-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex.html
463 lines (463 loc) · 26.5 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script src="https://www.w3.org/Tools/respec/respec-w3c" async class="remove"></script>
<link rel="icon" href="data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22 viewBox=%220 0 100 100%22><text y=%220.9em%22 font-size=%22105%22>🦉</text></svg>">
<title>Governance of Ad Requests by a Union of Diverse Actors (GARUDA)</title>
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:site" content="@robinberjon">
<meta name="twitter:creator" content="@robinberjon">
<meta name="twitter:title" property="og:title" content="Governance of Ad Requests by a Union of Diverse Actors (GARUDA)">
<meta name="twitter:description" property="og:description" content="Governance for advertising on the Web">
<meta name="twitter:image" property="og:image" content="https://darobin.github.io/garuda/owl.png">
<meta name="twitter:image:alt" content="Outline of an owl">
<meta name="twitter:url" property="og:url" content="https://darobin.github.io/garuda/">
<meta property="og:locale" content="en">
<style>
body {
background: url(proposal.svg) no-repeat fixed !important;
background-size: 25px 380px !important;
}
</style>
<script class="remove">
var respecConfig = {
specStatus: 'unofficial',
postProcess: [(config, doc) => {
let time = doc.querySelector('#w3c-state time')
, h2 = doc.querySelector('#w3c-state')
;
h2.innerHTML = 'Proposal ';
h2.appendChild(time);
}],
editors: [{
name: 'Robin Berjon',
company: 'The New York Times',
companyURL: 'https://nytimes.com/',
url: 'https://berjon.com/',
}],
github: {
repoURL: 'https://github.com/darobin/garuda',
branch: 'main',
},
edDraftURI: 'https://darobin.github.io/garuda/',
shortName: 'garuda',
localBiblio: {
'PUP': {
title: 'Principles of User Privacy (PUP)',
authors: ['Robin Berjon'],
href: 'https://darobin.github.io/pup/',
},
},
};
</script>
</head>
<body>
<!--
For future iterations:
- include mention of Elizabeth's concerns: https://www.adalovelaceinstitute.org/blog/privacy-enhancing-technologies-not-always-our-friends/
- also from Reuben, worth citing (particularly §5.3): https://arxiv.org/abs/2101.08048
- Eventually, the "Ad Requests" in Garuda could evolved into "Attention Resources".
- If we have trustworthy origins, could this make SXG viable? What governance would that need?
-->
<section id="abstract">
<p>
Multiple proposals exist to reform programmatic advertising on the Web. Some, most
notably <a href="https://github.com/microsoft/privacy-preserving-ads/blob/main/Parakeet.md">PARAKEET</a>,
the <a href="https://github.com/WICG/turtledove/blob/master/FLEDGE.md">FLEDGE</a> bid server,
and ongoing work by <a href="https://prebid.org/">Prebid</a>, rely on the existence of a
<em>trustworthy</em> server that can perform tasks such as anonymising ad requests. This type
of model has interesting properties, notably they are easier to audit and do not require
moving significant chunks of logic into the browser, but they also suffer from the problem
that the server itself must be trusted, even while sitting outside the realm of the user's
control.
</p>
<p>
This document drafts an overall vision and governance model able to support such
trustworthy utility servers by having them owned and operated by an entity governed in
common by different constituencies. The name comes from <a href="https://en.wikipedia.org/wiki/Garuda">Garuda</a>,
which Wikipedia describes as "<em>the king of birds</em>" and "<em>a protector with the power
to swiftly go anywhere, ever watchful</em>."
</p>
</section>
<section id="sotd"></section>
<section>
<h2>The Impossible, Inescapable Reform of Advertising</h2>
<p>
Digital advertising has rightly become despised through decades of mismanagement, but it
nevertheless is an essential utility. While other business models do exist and should
prosper, they are simply insufficient to make up for the loss that eradicating advertising
would cause. Our only option, then, is to fix it.
</p>
<p>
Most parties support reform, but it is proving politically difficult to achieve.
