Governance of Ad Requests by a Union of Diverse Actors (GARUDA)

Multiple proposals exist to reform programmatic advertising on the Web. Some, most notably PARAKEET, the FLEDGE bid server, and ongoing work by Prebid, rely on the existence of a trustworthy server that can perform tasks such as anonymising ad requests. This type of model has interesting properties, notably they are easier to audit and do not require moving significant chunks of logic into the browser, but they also suffer from the problem that the server itself must be trusted, even while sitting outside the realm of the user's control.

This document drafts an overall vision and governance model able to support such trustworthy utility servers by having them owned and operated by an entity governed in common by different constituencies. The name comes from Garuda, which Wikipedia describes as "the king of birds" and "a protector with the power to swiftly go anywhere, ever watchful."

The Impossible, Inescapable Reform of Advertising

Digital advertising has rightly become despised through decades of mismanagement, but it nevertheless is an essential utility. While other business models do exist and should prosper, they are simply insufficient to make up for the loss that eradicating advertising would cause. Our only option, then, is to fix it.

Most parties support reform, but it is proving politically difficult to achieve. Advertising is a complex environment involving multiple stakeholders that run completely different organisations yet the pieces they provide must all more or less fit together for the system to function. The current system operates poorly — in some parts staggeringly so — but it does operate. Changing the way in which some parts fit together requires different stakeholders to agree to change in matching ways, and therein lies the rub.

Coordinate change is difficult at all times, but in digital advertising it is particularly challenging because most of the parties actively distrust one another.

We therefore find ourselves presented with a choice: reform can either happen through vertical integration which will favour the most integrated, or it can happen through multistakeholder standards. The latter is preferable as it can bring forward a healthier ecosystem in which more voices are represented, but it can only exist if we develop a principled governance structure to foster trust between stakeholders.

This is where a trustworthy server becomes a particularly useful construct. Since it has to be trusted by all stakeholders (no one would trust such a server operated by just one type of party), it provides a common space for browsers (representing users), publishers, and adtech intermediaries to meet, and where they can be put in a position of needing to achieve consensus for the system to operate.

Objective

The goal of Garuda is to make a trustworthy advertising server possible. The notion of a trustworthy advertising server is a potentially very powerful one in that it can enable a number of highly-desirable use cases in advertising technology, notably that of anonymising requests. However, trust does not appear as if by magic and it needs to be designed for.

Several suggestions have been made in order to make this trust possible, but none of them works today:

Just trust the publisher/intermediary/tech company. This is not a realistic option, certainly not for a system meant to operate in the wild and at this scale. The web is trustworthy because there is no need to trust a website. This property needs to be imported here.
Use some form of secure multiparty computation magic. Purely mathematical solutions are great in that they are highly enforceable; however it is not yet clear that this problem can be solved in full that way, straight from the browser.
It's open source! That is great, and whatever Garuda produces will be open source, but just because something is open source doesn't prove that the system running it is actually running that open source implementation as is — it's pretty easy to cheat.
Rely on regulation or contracts. Our jobs as technologists would be a lot simpler if we could treat technology as neutral and offload figuring out the hard human parts to legislators. Unfortunately, that approach is not just not simple but simplistic. The past two decades of digital advertising regulation have relied on contractual obligations and user-hostile choice architectures, with effectively nothing to show for it.
Move everything into the browser. The browser is intended as a point of maximal trust for users, and to a large degree this trust is inescapable. Unfortunately, there is no longer consensus in the Web community that all major browsers are acting as trustworthy agents for the users and there is suspicion of self-dealing from some vendors, particularly relating to advertising. Rebuilding trust in browsers is a highly desirable outcome, but sits outside the scope that we tackle here. This proposal endeavours to deal with the cards we have been given and not those I might wish we had had instead.

Garuda's core tenet is that we can solve problems of trust with human arrangements. On the downside, these are necessarily imperfect and they incur some overhead. On the upside, a group of people with effective checks and balances can handle complex and evolving situations better than anything else — and provide a strong foundation atop which to build trust between parties that, historically and structurally, do not trust one another much.

