TEEs: What They Are and Why They’re Critical for the Future of Privacy
A cloud-based “Trusted Execution Environment” (TEE) is a set of infrastructure maintained by one organization that securely and opaquely runs code developed by a different organization. The organization hosting the TEE can monitor the environment and invoke the code, but cannot change it, and in many cases, cannot see the details of how it works. In the context of adtech, specifically Google’s Privacy Sandbox initiative, a TEE is a critical piece of the privacy puzzle that allows the processing of a user’s data without revealing their identity.
How are TEEs Used in the Privacy Sandbox?
With Chrome’s impending deprecation of third-party cookies, the Privacy Sandbox, whose participants include NextRoll and other adtech providers, is developing an industry-wide solution to support the future of digital advertising. Historically, the adtech industry has used third-party cookies to track a user’s actions across sites and associate those actions with later ones. Without third-party cookies, linking those actions becomes considerably more complicated. The Privacy Sandbox focuses on correlating user activity within the Chrome browser and preventing that information from leaving the browser in a de-anonymized form. This information is then securely provided to advertisers using TEEs, maintaining a privacy-forward environment.
Within the Privacy Sandbox, there are several proposed APIs that leverage TEEs for data processing. At NextRoll, we’re exploring these capabilities in relation to ad performance measurement and attribution. These include the Attribution Reporting API (ARA) for recording attributable conversions and for measuring ad performance, as well as the Private Aggregation API for tracking the health of the system and key user metrics.
NextRoll's Use of TEEs
As part of this implementation, NextRoll receives valuable, encrypted information (which will later be aggregated and anonymized) from users’ browsers when an attribution event is detected, such as a click, purchase, or other conversion. This information comes via reports from users’ browsers, which detail information about the conversion, the ad that was viewed, the associated ad campaign, and other parameters that we set.
However, to prevent the identification of user interactions and cross-site tracking, we are not able to read these encrypted reports directly. Instead, we process these reports through the “Aggregation Service”, a capability developed largely by Google that runs in a NextRoll-owned cloud environment. We invoke, monitor, scale, and pay for this service, which gives us full control over the underlying infrastructure, while the implementation details are provided in an open-source, auditable repository on GitHub. This separation allows us to make design decisions about how we use the data, and ensures user-level privacy, as promised by Chrome, such as:
At NextRoll, we’ve been testing the Aggregation Service, via the TEE, on production-level attribution data. Our diverse customer base has helped us understand the accuracy of the data and the impact of privacy-preserving measures for customers of all sizes, spend, and campaign cadences. These inputs are helping us think through desired data granularity and the impacts of these privacy-forward changes.
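To make the trust split described above concrete, here is an added, constructed simulation (not NextRoll’s or Google’s code, and not the real Aggregation Service protocol). Three parties are modelled: browsers that encrypt attribution reports before they leave the browser, an operator that hosts and invokes the service but holds no decryption key, and an enclave whose key is released by a coordinator only when its code measurement matches an approved value. The cipher is a toy HMAC-SHA256 counter-mode construction with an authentication tag standing in for the real public-key scheme, and the code-hash check stands in for hardware attestation; the report fields, campaign ids and values are all invented for the example.

```python
"""Constructed model of the TEE trust split: the operator can invoke the
aggregation code and see its output, but can neither read the encrypted
reports nor change the code without losing access to the key."""
import hashlib
import hmac
import json
import secrets
from collections import defaultdict

NONCE_LEN = 12
TAG_LEN = 32

# The "code" whose measurement the coordinator approves (hypothetical).
AGGREGATION_CODE = "sum conversion_value per (campaign_id, source)"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for HPKE/AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_report(key: bytes, report: dict) -> bytes:
    """Browser side: serialise the report and seal it as nonce || ciphertext || tag."""
    plaintext = json.dumps(report, sort_keys=True).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_report(key: bytes, blob: bytes) -> dict:
    """Enclave side: verify the tag before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("report failed authentication")
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(plaintext)


class Coordinator:
    """Holds the aggregation key and releases it only to an approved code measurement.
    Stands in for the attestation-gated key service; the operator never calls release_key."""

    def __init__(self, approved_code_hash: str):
        self._key = secrets.token_bytes(32)
        self._approved = approved_code_hash

    def browser_key(self) -> bytes:
        # Real browsers fetch a public key; the toy cipher is symmetric, so this stands in.
        return self._key

    def release_key(self, code_hash: str) -> bytes:
        if not hmac.compare_digest(code_hash, self._approved):
            raise PermissionError("attestation failed: unapproved code measurement")
        return self._key


class Enclave:
    """The aggregation code: the operator can invoke aggregate() but not read self._key."""

    def __init__(self, coordinator: Coordinator, code: str):
        self.code_hash = hashlib.sha256(code.encode()).hexdigest()
        self._key = coordinator.release_key(self.code_hash)

    def aggregate(self, blobs: list) -> dict:
        totals = defaultdict(int)
        for blob in blobs:
            r = decrypt_report(self._key, blob)
            totals[(r["campaign_id"], r["source"])] += r["conversion_value"]
        # Only per-(campaign, source) totals leave the enclave; user_id never does.
        return {f"{c}/{s}": v for (c, s), v in totals.items()}


def run_simulation() -> dict:
    """Operator's view of one job: ciphertext in, aggregates out, nothing else readable."""
    coordinator = Coordinator(hashlib.sha256(AGGREGATION_CODE.encode()).hexdigest())
    reports = [  # constructed sample reports as browsers would emit them
        {"user_id": "u1", "campaign_id": "cmp-7", "source": "click", "conversion_value": 30},
        {"user_id": "u2", "campaign_id": "cmp-7", "source": "click", "conversion_value": 12},
        {"user_id": "u3", "campaign_id": "cmp-7", "source": "view", "conversion_value": 5},
        {"user_id": "u1", "campaign_id": "cmp-9", "source": "click", "conversion_value": 20},
    ]
    blobs = [encrypt_report(coordinator.browser_key(), r) for r in reports]
    totals = Enclave(coordinator, AGGREGATION_CODE).aggregate(blobs)
    try:  # operator alters the code: measurement changes, key is withheld
        Enclave(coordinator, AGGREGATION_CODE + " and export user_id")
        modified_code_ran = True
    except PermissionError:
        modified_code_ran = False
    try:  # operator guesses a key: the tag check rejects it
        decrypt_report(secrets.token_bytes(32), blobs[0])
        wrong_key_read = True
    except ValueError:
        wrong_key_read = False
    return {
        "totals": totals,
        "modified_code_ran": modified_code_ran,
        "wrong_key_read": wrong_key_read,
        "plaintext_in_transit": any(b'"user_id"' in b for b in blobs),
    }


if __name__ == "__main__":
    print(run_simulation())
```

The two failure paths are the point: changing the aggregation code changes its measurement, so the coordinator withholds the key and the modified service cannot decrypt anything, and the operator’s own attempts to read a report without the key fail the authentication tag rather than yielding garbage that might leak structure.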
There are a few interesting technical points to consider in using these particular services and TEEs in general:
Overall, TEEs and specifically the TEEs associated with the Privacy Sandbox provide a good separation of responsibilities and a clear trust model. Even though the service details are abstracted, it’s necessary to have a strong understanding of how the privacy-preserving measures work and the variables that companies can use to tailor their use of the services.
This article was written by Tom Polchowski, a Senior Manager of Software Engineering at NextRoll, with contributions from Marco Lugo, a Staff Data Science Engineer at NextRoll.