Abstract: A method includes receiving, by a data processing apparatus and from a content distribution system, a message comprising a probabilistic data structure representing a set of content items that should not be provided to a user device, content item data for content items available to be provided, and a request to determine whether any content item data is invalid, determining that the content item data for a given content item is invalid because the given content item may be in the set of content items represented by the probabilistic data structure, including removing the content item data for the given content item that was determined to be invalid; and preventing distribution of content items including the given content item.

Abstract: Methods, systems, and apparatus, including a method for determining network measurements. In some aspects, a method includes receiving, by a first aggregation server and from each of multiple client devices, encrypted impression data. A second aggregation server received from each of at least a portion of the multiple client devices, conversion data that includes, for each conversion recorded by the client device, encrypted conversion value data. The first aggregation server and the second aggregation server perform a multi-party computation process to decrypt the encrypted impression data and the encrypted conversion data.

Abstract: This disclosure relates to preserving the privacy of users and preventing access to information of other entities. In one aspect, a method includes receiving, from a client device, a content request including request signals specifying user group identifiers that each identify a user group that includes a user of the client device. One or more user group identifiers that satisfy a first k-anonymity process are identified. Selection parameter elements that each include data indicating a respective digital component and a selection parameter for the respective digital component are received from one or more first content platforms. At least a portion of the selection parameters and, for each selection parameter, data identifying the first content platform from which the selection parameter was received are transmitted to a second content platform. Data specifying a given first content platform selected based on the selection parameters is received from the second content platform.

Abstract: Systems, methods, devices, and other techniques for preserving privacy when comparing private datasets from first and second computing systems. The second computing system identifies a first set of identifiers corresponding to records in a private database of the second computing system. The second computing system receives blinded versions of a set of identifiers corresponding to records in a private database of the first computing system. The second computing system determines an intersection or characteristic thereof of the records in the private database of the first computing system and the records in the private database of the second computing system based on matches between the blinded versions of the first and second sets of identifiers.

Abstract: Methods, systems, and apparatus, including a method for preventing fraud. In some aspects, a method includes: receiving, from multiple client devices, a measurement data element that includes a respective group member key and a group identifier for a given conversion as a result of displaying a digital component. Each client device uses a threshold encryption scheme to generate, based at least on network data that includes one or more of impression data or conversion data for the conversion, a group key that defines a secret for encrypting the network data and generate, based on data related to the application, the respective group member key that includes a respective share of the secret. In response to determining that at least the threshold number of measurement data elements having the same group identifier have been received, the network data is decrypted using the group member keys in the received measurement data elements.

Abstract: The present disclosure provides systems and methods for authenticated control of content delivery. The method includes receiving a request for an item of content from a computing device, the request comprising a security token associated with the computing device and an identifier of a group of domains, identifying the group of domains from the identifier, and retrieving a security key associated with the group of domains. The method further includes decrypting a signature of the security token, identifying an authentication string, determining that the authentication string matches a server authentication string, and identifying characteristics of the security token. The characteristics of the security token include a confidence score. The method further includes comparing the confidence score of the security token to a threshold, determining that the confidence score does not exceed the threshold, and preventing transmission of content to the computing device.

Abstract: Methods, systems, and computer media provide attestation tokens that protect the integrity of communications transmitted from client devices, while at the same time avoiding the use of stable device identifiers that could be used to track client devices or their users. In one approach, client devices can receive anonymous certificates from a device integrity computing system signifying membership in a selected device trustworthiness group, and attestation tokens can be signed anonymously with the anonymous certificates using a group signature scheme. Client devices can include throttlers imposing limits on the quantity of attestation tokens created by the client device.

Abstract: The present disclosure provides systems and methods for content quasi-personalization or anonymized content retrieval via aggregated browsing history of a large plurality of devices, such as millions or billions of devices. A sparse matrix may be constructed from the aggregated browsing history, and dimensionally reduced, reducing entropy and providing anonymity for individual devices. Relevant content may be selected via quasi-personalized clusters representing similar browsing histories, without exposing individual device details to content providers.

Abstract: Methods, systems, and apparatus, including a method for determining network measurements. In some aspects, a method includes receiving, by a first aggregation server and from each of multiple client devices, encrypted impression data. A second aggregation server receives, from each of at least a portion of the multiple client devices, encrypted conversion data. The first aggregation server and the second aggregation server perform a multi-party computation process to generate chronological sequences of encrypted impression data and encrypted conversion data and to decrypt the encrypted impression data and the encrypted conversion data.

Abstract: The present disclosure provides systems and methods for secure identification retrieval. The method includes retrieving a value of a periodic variable and calculating a plurality of query tokens from a corresponding plurality of client device identifiers and the value of the periodic variable. Each query token is associated with a corresponding client device identifier in a first database. The method further includes receiving a first query token calculated from a client device identifier of the first client device and the value of the periodic variable and identifying a second query token of the calculated plurality of query tokens in the first database matching the first query token. The method further includes, responsive to the identification, retrieving the associated client device identifier and retrieving one or more characteristics of the first client device according to the associated client device identifier. The method further includes transmitting the retrieved one or more characteristics.

