The Trade Desk Launches UID2 On AWS Using Nitro Enclaves


Advertisers have traditionally relied on third-party cookies and device identifiers to deliver tailored advertising to specific consumers and provide recommendations through mobile apps, streaming TV, and web experiences.

But as the advertising industry reduces its reliance on cookies and identifiers to protect consumer privacy, industry customers are exploring new opportunities to improve how to identify consumers online and deliver personalized advertising in a transparent and trusted way.

Unified ID 2.0 (UID2) is a new industry solution to address this opportunity. Developed by The Trade Desk, UID2 is a non-proprietary, open standard accessible to constituents across the advertising ecosystem. UID2 enables advertisers, agencies, ad technology companies, and publishers selling advertising to continue providing relevant, personalized advertising without third-party cookies. It also provides mechanisms for consumer consent with transparency baked in. Despite the promise of UID2, there hasn’t been an easy way to deploy UID2 operator services into your Amazon Web Services (AWS) account to date.

The solution uses AWS Nitro Enclaves to create trusted compute environments for UID2 operator services. Sensitive data is processed only inside the enclave, which lets advertisers match ad opportunities against their first-party user data without exposing that data, helping protect consumers' privacy while still delivering relevant advertising.

“With our strategy of providing multi-layered identity solutions, Unified ID 2.0 is an important open-source identity solution for the open web that enables Acxiom and Kinesso to directly connect brands’ audiences with the publisher ecosystem without client data leaving our privacy-safe environments. We’re excited by the ‘Unified ID 2.0 on AWS’ solution to further enhance data security and privacy through AWS Nitro Enclaves and reduce heavy lifting from our development teams to launch Unified ID 2.0 in our AWS Cloud environment. Further, because Unified ID 2.0 directly connects first-party audiences to publishers, this solution will help with improved efficiency, match rates and ultimately, better customer experiences,” said Ian Johnson, Global Chief Operating Officer, across Acxiom, Kinesso, and Matterkind.

UID2 Overview

A UID2 identifier is a token representing a user’s verifiable Personally Identifiable Information (PII), such as an authenticated email address. UID2 identifiers differ from third-party cookies in a few ways:

  • UID2 identifiers are never shared between partners. Instead, they are encrypted into ephemeral UID2 “tokens.”
  • UID2 tokens do not persist and instead use a cryptographic nonce so their value is different each time they are shared during real-time request and response workflows in programmatic advertising (known as the “bid stream”).
  • UID2 tokens refresh at a defined interval to prevent misuse of tokens by non-UID2 participants who may want to build consumer profiles using UID2 tokens.

When a user visits a website, the ad publisher requests a user login that includes a transparent consent explanation and provides opt-in/opt-out options to personalize ads and delete data. The authenticated login information is provided to a UID2 Operator, a service that creates a salted SHA-256 hash of it (the “UID2 identifier”) and an encrypted form of that identifier (the “UID2 token”) representing the user. These tokens enable advertisers to match ad opportunities with their first-party user data without ever receiving the underlying PII, improving the relevance of advertising while keeping consumer information protected.
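To make the hash-then-encrypt flow concrete, here is an added illustrative pipeline in Go. It is not code from the UID2 project or from The Trade Desk; the normalization rules, the salt-bucket selection, the AES-256-GCM token layout (key ID, nonce, ciphertext) and the sample salts and key are all assumptions made for this example. What it does show is the two properties described above: the same mailbox always derives the same UID2 identifier, while every token minted from that identifier is a fresh ciphertext that only holders of the Administrator-issued key can open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// normalizeEmail canonicalises the address so the same mailbox always hashes to the same
// value. Trim-and-lowercase is a simplification; the UID2 normalization rules are more detailed.
func normalizeEmail(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// hashEmail is the base64 SHA-256 of the normalized address: the form a publisher can hand
// to an Operator instead of the plaintext address.
func hashEmail(email string) string {
	sum := sha256.Sum256([]byte(normalizeEmail(email)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// deriveUID2 salts the hashed email with its bucket's salt to produce the UID2 identifier.
// Bucket selection (first byte of the hash) and the concatenation are assumptions made here,
// not the UID2 specification's exact scheme.
func deriveUID2(hashedEmail string, salts []string) string {
	bucket := int(hashedEmail[0]) % len(salts)
	sum := sha256.Sum256([]byte(hashedEmail + "|" + salts[bucket]))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// tokenize seals the UID2 identifier with AES-256-GCM under a fresh random nonce, so two
// tokens for the same user never share a ciphertext. The layout (keyID || nonce || ciphertext)
// is an illustrative format assumed for this example, not the real UID2 token format.
func tokenize(keyID byte, key []byte, uid2 string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append([]byte{keyID}, nonce...)
	// keyID is bound as associated data so it cannot be swapped without detection.
	return gcm.Seal(header, nonce, []byte(uid2), []byte{keyID}), nil
}

// detokenize is the inverse, run by a participant holding the same key set from the
// Administrator. A key ID absent from the set means the token was minted under a key that
// has since been rotated out, or by something that is not a UID2 participant.
func detokenize(keys map[byte][]byte, token []byte) (string, error) {
	if len(token) == 0 {
		return "", errors.New("empty token")
	}
	key, ok := keys[token[0]]
	if !ok {
		return "", errors.New("unknown key ID")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(token) < 1+ns+gcm.Overhead() {
		return "", errors.New("token too short")
	}
	plain, err := gcm.Open(nil, token[1:1+ns], token[1+ns:], token[:1])
	if err != nil {
		return "", errors.New("token failed authentication")
	}
	return string(plain), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // stands in for a key delivered by the UID2 Administrator
	salts := []string{"salt-0 (constructed)", "salt-1 (constructed)"}
	uid := deriveUID2(hashEmail(" Alice@Example.com "), salts)
	tok, _ := tokenize(7, key, uid)
	back, err := detokenize(map[byte][]byte{7: key}, tok)
	println(back == uid, err == nil)
}
```

Two details carry the security weight here. The random nonce is what makes the token value differ on every bid, so a non-participant seeing many tokens cannot link them to one user; and because GCM authenticates the ciphertext and the key ID, a token minted under a rotated-out key, or altered in transit, fails to open rather than decrypting to garbage.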

Two basic entities interact in UID2 workflows: the Administrator and the Operator. The UID2 Administrator is a centralized service that manages access to the distributed UID2 system and is responsible for distributing encryption and decryption keys and salts to UID2 Operators. A UID2 Operator runs the UID2 service that processes user PII and generates and manages UID2 identifiers and UID2 tokens. Operators are either Public Operators or Private Operators. Public Operators are organizations that run the UID2 service (via API) for all participants. Private Operators are organizations that run their own internal instance of the UID2 service to generate and manage UID2 identifiers and UID2 tokens.

Now let’s explore how The Trade Desk leveraged AWS services to build the UID2 Private Operator service on AWS (more details are available on GitHub). The architecture uses AWS Nitro Enclaves to create isolated, hardened, and highly constrained compute environments for the UID2 Private Operator service to protect and securely process highly sensitive data. Before we get started, there are several requirements for applications that generate UID2 and UID2 tokens:

Requirements for Private Operators to meet the UID2 standard

  1. Establish a “Trusted Environment” for the UID2 Operator application to process users’ private data (i.e., a user’s phone number or email address) such that sensitive data does not leave the application boundary in plaintext.
  2. User PII shouldn’t be accessible to other UID2 Operators, Ad Publishers, Supply-Side Platforms (SSPs), Data Providers, Advertisers, or Demand-Side Platforms (DSPs).
  3. Validate that UID2 Operators run only authorized code and configurations.
  4. An API key to establish a connection between UID2 Operator application and UID2 Core (managed by UID2 Administrator).
  5. Encryption keys and salt buckets are provided by the UID2 Administrator only to the trusted application code within the UID2 Operator application.
  6. All data processing and transformation happens in memory; encryption keys, the salt store, and UID2 identifiers must not be written to persistent storage by the application.

Leveraging AWS Nitro Enclaves

To meet the requirements of the UID2 standard, the UID2 Private Operator service uses AWS Nitro Enclaves for processing highly sensitive data. A Nitro Enclave is a highly constrained virtual machine created by allocating CPU cores and memory from a single “parent” Amazon Elastic Compute Cloud (EC2) instance. Applications running inside a Nitro Enclave can use the enclave’s cryptographic attestation capability to prove their identity and build trust with an external service. Nitro Enclaves have no network connectivity, persistent storage, or interactive access, and the parent instance cannot read enclave memory, even as root. A Nitro Enclave is connected to its parent instance only through a secure local socket (vsock), which carries all input to and output from the enclave. The Trade Desk designed its UID2 Operator architecture to take advantage of these isolation and attestation capabilities.

UID2 Private Operator on AWS architecture

The UID2 Private Operator service uses a pre-packaged Amazon Machine Image (AMI) to distribute the application for deployment on an Amazon EC2 instance. The AMI includes a prebuilt Nitro Enclave Image File (EIF) containing the UID2 Operator environment, along with the configuration scripts and utilities that the parent instance needs. When an Amazon EC2 instance is launched from the pre-packaged AMI, it is configured to allocate a portion of its CPU cores and memory to launch a Nitro Enclave using the included EIF.

As shown in Diagram 1 below, the UID2 Operator enclave application requests an attestation document through the Nitro Secure Module (NSM) API, passing a one-time public key and a nonce as input. The enclave application then sends the signed attestation document to the UID2 Core service (managed by a UID2 Administrator). To validate the Nitro Enclaves cryptographic attestation document, the UID2 Administrator service decodes and extracts the document, validates the signing certificate’s chain back to the AWS Nitro Attestation PKI root, and confirms that the document is signed correctly. Once it has validated the attestation document, the UID2 Administrator service inspects the platform configuration registers (PCRs) it contains. PCR0 is the SHA-384 measurement of the enclave image, so comparing it with the value recorded for the pre-built EIF already validated by the UID2 Administrator confirms that the enclave was launched from an unmodified copy of that image. The echoed nonce ties the document to this specific request, so a captured attestation document cannot be replayed later.

Diagram 1: Nitro Enclave secure local channel and attestation document

After successful attestation, the UID2 Core service responds with a unique authorization token encrypted under the one-time public key carried in the enclave’s attestation document. Because the matching private key is held inside the enclave, the parent instance that relays the response over vsock cannot read the token. The token authorizes subsequent requests from the UID2 Operator enclave application and is refreshed automatically at intervals. After receiving the authorization token, the UID2 Operator enclave application requests encryption keys, salt buckets, and associated data from UID2 Core. UID2 Core responds with an Amazon S3 presigned URL from which the enclave downloads the required data. The enclave application uses the salt buckets to transform a user’s email address or phone number into a hashed (SHA-256) alphanumeric UID2 identifier and uses the encryption keys to encrypt that identifier into UID2 tokens. Entities running a UID2 Private Operator service can integrate their applications to send requests to their UID2 Operator enclave application, which transforms the user’s PII into UID2 identifiers and UID2 tokens.
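The attestation exchange described above, as an added example in Go that is not part of this page or of the uid2-operator code. It simulates both sides: the enclave side obtains a document binding its image measurement (PCR0), the Core’s nonce and a one-time RSA key, and the Core side validates the certificate chain, the signature, freshness, the nonce and PCR0 before sealing its authorization token to that key. The encoding is simplified (a JSON payload signed with ECDSA P-384, standing in for the CBOR/COSE_Sign1 a real Nitro document uses, and without the cabundle of intermediate certificates a real document carries), the PKI is a locally generated stand-in for the AWS Nitro Attestation PKI, and the use of RSA-OAEP for the token and every sample string are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

// attestationDoc holds the fields of a Nitro attestation document that the Core-side check
// uses. Simplified for this example: a real document is CBOR inside a COSE_Sign1 and also
// carries a cabundle of intermediates; here the payload is JSON signed with ECDSA P-384/SHA-384.
type attestationDoc struct {
	Timestamp int64          `json:"timestamp"`   // ms since epoch
	PCRs      map[int][]byte `json:"pcrs"`        // PCR0 = SHA-384 measurement of the EIF
	Cert      []byte         `json:"certificate"` // DER, the NSM's attestation signing cert
	PublicKey []byte         `json:"public_key"`  // enclave's one-time RSA key, PKIX DER
	Nonce     []byte         `json:"nonce"`       // caller-supplied, echoed back
}

// signAttestation stands in for the Nitro Secure Module, which alone holds the signing key
// on real hardware: it binds the measurement, Core's nonce and the one-time key together.
func signAttestation(nsmKey *ecdsa.PrivateKey, leafDER, pcr0 []byte, oneTime *rsa.PublicKey,
	nonce []byte, now time.Time) ([]byte, []byte, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(oneTime)
	if err != nil {
		return nil, nil, err
	}
	payload, _ := json.Marshal(attestationDoc{Timestamp: now.UnixMilli(),
		PCRs: map[int][]byte{0: pcr0}, Cert: leafDER, PublicKey: pubDER, Nonce: nonce})
	h := sha512.Sum384(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, nsmKey, h[:])
	return payload, sig, err
}

// verifyAttestation is the Core-side check: chain to the pinned root, signature, freshness,
// nonce, then PCR0 against the EIF the Administrator approved. The enclave's one-time public
// key is released to the caller only when every check passes.
func verifyAttestation(payload, sig []byte, roots *x509.CertPool, approvedPCR0, nonce []byte,
	now time.Time, maxAge time.Duration) (*rsa.PublicKey, error) {
	var doc attestationDoc
	if err := json.Unmarshal(payload, &doc); err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(doc.Cert)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, errors.New("signing cert does not chain to the trusted root: " + err.Error())
	}
	h := sha512.Sum384(payload)
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return nil, errors.New("attestation signature invalid")
	}
	if issued := time.UnixMilli(doc.Timestamp); issued.After(now) || now.Sub(issued) > maxAge {
		return nil, errors.New("attestation document not fresh")
	}
	if !bytes.Equal(doc.Nonce, nonce) {
		return nil, errors.New("nonce mismatch: possible replay")
	}
	if !bytes.Equal(doc.PCRs[0], approvedPCR0) {
		return nil, errors.New("PCR0 mismatch: enclave is not running the approved EIF")
	}
	k, _ := x509.ParsePKIXPublicKey(doc.PublicKey) // nil on parse failure, caught below
	if rsaPub, ok := k.(*rsa.PublicKey); ok {
		return rsaPub, nil
	}
	return nil, errors.New("one-time key missing or not RSA")
}

// newTestPKI is a stand-in for the Nitro attestation PKI, constructed for this example:
// a self-signed root (the certificate Core would pin) that signs the NSM's leaf directly.
func newTestPKI() (*x509.CertPool, *ecdsa.PrivateKey, []byte) {
	tpl := func(cn string, ca bool, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	}
	rootKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	rootTpl := tpl("nitro-root (test)", true, 1)
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	nsmKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	leafDER, _ := x509.CreateCertificate(rand.Reader, tpl("nsm-signing (test)", false, 2), root, &nsmKey.PublicKey, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return roots, nsmKey, leafDER
}

// runExchange performs one enclave<->Core round trip and reports whether the enclave could
// read Core's token. eif names the image the enclave actually booted, measured into PCR0.
func runExchange(eif string) (bool, error) {
	roots, nsmKey, leafDER := newTestPKI()
	approved := sha512.Sum384([]byte("uid2-operator.eif (constructed)")) // recorded at EIF build
	running := sha512.Sum384([]byte(eif))
	oneTime, _ := rsa.GenerateKey(rand.Reader, 2048) // generated inside the enclave; never leaves it
	nonce := make([]byte, 32)                        // chosen by Core for this request
	rand.Read(nonce)
	now := time.Now()
	payload, sig, err := signAttestation(nsmKey, leafDER, running[:], &oneTime.PublicKey, nonce, now)
	if err != nil {
		return false, err
	}
	pub, err := verifyAttestation(payload, sig, roots, approved[:], nonce, now, 5*time.Minute)
	if err != nil {
		return false, err
	}
	// Core seals its authorization token to the one-time key (RSA-OAEP is an assumption of
	// this example); the parent instance relays the reply over vsock but cannot decrypt it.
	token := []byte("core-auth-token (constructed)")
	sealed, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, token, nil)
	if err != nil {
		return false, err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, oneTime, sealed, nil)
	return err == nil && bytes.Equal(plain, token), err
}

func main() {
	ok, err := runExchange("uid2-operator.eif (constructed)")
	println(ok, err == nil)
}
```

The order of checks matters: the PCR0 comparison is only meaningful after the chain and signature have been verified, because anyone able to forge the document could also write any PCR value into it, and the nonce check is what stops a genuine document from an earlier session being replayed to obtain a fresh token.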

As shown in Diagram 2 below, the UID2 Private Operator service uses Amazon EC2 launch templates and Amazon EC2 Auto Scaling groups to scale horizontally as needed. UID2 Private Operator service nodes are deployed across multiple Availability Zones for high availability and resiliency.

Diagram 2: UID2 Private Operator Service on AWS Architecture Diagram

Conclusion

With the decreasing reliance on third-party cookies in real-time advertising, Unified ID 2.0 (UID2) has emerged as a solution that improves how to identify consumers online and deliver personalized advertising in a transparent and trusted way.