Patents by Inventor Marcel M. Moti Yung
Marcel M. Moti Yung has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12373607
Abstract: This document describes systems and techniques for improving the integrity and protecting the security of information in content selection and distribution. In one aspect, a method includes receiving, by a first server of a secure multi-party computation (MPC) system from an application on a user device, a request for a digital component. The request is parsed into distinct sub-requests. Each sub-request is transmitted to a different server. A set of candidate selection values is received from a separate server. The first server performs, in collaboration with one or more second servers of the MPC system, a selection process to generate a selection result for a winning digital component, including merging the first set of candidate selection values and a set of cached selection values to create a final set of candidate selection values and sorting the final set according to the values of the candidate selection values.
Type: Grant
Filed: April 15, 2024
Date of Patent: July 29, 2025
Assignee: Google LLC
Inventors: Gang Wang, Marcel M. Moti Yung, Kevin Wei Li Yeo
-
Patent number: 12353598
Abstract: This disclosure relates to preserving the privacy of users and preventing access to information of other entities. In one aspect, a method includes receiving, from a client device, a content request including request signals specifying user group identifiers that each identify a user group that includes a user of the client device. One or more user group identifiers that satisfy a first k-anonymity process are identified. Selection parameter elements that each include data indicating a respective digital component and a selection parameter for the respective digital component are received from one or more first content platforms. At least a portion of the selection parameters and, for each selection parameter, data identifying the first content platform from which the selection parameter was received are transmitted to a second content platform. Data specifying a given first content platform selected based on the selection parameters is received from the second content platform.
Type: Grant
Filed: November 2, 2023
Date of Patent: July 8, 2025
Assignee: Google LLC
Inventors: Gang Wang, Marcel M. Moti Yung
-
Publication number: 20250219813
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for using cryptographic techniques to enhance data security and privacy and increasing computational efficiency in selecting digital components for multiple digital component slots are described. In one aspect, a method includes receiving, from a client device and by a first MPC computer of a group of MPC computers that collaborate to perform MPC computations, a composite request for digital components to display in multiple digital component slots of an electronic resource. The composite request includes first secret shares of data identifying user groups that include a user of the client device as a member. A determination is made, in collaboration with one or more second MPC computers, a first secret share of a value of each of multiple candidate parameters of a candidate expression for each digital component in a set of digital components.
Type: Application
Filed: June 22, 2023
Publication date: July 3, 2025
Inventors: Gang Wang, Marcel M. Moti Yung
-
Publication number: 20250211429
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for using cryptographic techniques to enhance data security and privacy and increase computational efficiency in selecting digital components are described. In one aspect, a method includes receiving, by an MPC computer of a group of MPC computers configured to perform computations of a secure MPC protocol to select digital components for distribution to client devices, a first secret share of location information indicating a location of a client device. The MPC computer generates, by performing the computations of the secure MPC protocol in collaboration with one or more second computers of the group of MPC computers, a first secret share of a selection result including data identifying a selected digital component that is selected from candidate digital components that are candidates based at least in part on the location of the client device.
Type: Application
Filed: June 22, 2023
Publication date: June 26, 2025
Inventors: Gang Wang, Marcel M. Moti Yung
-
Publication number: 20250200400
Abstract: This disclosure relates to a privacy preserving machine learning platform. In one aspect, a method includes receiving, by a first computing system of multiple multi-party computation (MPC) systems, an inference request that includes a first share of a given user profile. A number k of nearest neighbor user profiles that are considered most similar to the given user profile are identified. The first computing system identifies a first set of nearest neighbor profiles based on the first share of the given user profile and a k-nearest neighbor model. The first computing system receives, from each of one or more second computing systems of the multiple MPC systems, data indicating a respective second set of nearest neighbor profiles identified by the second computing system based on a respective second share of the given user profile and a respective second k-nearest neighbor model trained by the second computing system.
