pdslib is a Rust library that implements on-device differential privacy (DP) budgeting for privacy-preserving attribution measurement APIs such as the W3C's PPA, Cookie Monster or Big Bird. It aims to remain more generic than Web advertising use cases, exposing a relatively abstract interface for:
- storing events, such as impressions for PPA but also other personal-data-events like locations the user has visited previously, and
- requesting reports computed based on previously stored events, such as conversion attribution reports for PPA or also whether the user visited a particular location previously.
The library is currently under active development and is highly experimental. The most experimental APIs and algorithms, as well as some debugging APIs, are behind an experimental feature flag.
This repository contains the following releases:
- The v0.3 - Big Bird release implements the Big Bird algorithm.
- Big Bird is an extension to PPA and Cookie Monster that supports and manages privacy budgets for different sites while maintaining global privacy guarantees against colluding sites. Big Bird preserves both user privacy and isolation among queriers competing for privacy budget on user devices.
- This release builds on Cookie Monster algorithm for individual privacy loss accounting (Section 3.3 of the linked paper), whose main logic is implemented in src/pds/accounting.rs.
- The Big Bird privacy management layer is mainly implemented in src/pds/core.rs, with external entrypoints at src/pds/private_data_service.rs and src/pds/batch_pds.rs.
- The v0.2 - Cookie Monster release is an older release that implements Cookie Monster only.
- The purpose of this release is to help with understanding of the Cookie Monster algorithm, however please note that because the repository is still very much under development and experimental, we urge that you do not rely on it for implementations of PPA. File src/pds/epoch_pds.rs implements the Cookie Monster algorithm.
- A test case that shows how to use the library in the context of PPA Level 1 is in tests/ppa_workflow.rs.
- This version of pdslib implements privacy loss accounting against a single privacy filter (a.k.a.,
budget), for example for a single advertiser. To support multiple privacy filters (such as one per advertiser, as dictated by the Cookie Monster paper and in PPA Level 1), one would instantiate multiple pdslibs. No support is provided in this version for management of these different pdslib instances.
We provide an example integration of pdslib into Firefox at columbia/pdslib-firefox. This integration comes with a companion Firefox extension, at columbia/pdslib-firefox-extension, that displays a privacy dashboard (see screenshot below). Section 5 and Appendix E of the Big Bird paper give more details about our Firefox integration.
We are also experimenting with a prototype integration of pdslib into Android.
srccontains the following main components:budget,events,mechanisms(no dependencies),queries(depends onbudget,events,mechanisms) andpds(depends on the rest).src/*/traits.rsdefine interfaces. Other files insrc/*implement these interfaces, with simple in-memory datastructures for now, such as HashMapFilterStorage. Other crates using pdslib in particular environments (e.g., Firefox or Android) can have implementations for the same traits using browser storage or SQLite databases.src/pdsis structured to work withbudget,events,queriesonly through interfaces. This should allow customers to swap the implementation for event storage or replace the type of query, and still obtain a working implementation of thePrivateDataServiceinterface.src/events/ppa_event.rsandsrc/queries/ppa_histogram.rsprovide concrete implementations of the pdslib interfaces for PPA-like events and queries, which are used to evaluate Big Bird.
testscontains integration tests. In particular,tests/*_demo.rsshow how an external application can use pdslib to register events and request different types of reports on a device.