From c9c5ac15ce750753596dd0398507b87014ff0247 Mon Sep 17 00:00:00 2001 From: Charlie Harrison Date: Thu, 4 May 2023 15:40:25 -0500 Subject: [PATCH 1/4] Add private single events to areas of agreement --- design-dimensions/Dimensions-with-General-Agreement.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/design-dimensions/Dimensions-with-General-Agreement.md b/design-dimensions/Dimensions-with-General-Agreement.md index 0182dd4..8ee1167 100644 --- a/design-dimensions/Dimensions-with-General-Agreement.md +++ b/design-dimensions/Dimensions-with-General-Agreement.md 
@@ -25,6 +25,11 @@ We’ve explored three main definitions of privacy: The community group has reached general agreement that the _Private Measurement Technical Specification MVP_ should use a definition of privacy based on differential privacy. This does not preclude the use of other privacy definitions in conjunction with differential privacy, however any proposal should aim to provide differential privacy guarantees. +### Private measurement of single events +The group has discussed the use-case of “differentially private measurement of single events” i.e. whether, under a differential privacy guarantee, we would permit queries which ask about a single event’s outcome (did impression lead to a conversion, for instance). For more information about this, see https://github.com/patcg/docs-and-reports/issues/41 and the [agenda topic](https://github.com/patcg/meetings/issues/112) from the May 2023 meeting. + +We have reached a general consensus that these types of queries can be particularly sensitive, so we must take care when setting the proper [differential privacy scope](#privacy-unit--privacy-budget-scoping) as well as privacy parameters (e.g. epsilon) to ensure that events are properly protected, and we ensure that the protection covers people that submit many events. However, queries of this form can be generally permitted, and we do not require special mitigations to ensure aggregation across many events is happening. + ## Privacy unit / privacy budget scoping A privacy budget scope denotes a boundary for user data leakage, formally described in terms of a privacy definition, which is allowed by a private measurement design. Proposals define a scope, or scopes, within which a limited maximum amount of data may be disclosed. From d0a638077cc26dfe45581f07e2353404da63819d Mon Sep 17 00:00:00 2001 
From: Charlie Harrison Date: Thu, 4 May 2023 19:38:53 -0500 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: Martin Thomson --- design-dimensions/Dimensions-with-General-Agreement.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/design-dimensions/Dimensions-with-General-Agreement.md b/design-dimensions/Dimensions-with-General-Agreement.md index 8ee1167..2c6c18c 100644 --- a/design-dimensions/Dimensions-with-General-Agreement.md +++ b/design-dimensions/Dimensions-with-General-Agreement.md 
@@ -26,7 +26,7 @@ We’ve explored three main definitions of privacy: The community group has reached general agreement that the _Private Measurement Technical Specification MVP_ should use a definition of privacy based on differential privacy. This does not preclude the use of other privacy definitions in conjunction with differential privacy, however any proposal should aim to provide differential privacy guarantees. ### Private measurement of single events -The group has discussed the use-case of “differentially private measurement of single events” i.e. whether, under a differential privacy guarantee, we would permit queries which ask about a single event’s outcome (did impression lead to a conversion, for instance). For more information about this, see https://github.com/patcg/docs-and-reports/issues/41 and the [agenda topic](https://github.com/patcg/meetings/issues/112) from the May 2023 meeting. +The group has discussed the use-case of “differentially private measurement of single events”. Specifically, whether, given differential privacy protections, we would permit queries which ask about the outcome for a single event (did impression lead to a conversion, for instance). For more information about this, see https://github.com/patcg/docs-and-reports/issues/41 and the [agenda topic](https://github.com/patcg/meetings/issues/112) from the May 2023 meeting. We have reached a general consensus that these types of queries can be particularly sensitive, so we must take care when setting the proper [differential privacy scope](#privacy-unit--privacy-budget-scoping) as well as privacy parameters (e.g. epsilon) to ensure that events are properly protected, and we ensure that the protection covers people that submit many events. However, queries of this form can be generally permitted, and we do not require special mitigations to ensure aggregation across many events is happening. From 634d55cb0c9f0dde3847e731f514ce62cf838f54 Mon Sep 17 00:00:00 2001 
From: Charlie Harrison Date: Thu, 4 May 2023 20:13:52 -0500 Subject: [PATCH 3/4] Apply suggestions from code review --- design-dimensions/Dimensions-with-General-Agreement.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/design-dimensions/Dimensions-with-General-Agreement.md b/design-dimensions/Dimensions-with-General-Agreement.md index 2c6c18c..b904272 100644 --- a/design-dimensions/Dimensions-with-General-Agreement.md +++ b/design-dimensions/Dimensions-with-General-Agreement.md 
@@ -28,7 +28,7 @@ The community group has reached general agreement that the _Private Measurement ### Private measurement of single events The group has discussed the use-case of “differentially private measurement of single events”. Specifically, whether, given differential privacy protections, we would permit queries which ask about the outcome for a single event (did impression lead to a conversion, for instance). For more information about this, see https://github.com/patcg/docs-and-reports/issues/41 and the [agenda topic](https://github.com/patcg/meetings/issues/112) from the May 2023 meeting. -We have reached a general consensus that these types of queries can be particularly sensitive, so we must take care when setting the proper [differential privacy scope](#privacy-unit--privacy-budget-scoping) as well as privacy parameters (e.g. epsilon) to ensure that events are properly protected, and we ensure that the protection covers people that submit many events. However, queries of this form can be generally permitted, and we do not require special mitigations to ensure aggregation across many events is happening. +We have reached consensus that these types of queries can be particularly sensitive, so we must take care when setting the proper [differential privacy scope](#privacy-unit--privacy-budget-scoping) and parameters (e.g., epsilon and delta) to ensure that user contributions are adequately protected. Any protection needs to cover people that submit many events. However, queries of this form will not necessarily be prohibited, although additional protections should be considered if differential privacy guarantees are deemed too weak. ## Privacy unit / privacy budget scoping From 7c0393d5fdaa5485bbdb2153738e7c4866cdda7b Mon Sep 17 00:00:00 2001 
From: Charlie Harrison Date: Mon, 8 May 2023 19:15:17 -0500 Subject: [PATCH 4/4] Clarify the privacy scope --- design-dimensions/Dimensions-with-General-Agreement.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/design-dimensions/Dimensions-with-General-Agreement.md b/design-dimensions/Dimensions-with-General-Agreement.md index b904272..8c84643 100644 --- a/design-dimensions/Dimensions-with-General-Agreement.md +++ b/design-dimensions/Dimensions-with-General-Agreement.md 
@@ -28,7 +28,7 @@ The community group has reached general agreement that the _Private Measurement ### Private measurement of single events The group has discussed the use-case of “differentially private measurement of single events”. Specifically, whether, given differential privacy protections, we would permit queries which ask about the outcome for a single event (did impression lead to a conversion, for instance). For more information about this, see https://github.com/patcg/docs-and-reports/issues/41 and the [agenda topic](https://github.com/patcg/meetings/issues/112) from the May 2023 meeting. -We have reached consensus that these types of queries can be particularly sensitive, so we must take care when setting the proper [differential privacy scope](#privacy-unit--privacy-budget-scoping) and parameters (e.g., epsilon and delta) to ensure that user contributions are adequately protected. Any protection needs to cover people that submit many events. However, queries of this form will not necessarily be prohibited, although additional protections should be considered if differential privacy guarantees are deemed too weak. +We have reached consensus that these types of queries can be particularly sensitive, so we must take care when setting the proper [differential privacy scope](#privacy-unit--privacy-budget-scoping) and parameters (e.g., epsilon and delta) to ensure that user contributions are adequately protected. Any protection needs to cover people that submit many events within the chosen privacy scope. However, queries of this form will not necessarily be prohibited, although additional protections will be considered if differential privacy guarantees are deemed too weak. ## Privacy unit / privacy budget scoping
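Review bot: In PATCH 1/4, the closing sentence of the added paragraph ("we do not require special mitigations to ensure aggregation across many events is happening") contradicts the sentence before it, which calls these queries "particularly sensitive" and says scope and epsilon must be set with care; as written, a reader cannot tell what that care amounts to if no mitigation is required. State the condition under which a single-event query is acceptable (for instance, that its cost is charged against the budget of the chosen privacy scope) rather than asserting that nothing extra is needed. Two small fixes in the first paragraph: "single events”, i.e., whether" and "did an impression lead to a conversion".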
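Review bot: In PATCH 2/4, the reworded second sentence ("Specifically, whether, given differential privacy protections, we would permit queries ...") has no main clause and reads as a fragment, and "did impression lead to a conversion" still lacks its article. Suggest: "Specifically, the question is whether, given differential privacy protections, we would permit queries that ask about the outcome of a single event (whether an impression led to a conversion, for instance)."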
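Review bot: In PATCH 3/4, "Any protection needs to cover people that submit many events." names the requirement but not the mechanism, and the mechanism is the privacy unit: if the epsilon/delta budget is accounted per event, a person with many events in the scope is only protected by the composition of those per-event guarantees, which is weaker in proportion to the number of events. Say explicitly that the unit of protection is the person within the scope linked earlier in the sentence, not the individual event. "if differential privacy guarantees are deemed too weak" also leaves open who makes that judgement and against what threshold; tie it to the epsilon and delta values the document asks proposals to set.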
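Review bot: In PATCH 4/4, changing "should be considered" to "will be considered" turns a recommendation into a commitment without saying where that decision will be made or recorded, while the trigger ("deemed too weak") is still undefined. Either keep "should", or name the criterion and the place the decision lands (for example, the parameter values chosen under the privacy scope section this sentence already links to). The added "within the chosen privacy scope" is the right qualification, since it makes the many-events protection depend on the same scope the link earlier in the sentence points at.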