Validating the security of the Aggregation Service

The Aggregation Service extends the computation capabilities of Privacy Sandbox APIs beyond the device, to enable measurement of events across users. Several design decisions help ensure that user privacy is maintained outside the device. For example, the Aggregation Service can only process events in a Trusted Execution Environment, and jobs must be approved by central coordinators.

Today, we are sharing updates on the Aggregation Service coordinators, and results of an independent security assessment.

NCC security assessment

Open source implementations of the Aggregation Service and coordinator services ensure that the codebase for these systems is publicly accessible and can be inspected by all stakeholders, including security researchers, privacy advocates, and ad tech providers. In October 2022, we open-sourced the implementation of the Aggregation Service, and recently open-sourced the coordinator services.

To further establish that our design and implementation meet high security and privacy standards, we contracted the NCC Group, an independent firm with expertise in cybersecurity, to review the Aggregation Service and coordinator. NCC recently published their report, and confirmed our assertions about the system. The report states:

  • "NCC Group did not identify any flaws in the design of Privacy Sandbox Aggregation Service. It appears to satisfy industry best practices and provide strong protections for the confidentiality and integrity of data collected from end users."
  • "The overall design of the cryptography components within the Privacy Sandbox Aggregation Service was found to be suitable for the stated goals."
  • "There was no significant issue found that could allow an ad tech or any malicious party to gain access to any complete keys or higher privileges."

We continue to welcome feedback on our implementations.

Independent coordinator

To improve security and privacy, and in line with the initial design of the Aggregation Service, we decided to split the operation of the coordinator services between Google and an independent third party.
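The two security properties described above (processing only inside an attested TEE on coordinator-approved jobs, and no single party holding a complete key) can be illustrated with a simplified split-trust model. The following is an added example, not the Aggregation Service's own code; the measurement, job identifiers, and two-of-two XOR sharing are assumptions chosen to show the control flow, not the service's actual key format or protocol.

```python
import hashlib
import hmac
import secrets

# Placeholder values: a real deployment pins the approved TEE image
# measurement and approved jobs in each coordinator's configuration.
APPROVED_MEASUREMENT = hashlib.sha256(b"placeholder-worker-image").hexdigest()
APPROVED_JOBS = {"job-0001"}

def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Two-of-two XOR split: either share alone is uniformly random."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b

class Coordinator:
    """Holds one share; releases it only to an attested worker for an approved job."""
    def __init__(self, share: bytes):
        self._share = share

    def release_share(self, measurement: str, job_id: str) -> bytes:
        # Both checks must pass; constant-time compare for the measurement.
        if not hmac.compare_digest(measurement, APPROVED_MEASUREMENT):
            raise PermissionError("worker attestation not approved")
        if job_id not in APPROVED_JOBS:
            raise PermissionError("job not approved")
        return self._share

def recover_key(coordinators, measurement: str, job_id: str) -> bytes:
    """Worker side: a share from every coordinator is needed to rebuild the key."""
    shares = [c.release_share(measurement, job_id) for c in coordinators]
    key = bytes(len(shares[0]))
    for s in shares:
        key = bytes(k ^ b for k, b in zip(key, s))
    return key

def demo() -> dict:
    """Exercise the approved path and the two denial paths."""
    key = secrets.token_bytes(32)
    coords = [Coordinator(s) for s in split_key(key)]
    result = {"approved": recover_key(coords, APPROVED_MEASUREMENT, "job-0001") == key}
    for name, meas, job in [("unattested", "deadbeef", "job-0001"),
                            ("unapproved_job", APPROVED_MEASUREMENT, "job-9999")]:
        try:
            recover_key(coords, meas, job)
            result[name] = "released"
        except PermissionError:
            result[name] = "denied"
    return result
```

Either coordinator can independently refuse release, so compromising one coordinator or one job-approval path does not yield a usable key.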

We are excited to announce that Accenture recently started operating as the independent coordinator for the Aggregation Service on Amazon Web Services (AWS). We chose Accenture because of their strong track record as an independent trusted service provider to many companies, and their robust operational and security expertise for the benefit of consumers and ad techs.

Looking ahead

Beta testing for Aggregation Service on Google Cloud recently started. We'll announce plans for an independent coordinator on Google Cloud at a later date. You can follow other planned improvements for Aggregation Service on our status page.

We are committed to continuing to engage with the ecosystem to enable services that meet high security standards, and are open to your feedback.