartner.example?app_install=567
    
  4. The API makes a request to each URL specified in Attribution-Reporting-Redirects. In this example, only one URL is specified, so the API makes a request to https://adtechpartner.example?app_install=567.

  5. This ad tech platform's HTTPS server replies with headers containing the following:

    Attribution-Reporting-Register-Event-Trigger: {
        "trigger_data": "5566",
        "trigger_priority": "3",
        "deduplication_key": "3344"
    }
    

    Two triggers are registered based on the requests in the previous steps.

Source-prioritized attribution algorithm applied

The Attribution Reporting API employs a source-prioritized attribution algorithm to match a trigger (conversion) to an attribution source. In the case where multiple ad tech platforms register an attribution source, as described later in this document, this attribution happens independently for each ad tech platform. For each ad tech platform, the attribution source with the highest priority is attributed with the trigger event. If there are multiple attribution sources with the same priority, the API picks the last registered attribution source. Any other attribution sources, that aren't picked are discarded and are no longer eligible for future trigger attribution.

Post-install attribution

In some cases, there is a need for post-install triggers to be attributed to the same attribution source that drove the install, even if there are other eligible attribution sources that occurred more recently.

The API can support this use case by allowing ad tech platforms to set a post-install attribution period:

  • When registering an attribution source, specify an install attribution window during which installs are expected (generally 2-7 days, accepted range 2 to 30 days).
  • When registering an attribution source, specify a post-install attribution window where any post-install trigger events should be associated with the attribution source that drove the install (generally 7-30 days, accepted range 0 to 30 days).
  • The Attribution Reporting API validates when an app install happens and internally attributes the install to the source-prioritized attribution source. However, the install isn't sent to ad tech platforms and doesn't count against the platforms' respective rate limits.
  • Any future triggers that happen within the post-install attribution window are attributed to the same attribution source as the validated install, as long as that attribution source is eligible.

    We are looking into ways to support use cases where the user uninstalls and reinstalls the app.

In the future, we might explore extending the design to support more advanced attribution models.

All combinations of app- and web-based trigger paths are supported

The Attribution Reporting API enables attribution of the following trigger paths on a single Android device:

  • App-to-app: The user sees an ad in an app, then converts in either that app or another installed app.
  • App-to-web: The user sees an ad in an app, then converts in a mobile or app browser.
  • Web-to-app: The user sees an ad in a mobile or app browser, then converts in an app.
  • Web-to-web: The user sees an ad in a mobile or app browser, then converts in either the same browser or another browser on the same device.

We allow web browsers to support new web-exposed functionality, such as functionality that's similar to the Privacy Sandbox for the Web's Attribution Reporting API, which can call the Android APIs to enable attribution across app and web.

Prioritize multiple triggers for a single attribution source

A single attribution source can lead to multiple triggers. For example, a purchase flow could involve an "app install" trigger, one or more "add-to-cart" triggers, and a "purchase" trigger. Each trigger is attributed to one or more attribution sources according to the source-prioritized attribution algorithm, described later in this document.

There are limits on how many triggers can be attributed to a single attribution source; for more details, read the section on viewing measurement data in attribution reports later in this document. In the cases where there are multiple triggers beyond these limits, it's useful to introduce prioritization logic to get back the most valuable triggers. For example, the developers of an ad tech platform might want to prioritize getting "purchase" triggers over "add-to-cart" triggers.

To support this logic, a separate priority field can be set on the trigger, and the highest priority triggers are picked before limits are applied, within a given reporting window.

Allow multiple ad tech platforms to register attribution sources or triggers

It's common for more than one ad tech platform to receive attribution reports. Therefore, the API allows multiple ad tech platforms to register the same attribution source or trigger. An ad tech platform must register both attribution sources and triggers to receive postbacks from the API.

Attribution sources

Attribution source redirects are supported in the registerAttributionSource() method:

  1. The ad tech platform that calls the registerAttributionSource() method can provide an additional Attribution-Reporting-Redirects field in their response, which represents the set of partner ad tech's redirect URLs.
  2. The API then calls the redirect URLs so the attribution source can be registered by the partner ad tech platforms.