Advertising is a complex environment involving multiple stakeholders that run completely
different organisations yet the pieces they provide must all more or less fit together for
the system to function. The current system operates poorly — in some parts staggeringly so —
but it does operate. Changing the way in which some parts fit together requires different
stakeholders to agree to change in matching ways, and therein lies the rub.
</p>
<p>
Coordinate change is difficult at all times, but in digital advertising it is particularly
challenging because most of the parties actively distrust one another.
</p>
<p>
We therefore find ourselves presented with a choice: reform can either happen through
vertical integration which will favour the most integrated, or it can happen through
multistakeholder standards. The latter is preferable as it can bring forward a healthier
ecosystem in which more voices are represented, but it can only exist if we develop a
principled governance structure to foster trust between stakeholders.
</p>
<p>
This is where a trustworthy server becomes a particularly useful construct. Since it
<em>has</em> to be trusted by all stakeholders (no one would trust such a server operated by
just one type of party), it provides a common space for browsers (representing users),
publishers, and adtech intermediaries to meet, and where they can be put in a position of
<em>needing</em> to achieve consensus for the system to operate.
</p>
</section>
<section>
<h2>Objective</h2>
<p>
The goal of Garuda is to <em>make a trustworthy advertising server
possible.</em> The notion of a trustworthy advertising server is a potentially very
powerful one in that it can enable a number of highly-desirable use cases in advertising
technology, notably that of anonymising requests. However, trust does not appear as if by
magic and it needs to be designed for.
</p>
<p>
Several suggestions have been made in order to make this trust possible, but none of them
works today:
</p>
<ul>
<li>
<strong>Just trust the publisher/intermediary/tech company</strong>. This is not a
realistic option, certainly not for a system meant to operate in the wild and at this
scale. The web is trustworthy <em>because</em> there is no need to trust a website. This
property needs to be imported here.
</li>
<li>
<strong>Use some form of secure multiparty computation magic</strong>. Purely
mathematical solutions are great in that they are highly enforceable; however it is not yet
clear that this problem can be solved in full that way, straight from the browser.
</li>
<li>
<strong>It's open source!</strong> That is great, and whatever Garuda produces will be
open source, but just because something is open source doesn't prove that the system
running it is actually running that open source implementation as is — it's pretty easy to
cheat.
</li>
<li>
<strong>Rely on regulation or contracts</strong>. Our jobs as technologists would be a
lot simpler if we could treat technology as neutral and offload figuring out the hard
human parts to legislators. Unfortunately, that approach is not just not simple but
simplistic. The past two decades of digital advertising regulation have relied on
contractual obligations and user-hostile choice architectures, with effectively nothing to
show for it.
</li>
<li>
<strong>Move everything into the browser</strong>. The browser is intended as a point of
maximal trust for users, and to a large degree this trust is inescapable. Unfortunately,
there is no longer consensus in the Web community that all major browsers are acting as
trustworthy agents for the users and there is suspicion of self-dealing from some vendors,
particularly relating to advertising. Rebuilding trust in browsers is a highly desirable
outcome, but sits outside the scope that we tackle here. This proposal endeavours to deal
with the cards we have been given and not those I might wish we had had instead.
</li>
</ul>
<p>
Garuda's core tenet is that we can solve problems of trust with human arrangements. On the
downside, these are necessarily imperfect and they incur some overhead. On the upside, a
group of people with effective checks and balances can handle complex and evolving
situations better than anything else — and provide a strong foundation atop which to build
trust between parties that, historically and structurally, do not trust one another much.
</p>
</section>
<section>
<h2>Responsibilities</h2>
<p>
Garuda is an institutional arrangement composed of several constituencies and groups that
together form the <dfn data-lt="institution">Garuda institution</dfn>. The
[=Garuda institution=] has several responsibilities:
</p>
<dl>
<dt>Shepherding the technical standards that define the Garuda trustworthy server</dt>
<dd>
Garuda will need to cooperate with the <a href="https://w3.org/">W3C</a> and with
<a href="https://web-platform-tests.org/">WPT</a> in order to guarantee that the technical
standards that define how all parties integrate and interact with the trusted server are
interoperable, royalty-free, and in line with the ethical principles of the Web and the
Internet ([[?ETHICAL-WEB]], [[?RFC8890]]).
