There are a number of designs for an online advertising system that allow
for behavioral targeting without revealing user online behavior or user
interest profiles to the ad network. However, none of the proposed designs
have been deployed in real-life settings. In this talk, I will present an
effort to fill this gap by building and evaluating a fully functional
prototype of a practical privacy-preserving ad system at a reasonably
large scale. With more than 13K opted-in users, our system was in
operation for over two months serving an average of 4800 active users
daily. During the last month alone, we registered 790K ad views, 417
clicks, and even a small number of product purchases. In addition, our
prototype is equipped with a differentially private data collection
mechanism, which we used as the primary means for gathering experimental
data. The data we collected show, for example, that our system obtained
click-through rates comparable with those for Google display ads. In this
talk, I will describe our first-hand experience and lessons learned in
running the first fully operational "private-by-design" behavioral
advertising and analytics system.