Multiple partner ad tech platform URLs can be listed in the Attribution-Reporting-Redirects field, and partner ad tech platforms cannot specify their own Attribution-Reporting-Redirects field.

The API also allows different ad tech platforms to each call registerAttributionSource().

Triggers

For trigger registration, third parties are supported in a similar way: ad tech platforms can either use the additional Attribution-Reporting-Redirects field, or they can each call the triggerAttribution() method.

When an advertiser uses multiple ad tech platforms to register the same trigger event, a deduplication key should be used. The deduplication key serves to disambiguate these repeated reports of the same event. If no deduplication key is provided, duplicate triggers may be reported back to each ad tech platform as unique.

Attribution example

In the example described in this section, the advertiser is using two serving ad tech platforms (Adtech A and Adtech B) and one measurement partner (MMP).

To start, Adtech A, Adtech B, and MMP must each complete enrollment to use the Attribution Reporting API.

The following list provides a hypothetical series of user actions that each occur one day apart, and how the Attribution Reporting API handles those actions with respect to Adtech A, Adtech B, and MMP:

Day 1: User clicks on an ad served by Adtech A

Adtech A calls registerAttributionSource() with their URI. The API makes a request to the URI, and the click is registered with the metadata from Adtech A's server response.

Adtech A also includes MMP's URI in the Attribution-Reporting-Redirects header. The API makes a request to MMP's URI, and the click is registered with the metadata from MMP's server response.

Day 2: User clicks on an ad served by Adtech B

Adtech B calls registerAttributionSource() with their URI. The API makes a request to the URI, and the click is registered with the metadata from Adtech B's server response.

Like Adtech A, Adtech B has also included MMP's URI in the Attribution-Reporting-Redirects header. The API makes a request to MMP's URI, and the click is registered with the metadata from the MMP's server response.

Day 3: User views an ad served by Adtech A

The API responds in the same way that it did on Day 1, except that a view is registered for Adtech A and MMP.

Day 4: User installs the app, which uses the MMP for conversion measurement

MMP calls triggerAttribution() with their URI. The API makes a request to the URL, and the conversion is registered with the metadata from MMP's server response.

MMP also includes the URIs for Adtech A and Adtech B in the Attribution-Reporting-Redirects header. The API makes requests to Adtech A and Adtech B's servers, and the conversion is registered accordingly with the metadata from the server responses.

Figure 1 illustrates the process described in the preceding list:

Figure 1. Example of how the Attribution Reporting API responds to a series of user actions.

Attribution works as follows:

  • Adtech A sets the priority of clicks higher than views and therefore gets the install attributed to the click on Day 1.
  • Adtech B gets the install attributed on Day 2.
  • MMP sets the priority of clicks higher than views and gets the install attributed to the click on Day 2. Day 2's click is the highest priority, most recent ad event.

View measurement data in attribution reports

The Attribution Reporting API enables the following types of reports, described in more detail later in this document:

  • Event-level reports associate a particular attribution source (click or view) with limited bits of high-fidelity trigger data.
  • Aggregatable reports aren't necessarily tied with a specific attribution source. These reports provide richer, higher-fidelity trigger data than event-level reports, but this data is only available in an aggregate form.

These two report types are complementary to each other and can be used simultaneously.

Event-level reports

After a trigger is attributed to an attribution source, an event-level report is generated and stored on the device until it can be sent back to each ad tech platform's postback URL during one of the time windows for sending reports, described in more detail later in this document.

Event-level reports are useful when very little information is needed about the trigger. Event-level trigger data is limited to 3 bits of trigger data for clicks—which means that a trigger can be assigned one of eight categories—and 1 bit for views. In addition, event-level reports don't support encoding of high-fidelity trigger-side data, such as a specific price or trigger time.

The event-level report contains data such as the following:

  • Destination: Advertiser app package name or eTLD+1 where the trigger happened
  • Attribution Source ID: The same attribution source ID that was used for registering an attribution source
  • Trigger type: 1 or 3 bits of low-fidelity trigger data, depending on the type of attribution source

Privacy-preserving mechanisms applied to event-level reports

Limited fidelity of trigger data

The API provides 1 bit for view-through triggers and 3 bits for click-through triggers. Attribution sources continue to support the full 64 bits of metadata.

