Google Patents a Privacy-Preserving Ad Attribution System Using Attestation Tokens

By Patentlyze Team · Updated May 8, 2026

Google is trying to solve one of mobile advertising's most contentious problems — figuring out which ad caused you to install an app — without ever exposing who you actually are.

How Google's token-matching attribution hides your identity

Imagine you see an ad for a fitness app while scrolling through your favorite game. You tap it, download the app, and the advertiser wants to know: did their ad cause that install? Normally, answering that question means passing around identifiers that can be tied back to you specifically — which is a privacy nightmare.

Google's new patent describes a system that answers the same question using anonymous, hashed tokens instead of personal identifiers. Think of each token like a scrambled receipt number — it can be matched against another scrambled receipt number to confirm they came from the same session, but you can't reverse-engineer it to figure out who was holding the receipt.

The clever part is that multiple tokens are exchanged at different stages — when the ad is shown, when it's clicked, and when the app is installed — and only a neutral "attribution processor" ever compares them. No single party in the chain sees your personal data, yet the advertiser still learns which platform deserves credit for the install.

How the hash-chain comparison attributes an install privately

At its core, the patent describes a multi-party attribution protocol built around anonymous tokens and their cryptographic hashes (a one-way mathematical fingerprint — you can verify a match, but you can't recover the original value).

Here's the flow the claim lays out:

• When an ad is shown and interacted with, the client device generates anonymous tokens at each step — impression, click, and install — and passes their hash values (not the raw tokens) to the app server.
• After an install is detected, an attribution processing apparatus (a neutral intermediary) collects the hash set from the app server, then queries multiple competing ad platforms asking, in effect, "do you recognize this install?"
• Each content platform responds with its own set of hash values corresponding to the tokens it observed during ad delivery.
• The processor compares the two sets. A match means that platform served the ad that led to the install — and it gets credited accordingly.

The device integrity system referenced in the diagram suggests the tokens themselves are tied to a hardware or OS-level attestation, making it harder to fabricate fake installs. This is the "attestation" part of the title — the tokens aren't just anonymous, they're verifiably issued by a real device.

What this means for the post-cookie ad attribution world

Mobile ad attribution is a multi-billion-dollar measurement problem that Apple's App Tracking Transparency (ATT) framework dramatically disrupted. ATT broke the old model — which relied on device-level identifiers like the IDFA — and forced the industry toward probabilistic or privacy-preserving alternatives. Google's own Privacy Sandbox for Android is already attempting something similar with its Protected Attribution API.

This patent fits squarely into that battle. If you install an app after seeing an ad, advertisers still need to know what worked — but the old way of finding out violated your privacy. A token-matching system like this one could let the ad ecosystem keep functioning without reconstructing your identity at any step, which is exactly the kind of design regulators in the EU and California have been pushing for.

Editorial commentary on a publicly published patent application. Not legal advice. Patentlyze may earn a commission if you click an affiliate link and make a purchase. This doesn't affect what we cover or how we cover it.