Wildcard support for interestGroupOwners

[brodrigu]

@MattMenke2 noted the possibility for removing wildcard support in the interestGroupBuyers declaration from FLEDGE:

(Note that wildcard owners are allowed in the FLEDGE spec, but that is currently disabled in Chrome, and likely will be removed)

It is possible sellers will prefer to run a Fledge auction which allows multiple SSPs to participate as this is better for competition. Exactly how this would work in the current spec is being explored, but the most straightforward solution is for SSPs to contribute their own scoring functions to a neutral "controller" which would handoff each bid to each SSP and choose the best score per bid. This is described in more detail here.

In this paradigm, multiple SSPs will contribute to the set of allowed buyers. Without wildcard support in interestGroupBuyers a mechanism for collecting all supported buyers across all participating SSPs will need to be created which could add more latency to the page and unnecessary complexity to the FLEDGE flow.

If wildcard support is being considered for removal, could we have a discussion about the driver for this and tradeoffs?

[vincent-grosbois]

I think the argument in favor of removing the wildcard is the one that was said in the thread you linked:

• There are a few things that are not handled by Fledge itself (such as billing and currency conventions) that require "over the counter" agreements between sellers and buyer outside of Fledge
• as such, if you were to allow all possible buyers in the auction with a wildcard, you would potentially end up doing displays for an entity with whom you have no legal agreement and that isn't even able to pay you as a seller

[MattMenke2]

Two concerns:

1. A rogue IG could be added that then gets informed of all "*" auctions IGs are user takes part in. Even once there's some enforcement of worklet servers being trusted, I don't think we want to just be informing any IGs of all auctions. Before there's any enforcement of worklet servers being trusted, we certainly can't implement this.

2. It's logically impossible to have agreements with every IG owner on the planet, so they shouldn't all be taking part in auctions.

Edit: My 2) is the same issue as vincent-grosbois mentioned above.

[brodrigu]

I agree that an agreement between a buyer and a seller is needed and that there are use cases where the seller declaring their list of supported buyers would be beneficial. However, it is possible for the seller's scoring logic to handle the decisioning on which bids (or indeed buyers) to allow and perhaps even to leverage the response from trusted scoring signals to ultimately make that decision. The scoring function is also an appropriate place to ensure the proper currency is provided (through some agreed meta-data).

Removing the ability for the seller to choose to receive all bids would ultimately limit the flexibility of the seller within FLEDGE. Are their known privacy or functional issues that require this features removal?

[MattMenke2]

My issue 1) that I listed above is the reason why the Chrome security team asked for its removal before using it in any origin trial, on privacy grounds.

[MattMenke2]

And just to make sure we're on the same page, 1) is entirely about leaking information to the bidder when data is requested to run the auction, not the seller seeing bidders it has no interest in selling to.

There are certainly concerns about leaking bidder data to sellers as well, but the wildcard interestGroupOwners doesn't cause that - that's more an issue around the trustedScoringSignalsUrl, which I raised in #200 (There may, of course, be other leaks in that direction, that's the one on my mind, currently).