A Primer: Privacy-Enhancing Technologies (PETs) in Digital Advertising

The NAI released a primer to guide privacy professionals in digital advertising in the fundamentals of different Privacy-Enhancing Technologies (PETs) and their roles and practical applications. The NAI’s goal is to inform organizations about how to better protect consumer privacy, safeguard proprietary data, and manage compliance obligations while still enabling effective data-driven advertising. 

To that end, the paper explains how PETs help to achieve the following key objectives as applied to digital advertising:

  • Improve data governance by addressing confidentiality, privacy, and security.
  • Enable safe collaboration across organizations while limiting exposure of personal data.
  • Help organizations meet privacy obligations and reduce regulatory risk.

Specifically, the paper explains the use of the following four methods in substantial detail, highlights strengths for each, and identifies their relevance for advertising. 

Trusted Execution Environments (TEEs) – A TEE is a centralized computing environment that enables a data controller to limit the ways a dataset it controls may be processed. This can allow a data controller to reduce the risks of unauthorized manipulation and use of the data, as well as limit secondary uses of data intended only for specific purposes within this environment. It also provides controllers with enhanced audit capabilities to mathematically prove that processing happened as expected. This can help enable data collaboration without unintended sharing of personal data.

  • Advertising uses: To provide owners of an advertising-related dataset (e.g. an advertiser’s marketing list) an additional layer of security, and certainty that data access and use controls are set for recipients of that dataset. For example:
      • Matching: A TEE is useful for matching disparate datasets to create a targetable audience segment based on overlap between two companies’ data. By using a TEE, both companies can be assured that only the overlapping records of the two datasets will be output from the TEE. Neither party has access to the non-overlapping data; only the TEE operator does.
      • Attribution Reporting: A TEE can be helpful in generating an aggregated report by preventing unauthorized access to raw conversion data. Within a TEE, analytics can be performed on encrypted conversion data.

Multiparty Computation (MPC) – This is a technique for utilizing multiple processing entities to analyze subsets of data without revealing to counterparties the underlying information being processed. This can allow each participating data controller to reduce the risks of unauthorized access and use of their underlying data by other counterparties while still enabling joint analysis of their respective datasets.

  • Advertising uses: MPC is used to provide insights from the combination of multiple datasets. For example, an advertiser may want to analyze the return on ad spend (ROAS) of a campaign based on offline sales. Through a multiparty-compute process, the analysis can be performed without revealing the retailers’ or media owners’ data to one another. At a high level, the process would entail:
  1. Retailers send sales data for attribution
  2. Media owner sends ad exposure data for attribution
  3. Trusted MPC vendor uses common match key to compute the attribution
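
The three steps above, sketched with additive secret sharing (one basic MPC building block) as an added example that is not taken from the NAI primer. It assumes two non-colluding compute nodes run by the MPC vendor and a hashed e-mail address as the common match key; all names and sample records are constructed, and the simplification hides sale amounts from each node but not the match keys themselves.

```python
import hashlib
import secrets

P = 2**61 - 1  # public prime modulus; amounts are integer cents, far below P

def match_key(email):
    """Common match key (assumed): SHA-256 of the normalised e-mail."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()

def share(amount_cents):
    """Split an amount into two random-looking shares that sum to it mod P."""
    r = secrets.randbelow(P)
    return r, (amount_cents - r) % P

def retailer_upload(sales):
    """Step 1: the retailer sends each node one share per match key."""
    node_a, node_b = {}, {}
    for email, cents in sales:
        k = match_key(email)
        a, b = share(cents)
        node_a[k] = (node_a.get(k, 0) + a) % P
        node_b[k] = (node_b.get(k, 0) + b) % P
    return node_a, node_b

def node_partial_sum(share_table, exposed_keys):
    """Step 3, per node: add up own shares for ad-exposed match keys only."""
    return sum(v for k, v in share_table.items() if k in exposed_keys) % P

def roas(sales, exposed_emails, ad_spend_cents):
    """Return on ad spend; only the combined total is ever reconstructed."""
    table_a, table_b = retailer_upload(sales)
    exposed = {match_key(e) for e in exposed_emails}  # step 2: media owner
    total = (node_partial_sum(table_a, exposed)
             + node_partial_sum(table_b, exposed)) % P
    return total / ad_spend_cents

if __name__ == "__main__":
    # Constructed sample data (amounts in cents).
    sales = [("ann@example.com", 5000), ("Bob@example.com ", 2500),
             ("cat@example.com", 9900), ("ann@example.com", 1000)]
    exposed = ["ann@example.com", "bob@example.com", "dan@example.com"]
    print("ROAS:", roas(sales, exposed, ad_spend_cents=4250))
```

Each node's table on its own is uniformly random, so a single node learns nothing about any individual sale amount; a hashed e-mail remains a pseudonymous identifier and still needs the access controls the primer describes.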

Differential Privacy (DP) – DP allows the controller of a dataset containing personal data to share aggregate information with another party while reducing the risk that any specific individual in the underlying dataset can be re-identified. Differential Privacy works by introducing “noise” into datasets–essentially, random data points that do not reflect any true features of the individuals in the dataset–to mitigate privacy risks to specific individuals. Added noise reduces the risk that the identity of individuals within the dataset can be discovered while still allowing for statistically useful information to be drawn from the dataset.

  • Advertising uses: DP is used in advertising for measurement and attribution purposes, as well as for modeling certain audiences. Because Differential Privacy is primarily a tool for protecting against reidentification while enabling analysis of aggregate data, its utility is more limited for use cases that require processing or sharing consumer-level data (e.g., auditing specific impressions).
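
The noise-versus-usefulness balance described above, as an added example that is not taken from the NAI primer: it releases per-campaign conversion counts with the Laplace mechanism, one common DP mechanism (assumed here; the page names none), and measures how the error grows as the privacy parameter epsilon shrinks. Campaign names, user IDs, and function names are constructed for the illustration.

```python
import random

def laplace_noise(scale, rng):
    """Laplace(0, scale) sample: the difference of two exponential draws."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def dp_conversion_report(rows, campaigns, epsilon, rng, max_per_user=1):
    """Release noisy per-campaign conversion counts (epsilon-DP sketch).

    rows: (user_id, campaign) conversion records, i.e. consumer-level data.
    campaigns: fixed, public list, so the set of output keys leaks nothing.
    """
    counts = {c: 0 for c in campaigns}
    used = {}
    for user_id, campaign in rows:
        if campaign not in counts or used.get(user_id, 0) >= max_per_user:
            continue  # bound each person's contribution before counting
        used[user_id] = used.get(user_id, 0) + 1
        counts[campaign] += 1
    # One person changes the counts by at most max_per_user in total, so
    # that is the sensitivity; smaller epsilon means a larger noise scale.
    scale = max_per_user / epsilon
    return {c: n + laplace_noise(scale, rng) for c, n in counts.items()}

def mean_abs_error(epsilon, trials, rng, max_per_user=1):
    """Average absolute noise per released count: the accuracy cost."""
    scale = max_per_user / epsilon
    return sum(abs(laplace_noise(scale, rng)) for _ in range(trials)) / trials

if __name__ == "__main__":
    # Constructed sample data: 900 users, one conversion each.
    campaigns = ["spring_sale", "loyalty_email", "video_preroll"]
    rows = [(f"user{i}", campaigns[i % 3]) for i in range(900)]
    # random.Random is seeded for a repeatable demo; a production release
    # needs a vetted DP library with secure noise generation.
    rng = random.Random(2024)
    for eps in (0.1, 1.0):
        report = dp_conversion_report(rows, campaigns, eps, rng)
        print(eps, {c: round(v, 1) for c, v in report.items()},
              "avg error", round(mean_abs_error(eps, 5000, rng), 2))
```

With 300 true conversions per campaign, an average error near 1 (epsilon 1.0) or near 10 (epsilon 0.1) leaves the aggregate usable, while the same noise would swamp any single consumer's record.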

Zero-Knowledge Proofs (ZKPs) – This process enables one party (a Prover) to convey to another party (a Verifier) some truth about a dataset without revealing to the Verifier the actual underlying information. By involving a trusted third party in the verification process, Zero-Knowledge Proofs ensure that the fact can be confirmed without the Verifier–or any other party–gaining additional access to the confidential underlying information. This can allow the Prover, as a data controller, to reduce the risks of unauthorized disclosure of underlying data to a counterparty while still enabling that counterparty to confirm a fact about the dataset, and without the Verifier gaining any knowledge of the underlying data (hence, the moniker “zero-knowledge” proof). 

  • Advertising uses: ZKPs provide facts about audiences without revealing the underlying data. For example, the controller of personal data can provide knowledge of which specific consumers are subject to age restrictions without revealing the age or birthdate of each individual. Another example could be enabling an output recipient to query whether a given consumer has purchased more than a certain amount of a product without the actual sales transactional data or even aggregate purchase amounts being revealed, say for fraud prevention purposes.

This primer also discusses the trade-off between accuracy and utility that adoption of PETs may incur, and it highlights some key limitations of PETs, recognizing that PETs cannot fully eliminate risks or ensure compliance; therefore context-specific safeguards are still required.

While using PETs is not a substitute for maintaining a robust privacy program, it is the NAI’s hope that broader adoption of PETs–applied appropriately with additional safeguards–can provide a valuable complement to existing data governance and legal compliance efforts by advertising businesses to raise the bar on data privacy and security, without compromising the effectiveness of data-driven advertising to support free and low-cost digital media.

The NAI will continue to work with members, other stakeholders of the digital media industry, and policymakers to promote broader adoption of PETs to achieve these goals. If you have additional questions or would like to engage with the NAI, please contact privacy@thenai.org.
