File: surface_set_valuation.h

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (109 lines) | stat: -rw-r--r-- 4,739 bytes parent folder | download | duplicates (7) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
 
// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_PRIVACY_BUDGET_SURFACE_SET_VALUATION_H_
#define CHROME_BROWSER_PRIVACY_BUDGET_SURFACE_SET_VALUATION_H_

#include "base/memory/raw_ref.h"
#include "chrome/browser/privacy_budget/representative_surface_set.h"
#include "chrome/browser/privacy_budget/surface_set_equivalence.h"
#include "chrome/common/privacy_budget/privacy_budget_settings_provider.h"
#include "chrome/common/privacy_budget/types.h"
#include "third_party/blink/public/common/privacy_budget/identifiable_surface.h"

// Estimates the privacy budget cost for a set of identifiable surfaces.
//
// Random surface selection is guided by a rudimentary naïve costing model.
// _This model is in no way meant to resemble any model that will result from
// the identifiability study_. It currently has the following properties:
//
// * By default all surfaces are assumed to have a cost of 1 median surface.
//
//     * Units are in information exposed by a _median _surface. So sans
//       anything more specific the costing model assumes that a given surface
//       exposes a median amount of identifiable information _independently of
//       any other surface_.
//
//       This choice of unit has the desirable property of being compatible with
//       just counting the number of surfaces.
//
//     * The measure is proportional to the exposed Shannon entropy. I.e. if
//       a single unit corresponds to 𝛮 bits, then 2 units will correspond to 2𝛮
//       bits. Hence the information content of two independent identifiable
//       surfaces is the sum of the information content of each individual
//       surface.
//
// * The cost of any individual surface can be overridden on the basis of its
//   type or its identifier. This is for dealing with substantial deviations
//   from the median.
//
// * A group of surfaces can be treated as a single unit and be assigned a group
//   cost. This is useful, for example, if we want to select `Screen.width` and
//   `Screen.height` together so that any time we decide to include one we
//   implicitly include the other.
//
//   The set of surfaces that are considered as a unit for valuation purposes is
//   referred to in code as an "equivalence class" or "equivalence set."
//
// * Given a set of surfaces 𝑺 the cost of the set is the sum of:
//
//   * The costs of each surface that is _not_ a member of any equivalence
//     class.
//
//   * The cost of each equivalence class where at least one of the surfaces in
//     𝑺 is a member.
class SurfaceSetValuation {
 public:
  // The default cost is always one median identifiable surface.
  static constexpr double kDefaultCost = 1.0;

  // Constructs a valuation object. The SurfaceSetEquivalence object passed in
  // by reference as `equivalence` MUST outlive this object.
  explicit SurfaceSetValuation(const SurfaceSetEquivalence& equivalence);
  ~SurfaceSetValuation();

  // Returns an upper-bound for the cost of the surfaces in `set`.
  PrivacyBudgetCost Cost(const IdentifiableSurfaceSet& set) const;

  // Returns an upper-bound for the cost of `surface`.
  PrivacyBudgetCost Cost(blink::IdentifiableSurface surface) const;

  // Returns an upper-bound for the cost of `surface`.
  PrivacyBudgetCost Cost(RepresentativeSurface surface) const;

  // Returns an upper-bound for the cost of the surfaces in `set`.
  PrivacyBudgetCost Cost(const RepresentativeSurfaceSet& set) const;

  // Returns the _incremental_ change in cost that would result from adding
  // `new_addition` to the set of surfaces represented by `prior`.
  //
  // Costs are always zero or positive, so the returned value will never be
  // negative.
  PrivacyBudgetCost IncrementalCost(const RepresentativeSurfaceSet& prior,
                                    RepresentativeSurface new_addition) const;

  // Returns a reference to the underlying identifiable surface equivalence
  // model.
  const SurfaceSetEquivalence& equivalence() const {
    return *equivalence_sets_;
  }

  // Returns the expected number of surfaces that would fit in `cost`. This is
  // a naive estimate that assumes that the surfaces will be of average cost and
  // mutually independent.
  //
  // `cost` must be positive.
  static size_t ExpectedSurfaceCountForCost(PrivacyBudgetCost cost);

 private:
  const raw_ref<const SurfaceSetEquivalence> equivalence_sets_;

  // Per surface relative cost.
  const IdentifiableSurfaceCostMap per_surface_costs_;

  // Per surface type relative cost.
  const IdentifiableSurfaceTypeCostMap per_type_costs_;
};

#endif  // CHROME_BROWSER_PRIVACY_BUDGET_SURFACE_SET_VALUATION_H_