Abstract: Methods, systems, and apparatus, including an apparatus for verifying the integrity of requests. In some aspects, a method includes receiving, from an application, a request including an attestation token of the application. The attestation token includes a set of data that includes at least a public key of the application and a token creation time that indicates a time at which the attestation token was created. The attestation also includes a signature of the set of data. The signature is generated using a private key that corresponds to the public key. The integrity of the request is verified using the attestation token. The verification includes determining that the integrity of the request is valid based on a determination that the token creation time is within a threshold duration of the time at which the request was received and a determination that the set of data has not been.

Abstract: The present disclosure provides systems and methods for secure identification retrieval. The method includes retrieving a value of a periodic variable and calculating a plurality of query tokens from a corresponding plurality of client device identifiers and the value of the periodic variable. Each query token is associated with a corresponding client device identifier in a first database. The method further includes receiving a first query token calculated from a client device identifier of the first client device and the value of the periodic variable and identifying a second query token of the calculated plurality of query tokens in the first database matching the first query token. The method further includes, responsive to the identification, retrieving the associated client device identifier and retrieving one or more characteristics of the first client device according to the associated client device identifier. The method further includes transmitting the retrieved one or more characteristics.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, facilitate cross-platform content muting. Methods include detecting a request from a user to remove, from a user interface, a media item that is provided by a first content source and presented on a first platform. One or more tags that represent the media item are determined. These tags, which indicate that the user removed the media item represented by the one or more tags from presentation on the first platform, are stored in a storage device. Subsequently, content provided by a second content source (different from the first content source) on a second platform (different from the first platform) is prevented from being presented. This content is prevented from being presented based on a tag representing the content matching the one or more tags stored in the storage device.

Abstract: Systems, methods, devices, and other techniques for preserving privacy when comparing private datasets from first and second computing systems. The second computing system identifies a first set of identifiers corresponding to records in a private database of the second computing system. The second computing system receives blinded versions of a set of identifiers corresponding to records in a private database of the first computing system. The second computing system determines an intersection or characteristic thereof of the records in the private database of the first computing system and the records in the private database of the second computing system based on matches between the blinded versions of the first and second sets of identifiers.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, facilitate cross-platform content muting. Methods include detecting a request from a user to remove, from a user interface, a media item that is provided by a first content source and presented on a first platform. One or more tags that represent the media item are determined. These tags, which indicate that the user removed the media item represented by the one or more tags from presentation on the first platform, are stored in a storage device. Subsequently, content provided by a second content source (different from the first content source) on a second platform (different from the first platform) is prevented from being presented. This content is prevented from being presented based on a tag representing the content matching the one or more tags stored in the storage device.

Abstract: Methods, systems, and apparatus, including a method for updating user consent in a verifiable manner. In some aspects, a method includes receiving, from a client device, a request including an attestation token. The attestation token includes a set of data that includes at least a user identifier that uniquely identifies a user of the client device, a token creation time that indicates a time at which the attestation token was created, user consent data specifying whether one or more entities that receive the attestation token are eligible to use data of the user, an action to be performed in response to the request. The attestation token also includes a digital signature of at least a portion of the set of data, including at least the user identifier and the token creation time. An integrity of the request is verified using the attestation token.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for detecting errors in a client device and its associated applications while preserving the privacy of the user of the device. Methods can include obtaining and blinding contextual application data for an application on a device. Data regarding the application's digital certificate and device trustworthiness data are obtained and provided to a trust assessment server along with the blinded data. This server can provide indications that the device is trustworthy and the application is authentic, and can digitally sign the blinded data. The digital signature can be validated and the unblinded contextual application data can be obtained. If the unblinded data matches the contextual application data, the application can provide the digital signature, the indications, and the unblinded contextual application data to an error detection server, which in turn can indicate the application does not have errors.

Abstract: The present disclosure provides systems and methods for secure identification retrieval. The method includes retrieving a value of a periodic variable and calculating a plurality of query tokens from a corresponding plurality of client device identifiers and the value of the periodic variable. Each query token is associated with a corresponding client device identifier in a first database. The method further includes receiving a first query token calculated from a client device identifier of the first client device and the value of the periodic variable and identifying a second query token of the calculated plurality of query tokens in the first database matching the first query token. The method further includes, responsive to the identification, retrieving the associated client device identifier and retrieving one or more characteristics of the first client device according to the associated client device identifier. The method further includes transmitting the retrieved one or more characteristics.

Abstract: The present disclosure provides systems and methods for content quasi-personalization or anonymized content retrieval via aggregated browsing history of a large plurality of devices, such as millions or billions of devices. A sparse matrix may be constructed from the aggregated browsing history, and dimensionally reduced, reducing entropy and providing anonymity for individual devices. Relevant content may be selected via quasi-personalized clusters representing similar browsing histories, without exposing individual device details to content providers.

Abstract: The present disclosure provides systems and methods for content quasi-personalization or anonymized content retrieval via aggregated browsing history of a large plurality of devices, such as millions or billions of devices. A sparse matrix may be constructed from the aggregated browsing history, and dimensionally reduced, reducing entropy and providing anonymity for individual devices. Relevant content may be selected via quasi-personalized clusters representing similar browsing histories, without exposing individual device details to content providers.