Responsibilities

Garuda is an institutional arrangement composed of several constituencies and groups that together form the Garuda institution. The [=Garuda institution=] has several responsibilities:

Shepherding the technical standards that define the Garuda trustworthy server: Garuda will need to cooperate with the W3C and with WPT in order to guarantee that the technical standards that define how all parties integrate and interact with the trusted server are interoperable, royalty-free, and in line with the ethical principles of the Web and the Internet ([[?ETHICAL-WEB]], [[?RFC8890]]).
Managing the open source implementation and maintenance of the trusted server: The trusted server will be developed in an open source manner, but changes made to the code will need to be aligned with the objectives of the [=institution=], which will need to be reflected in the change review process. Further, there is no expectation that software development will be entirely carried out by the community; rather the [=institution=] should provision sufficient resources to underwrite the entirety of the server's development.
Operating the worldwide network of trustworthy servers: The [=institution=] will operate a network of trustworthy servers with high-performance SLAs and an arrangement that enables easy auditing. This is intended to be core infrastructure for the entire Web, and requires a level of quality and scale to match.
Ensuring the general health of the advertising ecosystem: By providing a common space where stakeholders must reach some form of consensus in order for the system to operate, the [=institution=] is taking on some responsibility for the health of the broader digital advertising ecosystem.

Governance Model

This section provides only an outline of the governance model for the [=Garuda institution=]. At this stage, my purpose is solely to describe the approach and sketch out enough of its mechanics to establish feasibility. Development of the full principles and bylaws will, by nature, have to be an open and multistakeholder exercise.

Significant parts of the Internet's infrastructure operate under more or less formal governance arrangements. Standards, of course (W3C, IETF, WHATWG, TC-39), but also top-level domain names, internet peering, or the ISRG and Let's Encrypt. We can make this work for advertising too.

The [=Garuda institution=] is comprised of two primary bodies: the [=Governance Board=] and the [=Legal Entity=].

The Governance Board is tasked with the oversight of the [=institution=]. It concerns itself primarily with the [=principles=], which it will control for in the behaviour of the [=Legal Entity=] as well as the technical standards and open source implementation of the trusted server. It also names the [=Executive Director=]. All [=Board=] deliberations are public (with perhaps a few exceptions for personnel matters).

The Legal Entity takes care of day-to-day operations. It is responsible for maintaining, deploying, and operating the trusted server at requisite SLAs and at reasonable cost, as well as of research into future technology that Garuda could use, with organising the various working groups that will bring stakeholders together to help evolve Garuda over time, and with the elaboration of policy positions which Garuda will cooperate with regulators on. It is run by the [=Executive Director=].

The [=Board=] selects (by consensus) an Executive Director every three years or whenever the post becomes vacant. There is a strong assumption that the [=Executive Director=] will not necessarily be renewed: every time a new [=ED=] must be selected, the [=Board=] is expected to review multiple candidates. The [=Board=] can revoke the [=ED=] with a [=supermajority=]. The [=ED=] leads the [=Legal Entity=].

Garuda operates according to fundamental ethical principles (which need to be written before it kicks off, [[?ETHICAL-WEB]], [[?RFC8890]], or [[?PUP]] are good starting points). These [=principles=] can be changed with [=supermajority=]. The purpose of these [=principles=] is to guide the [=Board=]'s discussions and inform its decisions.

There are three primary constituencies: browser vendors (vendors, not engines, and expected to proxy for users), publishers, and adtech intermediaries. For each of them, there are inclusion criteria that are based on volume of the traffic they see through the trusted server. The volume threshold can differ per [=constituency=], it is designed to prevent gaming the system by spawning multiple entities. Entities with sufficient volume have voting rights on a one-entity/one-vote basis, there is no volume proration.

Any entity eligible to be part of a [=constituency=] has some voting rights. These voting rights allow them to elect their representatives to the [=Governance Board=] for that [=constituency=]. Candidates can be nominated by any entity with voting rights. [=Board=] seats are open for three years with a third being renewed every year.

Each [=constituency=] has three representatives on the [=Board=]. No company can have more than one representative, even if it participates in different [=constituencies=]. If one [=constituency=] has fewer than two candidates in a given election, then it gains zero representation. (If interest from that group is too low, it shouldn't be taken over by a single party.)

Supermajority: some changes require a [=supermajority=] of the [=Board=]. [=Supermajority=] is defined as:

⅔rd of the members of the [=Board=] vote in support; and
at least one [=Board=] member from each [=constituency=] must vote in support (so if the three members from one [=constituency=] are agreed against, they effectively have veto power).

The [=Legal Entity=] is financed through a very small tax on advertising. Two models are possible: one is a flat fee per request, another is a percentage of effective CPM. The latter is preferred in that it will incentivise Garuda to increase effectiveness of advertising (whereas the former incentivises volume) but may prove more complicated to build, especially in terms of how to avoid lying about it (so long as it's above the provided bid floor). The amount and type of the tax is determined by the [=Board=]. The overall taxation structure might further depend on the type of operation requested, since not all are equally computationally expensive, and making sure that we properly cost in computational cost is important from an ecological point of view.

Part of the tax should further be set aside to provide financial support to stakeholders who cannot afford to pay someone to spend time in [=Board=] discussions, so as to ensure that participants from companies of all sizes, and from all backgrounds the world around can participate with equity.

