Advertisers have traditionally relied on third-party cookies and device identifiers to deliver tailored advertising to specific consumers and provide recommendations through mobile apps, streaming TV, and web experiences.
But as the advertising industry reduces its reliance on cookies and identifiers to protect consumer privacy, industry customers are exploring new opportunities to improve how to identify consumers online and deliver personalized advertising in a transparent and trusted way.
Unified ID 2.0 (UID2) is a new industry solution to address this opportunity. Developed by The Trade Desk, UID2 is a non-proprietary, open standard accessible to constituents across the advertising ecosystem. UID2 enables advertisers, agencies, ad technology companies, and publishers selling advertising to continue providing relevant, personalized advertising without third-party cookies. It also provides mechanisms for consumer consent with transparency baked in. Despite the promise of UID2, there hasn’t been an easy way to deploy UID2 operator services into your Amazon Web Services (AWS) account to date.
The solution uses AWS Nitro Enclaves to create trusted compute environments for UID2 operator services that protect and securely process sensitive data and enable advertisers to match ad opportunities with their first-party user data anonymously, thus helping protect consumers’ privacy and delivering relevant advertising to users.
“With our strategy of providing multi-layered identity solutions, Unified ID 2.0 is an important open-source identity solution for the open web that enables Acxiom and Kinesso to directly connect brands’ audiences with the publisher ecosystem without client data leaving our privacy-safe environments. We’re excited by the ‘Unified ID 2.0 on AWS’ solution further to enhance data security and privacy through AWS Nitro Enclaves and reduce heavy lifting from our development teams to launch Unified ID 2.0 in our AWS Cloud environment. Further, because Unified ID 2.0 directly connects first-party audiences to publishers, this solution will help with improved efficiency, match rates and ultimately, better customer experiences,” said Ian Johnson, Global Chief Operating Officer, across Acxiom, Kinesso, and Matterkind.
UID2 Overview
A UID2 identifier is a token representing a user’s verifiable Personally Identifiable Information (PII), such as authenticated email. UID2 identifiers differ from third-party cookies in a few ways:
- UID2 identifiers are never shared between partners. Instead, they are encrypted into ephemeral UID2 “tokens.”
- UID2 tokens do not persist and instead use a cryptographic nonce so their value is different each time they are shared during real-time request and response workflows in programmatic advertising (known as the “bid stream”).
- UID2 tokens refresh at a defined interval to prevent misuse of tokens by non-UID2 participants who may want to build consumer profiles using UID2 tokens.
When a user visits a website, an ad publisher requests a user login that includes a transparent consent explanation and provides opt-in/opt-out options to personalize ads and delete data. The authenticated login information is provided to a service, a UID2 Operator, to create an SHA-256 hashed and salted alphanumeric value (“UID2 identifier”) and an encrypted UID2 identifier (“UID2 token”) representing the user. These tokens enable advertisers to anonymously match ad opportunities with their first-party user data and help improve the relevancy of advertising while keeping consumer information protected.
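The distinction between a stable identifier and an ephemeral token, as an added Go example that is not the UID2 project's code. It assumes a single salt, a simple lowercase-and-trim normalization, and AES-GCM as the token cipher; the function names and sample values are hypothetical and do not reproduce the UID2 token format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Identifier: illustrative salted SHA-256, not the UID2 specification's encoding.
func Identifier(email string, salt []byte) string {
	norm := strings.ToLower(strings.TrimSpace(email))
	sum := sha256.Sum256(append([]byte(norm), salt...))
	return base64.StdEncoding.EncodeToString(sum[:])
}

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Token encrypts the identifier under a fresh random nonce, so the same
// identifier produces a different token every time it is shared.
func Token(a cipher.AEAD, id string) (string, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(a.Seal(nonce, nonce, []byte(id), nil)), nil
}

// Open recovers the identifier; it fails for anyone without the key.
func Open(a cipher.AEAD, token string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(raw) < a.NonceSize() {
		return "", fmt.Errorf("malformed token")
	}
	pt, err := a.Open(nil, raw[:a.NonceSize()], raw[a.NonceSize():], nil)
	return string(pt), err
}

func main() {
	a, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	id := Identifier(" User@Example.com ", []byte("constructed-salt"))
	t1, _ := Token(a, id)
	t2, _ := Token(a, id)
	back, _ := Open(a, t1)
	fmt.Println(t1 != t2, back == id)
}
```

Two tokens for the same user cannot be linked by an observer in the bid stream, while a key holder still recovers the one identifier needed for matching.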
Two basic entities interact in UID2 workflows—Administrator and Operator. The UID2 Administrator is a centralized service that manages access to the distributed UID2 System and is responsible for distributing encryption and decryption keys and salts to UID2 Operators. The UID2 Operator operates a UID2 service to process user PII and to generate and manage UID2s and UID2 tokens. Operators can be either Public Operators or Private Operators. Public Operators are organizations that operate the UID2 service (via API) to generate and manage UID2s and UID2 tokens and are accessible to all participants. Private Operators are organizations that operate their internal version of the UID2 service to generate and manage UID2s and UID2 tokens.
Now let’s explore how The Trade Desk leveraged AWS services to build the UID2 Private Operator service on AWS (more details are available on GitHub). The architecture uses AWS Nitro Enclaves to create isolated, hardened, and highly constrained compute environments for the UID2 Private Operator service to protect and securely process highly sensitive data. Before we get started, there are several requirements for applications that generate UID2 and UID2 tokens:
Requirements for Private Operators to meet the UID2 standard
- Establish a “Trusted Environment” for the UID2 Operator application to process users’ private data (i.e., a user’s phone number or email address) such that sensitive data does not leave the application boundary in plaintext.
- User PII shouldn’t be accessible to other UID2 Operators, Ad Publishers, Supply-Side Platforms (SSPs), Data Providers, Advertisers, or Demand-Side Platforms (DSPs).
- Validate that UID2 Operators run only authorized code and configurations.
- An API key to establish a connection between the UID2 Operator application and UID2 Core (managed by the UID2 Administrator).
- Encryption keys and salt buckets to be provided by the UID2 Administrator to the trusted application code within the UID2 Operator application.
- All data processing and transformation should happen in memory, and the encryption keys, salt store, and UID2 identifier should not be written to persistent storage by the application.
Leveraging AWS Nitro Enclaves
To meet the requirements of the UID2 standard, the UID2 Private Operator service uses AWS Nitro Enclaves for processing highly sensitive data. A Nitro Enclave is a highly constrained virtual machine created by allocating CPU cores and memory from a single “parent” Amazon Elastic Compute Cloud (EC2) instance. Applications running inside a Nitro Enclave can use its cryptographic attestation capabilities to prove their identity and build trust with an external service. Nitro Enclaves do not provide network connectivity, persistent storage, or interactive access. A Nitro Enclave is connected to its parent instance via a secure local socket connection (“vsock”), which is used for input and output from the enclave environment. The Trade Desk designed its UID2 Operator architecture to take advantage of Nitro Enclaves’ isolation and attestation capabilities.
UID2 Private Operator on AWS architecture
The UID2 Private Operator service uses a pre-packaged Amazon Machine Image (AMI) to distribute the application for deployment on an Amazon EC2 instance. The AMI includes a prebuilt Nitro Enclave Image File (EIF) containing the UID2 Operator environment. The AMI also includes various required configuration scripts and utilities that the parent instance needs. When an Amazon EC2 instance is launched using the pre-packaged AMI, it is configured to allocate a portion of its CPU cores and memory to launch a Nitro Enclave using the included EIF.
As shown in Diagram 1 below, the UID2 Operator enclave application requests an attestation document using the Nitro Secure Module API, providing a one-time public key and a nonce as input. The enclave application then sends the signed attestation document to the UID2 Core service (managed by a UID2 Administrator). To validate the Nitro Enclaves cryptographic attestation document, the UID2 Administrator service decodes and extracts the document, validates the signing certificate’s chain, and confirms that the document is signed correctly. Once it has validated the attestation document, the UID2 Administrator service can inspect the attestation to confirm that it was issued to a Nitro Enclave launched using an unmodified copy of the pre-built EIF already validated by the UID2 Administrator.
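The inspection step that follows signature validation, as an added Go example that is not the UID2 project's code. It assumes the COSE signature and certificate chain were already verified and that the verifier knows which nonce to expect; the struct, function name, freshness window and sample values are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// AttestationDoc holds attestation document fields after the COSE signature
// and certificate chain have been verified (assumed done; not shown here).
type AttestationDoc struct {
	Timestamp time.Time      // when the document was issued
	PCRs      map[int][]byte // PCR0 is the SHA-384 measurement of the EIF
	PublicKey []byte         // one-time key supplied by the enclave application
	Nonce     []byte         // nonce supplied with the attestation request
}

// CheckAttestation applies the verifier's policy: expected nonce, recent
// timestamp, usable public key, and a PCR0 on the approved-image list.
func CheckAttestation(d AttestationDoc, nonce []byte, approved [][]byte, now time.Time, maxAge time.Duration) error {
	if len(nonce) == 0 || subtle.ConstantTimeCompare(d.Nonce, nonce) != 1 {
		return errors.New("nonce mismatch: possible replay")
	}
	if age := now.Sub(d.Timestamp); age < 0 || age > maxAge {
		return errors.New("document is post-dated or too old")
	}
	if len(d.PublicKey) == 0 {
		return errors.New("no public key to encrypt the authorization token to")
	}
	pcr0 := d.PCRs[0]
	if len(pcr0) != 48 || bytes.Equal(pcr0, make([]byte, 48)) {
		return errors.New("PCR0 missing or all zero (debug-mode enclave)")
	}
	for _, want := range approved {
		if bytes.Equal(pcr0, want) {
			return nil
		}
	}
	return fmt.Errorf("PCR0 %x... is not an approved enclave image", pcr0[:8])
}

func main() {
	// Constructed sample values; real PCR0 values come from the EIF build.
	good, nonce := bytes.Repeat([]byte{0xAB}, 48), []byte("constructed-nonce")
	now := time.Unix(1700000000, 0)
	d := AttestationDoc{now.Add(-30 * time.Second), map[int][]byte{0: good}, []byte{4, 1}, nonce}
	fmt.Println("approved image:", CheckAttestation(d, nonce, [][]byte{good}, now, 5*time.Minute))
	d.PCRs[0] = bytes.Repeat([]byte{0xCD}, 48) // an EIF that was modified
	fmt.Println("modified image:", CheckAttestation(d, nonce, [][]byte{good}, now, 5*time.Minute))
}
```

The all-zero check matters because an enclave started in debug mode produces attestation documents whose PCRs are entirely zero, so such a document must never match an approved image.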

After successful attestation, the UID2 Core service sends a unique authorization token, encrypted using the public key provided in the enclave’s attestation document. This token is used to authorize subsequent requests by the UID2 Operator enclave application and is periodically refreshed automatically. After receiving the authorization token, the UID2 Operator enclave application requests encryption keys, salt buckets, and associated data from UID2 Core. UID2 Core responds with an Amazon S3 presigned URL to download the required data. The enclave application uses salt buckets to transform a user’s email address or phone number into a hashed (SHA256) alphanumeric UID2 identifier and uses encryption keys to encrypt UID2 into UID2 tokens. Entities running UID2 Private Operator services can integrate their applications to send requests to their UID2 Operator enclave application to transform the user’s PII into UID2 and UID2 tokens.
As shown in Diagram 2 below, UID2’s Private Operator service design uses Amazon EC2 launch templates and Amazon EC2 Auto Scaling groups to scale the UID2 Private Operator service horizontally as needed. UID2 Private Operator service nodes are deployed across multiple Availability Zones to provide high availability and resiliency.

Conclusion
With the decreasing reliance on third-party cookies in real-time advertising, Unified ID 2.0 (UID2) has emerged as a solution that improves how to identify consumers online and deliver personalized advertising in a transparent and trusted way.
















