You should evaluate if and how to reduce the information expressed in triggers so they work with the limited number of bits available in event-level reports.

Framework for differential privacy noise

A goal of this API is to allow event-level measurement to satisfy local differential privacy requirements by using k-randomized responses to generate a noisy output for each source event.

Noise is applied on whether an attribution source event is reported truthfully. An attribution source is registered on the device with probability $ p $ that the attribution source is registered as normal, and with probability $ 1-p $ that the device randomly chooses among all possible output states of the API (including not reporting anything at all, or reporting multiple fake reports).

The k-randomized response is an algorithm that is epsilon differentially private if the following equation is satisfied:

\[ p = \frac{k}{k + e^ε - 1} \]

For low values of ε, the true output is protected by the k-randomized response mechanism. Exact noise parameters are works in progress and are subject to change based on feedback.

Limits on available triggers (conversions)

There are limits on the number of triggers per attribution source, with a current proposal of the following:

  • 1-2 triggers for view ad attribution sources
  • 3 triggers for click ad attribution sources

These limits are applied after priorities regarding attribution sources and triggers are taken into consideration.

Limits on number of ad tech platforms per attribution source

There are limits on the number of ad tech platforms that can be associated with a single attribution source. These limits are applied after priorities regarding attribution sources and triggers are taken into consideration.

Specific time windows for sending reports

Reports for ad view attribution sources are sent 1 hour after the source expires. This expiry date can be configured, but it cannot be fewer than 2 days or more than 30 days.

Reports for ad click attribution sources cannot be configured and are sent before the source expires, at specified points in time relative to when the source was registered. The time between the attribution source and expiry is split into multiple reporting windows. Each reporting window has a deadline (from the attribution source time). At the end of each reporting window, the device collects all the triggers that have occurred since the previous reporting window and sends a scheduled report. The API supports the following reporting windows:

  • 2 days: The device collects all the triggers that occurred at most 2 days after the attribution source was registered. The report is sent 2 days and 1 hour after the attribution source is registered.
  • 7 days: The device collects all the triggers that occurred more than 2 days but no more than 7 days after the attribution source was registered. The report is sent 7 days and 1 hour after the attribution source is registered.
  • A custom length of time, defined by the "expiry" attribute of an attribution source. The report is sent 1 hour after the specified expiry time. This value cannot be fewer than 2 days or more than 30 days.

Aggregatable reports

Aggregatable reports provide higher-fidelity trigger data from the device more quickly, beyond what is offered for event-level reports. This higher-fidelity data can only be learned in aggregate, and isn't associated with a particular trigger or user. Aggregation keys are up to 128 bits, and this allows aggregatable reports to support reporting use cases such as the following:

  • Reports for trigger values, such as revenue
  • Handling more trigger types

In addition, aggregatable reports use the same source-prioritized attribution logic as event-level reports, but they support more conversions attributed to a click or view.

The overall design of how the Attribution Reporting API prepares and sends aggregatable reports, shown in figure 1, is as follows:

  1. The device sends encrypted aggregatable reports to the ad tech platform.
  2. The ad tech platform sends a batch of aggregatable reports to the aggregation service for aggregation.
  3. The aggregation service reads a batch of aggregatable reports, decrypts and aggregates them.
  4. The final aggregates are sent back to the ad tech platform.
Figure 1. Process that the Attribution Reporting API uses to prepare and send aggregatable reports.

Aggregatable reports contain the following data related to attribution sources:

  • Source: The app's package name or eTLD+1 web URL where the ad was served.
  • Destination: The app's package name or eTLD+1 web URL where the trigger happened.
  • Date: The date when the event represented by the attribution source occurred.
  • Payload: Trigger values, collected as encrypted key/value pairs, which is used in the trusted aggregation service to compute aggregations.

Aggregation services

The following services provide aggregation functionality and help protect against inappropriate access of aggregation data.

