Introducing Unified ID 2.0 Private Operator Services on AWS Using Nitro Enclaves
Advertisers have traditionally relied on third-party cookies and device identifiers to deliver tailored advertising to specific consumers and to provide recommendations through mobile apps, streaming TV, and web experiences. But as the advertising industry reduces its reliance on cookies and identifiers in favor of protecting consumer privacy, industry customers are exploring new ways to identify consumers online and deliver personalized advertising in a transparent and trusted way.
Unified ID 2.0 (UID2) is a new industry solution designed to address this opportunity. Developed by The Trade Desk, UID2 is a non-proprietary, open standard accessible to constituents across the advertising ecosystem. UID2 enables advertisers, agencies, ad technology companies, and ad publishers selling advertising to continue to provide relevant, personalized advertising without the use of third-party cookies. It also provides mechanisms for consumer consent with transparency baked in. Despite the promise of UID2, there hasn’t been an easy way to deploy UID2 operator services into your Amazon Web Services (AWS) account to date.
Today we’re excited to introduce Unified ID 2.0 on AWS, a new solution that enables advertising industry customers to easily deploy UID2 operator services with improved data security and transparency in their advertising workflows with only a few clicks via AWS Marketplace. The solution uses AWS Nitro Enclaves to create trusted compute environments for UID2 operator services that protect and securely process highly sensitive data, and enables advertisers to anonymously match ad opportunities with their own first-party user data, thus helping protect consumer privacy and delivering relevant advertising to users.
“With our strategy of providing identity solutions that are multi-layered, Unified ID 2.0 is an important open-source identity solution for the open web that enables Acxiom and Kinesso to directly connect brands’ audiences with the publisher ecosystem without client data leaving our privacy-safe environments. We’re excited by the ‘Unified ID 2.0 on AWS’ solution to further enhance data security and privacy through the use of AWS Nitro Enclaves, and to reduce heavy lifting from our development teams to launch Unified ID 2.0 in our AWS Cloud environment. Further, because Unified ID 2.0 directly connects first-party audiences to publishers, this solution will help with improved efficiency, match rates and ultimately, better customer experiences.”
Ian Johnson, Global Chief Operating Officer, across Acxiom, Kinesso, and Matterkind
This blog post provides a brief overview of UID2 functionality and describes how customers can get started quickly via AWS Marketplace or deploy themselves via GitHub.
Before we dive into how to deploy this solution, here is a brief overview of UID2. A UID2 identifier is a token representing a user’s verifiable Personally Identifiable Information (PII), such as an authenticated email address. UID2 identifiers differ from third-party cookies in a few ways:
- UID2 identifiers are never shared between partners. Instead, they are encrypted into ephemeral UID2 “tokens.”
- UID2 tokens do not persist and instead use a cryptographic nonce so their value is different each time they are shared during real-time request and response workflows in programmatic advertising (known as the “bid stream”).
- UID2 tokens refresh at a defined interval to prevent misuse of tokens by non-UID2 participants who may want to build consumer profiles using UID2 tokens.
When a user visits a website, an ad publisher requests a user login that includes a transparent consent explanation and provides opt-in/opt-out options to personalize ads and delete data. The authenticated login information is provided to a service, the UID2 Operator, which creates a salted SHA-256 hashed alphanumeric value (the “UID2 identifier”) and an encrypted form of that identifier (the “UID2 token”) representing the user. These tokens enable advertisers to anonymously match ad opportunities with their own first-party user data, and help improve the relevancy of advertising while keeping consumer information protected.
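The following Go program is an added example, not code from this post or from the UID2 project. It models the two properties described above: a UID2 identifier derived as a salted SHA-256 hash of a normalized email address, and a UID2 token that encrypts that identifier under a fresh nonce so that its value differs every time it is issued, while a holder of the Administrator-distributed key can still recover the identifier. The normalization rule, the AES-256-GCM token format, and the sample salt and key are constructed assumptions for illustration; the actual UID2 normalization rules and token layout are not described on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// normalizeEmail applies a constructed, simplified normalization (trim and
// lowercase) so that the same mailbox always hashes to the same identifier.
// The exact UID2 normalization rules are not part of this post.
func normalizeEmail(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// DeriveUID2 produces the salted SHA-256 identifier described in the post:
// the normalized email is hashed together with a salt from the current salt
// bucket and encoded as base64. Same input and salt give the same identifier;
// a rotated salt gives a different one.
func DeriveUID2(email string, salt []byte) string {
	h := sha256.New()
	h.Write([]byte(normalizeEmail(email)))
	h.Write(salt)
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// EncryptToken wraps a UID2 identifier into a UID2 token with AES-256-GCM
// (an assumed format). A fresh random nonce is generated on every call and
// prepended to the ciphertext, which is why two tokens for the same
// identifier never match on the wire.
func EncryptToken(uid2 string, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(uid2), nil), nil
}

// DecryptToken recovers the identifier from a token. Only a party holding the
// key distributed by the UID2 Administrator can do this; anyone else sees an
// opaque value that changes each time it is issued. A tampered token, or one
// encrypted under a different (e.g. expired) key, fails authentication.
func DecryptToken(token, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(token) < gcm.NonceSize() {
		return "", fmt.Errorf("token too short")
	}
	nonce, ct := token[:gcm.NonceSize()], token[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	// Constructed sample values; a real operator receives salts and keys from UID2 Core.
	salt := []byte("constructed-salt-bucket-1")
	key := sha256.Sum256([]byte("constructed-encryption-key"))
	uid2 := DeriveUID2("  User@Example.com ", salt)
	t1, _ := EncryptToken(uid2, key[:])
	t2, _ := EncryptToken(uid2, key[:])
	fmt.Println("uid2:", uid2)
	fmt.Println("tokens differ:", base64.StdEncoding.EncodeToString(t1) != base64.StdEncoding.EncodeToString(t2))
	back, _ := DecryptToken(t1, key[:])
	fmt.Println("round trip ok:", back == uid2)
}
```

The point to take from the round trip is the separation of roles: the identifier is stable for a given salt bucket (so an operator can match it against first-party data), while the token that travels through the bid stream carries no stable value that a non-participant could use to build a profile.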
There are two basic entities that interact in UID2 workflows—Administrator and Operators. The UID2 Administrator is a centralized service managing access to the distributed UID2 System, and is responsible for distributing encryption and decryption keys, and salts to UID2 Operators. The UID2 Operator operates a UID2 service to process user PII and generate and manage UID2s and UID2 tokens. Operators can be either Public Operators or Private Operators. Public Operators are organizations that operate the UID2 service (via API) to generate and manage UID2s and UID2 tokens, and are accessible to all participants. Private Operators are organizations that operate their own internal version of the UID2 service to generate and manage UID2s and UID2 tokens.
Now let’s explore how The Trade Desk leveraged AWS services to build the UID2 Private Operator service on AWS (more details are available on GitHub). The architecture uses AWS Nitro Enclaves to create isolated, hardened, and highly constrained compute environments for the UID2 Private Operator service to protect and securely process highly sensitive data. Before we get started, there are several requirements for applications that generate UID2 and UID2 tokens:
Requirements for Private Operators to meet the UID2 standard
- Establish a “Trusted Environment” for the UID2 Operator application to process users’ private data (i.e., a user’s phone number or email address) such that sensitive data does not leave the application boundary in plaintext.
- User PII shouldn’t be accessible to other UID2 Operators, Ad Publishers, Supply-Side Platforms (SSPs), Data Providers, Advertisers, or Demand-Side Platforms (DSPs).
- Validate that UID2 Operators run only authorized code and configurations.
- An API key to establish the connection between the UID2 Operator application and UID2 Core (managed by the UID2 Administrator).
- Encryption keys and salt buckets are provided by the UID2 Administrator to the trusted application code within the UID2 Operator application.
- All data processing and transformation should happen in memory; encryption keys, the salt store, and UID2 identifiers should not be written to persistent storage by the application.
Leveraging AWS Nitro Enclaves
In order to meet the requirements of the UID2 standard, the UID2 Private Operator service uses AWS Nitro Enclaves for processing highly sensitive data. A Nitro Enclave is a highly constrained virtual machine created by allocating CPU cores and memory from a single “parent” Amazon Elastic Compute Cloud (EC2) instance. Applications running inside a Nitro Enclave can leverage Nitro Enclaves’ cryptographic attestation capabilities to prove their identity and build trust with an external service. Nitro Enclaves do not provide network connectivity, persistent storage, or interactive access. A Nitro Enclave is connected to its parent instance via a secure local socket connection (“vsock”) which is used for input and output from the enclave environment. The Trade Desk designed its UID2 Operator architecture to take advantage of the isolation and attestation capabilities of Nitro Enclaves.
UID2 Private Operator on AWS architecture
The UID2 Private Operator service uses a pre-packaged Amazon Machine Image (AMI) to distribute the application for deployment on an Amazon EC2 instance. The AMI includes a prebuilt Nitro Enclave Image File (EIF) containing the UID2 Operator environment. The AMI also includes various required configuration scripts and utilities which are needed by the parent instance. When an Amazon EC2 instance is launched using the pre-packaged AMI, it is configured to allocate a portion of its CPU cores and memory to launch a Nitro Enclave using the included EIF.
As shown in Diagram 1 below, the UID2 Operator enclave application requests an attestation document from the Nitro Secure Module (NSM) API, providing a one-time public key and a nonce as input. The enclave application then sends the signed attestation document to the UID2 Core service (managed by a UID2 Administrator). To validate the Nitro Enclave’s cryptographic attestation document, the UID2 Administrator service decodes and extracts the document, validates the signing certificate’s chain, and confirms that the document is properly signed. Once it has validated the attestation document, the UID2 Administrator service is able to inspect the attestation to confirm that it was issued to a Nitro Enclave launched using an unmodified copy of the pre-built EIF already validated by the UID2 Administrator.
NOTE: A UID2 Private Operator Enclave must be configured with an API key obtained from a UID2 Administrator (e.g., The Trade Desk).
After successful attestation, the UID2 Core service sends a unique authorization token, encrypted using the public key provided in the enclave’s attestation document. This token is used to authorize subsequent requests by the UID2 Operator enclave application and is periodically refreshed automatically. After receiving the authorization token, the UID2 Operator enclave application requests encryption keys, salt buckets, and associated data from UID2 Core. UID2 Core responds with an Amazon S3 presigned URL to download the required data. The enclave application uses salt buckets to transform a user’s email address or phone number into a SHA-256 hashed alphanumeric UID2 identifier and uses encryption keys to encrypt UID2 identifiers into UID2 tokens. Entities running UID2 Private Operator services can integrate their applications to send requests to their UID2 Operator enclave application to transform users’ PII into UID2 identifiers and UID2 tokens.
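The attestation exchange described in the two paragraphs above, as an added Go example that is not code from this post, from AWS, or from the UID2 project. It models the checks the post attributes to UID2 Core: the document must be signed by the trusted signer, it must carry the nonce the verifier chose (so an old document cannot be replayed), and its PCR0 measurement must equal the approved EIF; only then is the authorization token encrypted to the one-time public key carried in the document, so that only the enclave holding the matching private key can read it. The document layout is a constructed simplification: a real Nitro attestation document is CBOR inside a COSE Sign1 envelope with a certificate chain to the AWS Nitro root, which is collapsed here into a single trusted ECDSA P-384 key; the RSA-OAEP wrapping, the sample EIF measurements and the token value are likewise assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// AttestationDoc is a constructed stand-in for the fields of a Nitro attestation
// document that the post's checks depend on (real documents are CBOR inside a
// COSE Sign1 envelope with a certificate chain; here one trusted key signs).
type AttestationDoc struct {
	PCR0      []byte // measurement of the enclave image file (EIF)
	Nonce     []byte // freshness value chosen by the verifier
	PublicKey []byte // DER-encoded one-time RSA public key generated inside the enclave
	Signature []byte // ASN.1 ECDSA signature over digest()
}

// digest fixes the byte string the signature covers.
func (d *AttestationDoc) digest() []byte {
	h := sha256.New()
	h.Write(d.PCR0)
	h.Write(d.Nonce)
	h.Write(d.PublicKey)
	return h.Sum(nil)
}

// VerifyAttestation performs the checks the post attributes to UID2 Core, in
// order: signature by the trusted signer, nonce freshness, and PCR0 equal to the
// approved EIF measurement. The enclave's public key is returned only if all hold.
func VerifyAttestation(d *AttestationDoc, trusted *ecdsa.PublicKey, expectedNonce, approvedPCR0 []byte) (*rsa.PublicKey, error) {
	if !ecdsa.VerifyASN1(trusted, d.digest(), d.Signature) {
		return nil, errors.New("attestation signature invalid")
	}
	if !bytes.Equal(d.Nonce, expectedNonce) {
		return nil, errors.New("nonce mismatch: document is not fresh")
	}
	if !bytes.Equal(d.PCR0, approvedPCR0) {
		return nil, errors.New("PCR0 mismatch: enclave is not running the approved EIF")
	}
	return x509.ParsePKCS1PublicKey(d.PublicKey)
}

// WrapAuthToken encrypts the authorization token to the attested key with
// RSA-OAEP, so only the enclave holding the matching private key can read it.
func WrapAuthToken(token []byte, enclavePub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, enclavePub, token, nil)
}

// RunScenario simulates one exchange with constructed keys and values. With
// runApprovedImage=false the document is genuinely signed but describes a
// different image, so UID2 Core must refuse it. On success it returns the
// token as recovered inside the enclave.
func RunScenario(runApprovedImage bool) ([]byte, error) {
	nsmKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // stands in for the Nitro signing chain
	enclaveKey, _ := rsa.GenerateKey(rand.Reader, 2048)          // generated inside the enclave, never leaves it
	pubDER := x509.MarshalPKCS1PublicKey(&enclaveKey.PublicKey)
	approved := sha256.Sum256([]byte("constructed approved EIF"))
	running := approved
	if !runApprovedImage {
		running = sha256.Sum256([]byte("constructed modified EIF"))
	}
	nonce := make([]byte, 32) // UID2 Core picks this before the enclave asks the NSM for a document
	rand.Read(nonce)
	doc := &AttestationDoc{PCR0: running[:], Nonce: nonce, PublicKey: pubDER}
	var err error
	doc.Signature, err = ecdsa.SignASN1(rand.Reader, nsmKey, doc.digest()) // the NSM signs the document
	if err != nil {
		return nil, err
	}
	enclavePub, err := VerifyAttestation(doc, &nsmKey.PublicKey, nonce, approved[:])
	if err != nil {
		return nil, err
	}
	wrapped, err := WrapAuthToken([]byte("constructed-authorization-token"), enclavePub)
	if err != nil {
		return nil, err
	}
	// Inside the enclave: unwrap with the private half that never left the enclave.
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, enclaveKey, wrapped, nil)
}

func main() {
	tok, err := RunScenario(true)
	fmt.Printf("approved image: token=%q err=%v\n", tok, err)
	_, err = RunScenario(false)
	fmt.Println("modified image:", err)
}
```

The ordering of the checks matters: the signature is verified first so that the nonce and PCR values being compared are known to come from the NSM rather than from the parent instance, which is the untrusted side of the vsock in this design.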
As shown in Diagram 2 below, UID2’s Private Operator service design uses Amazon EC2 launch templates and Amazon EC2 Auto Scaling groups to horizontally scale the UID2 Private Operator service as needed. UID2 Private Operator service nodes are deployed across multiple Availability Zones to provide high availability and resiliency.
To deploy the solution developed by The Trade Desk
- Subscribe to “Unified ID 2.0 on AWS” through AWS Marketplace.
- Request access to UID2 API Keys via AWS Marketplace or via this form.
- For customers seeking to deploy manually, refer to the deployment instructions in the UID2 GitHub repository.
With the decreasing reliance on third-party cookies in real-time advertising, Unified ID 2.0 (UID2) has emerged as a solution that improves how consumers are identified online and how personalized advertising is delivered in a transparent and trusted way. In this blog you learned about the UID2 system, and The Trade Desk’s solution for deploying a UID2 Private Operator service on AWS using the isolation and attestation provided by AWS Nitro Enclaves to meet the sensitive data processing requirements of UID2.
For additional AWS Nitro Enclaves learning resources, visit AWS Nitro Enclaves.