Type: Application
Filed: March 3, 2025
Publication date: June 19, 2025
Inventors: Gang Wang, Marcel M. Moti Yung
-
Patent number: 12323506
Abstract: This document relates to using secure MPC to select digital components in ways that preserve user privacy and protect the security of data of each party that is involved in the selection process. In one aspect, a method includes performing, by a first server of a secure MPC system in collaboration with one or more second servers of the secure MPC system, a selection process to select a digital component based in part on a selection value for each digital component in the selection process. This includes determining a first secret share of a winner parameter for each digital component in the selection process. The first server determines, for each given digital component in the selection process and in collaboration with the second server(s), a highest other selection value that corresponds to a different digital component that is different from the given digital component.
Type: Grant
Filed: March 7, 2022
Date of Patent: June 3, 2025
Assignee: Google LLC
Inventors: Gang Wang, Marcel M. Moti Yung
-
Publication number: 20250175348
Abstract: This disclosure describes systems and techniques for controlling access to user information using ephemeral user identifiers. In one aspect, a method includes determining, for a given domain, engagement by a user with content provided by the given domain for display by an application at a client device of the user. A determination is made, based on the engagement by the user, to extend, for the given domain, a linkage between user identifiers for a user of the application. In response to determining to extend, for the given domain, the linkage between the user identifiers for the user of the application, one or more future domain-specific ephemeral user identifiers for the user and the given domain are obtained. An attestation record that includes a current domain-specific ephemeral user identifier and the one or more is generated and sent to the given domain.
Type: Application
Filed: November 26, 2024
Publication date: May 29, 2025
Inventors: Alex Daniel Jacobson, Gang Wang, Marcel M. Moti Yung
-
Patent number: 12316767
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for transmitting/processing requests to control information stored at multiple content platforms/servers. In one aspect, a client device can send a request to verify the device's trustworthiness to a device trustworthiness server. The client device can receive, from the device trustworthiness server, data indicating that the client device is trustworthy, in response to which, the client device can send, to a relay server, a request to control user data stored at a plurality of servers. The client device can receive, via the relay server, a response from each of the plurality of servers. Based on the responses, the client device can determine that at least a subset of the plurality of servers that included the user data has performed the action specified in the request to control the user data.
Type: Grant
Filed: July 11, 2024
Date of Patent: May 27, 2025
Assignee: Google LLC
Inventors: Gang Wang, Rock Yuen-Wong, Arpana Hosabettu, Marcel M. Moti Yung
-
Publication number: 20250167988
Abstract: This disclosure relates to protecting the security of information in content selection and distribution. In one aspect, a method includes receiving, from a client device and by a first computing system of multi-party computation (MPC) systems, a digital component request including first secret shares of data identifying user groups that include a user of the client device as a member. The first computing system transmits a contextual digital component request to a content platform. The first computing system receives, from the content platform, selection data for multiple digital components. The selection data includes first vector data defining a contextual-based vector of values selected based in part on the set of contextual signals. The first computing system obtains, for each digital component, second vector data defining a user group-based vector of values selected based in part on a respective user group corresponding to the digital component.
Type: Application
Filed: November 26, 2024
Publication date: May 22, 2025
Inventors: Gang Wang, Ardian Poernomo, Marcel M. Moti Yung
-
Publication number: 20250167978
Abstract: This document describes systems and techniques for using secure MPC to select digital components in ways that preserve user privacy and protect the security of data of each party that is involved in the selection process. In one aspect, a method includes obtaining, by a first computer of a secure multi-party computation (MPC) system, at least a first share of a set of contextual properties of an environment in which a selected digital component will be displayed at a client device. For each digital component in a set of digital components, at least a first share of an eligibility expression that defines a relationship between a set of eligibility criteria for the digital component is obtained. A determination is made, based on the at least first share of the set of contextual properties and the at least first share of the eligibility expression, a first share of an eligibility parameter.
Type: Application
Filed: November 27, 2024
Publication date: May 22, 2025
Inventors: Gang Wang, Marcel M. Moti Yung
-
Publication number: 20250131115
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for batch retrieving data are described. In one aspect, a method includes receiving, from a client device and by a first multi-party computation (MPC) server of a cluster of MPC servers, a batch request for retrieving multiple database values stored in one or more databases. The batch request includes a first byte array that includes, for each requested key of multiple requested keys, a first secret share of the requested key. Each database includes multiple data items that each include a database key and a corresponding value. The MPC server processes each database key to generate first secret shares of matching data indicating whether the database key matches at least one requested key. The MPC server generates one or more results that represent database values corresponding to each database key that matches at least one requested key.