</dd>
<dt>Managing the open source implementation and maintenance of the trusted server</dt>
<dd>
The trusted server will be developed in an open source manner, but changes made to the code
will need to be aligned with the objectives of the [=institution=], which will need to be
reflected in the change review process. Further, there is no expectation that software
development will be entirely carried out by the community; rather the [=institution=]
should provision sufficient resources to underwrite the entirety of the server's
development.
</dd>
<dt>Operating the worldwide network of trustworthy servers</dt>
<dd>
The [=institution=] will operate a network of trustworthy servers with high-performance
SLAs and an arrangement that enables easy auditing. This is intended to be core
infrastructure for the entire Web, and requires a level of quality and scale to match.
</dd>
<dt>Ensuring the general health of the advertising ecosystem</dt>
<dd>
By providing a common space where stakeholders must reach some form of consensus in order
for the system to operate, the [=institution=] is taking on some responsibility for the
health of the broader digital advertising ecosystem.
</dd>
</dl>
</section>
<section>
<h2>Governance Model</h2>
<p>
This section provides only an outline of the governance model for the [=Garuda institution=].
At this stage, my purpose is solely to describe the approach and sketch out enough of its
mechanics to establish feasibility. Development of the full principles and bylaws will, by
nature, have to be an open and multistakeholder exercise.
</p>
<p>
Significant parts of the Internet's infrastructure operate under more or less formal
governance arrangements. Standards, of course (W3C, IETF, WHATWG, TC-39), but also top-level
domain names, internet peering, or the ISRG and Let's Encrypt. We can make this work for
advertising too.
</p>
<p>
The [=Garuda institution=] is comprised of two primary bodies: the [=Governance Board=] and
the [=Legal Entity=].
</p>
<p>
The <dfn data-lt="Board">Governance Board</dfn> is tasked with the oversight of the
[=institution=]. It concerns itself primarily with the [=principles=], which it will control
for in the behaviour of the [=Legal Entity=] as well as the technical standards and open
source implementation of the trusted server. It also names the [=Executive Director=].
All [=Board=] deliberations are public (with perhaps a few exceptions for personnel matters).
</p>
<p>
The <dfn data-lt="LE">Legal Entity</dfn> takes care of day-to-day operations. It is
responsible for maintaining, deploying, and operating the trusted server at requisite SLAs
and at reasonable cost, as well as of research into future technology that Garuda could use,
with organising the various working groups that will bring stakeholders together to help
evolve Garuda over time, and with the elaboration of policy positions which Garuda will
cooperate with regulators on. It is run by the [=Executive Director=].
</p>
<p>
The [=Board=] selects (by consensus) an <dfn data-lt="ED">Executive Director</dfn> every three years or
whenever the post becomes vacant. There is a strong assumption that the [=Executive Director=]
will not necessarily be renewed: every time a new [=ED=] must be selected, the [=Board=] is
expected to review multiple candidates. The [=Board=] can revoke the [=ED=] with a
[=supermajority=]. The [=ED=] leads the [=Legal Entity=].
</p>
<p>
Garuda operates according to fundamental <dfn data-lt="principles">ethical principles</dfn>
(which need to be written before it kicks off, [[?ETHICAL-WEB]], [[?RFC8890]], or [[?PUP]]
are good starting points). These [=principles=] can be changed with [=supermajority=]. The
purpose of these [=principles=] is to guide the [=Board=]'s discussions and inform its decisions.
</p>
<p>
There are three primary <dfn>constituencies</dfn>: browser vendors (vendors, not engines, and
expected to proxy for users), publishers, and adtech intermediaries. For each of them,
there are inclusion criteria that are based on volume of the traffic they see through the
trusted server. The volume threshold can differ per [=constituency=], it is designed to
prevent gaming the system by spawning multiple entities. Entities with sufficient volume
have voting rights on a one-entity/one-vote basis, there is no volume proration.
