Description
In the present design, impression site quotas are checked for every impression that is potentially included in the conversion logic. If any of those quotas are exceeded, the entire conversion fails. That is, no information is contributed to the final report.
This is a little unfortunate. It would be ideal if an impression site that was overused were instead excluded from consideration. However, getting the analysis to support that mode is a little fiddly. It's not as though the impression site quota is a load-bearing piece of the privacy story; they exist to help defend the global privacy budget against various forms of attack.
As I understand it, the challenge is in ensuring that a change to the quota structure doesn't lead to a concrete privacy problem. Even a problem with the privacy analysis such that we couldn't be sure of the absence of concrete privacy problems would be unwelcome.
An analysis is being actively worked on, so this issue is to track that. If a solution is found, it would be good to make the spec more resilient to this sort of information loss.
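The two quota behaviours contrasted in the issue, as an added illustration that is not code from the spec or from the issue author: an all-or-nothing check that fails the whole conversion when any impression site is over quota, beside the exclusion mode in which only the overused site's impressions are dropped. The `Impression` type, the per-site `QUOTAS` table, the attribution weights and the sample impressions are all constructed here for the example; the spec's actual quota structure is not given on the page.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Impression:
    site: str      # the impression site that showed the ad (constructed)
    weight: float  # hypothetical attribution weight (constructed)


# Hypothetical per-impression-site quotas: how many impressions from each
# site may feed into conversions before the site counts as overused.
QUOTAS: Dict[str, int] = {"ads.example": 2, "news.example": 5}

# Constructed sample: three impressions from ads.example (over its quota of 2)
# and one from news.example (well within its quota).
SAMPLE: List[Impression] = [Impression("ads.example", 1.0)] * 3 + [
    Impression("news.example", 0.5)
]


def overused_sites(impressions: List[Impression], used: Counter,
                   quotas: Dict[str, int]) -> Set[str]:
    """Sites whose quota would be exceeded if every candidate impression
    in this conversion were counted on top of what is already used."""
    demand = used + Counter(imp.site for imp in impressions)
    return {site for site, n in demand.items() if n > quotas.get(site, 0)}


def attribute_all_or_nothing(impressions: List[Impression], used: Counter,
                             quotas: Dict[str, int]) -> Optional[List[Impression]]:
    """Present design as described in the issue: a single over-quota site
    fails the whole conversion, so nothing reaches the report."""
    if overused_sites(impressions, used, quotas):
        return None
    used.update(imp.site for imp in impressions)  # charge the quotas
    return list(impressions)


def attribute_excluding_overused(impressions: List[Impression], used: Counter,
                                 quotas: Dict[str, int]) -> List[Impression]:
    """Mode the issue asks for: drop only the overused sites' impressions
    and let the remaining, within-quota impressions contribute."""
    excluded = overused_sites(impressions, used, quotas)
    kept = [imp for imp in impressions if imp.site not in excluded]
    used.update(imp.site for imp in kept)  # only kept impressions consume quota
    return kept


def contributed_weight(result: Optional[List[Impression]]) -> float:
    """Total attribution weight that would be contributed to the report."""
    return 0.0 if result is None else sum(imp.weight for imp in result)


if __name__ == "__main__":
    strict = attribute_all_or_nothing(SAMPLE, Counter(), QUOTAS)
    lenient = attribute_excluding_overused(SAMPLE, Counter(), QUOTAS)
    print("all-or-nothing contributes:", contributed_weight(strict))
    print("exclude-overused contributes:", contributed_weight(lenient),
          "from", sorted({imp.site for imp in lenient}))
```

Under the all-or-nothing rule the sample conversion contributes nothing, because `ads.example` alone is over quota; under the exclusion rule the `news.example` impression still contributes and `ads.example` consumes no quota at all. The open question in the issue is whether the second rule can be shown not to weaken the global privacy budget, which this example does not address: it only makes the difference in information loss concrete.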