Type: Application
Filed: May 2, 2023
Publication date: April 24, 2025
Inventors: Gang WANG, Marcel M. Moti YUNG, Kevin Wei Li YEO
-
Patent number: 12284164
Abstract: Methods, systems, and apparatus, including a method for preventing fraud. In some aspects, a method includes: receiving, from multiple client devices, a measurement data element that includes a respective group member key and a group identifier for a given conversion as a result of displaying a digital component. Each client device uses a threshold encryption scheme to generate, based at least on network data that includes one or more of impression data or conversion data for the conversion, a group key that defines a secret for encrypting the network data and generate, based on data related to the application, the respective group member key that includes a respective share of the secret. In response to determining that at least the threshold number of measurement data elements having the same group identifier have been received, the network data is decrypted using the group member keys in the received measurement data elements.
Type: Grant
Filed: May 6, 2024
Date of Patent: April 22, 2025
Assignee: Google LLC
Inventors: Gang Wang, Marcel M. Moti Yung
-
Patent number: 12282867
Abstract: This disclosure relates to a privacy preserving machine learning platform. In one aspect, a method includes receiving, by a first computing system of multiple multi-party computation (MPC) systems, an inference request that includes a first share of a given user profile. A number k of nearest neighbor user profiles that are considered most similar to the given user profile are identified. The first computing system identifies a first set of nearest neighbor profiles based on the first share of the given user profile and a k-nearest neighbor model. The first computing system receives, from each of one or more second computing systems of the multiple MPC systems, data indicating a respective second set of nearest neighbor profiles identified by the second computing system based on a respective second share of the given user profile and a respective second k-nearest neighbor model trained by the second computing system.
Type: Grant
Filed: September 29, 2021
Date of Patent: April 22, 2025
Assignee: Google LLC
Inventors: Gang Wang, Marcel M. Moti Yung
-
Publication number: 20250117521
Abstract: This disclosure relates to using additive and subtractive noise for preserving the privacy of users. In one aspect, a method includes obtaining a first set of genuine user group identifiers that identify user groups that include a user as a member. A second set of user group identifiers is generated for the user by removing zero or more genuine user group identifiers from the first set to generate the second set and adding, to the second set, one or more fake user group identifiers for user groups that do not include the user as a member. A probabilistic data structure is generated based on the second set of user group identifiers. The probabilistic data structure is transmitted to a recipient computing system. Data indicating a set of digital components including at least one digital component selected based on the probabilistic data structure is received. A given digital component is presented.
Type: Application
Filed: December 20, 2024
Publication date: April 10, 2025
Inventors: Gang Wang, Andres Munoz Medina, Marcel M. Moti Yung, Yijian Bai, Ardian Poernomo, Jingjing Wang
-
Publication number: 20250080349
Abstract: Disclosed herein are systems, methods, and computer-readable media for enabling more secure multi-party computations (MPCs) using a trusted execution environment (TEE). In one aspect, a method includes executing, by a first MPC computer, a secure MPC protocol in a first TEE of the first MPC computer. The first MPC computer generates a request to a second MPC computer executing the secure MPC protocol in a second TEE of the second MPC computer. The first TEE determines that one or more attestation conditions are met by the first MPC computer executing the secure MPC protocol in the first TEE. In response to determining that the one or more attestation conditions are met, the first TEE generates an attestation token including one or more digital signatures for the secure MPC protocol executing in the first TEE. The first MPC computer sends the attestation token with the request to the second MPC computer.
