🤖 AI Summary
Existing Privacy-Preserving Attribution (PPA) APIs lack a systematic privacy budget management framework, resulting in ad hoc utility–privacy trade-offs without theoretical grounding.
Method: Targeting the W3C PPA standard, we propose the first site-level, semantically well-defined quota budget and design a global budget management system based on resource isolation. We innovatively integrate differential privacy theory with a utility-aware dynamic batching scheduler to enable adaptive, utility-sensitive budget allocation. Crucially, we formally apply the resource isolation principle to cross-site privacy budget coordination for the first time.
Contribution/Results: Our approach significantly improves global budget utilization while ensuring rigorous privacy guarantees. Evaluated on real-world advertising data and a Firefox browser extension, it demonstrates rational budget allocation, strong robustness against adversarial attacks, and successful end-to-end deployment, marking the first production-ready, theory-grounded PPA budgeting system.
📝 Abstract
Privacy-preserving advertising APIs like Privacy-Preserving Attribution (PPA) are designed to enhance web privacy while enabling effective ad measurement. PPA offers an alternative to cross-site tracking with encrypted reports governed by differential privacy (DP), but current designs lack a principled approach to privacy budget management, creating uncertainty around critical design decisions. We present Big Bird, a privacy budget manager for PPA that clarifies per-site budget semantics and introduces a global budgeting system grounded in resource isolation principles. Big Bird enforces utility-preserving limits via quota budgets and improves global budget utilization through a novel batched scheduling algorithm. Together, these mechanisms establish a robust foundation for enforcing privacy protections in adversarial environments. We implement Big Bird in Firefox and evaluate it on real-world ad data, demonstrating its resilience and effectiveness.
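To make the abstract's budgeting concepts concrete, here is an added toy model (not Big Bird's code or algorithm) of a per-site quota budget isolated under a global DP budget, with a batch scheduler that grants queued requests in order of declared utility per unit of epsilon; the quota values, the utility-per-epsilon ordering and the simple sequential-composition accounting are assumptions made for illustration.

```python
"""Toy privacy budget manager: per-site quotas, a global cap, and batched scheduling.
Illustrative model only; it is not the Big Bird implementation."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    site: str        # site asking for an attribution report
    epsilon: float   # DP cost charged for releasing the report (assumed pure-DP)
    utility: float   # site-declared value of the report, used for scheduling only


class BudgetManager:
    def __init__(self, global_epsilon: float, site_quota: float):
        self.global_epsilon = global_epsilon  # browser-wide cap (sequential composition)
        self.site_quota = site_quota          # isolated cap each site can consume
        self.spent = defaultdict(float)       # epsilon consumed per site so far
        self.pending = []                     # requests waiting for the next batch

    def submit(self, req: Request) -> None:
        # Reject malformed requests before they reach the scheduler.
        if req.epsilon <= 0:
            raise ValueError("epsilon must be positive")
        self.pending.append(req)

    def global_spent(self) -> float:
        return sum(self.spent.values())

    def schedule_batch(self):
        """Grant pending requests by utility per epsilon; enforce the site quota
        before the global cap so one site's flood cannot starve another site."""
        tol = 1e-9  # float tolerance for the budget comparisons
        accepted, rejected = [], []
        ordered = sorted(self.pending, key=lambda r: r.utility / r.epsilon, reverse=True)
        for req in ordered:
            fits_site = self.spent[req.site] + req.epsilon <= self.site_quota + tol
            fits_global = self.global_spent() + req.epsilon <= self.global_epsilon + tol
            if fits_site and fits_global:
                self.spent[req.site] += req.epsilon
                accepted.append(req)
            else:
                rejected.append(req)  # denied report; no budget is charged
        self.pending = []
        return accepted, rejected
```

Because each request is checked against its own site's quota first, a site that floods the queue can exhaust only its own quota, which is the isolation property the abstract attributes to the global budgeting design.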