</p>
<p>
Any entity eligible to be part of a [=constituency=] has some voting rights. These voting
rights allow them to elect their representatives to the [=Governance Board=] for that
[=constituency=]. Candidates can be nominated by any entity with voting rights.
[=Board=] seats are open for three years with a third being renewed every year.
</p>
<p>
Each [=constituency=] has three representatives on the [=Board=]. No company can have more
than one representative, even if it participates in different [=constituencies=]. If one
[=constituency=] has fewer than two candidates in a given election, then it gains zero
representation. (If interest from that group is too low, it shouldn't be taken over by a
single party.)
</p>
<p>
<dfn>Supermajority</dfn>: some changes require a [=supermajority=] of the [=Board=].
[=Supermajority=] is defined as:
</p>
<ul>
<li>
⅔rd of the members of the [=Board=] vote in support; and
</li>
<li>
at least one [=Board=] member from each [=constituency=] must vote in support (so if the
three members from one [=constituency=] are agreed against, they effectively have veto
power).
</li>
</ul>
<p>
The [=Legal Entity=] is financed through a very small tax on advertising. Two models are
possible: one is a flat fee per request, another is a percentage of effective CPM. The
latter is preferred in that it will incentivise Garuda to increase effectiveness of
advertising (whereas the former incentivises volume) but may prove more complicated to
build, especially in terms of how to avoid lying about it (so long as it's above the
provided bid floor). The amount and type of the tax is determined by the [=Board=]. The
overall taxation structure might further depend on the type of operation requested, since
not all are equally computationally expensive, and making sure that we properly cost in
computational cost is important from an ecological point of view.
</p>
<p>
Part of the tax should further be set aside to provide financial support to stakeholders
who cannot afford to pay someone to spend time in [=Board=] discussions, so as to ensure that
participants from companies of all sizes, and from all backgrounds the world around can
participate with equity.
</p>
</section>
<section>
<h2>Use Cases</h2>
<p>
The immediate focus is on getting enough of a PARAKEET-like structure off the ground, so
that we can have an open source system and the server infrastructure to operate it in a
trustworthy fashion up and running. This should enable sufficient anonymisation in the ad
environment to make it safe for users, and enable novel publisher techniques. But longer-term,
more can be done from this position because the PARAKEET server creates a "place" of sort
which can broker multiple adtech functions in such a way that multiple stakeholders have to
reach consensus as to how it works. This can progressively build a way out of the current
unilateral, conflict-driven model that is causing so much strife across the ecosystem.
</p>
<p>
Some problems that this could help address are listed below. Note that I am deliberately
staying at a very high level for the time being as I do not believe that any of these should
be the first area of focus.
</p>
<ul>
<li>
<strong>Fraud</strong>: putting control over fraud prevention not just with
intermediaries would incentivise making it more effective. The trusted server has
access to detailed user information that can support fraud detection. How this would
integrated safely with fraud detection vendors is an open question.
</li>
<li>
<strong>Malvertising</strong>: users and publishers have strong incentives to prevent
malvertising, but are not usually in a position to do much about it. This would also help
provide the line of defence that they expect. Detecting malvertising at the trusted server
level will cause less revenue loss than when it happens on the publisher side. This should
also make it easier to collaborate across servers to weed out dangerous creatives.
</li>
<li>
<strong>Privacy</strong>: the system is designed for that, but it could be extended to
protect user privacy in further contexts.
</li>
<li>
<strong>Accountability</strong>: the current system is opaque and operates with no audit
or control, and not visibility from most actors including publishers and users. Garuda
could help bring about a position of farm-to-table accountability and traceability for
creatives, of revenue transparency, and could help comply with coming regulations such as
the DSA — though that would also require changes to upstream intermediaries as well.
</li>
<li>
<strong>Brand Safety</strong>: this is a topic that needs to be managed with publisher
input, instead of the system we have now that doesn't work for anyone. Attesting agents on
the Garuda server could analyse the content of the page using a methodology of their own,
and pass an attestation in the bid that the page is brand safe. The methodology in
question would only be allowed to run on Garuda after consensus is found that it is not
unilaterally detrimental to publishers.
