The Involuntary Fear: Intelligent Tracking Prevention

Yet again, an Apple internet privacy update has the digital advertising world in a frenzy. This time it’s called Intelligent Tracking Prevention (ITP), released in Safari with the latest updates, High Sierra (desktop) and iOS 11 (mobile).

It’s described as a privacy system that uses a machine-learning model to identify domains used to track internet users cross-site.  If flagged, a domain’s cookies will only be available to use for their intended purpose for 24 hours unless the domain is visited again by the user.  Cookies flagged by this system will be purged completely from the user’s browser 30 days after the domain has been visited.

In practice, as long as a cookie is associated with a website a user has visited in the last 24 hours, nothing much will change. But ad networks that use domains a user would never knowingly visit to store cookies for tracking and ad serving face having their cookies partitioned and deactivated after 24 hours. The Display retargeting industry, which relies on a massive proliferation of browser cookies to identify which ads to serve when and where, faces the biggest impact.

The principles of ITP will undoubtedly bring the much-maligned browser cookie back into focus.  Cookies have long been a staple part of online tracking systems, but the first/third party definition has generally been misunderstood. To think about how Safari’s ITP will impact advertising companies we have to remind ourselves how to think about the cookies that are used by online advertisers.

First and third party cookies are an urban myth. They don’t really exist. Indeed, first/third party is a definition Safari has always avoided in its privacy settings. A browser like Safari maintains a collection of cookies. It receives a request from a website to store a cookie and it adds the cookie to the collection. The distinction between these cookies only exists within the context of a visit to a website. If a cookie is associated with a file requested from the same domain as the page the user is visiting, it’s a first-party cookie. A cookie associated with a file requested from a different domain is a third-party cookie. Safari’s privacy settings have never cared about how a cookie is served. They have always been focused on whether a user has tried to interact with the domain that serves the cookie.

HTTP redirects have long been associated with third-party cookies in click-based online advertising – the idea that a user clicks on an online ad and is sent to another website to complete an action. Ad networks typically use a 302 (temporary) redirect to send a user from a piece of advertising on one site to the focus of the advertising on another site, which is normally an e-commerce company.

When a redirect URL is clicked, the user’s browser identifies the redirect domain as the first party.

- So if a browser requests http://redirect.another-tracker.com/?goto=client1.com/index.html

- The target page is http://client1.com/index.html

- But along the way a cookie will be requested and set for another-tracker.com. Since the request is to "another-tracker.com" and the cookie is for "another-tracker.com", the browser considers this first party.

This is a widely used method of redirection that has been in use by ad networks and tracking companies for years.  Understanding this journey is important for ITP. Click based tracking solutions that use 302 redirects to set tracking cookies should not be affected by ITP, because the browser considers the redirect to be a visit, albeit a very brief one.
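The rules described so far (the 24-hour and 30-day windows, and a redirect hop counting as a visit) can be put into a small model; this is an added example that follows the article's description and is not Safari's or WebKit's code. `BrowserModel`, `partyOf`, `site` and the `display-net.example` and `news.example` domains are hypothetical names.

```javascript
// Added illustration, not WebKit code: a toy model of ITP as this article describes it.
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;

// Naive site key: the last two host labels (assumption; real browsers use the Public Suffix List).
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// First/third party only exists relative to the page currently being visited.
function partyOf(pageUrl, resourceUrl) {
  return site(pageUrl) === site(resourceUrl) ? 'first-party' : 'third-party';
}

class BrowserModel {
  constructor(flaggedSites) {
    this.flagged = new Set(flaggedSites); // sites the classifier has flagged as cross-site trackers
    this.lastVisit = new Map();           // site -> time (ms) of the last top-level visit
  }

  // Top-level navigation: every hop of a redirect chain counts as a brief visit.
  navigate(hops, now) {
    for (const url of hops) this.lastVisit.set(site(url), now);
  }

  // State of a site's cookies when it is embedded as a third party at time `now`.
  cookieState(resourceUrl, now) {
    const s = site(resourceUrl);
    if (!this.flagged.has(s)) return 'usable';
    // Assumption: a flagged site with no recorded visit is treated as past its 24-hour window.
    if (!this.lastVisit.has(s)) return 'partitioned';
    const age = now - this.lastVisit.get(s);
    if (age <= DAY) return 'usable';
    return age <= 30 * DAY ? 'partitioned' : 'purged';
  }
}

// Constructed scenario: the article's click redirect, plus a display network that is never visited.
function demo() {
  const click = 'http://redirect.another-tracker.com/?goto=client1.com/index.html';
  const b = new BrowserModel(['another-tracker.com', 'display-net.example']);
  b.navigate([click, 'http://client1.com/index.html'], 0);
  const states = (url) => [12 * HOUR, 2 * DAY, 31 * DAY].map((t) => b.cookieState(url, t));
  return {
    duringClick: partyOf(click, 'http://another-tracker.com/'),
    embeddedLater: partyOf('http://news.example/story', 'http://redirect.another-tracker.com/px'),
    clickTracker: states('http://another-tracker.com/px'),
    displayNetwork: states('http://px.display-net.example/p.gif'),
  };
}

console.log(demo());
```

In this model the click tracker's window restarts with every click-through, while the display network, which is only ever embedded, never reaches the usable state.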

Of course ad networks are not just trying to send a user from one piece of advertising to a target website. They also want to collect data when a user views a webpage. This is the traditional definition of third-party – a cookie set by a domain other than the one a user has visited. This use case is common for Display and Email retargeting. It’s also used by companies doing cross-platform customer recognition, and is commonly used for what the ad industry calls ‘conversion tracking’ or knowing that a user has completed an action on a website.

ITP is likely to have a bigger impact on ad networks like Display networks, Video advertising, retargeters and Influencer networks that operate by tracking using domains the user will never visit or even see.  Six major advertising trade groups wrote an open letter to Apple saying the new ITP system was taking a “unilateral and heavy-handed approach” to internet privacy.  Apple’s response was unequivocal.  Internet privacy should be sacrosanct for all users and ITP is aimed at preventing tracking without permission, not legitimately published internet advertising. This is an important distinction.

Short of open letters and malevolent press releases, it will be interesting to see the response of online ad companies to ITP. History tells us that the ad networks will hit back. Circumventing internet privacy has been big business in the ad industry for a decade, from the use of Local Shared Objects to replace cookies, multiple domain redirection and browser caching to IP and user agent matching and device fingerprinting. Ad companies are rarely caught short of clever ideas to ensure their tracking gets through.

Google was one of the first companies to respond to ITP, by changing the domain used to set an important AdWords conversion cookie. Instead of the traditional third-party googleadservices.com it will use a cookie titled ‘gac_cookie’ to store AdWords conversion data when auto-tagging is turned on. Other ad networks use similar methods to write a first-party cookie from the host domain; however, it normally requires the company to have a deep integration with the host domain – something the Google Analytics JavaScript allows Google to achieve. Expect other companies to follow suit.

Of course, Google and Facebook have an inherent advantage in dealing with internet privacy restrictions – be it on a device, browser or software level. They control huge amounts of logged-in, first-party data. Most of us log in to a Facebook or Google service every day. Both services also work as a kind of permanent login, used to access sites without a separate password. As a result, most users stay logged in to Google and Facebook as long as they’re online, and this makes them much more able to meet the 24-hour visit requirement of ITP than companies like AdRoll or Criteo that rely significantly on data collected from other websites.

Apple’s own press on ITP advocates the use of server-side scripting for data storage. This simply means the action, be it an action to serve an ad or to collect a piece of data, takes place on a web server rather than in the user’s browser.  While sound technical advice, changing the way an ad network operates isn’t going to happen at the flick of a switch, nor is it going to be cheap. 

The impact of ITP will also be fundamentally determined by the popularity of Safari, which has a 30% share of all mobile browsing sessions, but only a 4% share of desktop traffic. Apple have not built ITP because they are the self-anointed protector of internet privacy. They want to grow Safari’s market share. With internet usage undergoing a fundamental mobile shift they are certainly backing the right horse, but the impact of ITP would certainly be worse if it were running on Google Chrome! Oh, but just to cheer up the ad industry they recently announced the release of a machine-learned ad blocker for Chrome anticipated next year.  Just like online advertising, online ad prevention is here to stay.