Background
AdVeil is a targeted advertising ecosystem with formal privacy guarantees for its users.
It enables ad targeting and billing through a Broker (e.g., Google AdSense) without: 1) revealing personal user data or 2) allowing the Broker to link user identities to their ad interactions.
AdVeil uses a novel targeting protocol built using Locality-Sensitive Hashing (LSH) and Private Information Retrieval (PIR).
This protocol allows users to obtain relevant ads without the Broker learning any of their data used in targeting.
In AdVeil, fraud prevention is integrated into reporting (i.e., for billing purposes) using unlinkable anonymous tokens issued by the Broker during targeting.
These tokens do not allow tracking of users, but permit the Broker to prevent fraudulent reporting.
A prototype implementation of AdVeil is provided to demonstrate its applicability to a real-world deployment.
Our evaluation shows that AdVeil scales to ad networks with millions of ads, using state-of-the-art single-server PIR.
AdVeil’s Properties
- Transparency: Users have full control over their personal data. Users may arbitrarily limit which features are used in targeting and may even opt-out of personalized targeting entirely. In AdVeil, personal user features are never shared with the Broker.
- Unlinkability: While the Broker may learn ad interactions (i.e., which ads were viewed and clicked on), it does not learn which users generated them. This prevents the Broker from inferring a specific user's features through the inherent relationship between a user’s features and targeted ads.
- Fraud Prevention: AdVeil integrates fraud prevention into billing and reporting. This allows the Broker to eliminate fraudulent and duplicate reports without compromising user unlinkability.
- Scalability: The average person sees ~5000 ads per day, leading to tens of billions of ad requests served by ad networks. AdVeil is intended to be lightweight and scalable, with the majority of its overhead occurring during targeting. AdVeil ensures that targeting can happen out-of-band (e.g. overnight) and amortized across many ads.
Overview
1. Ad Targeting
- User profile feature vector constructed locally by the client.
- Client learns ad IDs for the ads most relevant to their features through PIR and LSH.
- Client obtains a set of user-targeted ads and signed tokens for verified reporting.
2. Ad Delivery
- Client retrieves ads corresponding to the ad IDs obtained in Targeting from the database.
- Retrieved ad is displayed on a publisher's webpage by the user's client.
3. Metrics & Reporting
- User interactions generate reports (e.g. ad ID: view, ad ID: click, ad ID: conversion).
- User's client sends encrypted interaction report and signed token at fixed intervals.
- The Broker decrypts reports and validates tokens. Invalid reports are eliminated prior to computing metrics for billing.
People: Sacha Servan-Schreiber (MIT), Kyle Hogan (MIT), and Srini Devadas (MIT)