What is Halo CMMS?
The Halo Cross-Media Measurement System (CMMS) is a privacy-centric system for cross-publisher, cross-media advertising measurement through secure multiparty computations. Built by the World Federation of Advertisers, it enables advertisers to measure campaign reach and frequency across multiple publishers and media channels while preserving user privacy.
Halo CMMS uses cryptographic techniques and secure multiparty computation (MPC) to ensure that no single party can access individual user data, while still generating accurate aggregate measurements.
Why Halo CMMS?
Privacy-First Architecture
The system is designed from the ground up with privacy as a core principle:
- No Single Point of Data Access: Encrypted data is distributed across multiple independent organizations (Duchies)
- Multiparty Computation: All Duchies must participate in computations, preventing any single party from accessing raw data
- Differential Privacy: Statistical noise is added to results to protect individual user privacy
- Encrypted Sketches: Publishers encrypt measurement data using the combined public key of all Duchies
Key Use Cases
Halo CMMS enables advertisers to:
Cross-Publisher Reach
Measure unique reach across multiple publishers without sharing user-level data
Frequency Distribution
Understand how often users see ads across different platforms and campaigns
Cross-Media Measurement
Combine measurements from digital, TV, and other media channels
Campaign Analytics
Generate privacy-safe reports spanning multiple campaigns and time periods
How It Works: High-Level Overview
Advertisers Configure Reports
Measurement consumers (advertisers) configure reports that may span various campaigns, publishers, and media types through the Kingdom API.
Kingdom Manages Requisitions
The Kingdom determines which data is required and creates requisitions for publishers. It tracks fulfillment status and orchestrates the overall workflow.
Publishers Submit Encrypted Data
Publishers compute encrypted sketches (similar to HyperLogLog for cardinality estimation) and encrypt them using the combined public key of all Duchies. These sketches are sent to a Duchy for storage.
Secure Multiparty Computation
When all requisitions for a measurement are fulfilled, Duchies perform secure multiparty computation in a predetermined order. Each Duchy holds part of the decryption key, so all must participate.
Privacy-Preserving Measurement
The system employs multiple privacy-protection techniques:
Secure Multiparty Computation (MPC)
Data is encrypted with a threshold encryption scheme where the private key is distributed across all Duchies. No single Duchy can decrypt data on its own. Computations proceed through two rounds:
- First Round: Each Duchy shuffles the encrypted sketches to destroy information that could be reconstructed from register indices
- Second Round: Duchies each use their piece of the private key to progressively decrypt the results
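The two rounds above, as an added toy example (not code from the Halo project): multiplicative ElGamal over a small constructed prime modulus stands in for the real cryptography, and the `Duchy` class, the function names and the register values are assumptions made for illustration. It goes slightly beyond the text by re-randomizing ciphertexts during the shuffle, so shuffled outputs cannot be matched to inputs by comparing ciphertexts.

```python
import random
import secrets

P = 2**127 - 1  # toy prime modulus, constructed for this demo only
G = 3           # toy base element

def rand_exp():
    return secrets.randbelow(P - 2) + 1

class Duchy:
    """One computation node; its private-key share never leaves the object."""
    def __init__(self):
        self._share = rand_exp()
        self.public_share = pow(G, self._share, P)

    def shuffle(self, cts, combined_pk):
        # Round 1: re-randomize each ciphertext, then permute the list.
        out = []
        for c1, c2 in cts:
            r = rand_exp()
            out.append((c1 * pow(G, r, P) % P, c2 * pow(combined_pk, r, P) % P))
        random.SystemRandom().shuffle(out)
        return out

    def partial_decrypt(self, cts):
        # Round 2: strip only this Duchy's layer, c2 / c1^share.
        return [(c1, c2 * pow(c1, -self._share, P) % P) for c1, c2 in cts]

def combine_public_keys(duchies):
    # The combined public key is the product of every Duchy's public share.
    pk = 1
    for d in duchies:
        pk = pk * d.public_share % P
    return pk

def encrypt(m, pk):
    r = rand_exp()
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def run_computation(registers, duchies, decryptors=None):
    """Encrypt, let every Duchy shuffle, then let `decryptors` decrypt in turn."""
    pk = combine_public_keys(duchies)
    cts = [encrypt(m, pk) for m in registers]
    for d in duchies:
        cts = d.shuffle(cts, pk)
    for d in (duchies if decryptors is None else decryptors):
        cts = d.partial_decrypt(cts)
    return sorted(c2 for _, c2 in cts)

REGISTERS = [5, 17, 17, 42, 99]  # constructed sample register values
```

Passing a subset of the Duchies as `decryptors` returns values that are still masked by the missing key share, which is the property the text describes as "all must participate".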
Differential Privacy
The system adds calibrated statistical noise to measurement results to provide formal privacy guarantees. This ensures that individual user data cannot be inferred from the aggregate results, even when combined with external information.
For a deeper understanding of differential privacy, see the included research papers:
Multi-Cloud Deployment
For additional security, Duchies should be operated by independent organizations and deployed across different cloud providers. This prevents any single cloud provider from accessing all components of the system.
System Components
The Halo CMMS consists of three main deployment types:
Kingdom
Single controller deployment that manages report configuration, requisitions, and result delivery. See System Components for details.
Duchies
At least two independent secure computation nodes, each operated by a different organization. See Architecture for the computation flow.
Data Providers
Publishers and media companies that fulfill requisitions by submitting encrypted measurement data.
Supported Protocols
Halo CMMS implements multiple secure computation protocols:
- Liquid Legions v2 (LLv2): Full reach and frequency measurement protocol
- Reach-Only Liquid Legions v2: Optimized protocol for reach-only measurements
- Honest Majority Share Shuffle (HMSS): Alternative protocol with different security assumptions
Benefits
For Advertisers
- Measure campaign effectiveness across publishers without requiring data sharing
- Gain insights into cross-media reach and frequency
- Comply with privacy regulations while maintaining measurement capabilities
- Standardized measurement across the industry
For Publishers
- Participate in cross-publisher measurement without sharing user data
- Maintain user privacy and comply with regulations
- Support advertiser measurement needs without sacrificing privacy principles
- No need to trust a single centralized entity
For Users
- Strong privacy protections through cryptographic guarantees
- No single party can access individual user data
- Differential privacy ensures aggregate data cannot reveal individual behavior
- Transparent, open-source implementation
Next Steps
To get started with Halo CMMS:
Understand the Architecture
Learn about the system architecture and how components interact
Explore System Components
Detailed breakdown of Kingdom and Duchy services
Deploy a Kingdom
Step-by-step guide to deploying a Kingdom on GKE
Deploy a Duchy
Instructions for setting up a Duchy deployment
Open Source
Halo CMMS is open source and available on GitHub. The project welcomes contributions and is built using modern technologies including:
- Kotlin for business logic and services
- gRPC for inter-service communication
- Kubernetes for orchestration
- C++ for cryptographic operations
- Bazel for build management