Multiple proposals exist to reform programmatic advertising on the Web. Some, most notably PARAKEET, the FLEDGE bid server, and ongoing work by Prebid, rely on the existence of a trustworthy server that can perform tasks such as anonymising ad requests. This type of model has interesting properties, notably they are easier to audit and do not require moving significant chunks of logic into the browser, but they also suffer from the problem that the server itself must be trusted, even while sitting outside the realm of the user's control.

This document drafts an overall vision and governance model able to support such trustworthy utility servers by having them owned and operated by an entity governed in common by different constituencies. The name comes from Garuda, which Wikipedia describes as "the king of birds" and "a protector with the power to swiftly go anywhere, ever watchful."

The Impossible, Inescapable Reform of Advertising

Digital advertising has rightly become despised through decades of mismanagement, but it nevertheless is an essential utility. While other business models do exist and should prosper, they are simply insufficient to make up for the loss that eradicating advertising would cause. Our only option, then, is to fix it.

Most parties support reform, but it is proving politically difficult to achieve. Advertising is a complex environment involving multiple stakeholders that run completely different organisations yet the pieces they provide must all more or less fit together for the system to function. The current system operates poorly โ€” in some parts staggeringly so โ€” but it does operate. Changing the way in which some parts fit together requires different stakeholders to agree to change in matching ways, and therein lies the rub.

Coordinate change is difficult at all times, but in digital advertising it is particularly challenging because most of the parties actively distrust one another.

We therefore find ourselves presented with a choice: reform can either happen through vertical integration which will favour the most integrated, or it can happen through multistakeholder standards. The latter is preferable as it can bring forward a healthier ecosystem in which more voices are represented, but it can only exist if we develop a principled governance structure to foster trust between stakeholders.

This is where a trustworthy server becomes a particularly useful construct. Since it has to be trusted by all stakeholders (no one would trust such a server operated by just one type of party), it provides a common space for browsers (representing users), publishers, and adtech intermediaries to meet, and where they can be put in a position of needing to achieve consensus for the system to operate.


The goal of Garuda is to make a trustworthy advertising server possible. The notion of a trustworthy advertising server is a potentially very powerful one in that it can enable a number of highly-desirable use cases in advertising technology, notably that of anonymising requests. However, trust does not appear as if by magic and it needs to be designed for.

Several suggestions have been made in order to make this trust possible, but none of them works today:

Garuda's core tenet is that we can solve problems of trust with human arrangements. On the downside, these are necessarily imperfect and they incur some overhead. On the upside, a group of people with effective checks and balances can handle complex and evolving situations better than anything else โ€” and provide a strong foundation atop which to build trust between parties that, historically and structurally, do not trust one another much.


Garuda is an institutional arrangement composed of several constituencies and groups that together form the Garuda institution. The [=Garuda institution=] has several responsibilities:

Shepherding the technical standards that define the Garuda trustworthy server
Garuda will need to cooperate with the W3C and with WPT in order to guarantee that the technical standards that define how all parties integrate and interact with the trusted server are interoperable, royalty-free, and in line with the ethical principles of the Web and the Internet ([[?ETHICAL-WEB]], [[?RFC8890]]).
Managing the open source implementation and maintenance of the trusted server
The trusted server will be developed in an open source manner, but changes made to the code will need to be aligned with the objectives of the [=institution=], which will need to be reflected in the change review process. Further, there is no expectation that software development will be entirely carried out by the community; rather the [=institution=] should provision sufficient resources to underwrite the entirety of the server's development.
Operating the worldwide network of trustworthy servers
The [=institution=] will operate a network of trustworthy servers with high-performance SLAs and an arrangement that enables easy auditing. This is intended to be core infrastructure for the entire Web, and requires a level of quality and scale to match.
Ensuring the general health of the advertising ecosystem
By providing a common space where stakeholders must reach some form of consensus in order for the system to operate, the [=institution=] is taking on some responsibility for the health of the broader digital advertising ecosystem.

Governance Model

This section provides only an outline of the governance model for the [=Garuda institution=]. At this stage, my purpose is solely to describe the approach and sketch out enough of its mechanics to establish feasibility. Development of the full principles and bylaws will, by nature, have to be an open and multistakeholder exercise.

Significant parts of the Internet's infrastructure operate under more or less formal governance arrangements. Standards, of course (W3C, IETF, WHATWG, TC-39), but also top-level domain names, internet peering, or the ISRG and Let's Encrypt. We can make this work for advertising too.

The [=Garuda institution=] is comprised of two primary bodies: the [=Governance Board=] and the [=Legal Entity=].

The Governance Board is tasked with the oversight of the [=institution=]. It concerns itself primarily with the [=principles=], which it will control for in the behaviour of the [=Legal Entity=] as well as the technical standards and open source implementation of the trusted server. It also names the [=Executive Director=]. All [=Board=] deliberations are public (with perhaps a few exceptions for personnel matters).

The Legal Entity takes care of day-to-day operations. It is responsible for maintaining, deploying, and operating the trusted server at requisite SLAs and at reasonable cost, as well as of research into future technology that Garuda could use, with organising the various working groups that will bring stakeholders together to help evolve Garuda over time, and with the elaboration of policy positions which Garuda will cooperate with regulators on. It is run by the [=Executive Director=].

The [=Board=] selects (by consensus) an Executive Director every three years or whenever the post becomes vacant. There is a strong assumption that the [=Executive Director=] will not necessarily be renewed: every time a new [=ED=] must be selected, the [=Board=] is expected to review multiple candidates. The [=Board=] can revoke the [=ED=] with a [=supermajority=]. The [=ED=] leads the [=Legal Entity=].

