Aggregation service

Deploy and manage this service to produce summary reports for the Attribution Reporting API or the Private Aggregation API.


Deploy and manage an aggregation service to process aggregatable reports from the Attribution Reporting API or the Private Aggregation API to create a summary report.

At this time, the aggregation service and its local testing tool only process aggregatable reports for the Attribution Reporting API. This will be updated to support the Private Aggregation API soon.

Implementation status

The proposal outlines key terms, useful for understanding the aggregation service.

Secure data processing

The aggregation service decrypts and combines the collected data from the aggregatable reports, adds noise, and returns the final summary report. This service runs in a trusted execution environment (TEE), which is deployed on a cloud service that supports necessary security measures to protect this data.

A Trusted Execution Environment is a special configuration of computer hardware and software that allows external parties to verify the exact versions of software running on the computer. TEEs allow external parties to verify that the software does exactly what the software manufacturer claims it does—nothing more or less.

The TEE's code is the only place in the aggregation service which has access to raw reports—this code will be auditable by security researchers, privacy advocates, and adtechs. To confirm that the TEE is running the exact approved software and that data remains secured, a coordinator performs attestation.

Aggregatable reports are collected, batched, and sent to the aggregation service, running on a TEE, to be transformed into a final summary report. The aggregation service environment is owned and operated by the same party collecting the data.

Coordinator attestation of the TEE

The coordinator is an entity responsible for key management and aggregatable report accounting.

A coordinator has several responsibilities:

  • Maintain a list of authorized binary images. This list consists of cryptographic hashes of the aggregation service software builds, which Google will periodically release. The builds will be reproducible so that any party can verify the images are identical to the released aggregation service builds.
  • Operate a key management system. Encryption keys are required for Chrome on a user's device to encrypt aggregatable reports. Decryption keys are necessary for proving the aggregation service code matches the binary images.
  • Track the aggregatable reports to prevent reuse in aggregation for summary reports, as reuse may reveal personal identifying information (PII).
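The attestation gate and the report accounting described above can be modelled in a few lines. The following is an added illustration, not the coordinator's real code or protocol: the TEE measurement is stood in for by a SHA-256 of the build bytes, the build bytes are constructed samples, and the `Coordinator` class, its method names and the exception types are assumptions made for this example. It shows the two checks a coordinator performs before an aggregation run can proceed: the presented measurement must be on the allowlist before a decryption key is released, and a batch that reuses any previously consumed report is rejected without consuming the new reports.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed samples: these byte strings stand in for two aggregation-service
# builds. A real TEE reports a hardware-backed measurement of the image; here
# the "measurement" is simply SHA-256 over the build bytes.
APPROVED_BUILD = b"aggregation-service build v1 (constructed sample)"
TAMPERED_BUILD = b"aggregation-service build v1 (constructed sample, modified)"


def measure(build_bytes: bytes) -> str:
    """Hypothetical measurement function: hex SHA-256 of the image bytes."""
    return hashlib.sha256(build_bytes).hexdigest()


class AttestationError(Exception):
    """Presented measurement is not an authorized binary image."""


class ReportReuseError(Exception):
    """Batch contains report IDs that were already aggregated."""


@dataclass
class Coordinator:
    """Illustrative coordinator holding the three responsibilities from the text."""

    # 1. Allowlist of authorized binary images (measurement hashes).
    authorized_images: set[str]
    # 2. Key management: the decryption key is only handed to attested code.
    decryption_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # 3. Report accounting: IDs that have already contributed to a summary.
    consumed_reports: set[str] = field(default_factory=set)

    def release_key(self, attested_measurement: str) -> bytes:
        """Release the decryption key only for an authorized measurement."""
        if attested_measurement not in self.authorized_images:
            raise AttestationError(
                f"measurement {attested_measurement[:16]}... is not an authorized image"
            )
        return self.decryption_key

    def account_batch(self, report_ids: list[str]) -> int:
        """Record a batch of report IDs, rejecting the whole batch on any reuse.

        The check happens before anything is consumed, so a rejected batch
        leaves the accounting state unchanged. Duplicates inside one batch
        collapse to a single ID. Returns the number of newly consumed IDs.
        """
        ids = set(report_ids)
        reused = ids & self.consumed_reports
        if reused:
            raise ReportReuseError(f"reports already aggregated: {sorted(reused)}")
        self.consumed_reports |= ids
        return len(ids)


if __name__ == "__main__":
    coordinator = Coordinator(authorized_images={measure(APPROVED_BUILD)})
    coordinator.release_key(measure(APPROVED_BUILD))  # attested build: key released
    try:
        coordinator.release_key(measure(TAMPERED_BUILD))  # modified build: refused
    except AttestationError as err:
        print("attestation refused:", err)
    print("consumed", coordinator.account_batch(["r1", "r2", "r2"]), "reports")
    try:
        coordinator.account_batch(["r2", "r3"])  # r2 reused: whole batch refused
    except ReportReuseError as err:
        print("batch refused:", err)
```

Because the measurement is computed over the whole image, any change to the build bytes produces a different hash, which is why reproducible builds matter: they let a third party recompute the hash and compare it with the published allowlist.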

Noise and scaling

To protect user privacy, the aggregation service applies an additive noise mechanism to the raw data from aggregatable reports. This means that a certain amount of statistical noise is added to each aggregate value before its release in a summary report.

While you are not in direct control of the way noise is added, you can influence the impact of noise on your measurement data.

Noise is constant, regardless of the aggregated value.

The noise value is randomly drawn from a Laplace probability distribution, and the distribution is the same regardless of the amount of data collected in aggregatable reports. The more data you collect, the less impact the noise will have on the summary report results. You can multiply the aggregatable report data by a scaling factor to reduce the impact of noise.
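The two claims in this section, that the Laplace noise does not depend on the aggregated value and that a scaling factor reduces its relative impact, can be checked numerically. The script below is an added example and not the aggregation service's own noise code: the noise scale `NOISE_SCALE`, the bucket sums and the scaling factors are constructed values, and the function names are assumptions. It samples Laplace noise with the standard library (inverse CDF), adds it to scaled aggregates, and reports the relative error with and without scaling. Because the same seed is used for both runs, the noise drawn is identical and the relative error shrinks by exactly the scaling factor.

```python
import math
import random

# Constructed illustrative noise scale; not the API's actual parameter.
NOISE_SCALE = 5.0


def sample_laplace(rng: random.Random, scale: float) -> float:
    """Draw one sample from Laplace(0, scale) by inverting its CDF.

    The draw depends only on `scale`, never on the value it will be added to,
    which is the property the text describes as "noise is constant".
    """
    u = rng.random() - 0.5  # uniform in [-0.5, 0.5)
    while abs(u) >= 0.5:  # guard the single point where log(0) would occur
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def noised_summary(bucket_sums: dict[str, int], scaling_factor: int,
                   noise_scale: float = NOISE_SCALE, seed: int = 0) -> dict[str, float]:
    """Return noised aggregates in original units.

    Each true sum is multiplied by `scaling_factor` (what an adtech does when
    it chooses larger contribution values), fixed-scale Laplace noise is added,
    and the result is divided back down so it is comparable to the true sum.
    """
    rng = random.Random(seed)
    out = {}
    for key, total in bucket_sums.items():
        noisy_scaled = total * scaling_factor + sample_laplace(rng, noise_scale)
        out[key] = noisy_scaled / scaling_factor
    return out


def relative_error(true_value: float, reported: float) -> float:
    """Absolute noise as a fraction of the true value."""
    return abs(reported - true_value) / true_value


def mean_relative_error(bucket_sums: dict[str, int], scaling_factor: int,
                        seed: int = 0) -> float:
    """Average relative error across buckets for a given scaling factor."""
    reported = noised_summary(bucket_sums, scaling_factor, seed=seed)
    return sum(relative_error(bucket_sums[k], reported[k]) for k in bucket_sums) / len(bucket_sums)


if __name__ == "__main__":
    # Constructed sample aggregates: conversions per campaign bucket.
    true_sums = {"campaign_a": 40, "campaign_b": 250, "campaign_c": 1200}
    for factor in (1, 10, 100):
        print(f"scaling factor {factor:>3}: "
              f"mean relative error {mean_relative_error(true_sums, factor):.4f}")
```

The small bucket (`campaign_a`) has the largest relative error at every scaling factor, which is the other half of the statement in the text: the same noise is a bigger fraction of a small aggregate than of a large one, so collecting more data or scaling the contributions both shrink its impact. Scaling is bounded in practice by the maximum contribution value the API allows, which is why the strategy guide linked below discusses the trade-off.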

To understand how noise is added, your controls, and the impact on your reports, refer to the Contribution section of the Attribution Reporting strategy guide.

Generate summary reports

Summary report generation is dependent on your API usage. Learn more about generating summary reports for the Private Aggregation API and the Attribution Reporting API.

Engage with this API

We want to engage in conversations with you to ensure we build an API that works for everyone. Like other Privacy Sandbox proposals, the aggregation service is documented and discussed publicly.

  • You can experiment with the Attribution Reporting API.
  • The Private Aggregation API is available for testing in Chrome M107+ Canary and Dev locally, and is available in the Privacy Sandbox Unified Origin Trial in Chrome M107+ Beta, but the integration with the aggregation service backend is still in development.
