InterestGroup in reportWin()

[mbowiewilson]

This PR is intended to document my understanding of the outcome of the conversation on the 5/11/22 FLEDGE meeting regarding #145.

@michaelkleber

[michaelkleber]

Hi Matt,

Right now the "Event-Level Reporting (for now)" section of the Explainer says:

(Once we have a trusted reporting mechanism, we can consider allowing the reports to be influenced by the interest group's userBiddingSignals.)

It seems like this PR is trying to do the second half of that job before the first half.

I'm pretty hesitant to do that, because I think we could well end up with a different reporting design once we have the integration with the aggregation APIs figured out. For example, the forDebuggingOnly.reportAdAuctionWin() and reportAdAuctionLoss() methods (described in the First FLEDGE OT Details doc) could be replaced by methods that trigger an aggregated reporting contribution upon win or loss instead.

My impression from yesterday's call was that those forDebuggingOnly APIs are enough to support your needs during the OT, so that we had time to wait and design this longer-term solution when we're ready. Did I get that wrong?

[mbowiewilson]

Hey Michael,

Thanks for the quick response. I didn't see that sentence in the "Event-Level Reporting (for now)" section of the explainer. I also wasn't able to attend yesterday's call so my understanding of what happened in that meeting is based on a conversation with @appascoe afterward and the notes of the call.

My understanding is that you are open to FLEDGE's reportWin() using the interestGroup object once aggregate reporting is in place to prevent the exfiltration of private data, and that reportWin() may not use the interestGroup object before that time. So I wasn't intending for this PR to allow reports to be influenced by the interestGroup's userBiddingSignals before we have a trusted reporting mechanism. The PR is intended to document the acceptability of using the interestGroup in reportWin() after such a private reporting mechanism exists (which the passage you cited leaves in doubt). Am I understanding correctly what is acceptable here?

This sentence in the FLEDGE specification

The reportWin() function's reporting happens by calling the Private Aggregation API or, temporarily, directly calling network APIs.

made me think the signature of reportWin() should reflect the state of the world after the private reporting mechanism is in place, rather than the state before it, and I go on to say in the PR that this argument won't be available before the private reporting mechanism is in place. Would you prefer if I left the signature of reportWin() unchanged and simply note that the signature will change to include the interestGroup object once aggregate reporting has been developed?

[michaelkleber]

Ah right, I forgot that we had this conversation without you yesterday! My bad.

I'd rather not make any claims right now about the signatures of functions after we update the design, because really that design work is the place where we will think about the best way to add the aggregated reporting capability. Our experience in implementation so far and what we observe during the Origin Trial will influence this. (For example, we might try for declarative API calls in the bidding functions, rather than a separate reporting function.)

To put it another way: I think that once we have appropriately private reporting in place, interest group info in reporting would be acceptable according to FLEDGE's privacy goals — but that what we actually implement might be a different also-acceptable solution, if we find something that is more efficient and meets everyone's needs.

So I have no objection to a philosophical statement about what we want to make possible in the future, if you think the existing line in Section 5 isn't enough. But I don't feel that we're ready to commit to a particular implementation.

[mbowiewilson]

Gotcha, thanks @michaelkleber -- I will leave the signature of reportWin() unchanged and just note that the plan is to make interestGroup information available to reportWin() once the Private Aggregation API is in use.

[michaelkleber]

Sure, this sounds good for now. And of course all the forward-looking statements in this doc are particularly subject to change as we work further on the design.