These services are managed by different parties, which are described in more detail later in this document:

  • The aggregation service is the only one that ad tech platforms are expected to deploy.
  • The key management and privacy budget services are run by trusted parties called verifiers. These verifiers attest that the code running the aggregation service is the publicly-available code provided by Google and that all aggregation service users have the same key and budget services applied to them.
Aggregation service

Ad tech platforms must, in advance, deploy an aggregation service that's based on binaries provided by Google.

This aggregation service operates in a Trusted Execution Environment (TEE) hosted in the cloud. A TEE offers the following security benefits:

  • It ensures that the code operating in the TEE is the specific binary offered by Google. Unless this condition is satisfied, the aggregation service can't access the decryption keys it needs to operate.
  • It offers security around the running process, isolating it from external monitoring or tampering.

These security benefits make it safer for an aggregation service to perform sensitive operations, such as accessing encrypted data.

For more information on the design, workflow, and security considerations of the aggregation service, see the aggregation service document on GitHub.

Key management service

This service verifies that an aggregation service is running an approved version of the binary and then provides the aggregation service in the ad tech platform with the correct decryption keys for their trigger data.

Privacy budget service

This service tracks how often an ad tech platform's aggregation service accesses a specific trigger—which can contain multiple aggregation keys—and limits access to the appropriate number of decryptions. One decryption per trigger is permitted.

Aggregatable Reports API

The API for creating contributions to aggregatable reports uses the same base API as when registering an attribution source for event-level reports. The following sections describe the extensions of the API.

Register the aggregatable source data

When the API makes a request to the Attribution Source URI, the ad tech platform can register a list of aggregation keys by responding with a new HTTP header Attribution-Reporting-Register-Aggregate-Source, with the following fields for each aggregation key in the list:

  • Source event ID: A string for the name of the key. Used as a join key to combine with trigger-side keys to form the final key.
  • Key piece: A bitstring value for the key.
  • Key offset: An integer value of offset index for combining this key piece with the trigger-side key piece.

The final key is a combination of this piece and the trigger-side pieces, using the key offset field to concatenate the bitstrings. Final keys are restricted to a maximum of 128 bits; keys longer than this are truncated.

In the following example, an ad tech platform uses the API to collect the following:

  • Aggregate conversion counts at a campaign level
  • Aggregate purchase values at a geo level
Attribution-Reporting-Register-Aggregate-Source:
[{
  // Generates a "101011001" key prefix named "campaignCounts".
  "source_event_id": "campaignCounts",
  "key_piece": "101011001", // User saw ad from campaign 345 (out of 511).
  "key_offset": 0 // The first part of the key
                  // when combined with trigger-side keys.
},
{
  // Generates a "101" key prefix named "geoValue".
  "source_event_id": "geoValue",
  // Source-side geo region = 5 (US) but pad with 0s since the shop operates in
  // ~100 separate countries.
  "key_piece": "0000101",
  "key_offset": 0 // The first part of the key
                  // when combined with trigger-side keys.
}]

Register the aggregatable trigger

Trigger registration includes two additional headers.

The first header is used to register a list of aggregate keys on the trigger side. The ad tech platform should respond back with the HTTP header Attribution-Reporting-Aggregate-Trigger-Data, with the following fields for each aggregate key in the list:

  • Key piece: A bitstring value for the key.
  • Key offset: An integer value, used as the offset index when combining the attribution source key piece with the trigger key piece.
  • Source keys: A list of strings with the names of attribution source side keys that the trigger key should be combined with to form the final keys.

The following snippet continues the example from registering aggregate source data in aggregatable reports:

Attribution-Reporting-Aggregate-Trigger-Data:
[
  // Each dictionary independently adds pieces to multiple source keys.
  {
    "key_piece": "10",// Conversion type purchase = 2
    // Combine key piece at offset index 9 with attribution source key piece.
    "key_offset": 9,
    // Apply this suffix to:
    "source_keys": ["campaignCounts"]
  },
  {
    "key_piece": "10101",// Purchase category shirts = 21
    // Combine key piece at offset index 9 with attribution source key piece.
    "key_offset": 7,
    // Apply this suffix to:
    "source_keys": ["geoValue" ]
  }
]

The second header is used to register a list of values which should contribute to each key. The ad tech platform should respond back with the HTTP header Attribution-Reporting-Aggregate-Values.

