Overly conservative check and deduct for budget

[bmcase]

The current text in [=deduct privacy budget=] function is a bit overly conservative when checking and deducting budget

1. If |deductionFp| is negative or greater than [=maximum epsilon=], [=map/set|set=] the value of |key| in the [=privacy budget store=] to 0
   and return false.

Also

1. If |deduction| is greater than |currentValue|, [=map/set|set=] the value of |key| in the [=privacy budget store=] to 0
   and return false.

If someone asks for a really big epsilon, you don’t have to both zero out their budget and give them a null report. You can just give them a null report and hope they figure out how this API works to come back and spend their budget properly…

I think I'll end up addressing this in #309 as need to also make it such that privacy budget deduction occurs if and only if all safety limit deductions can be made, otherwise just drop the epoch's impressions from consideration in this measureConversion request.

[csharrison]

Are you sure about that Ben? My understanding of the privacy filters is that once they return $\bot$, they always return that from then on, although I can't think of any counterexample where privacy fails off the top of my head.

[bmcase]

Hi @csharrison, yes I am sure; and confirmed with @roxanageambasu. If you look at Algorithm 2 in Big Bird this overall transaction process is specified https://arxiv.org/pdf/2506.05290

What happens is a per-epoch atomic transaction which checks all filters (privacy budget or quotas) to see if there is enough left. If not, then that epoch will not have any impressions considered and contribute nothing to the result; thus, the individual privacy loss for that epoch is 0 and we don't deduct anything from that epoch's filters. If enough remains in all filters, we deduct from all and include those impressions.

Each epoch handles this separately, so it could be the case that for a requested epsilon one epoch had enough remaining to be deducted while another did not, so you might not get a null report just because one epoch dropped out.

In the extreme case where someone requested to spend more budget than the per-site-epoch budget, they will get back a null report but not have lost any budget and they can call the API again later with a smaller epsilon to spend the budget.