Use Cases

The immediate focus is on getting enough of a PARAKEET-like structure off the ground, so that we can have an open source system and the server infrastructure to operate it in a trustworthy fashion up and running. This should enable sufficient anonymisation in the ad environment to make it safe for users, and enable novel publisher techniques. But longer-term, more can be done from this position because the PARAKEET server creates a "place" of sort which can broker multiple adtech functions in such a way that multiple stakeholders have to reach consensus as to how it works. This can progressively build a way out of the current unilateral, conflict-driven model that is causing so much strife across the ecosystem.

Some problems that this could help address are listed below. Note that I am deliberately staying at a very high level for the time being as I do not believe that any of these should be the first area of focus.

Fraud: putting control over fraud prevention not just with intermediaries would incentivise making it more effective. The trusted server has access to detailed user information that can support fraud detection. How this would integrated safely with fraud detection vendors is an open question.
Malvertising: users and publishers have strong incentives to prevent malvertising, but are not usually in a position to do much about it. This would also help provide the line of defence that they expect. Detecting malvertising at the trusted server level will cause less revenue loss than when it happens on the publisher side. This should also make it easier to collaborate across servers to weed out dangerous creatives.
Privacy: the system is designed for that, but it could be extended to protect user privacy in further contexts.
Accountability: the current system is opaque and operates with no audit or control, and not visibility from most actors including publishers and users. Garuda could help bring about a position of farm-to-table accountability and traceability for creatives, of revenue transparency, and could help comply with coming regulations such as the DSA — though that would also require changes to upstream intermediaries as well.
Brand Safety: this is a topic that needs to be managed with publisher input, instead of the system we have now that doesn't work for anyone. Attesting agents on the Garuda server could analyse the content of the page using a methodology of their own, and pass an attestation in the bid that the page is brand safe. The methodology in question would only be allowed to run on Garuda after consensus is found that it is not unilaterally detrimental to publishers.
Creative Quality: ad creatives are produced with low quality engineering and are often highly wasteful of resources, with the cost of poor experience being borne by the publisher and user. This is a point of intervention for the server. Managing creative quality is similar to malvertising at a technical level, but the governance is different: we need the stakeholders to agree on what quality can get blocked, and the buy side needs to be informed that their ads are being dropped.

Known Issues

These issues need to be addressed before this can move forward.

One core problem in institution provision is how to pick who is legitimately in a given constituency, or put differently who is the polity? Garuda selects the polities of its constituencies through volume thresholds as measured by the trusted server. This is expedient for some constituencies, but does not work for all (see below).

Another core problem is how to ensure that the constituencies are balanced? Historically, the interests of the buy-side and of the intermediaries have often aligned against users, with publishers splitting between the two. A system in which some stakeholder constituencies that are almost always aligned have a guaranteed majority will lack the checks and balances to be effective, fair, and credible.

This can in part be addressed with principles (which we need anyway, and that would prevent approaching users from an adversarial angle), which can't be changed without support from at least one entity in each constituency, and also from the fact that if user-hostile tactics were to become supported in Garuda then enough browsers would just walk as to void their constituency, returning the world to ad blocking as the logical line of defense. But that offers relatively weak protection.

Users are not represented

Traditionally, user agents have taken on the role of aligning with users. As detailed in [[?RFC8890]], this is an architecture that presents multiple advantages. Unfortunately, in recent times, some user agents have drifted away from this position of trustworthiness, and this complicates the process of relying on them as representatives of users.

Additionally, the problems created by advertising often target underrepresented and marginalised communities, issues which browser vendors have limited expertise in combating. Browser vendors are not, either in terms of their employees or their legal structures, very representative of the global community, notably of the global South.

Establishing a legitimate worldwide polity for humankind (including those not yet connected whose participation could be helped by a healthy advertising ecosystem) is not a problem that we can solve, however we should seek ways to increase representativity. One option could be the UN (possibly as an observer).

The buy side is not represented

The buy side is where the money comes from and is the set of sources who have the strongest incentives to keep everyone honest in terms of fraud, effectiveness, and brand safety.

It is not obvious how to pick a good polity for this group either. There is also a risk that they could align excessively with intermediaries, which would unbalance the governance structure and undermine its credibility.

One potential solution is to make it so that the Garuda system knows who is paying for every creative that it eventually serves. If the system supports farm-to-table traceability and revenue transparency, this is a requirement anyway as the creative will need to contain verifiable information about who paid for it and how much. Extracting this payment information would make it possible to establish a volume threshold (in spend) for the buy-side to be represented. This would not address balancing issues — unless users also got a constituency of their own (or intermediaries lost theirs).

Another potential option would be the WFA (possibly as an observer).