Martin Pál
For example, multiple-pass querying, different privacy accounting schemes, different batching schemes.
What other models, such as outputting buckets and values if the value exceeds a noisy threshold, may be considered in future iterations?
The aggregate API explainer [says](https://github.com/WICG/conversion-measurement-api/blob/main/AGGREGATE.md#aggregatable-reports) that source_registration_time will be rounded to the nearest day boundary. The explainer does not explicitly specify a time zone, but the assumption is we'll round...
How should we choose appropriate parties to act as coordinators and how can we ensure that the coordinator(s) can be trusted?
There are two options worth considering: (a) Disable the rule, which may make it easier for adtechs to become familiar and experiment with the system. If third-party cookies are disabled...
For some adtechs, the number of "shared IDs" used for report deduplication may grow very large. Are there mitigations to reduce the granularity or number of IDs required (for example, by allowing...
We could consider supporting query modes that don't require label pre-declaration. To preserve differential privacy, such a query model will require thresholding (i.e. reporting only noisy values that are above a...
Is there interest in exploring support for differentially private querying schemes that allow multiple passes over data?
Are there any other approaches to the security architecture that could work here? For example, multi-party computation (MPC) is an interesting approach that can be complementary.
How should proposed extensions be evaluated for privacy, security and utility to be included in the aggregation service?