</li>
<li>
<strong>Creative Quality</strong>: ad creatives are produced with low quality
engineering and are often highly wasteful of resources, with the cost of poor experience
being borne by the publisher and user. This is a point of intervention for the server.
Managing creative quality is similar to malvertising at a technical level, but the
governance is different: we need the stakeholders to agree on what quality can get
blocked, and the buy side needs to be informed that their ads are being dropped.
</li>
</ul>
</section>
<section>
<h2>Known Issues</h2>
<p>
These issues need to be addressed before this can move forward.
</p>
<p>
One core problem in institution provision is <u>how to pick who is legitimately in a given
constituency</u>, or put differently who is the polity? Garuda selects the polities of its
constituencies through volume thresholds as measured by the trusted server. This is expedient
for some constituencies, but does not work for all (see below).
</p>
<p>
Another core problem is <u>how to ensure that the constituencies are balanced</u>?
Historically, the interests of the buy-side and of the intermediaries have often aligned
against users, with publishers splitting between the two. A system in which some stakeholder
constituencies that are almost always aligned have a guaranteed majority will lack the checks
and balances to be effective, fair, and credible.
</p>
<p>
This can in part be addressed with principles (which we need anyway, and that would
prevent approaching users from an adversarial angle), which can't be changed without support
from at least one entity in each constituency, and also from the fact that if
user-hostile tactics were to become supported in Garuda then enough browsers would just walk
as to void their constituency, returning the world to ad blocking as the logical line of
defense. But that offers relatively weak protection.
</p>
<section>
<h3>Users are not represented</h3>
<p>
Traditionally, user agents have taken on the role of aligning with users. As detailed in
[[?RFC8890]], this is an architecture that presents multiple advantages. Unfortunately,
in recent times, some user agents have drifted away from this position of trustworthiness,
and this complicates the process of relying on them as representatives of users.
</p>
<p>
Additionally, the problems created by advertising often target underrepresented and
marginalised communities, issues which browser vendors have limited expertise in
combating. Browser vendors are not, either in terms of their employees or their legal
structures, very representative of the global community, notably of the global South.
</p>
<p>
Establishing a legitimate worldwide polity for humankind (including those not yet
connected whose participation could be helped by a healthy advertising ecosystem) is not a
problem that we can solve, however we should seek ways to increase representativity. One
option could be the UN (possibly as an observer).
</p>
</section>
<section>
<h3>The buy side is not represented</h3>
<p>
The buy side is where the money comes from and is the set of sources who have the strongest
incentives to keep everyone honest in terms of fraud, effectiveness, and brand safety.
</p>
<p>
It is not obvious how to pick a good polity for this group either. There is also a risk
that they could align excessively with intermediaries, which would unbalance the
governance structure and undermine its credibility.
</p>
<p>
One potential solution is to make it so that the Garuda system knows who is paying for
every creative that it eventually serves. If the system supports farm-to-table traceability
and revenue transparency, this is a requirement anyway as the creative will need to contain
verifiable information about who paid for it and how much. Extracting this payment
information would make it possible to establish a volume threshold (in spend) for the
buy-side to be represented. This would not address balancing issues — unless users also
got a constituency of their own (or intermediaries lost theirs).
</p>
<p>
Another potential option would be the WFA (possibly as an observer).
</p>
</section>
</section>
<section class="appendix">
<h2>Acknowledgements</h2>
<p>
I stole a bunch of ideas from Mark Nottingham, and a few from Cullen Jennings too. Aram
Zucker-Scharff, Mihir Kshirsagar, and Reuben Binns provided a lot of invaluable feedback.
Many thanks to Juan Ortiz Freuler for organising a discussion session around Garuda at the
Berkman Klein Center for Internet & Society before it was even public, as well as to
Levin Kim, Crystal Lee, Sahar Massachi, Tom Zick as convenors of the <em>Ethical Tech</em>
and <em>Big Tech Governance</em> groups, and the attendees of the session for a spirited and
constructive discussion.
</p>
<p>
I am very grateful for my colleagues at <em>The New York Times</em> for supporting this work,
atypical as it may be.
</p>
</section>
</body>
</html>