Garuda operates according to fundamental ethical principles (which need to be written before it kicks off, [[?ETHICAL-WEB]], [[?RFC8890]], or [[?PUP]] are good starting points). These [=principles=] can be changed with [=supermajority=]. The purpose of these [=principles=] is to guide the [=Board=]'s discussions and inform its decisions.

There are three primary constituencies: browser vendors (vendors, not engines, and expected to proxy for users), publishers, and adtech intermediaries. For each of them, there are inclusion criteria that are based on volume of the traffic they see through the trusted server. The volume threshold can differ per [=constituency=], it is designed to prevent gaming the system by spawning multiple entities. Entities with sufficient volume have voting rights on a one-entity/one-vote basis, there is no volume proration.

Any entity eligible to be part of a [=constituency=] has some voting rights. These voting rights allow them to elect their representatives to the [=Governance Board=] for that [=constituency=]. Candidates can be nominated by any entity with voting rights. [=Board=] seats are open for three years with a third being renewed every year.

Each [=constituency=] has three representatives on the [=Board=]. No company can have more than one representative, even if it participates in different [=constituencies=]. If one [=constituency=] has fewer than two candidates in a given election, then it gains zero representation. (If interest from that group is too low, it shouldn't be taken over by a single party.)

Supermajority: some changes require a [=supermajority=] of the [=Board=]. [=Supermajority=] is defined as:

The [=Legal Entity=] is financed through a very small tax on advertising. Two models are possible: one is a flat fee per request, another is a percentage of effective CPM. The latter is preferred in that it will incentivise Garuda to increase effectiveness of advertising (whereas the former incentivises volume) but may prove more complicated to build, especially in terms of how to avoid lying about it (so long as it's above the provided bid floor). The amount and type of the tax is determined by the [=Board=]. The overall taxation structure might further depend on the type of operation requested, since not all are equally computationally expensive, and making sure that we properly cost in computational cost is important from an ecological point of view.

Part of the tax should further be set aside to provide financial support to stakeholders who cannot afford to pay someone to spend time in [=Board=] discussions, so as to ensure that participants from companies of all sizes, and from all backgrounds the world around can participate with equity.

Use Cases

The immediate focus is on getting enough of a PARAKEET-like structure off the ground, so that we can have an open source system and the server infrastructure to operate it in a trustworthy fashion up and running. This should enable sufficient anonymisation in the ad environment to make it safe for users, and enable novel publisher techniques. But longer-term, more can be done from this position because the PARAKEET server creates a "place" of sort which can broker multiple adtech functions in such a way that multiple stakeholders have to reach consensus as to how it works. This can progressively build a way out of the current unilateral, conflict-driven model that is causing so much strife across the ecosystem.

Some problems that this could help address are listed below. Note that I am deliberately staying at a very high level for the time being as I do not believe that any of these should be the first area of focus.

Known Issues

These issues need to be addressed before this can move forward.

One core problem in institution provision is how to pick who is legitimately in a given constituency, or put differently who is the polity? Garuda selects the polities of its constituencies through volume thresholds as measured by the trusted server. This is expedient for some constituencies, but does not work for all (see below).

Another core problem is how to ensure that the constituencies are balanced? Historically, the interests of the buy-side and of the intermediaries have often aligned against users, with publishers splitting between the two. A system in which some stakeholder constituencies that are almost always aligned have a guaranteed majority will lack the checks and balances to be effective, fair, and credible.

This can in part be addressed with principles (which we need anyway, and that would prevent approaching users from an adversarial angle), which can't be changed without support from at least one entity in each constituency, and also from the fact that if user-hostile tactics were to become supported in Garuda then enough browsers would just walk as to void their constituency, returning the world to ad blocking as the logical line of defense. But that offers relatively weak protection.

Users are not represented

Traditionally, user agents have taken on the role of aligning with users. As detailed in [[?RFC8890]], this is an architecture that presents multiple advantages. Unfortunately, in recent times, some user agents have drifted away from this position of trustworthiness, and this complicates the process of relying on them as representatives of users.

Additionally, the problems created by advertising often target underrepresented and marginalised communities, issues which browser vendors have limited expertise in combating. Browser vendors are not, either in terms of their employees or their legal structures, very representative of the global community, notably of the global South.

Establishing a legitimate worldwide polity for humankind (including those not yet connected whose participation could be helped by a healthy advertising ecosystem) is not a problem that we can solve, however we should seek ways to increase representativity. One option could be the UN (possibly as an observer).

The buy side is not represented

The buy side is where the money comes from and is the set of sources who have the strongest incentives to keep everyone honest in terms of fraud, effectiveness, and brand safety.

It is not obvious how to pick a good polity for this group either. There is also a risk that they could align excessively with intermediaries, which would unbalance the governance structure and undermine its credibility.

One potential solution is to make it so that the Garuda system knows who is paying for every creative that it eventually serves. If the system supports farm-to-table traceability and revenue transparency, this is a requirement anyway as the creative will need to contain verifiable information about who paid for it and how much. Extracting this payment information would make it possible to establish a volume threshold (in spend) for the buy-side to be represented. This would not address balancing issues โ€” unless users also got a constituency of their own (or intermediaries lost theirs).

Another potential option would be the WFA (possibly as an observer).


I stole a bunch of ideas from Mark Nottingham, and a few from Cullen Jennings too. Aram Zucker-Scharff, Mihir Kshirsagar, and Reuben Binns provided a lot of invaluable feedback. Many thanks to Juan Ortiz Freuler for organising a discussion session around Garuda at the Berkman Klein Center for Internet & Society before it was even public, as well as to Levin Kim, Crystal Lee, Sahar Massachi, Tom Zick as convenors of the Ethical Tech and Big Tech Governance groups, and the attendees of the session for a spirited and constructive discussion.

I am very grateful for my colleagues at The New York Times for supporting this work, atypical as it may be.