Each trigger can make multiple contributions to the aggregatable reports. The total amount of contributions to any given attribution source is bound by an $ L1 $ parameter, which is the maximum sum of contributions (values) across all aggregate keys for a given attribution source. Exceeding these limits causes future contributions to silently drop. The initial proposal is to set $ L1 $ to $ 2^{16} $ (65536). The noise in the aggregation service is scaled in proportion to this parameter. Given this, it is recommended to appropriately scale the values reported for a given aggregate key, based on the portion of $ L1 $ privacy budget allocated to it. This approach helps ensure that the aggregate reports retain the highest possible fidelity when noise is applied. This mechanism is highly flexible and can support many aggregation strategies.

In the following example, the privacy budget is split equally between campaignCounts and geoValue by splitting the $ L1 $ contribution to each:

Attribution-Reporting-Aggregate-Values:
{
    // Privacy budget for each key is L1 / 2 = 2^15 (32768).
    // Conversion count was 1.
    // Scale the count to use the full budget allocated: 1 * 32768 = 32768.
    "campaignCounts": 32768,

    // Purchase price was $52.
    // Purchase values for the app range from $1 to $1,024 (integers only).
    // Scaling factor applied is 32768 / 1024 = 32.
    // For $52 purchase, scale the value by 32 ($52 * 32 = $1,664).
    "geoValue": 1664
}

The preceding example generates the following aggregate counts:

[
  // campaignCounts:
  {
    // The attribution source key piece "101011001" (offset 0)
    // is concatenated with  "10" (offset 9) trigger key piece to form
    // the final key "10101100110" = 1382.
    "key": "1382",
    "value": 32768
  },
  // geoValue:
  {
    // The attribution source key piece "0000101" (offset 0)
    // is concatenated with  "10101" (offset 7) trigger key piece to form
    // the final key "000010110101" = 181.
    "key": "181",
    "value": "1664"
  }
]

The scaling factors can be inverted in order to obtain the correct values, modulo noise that is applied:

L1 = 65536
trueCampaignCounts = campaignCounts / (L1 / 2)
trueGeoValue = geoValue / (L1 / 2) * 1024

Differential privacy

A goal of this API is to have a framework which can support differentially private aggregate measurement. This can be achieved by adding noise proportional to the $ L1 $ budget, such as picking noise with the following distribution:

\[ Laplace(\frac{ε}{L1}) \]

Future considerations & open questions

The Attribution Reporting API is a work in progress. We're also exploring future potential features, such as non-last-click attribution models and cross-device measurement use cases.

Additionally, we'd like to seek feedback from the community on a few issues:

  1. We plan to allow multiple ad tech platforms to register attribution sources and triggers to enable third-party measurement. With our current proposal, only the ad tech platform originating the API calls can specify a list of third-party ad tech platforms. To simplify our API design, we could instead allow ad tech platforms to daisy-chain redirects by specifying only the next ad tech platform.
  2. To enable app-to-web measurement where the trigger can happen on either app or web, ad tech platforms need to provide the same destination field in attribution source and trigger registration. We're evaluating whether it's reasonable to use the web eTLD+1, even if the trigger happened in the app.
  3. To prevent duplicate trigger reports, in the event that an ad tech platform registers the same trigger multiple times, we recommend that you use a deduplication key. We're evaluating whether apps can pass this deduplication key to all ad tech platforms, including third-party platforms.
  4. For attribution source registration, we're evaluating whether the proposed design for third-party and redirects is feasible, including for self-attributing networks. In particular, we wonder whether you need transparency to see everyone in the redirect path.
  5. We're evaluating the case where there are multiple attribution sources, some web-based and some app-based, that lead up to the trigger, and whether there is any special attribution that needs to happen.
  6. When registering an attribution source, ad tech platforms can specify only one app destination. We wonder whether that works for your use cases.
  7. We wonder whether there are any use cases where you'd like the API to send out reports for the verified install. These reports would count against ad tech platforms' respective rate limits.