Trust tokens | What is the Privacy Sandbox?

Domain & Hosting bundle deals!

[MUSIC PLAYING] SAM DUTTON: Trust Tokens is a
new API to help combat fraud and distinguish bots
from real humans without passive tracking. The Trust Tokens API is
part of the Privacy Sandbox, a series of proposals to
satisfy cross-site use cases without third-party
cookies or other tracking mechanisms. Now, Trust Tokens enable
trust of a user in one context to be conveyed to
another context, without identifying the user
or linking their identity across websites. When a user is shown to be
authentic– for example, by account activity or by
completing a CAPTCHA challenge, say, on a website– the Trust Tokens API can
be used by the website to issue cryptographic
tokens to the user. The tokens are securely
stored by the user's browser, and tokens can be
redeemed later when there's a need to evaluate
the user's authenticity– for example, to detect that a
user is a real human and not a bot before allowing a comment
to be posted on a blog post, for example, or before
requesting and displaying an advertisement. So why do we need Trust Tokens? Well, the web needs ways to
convey trust signals, which show that a user is
who they say they are and not a bot
pretending to be a human or a malicious third party
defrauding a real person or service.

Fraud protection is particularly
important for advertisers, ad platforms, and publishers and
Content Distribution Networks, or CDNs. Now unfortunately, many
existing mechanisms to propagate trustworthiness
so a website can be confident that an interaction
is from a real human rely on third-party cookies,
which have historically also been used for individual
user tracking, and are being phased
out by browsers. Mechanisms to communicate
trust must preserve privacy, enabling trust to be
propagated across sites without individual
user tracking. So how do Trust Tokens work? Well, I'll take you through
a typical example step by step in a bit more
technical detail. Now, one caveat–
the outline here corresponds to the current
state of Trust Tokens. The specifics of
how the Trust Tokens API is designed
and implemented may evolve owing to origin trial
testing, API development, and other factors. Anyway, so this example
shows a news website, and it wants to check if a user
is a real human and not a bot before displaying an ad.

Ad fraud can be a
significant problem, so this is an
important use case. So first up, the user visits
a website known as an issuer. I've called them issuer.example. The actions performed by
the user lead issuer.example to believe that they
are a real human– for example, making purchases,
using an email account, or successfully completing
a CAPTCHA challenge. Once issuer.example is satisfied
that the user is genuine, it can make a request
for Trust Tokens from a Trust Token service that
it runs on its backend server. The issuer.example server
responds with Trust Token data. And then the user's browser
saves the Trust Token data in special secure
storage for Trust Tokens. Now later on, the user visits
a website like a news publisher that needs to verify
that the user is actually a real human being, for
example when displaying ads.

pexels photo 8540259

Now, with Trust Tokens,
this type of site is known as a
redeemer because it will attempt to redeem Trust
Tokens to verify the user. The site uses the
Trust Tokens API to check if the user's browser
has tokens stored for an issuer that the site trusts. And good news– Trust Tokens are
found for the issuer the user visited previously. In this example, the
redeemer site, use.example, makes a request to the
issuer, issuer.example, to redeem a Trust Token that was
stored by the user's browser. The issuer site responds
with data, including what's called a redemption record. And the news site
now makes a request to an ad platform including
the redemption record to show that the user
is trusted by the issuer to be a real actual human. Once the ad platform is
satisfied by the redemption record that the request
is for a real user, the platform provides the data
required to display an ad, and the publisher's
site displays the ad. If all goes well, an
ad view impression is counted by using a technology
such as the Attribution Reporting API, which is another
Privacy Sandbox initiative. In this process, sites can
request a token for a user, but they cannot see sites
that the user has visited.

The service displaying
the ad verifies the token, and the advertiser doesn't get
information about the user's browsing activity. So that's an overview
of the Trust Tokens API. To find out more, take a look
at our article on web.dev, and we also have a demo
that shows Trust Token issuance and redemption. Now if you have
comments or feedback, you can create an issue on
the API explainer on GitHub. And you can track
implementations of all the Privacy Sandbox
APIs on this status page.

So thanks for watching,
and be sure to check out the other videos in the
Privacy Sandbox series. [MUSIC PLAYING] .

You May Also Like