Type: Application
Filed: April 25, 2023
Publication date: March 6, 2025
Inventors: Gang Wang, Marcel M. Moti Yung, Sheldon I. Walfish
-
Patent number: 12244716
Abstract: The present disclosure provides systems and methods for secure identification retrieval. The method includes retrieving a value of a periodic variable and calculating a plurality of query tokens from a corresponding plurality of client device identifiers and the value of the periodic variable. Each query token is associated with a corresponding client device identifier in a first database. The method further includes receiving a first query token calculated from a client device identifier of the first client device and the value of the periodic variable and identifying a second query token of the calculated plurality of query tokens in the first database matching the first query token. The method further includes, responsive to the identification, retrieving the associated client device identifier and retrieving one or more characteristics of the first client device according to the associated client device identifier. The method further includes transmitting the retrieved one or more characteristics.
Type: Grant
Filed: June 26, 2023
Date of Patent: March 4, 2025
Assignee: Google LLC
Inventors: Gang Wang, Marcel M. Moti Yung
-
Publication number: 20250038956
Abstract: This disclosure relates to protecting the security and privacy of data, including user identifiers (IDs). In some aspects, a method includes receiving, by a cryptographically-secure private set intersection (CSPSI) server and from a first device corresponding to a first entity, a first identifier retrieval request corresponding to a digital component request being sent from the first device to a second device corresponding to a second entity. The first identifier retrieval request includes a first encrypted user identifier generated by encrypting a user identifier for a user using a first encryption key corresponding to the first entity. The CSPSI server determines, using the encrypted user identifier, a bilateral encrypted user identifier for the user generated by encrypting the first encrypted user identifier using a second encryption key corresponding to the second entity. The CSPSI server sends the bilateral encrypted user identifier for the user to the first device.
Type: Application
Filed: November 16, 2022
Publication date: January 30, 2025
Inventors: Shreedhar Madhavapeddi, Marcel M. Moti Yung, Bashar Kachachi, Stephen W. Rupp, Samuel Benjamin Temes, Shreya Mathur
-
Patent number: 12210647
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for using additive and subtractive noise for preserving the privacy of users. In one aspect, a method includes obtaining a first set of genuine user group identifiers that identify user groups that include a user as a member. A second set of user group identifiers is generated for the user by removing zero or more genuine user group identifiers from the first set to generate the second set and adding, to the second set, one or more fake user group identifiers for user groups that do not include the user as a member. A probabilistic data structure is generated based on the second set of user group identifiers. The probabilistic data structure is transmitted. Data indicating a set of digital components including at least one digital component selected based on the probabilistic data structure is received.
Type: Grant
Filed: April 20, 2021
Date of Patent: January 28, 2025
Assignee: Google LLC
Inventors: Gang Wang, Andres Munoz Medina, Marcel M. Moti Yung, Yijian Bai, Ardian Poernomo, Jingjing Wang
-
Patent number: 12200100
Abstract: This document describes systems and techniques for using secure MPC to select digital components in ways that preserve user privacy and protect the security of data of each party that is involved in the selection process. In one aspect, a method includes obtaining, by a first computer of a secure multi-party computation (MPC) system, at least a first share of a set of contextual properties of an environment in which a selected digital component will be displayed at a client device. For each digital component in a set of digital components, at least a first share of an eligibility expression that defines a relationship between a set of eligibility criteria for the digital component is obtained. A determination is made, based on the at least first share of the set of contextual properties and the at least first share of the eligibility expression, a first share of an eligibility parameter.
Type: Grant
Filed: August 22, 2022
Date of Patent: January 14, 2025
Assignee: Google LLC
Inventors: Gang Wang, Marcel M. Moti Yung
-
Patent number: 12192377
Abstract: This disclosure describes systems and techniques for controlling access to user information using ephemeral user identifiers. In one aspect, a method includes determining, for a given domain, engagement by a user with content provided by the given domain for display by an application at a client device of the user. A determination is made, based on the engagement by the user, to extend, for the given domain, a linkage between user identifiers for a user of the application. In response to determining to extend, for the given domain, the linkage between the user identifiers for the user of the application, one or more future domain-specific ephemeral user identifiers for the user and the given domain are obtained. An attestation record that includes a current domain-specific ephemeral user identifier and the one or more is generated and sent to the given domain.
Type: Grant
Filed: December 15, 2021
Date of Patent: January 7, 2025
Assignee: Google LLC
Inventors: Alex Daniel Jacobson, Gang Wang, Marcel M. Moti Yung