Last month, in response to an invitation from PRAM (the Partnership for Responsible Addressable Media) to the industry for contributions of code for collaborative development toward addressability solutions, The Trade Desk submitted Unified ID 2.0 (UID2). This submission, the first of its kind, put UID2 code on a path to be managed and operated by independent, objective third parties and the industry at large. IAB Tech Lab then commenced a process, as the technology standards organization supporting PRAM, to engage the industry’s engineering and product community and review UID2 as an approach to addressability.
Over the past several weeks, we’ve facilitated among our members a technical review and discussion of current UID2 system designs, ID states, encryption and hashing schemes, roles, use cases, and workflows. We also recommended independent and neutral technical oversight of the codebase, a specific open-source licensing model, additional work streams for industry collaboration, and clarification of the role of IAB Tech Lab, PRAM, and other industry stakeholders.
The Technical Roles and System Design of UID2
A UID2 Token is a user-provided and user-controlled persistent identifier for digital advertising. A token may only be created and used within the digital advertising ecosystem when the user allows it, via a first party they trust. Creation of the UID2 Token depends on a variety of technical roles and security measures, which are complicated by design in order to safeguard consumer privacy.
There are three distinct technical infrastructure roles and services to support the current UID2 technical design and uphold its secure design principles:
1. “Admin” service: One central utility that manages and distributes encryption/decryption keys and salt buckets for the distributed UID2 ecosystem. These are required for Operators to fulfill their roles and for UID2 participants to access UID2 Tokens.
2. “Operator” services: Operators generate and manage the UID2 Tokens. The design is for many Operators to exist. Using the encryption keys and salt buckets from the Admin service, Operators translate user-provided data (email or phone number) into secure UID2 Tokens that can be used to enable a discrete set of addressability outcomes.
3. User-controlled services and technical accountability: There are also APIs that give users transparency and control, signaling their preferences to the Admin and Operators in an auditable manner.
UID2 Roles in Context
Last fall, when UID2 was first proposed in the Rearc Addressability Working Group, the consensus from Tech Lab members was that Tech Lab, as a technical standards organization, is not well-suited to work with personal data or generate controlled persistent user IDs for the industry (i.e., as a UID2 Operator). Rather, Tech Lab was better suited to serve the technical role of Admin, plus manage the open-source software powering UID2 in collaboration with our industry’s technical leaders. It was also agreed that PRAM should guide related policy efforts in collaboration with our industry’s regional policy leaders.
We are encouraged that Prebid will be one of the trusted Operators in the UID2 system design. As the Admin for UID2, Tech Lab will liaise closely with Prebid and other UID2 Operators to make sure UID2 Token generation and distribution is functioning in accordance with the preferences of consumers and their direct, trusted relationships with brands and publishers (all in conjunction with PRAM). Similarly, we expect Prebid and all UID2 Operators to play a valuable role as contributors within the open-source effort managed by Tech Lab, and to be critical frontline partners in enforcing responsible use of UID2 within the ecosystem through strong technical designs and accountability to transparency and control provided to users.
ABOUT THE AUTHOR
Jordan Mitchell
Senior Vice President, Privacy, Identity & Data
IAB Tech Lab