Data & Analytics Consultant
Earlier this week, Apple announced at it’s WWDC 2018 it will implement new security features to its Safari web browser. One of these new features is the second version of Intelligent Tracking Prevention (ITP), which was first released by Apple in March last year.
It’s still uncertain exactly what the ramification of ITP 2.0 will be, however the first version of ITP had a dramatic impact on the advertising technology industry.
ITP is designed to prevent unwanted third parties from collecting user data without their knowledge. It uses a machine learning model to manage cookies. All data collection and classification happens on-device.
ITP 2.0 immediately partitions cookies it determines to have tracking abilities, removing the 24 hour window after the last website interaction allowed in ITP. Authenticated embeds can get access to their first party cookies through the Storage Access API.
ITP 2.0 adds a prompt to WebKit’s implementation of the Storage Access API. When a user selects ‘Allow’, Safari remembers their choice and blocks access when ‘Don’t allow’ is selected.
ITP 2.0 detects third parties making use of “first party bounce trackers”, purging their website data.
Apple security engineer John Wilander describes how ITP 2.0 prevents trackers from helping each other identify users (tracker collusion):
“Through our research, we found that cross-site trackers help each other identify the user. This is basically one tracker telling another tracker that “I think it’s user ABC,” at which point the second tracker tells a third tracker “Hey, Tracker One thinks it’s user ABC and I think it’s user XYZ.” We call this tracker collusion, and ITP 2.0 detects this behavior through a collusion graph and classifies all involved parties as trackers.”
Any third party requests (including analytics and remarketing tags) making use of first party bounce trackers or tracker collusion can be blocked by ITP 2.0.
Even when ITP purges website data, trackers still receive the referrer header. This contains the full page url (e.g. https://example.com/product/baby/strollers/deluxe-stroller-navy-blue), providing valuable data to third parties showing which page the user is currently on.
ITP 2.0 will only send the domain name (e.g. https://example.com) for third party requests to domains that have been classified as possible trackers and have not received user interaction.
With Safari holding 15% of the global browser market, these new measures dramatically limit the tracking ability of marketing technology companies and the advertising industry has responded with complaints that they face unrivalled disruption to their business model.
Specifically, a technique known as device “fingerprinting” (a way of identifying users across different websites and devices without relying on cookie technology) will be rendered almost impossible with the update to ITP. This technique relies on data such as a user’s browser operating system versions and browser add-ins, which Apple’s browsers will now suppress as standard. However these techniques are far from mainstream, so this change is unlikely to significantly disrupt operations for advertisers or ad-tech providers.
Of greater concern will be the changes to the way Apple’s browser handles cookies. In an open letter to Apple, the American Association of Advertising Agencies (4A’s), American Advertising Federation (AAF), Association of National Advertisers (ANA), Data & Marketing Association (DMA), Interactive Advertising Bureau (IAB) and Network Advertising Initiative (NAI) wrote:
"We strongly encourage Apple to rethink its plan to impose its own cookie standards and risk disrupting the valuable digital advertising ecosystem that funds much of today's digital content and services".
Apple responded by saying:
“Ad tracking technology has become so pervasive that it is possible for ad tracking companies to recreate the majority of a person’s web browsing history. This information is collected without permission and is used for ad re-targeting, which is how ads follow people around the internet.”
Apple offer the following guidelines:
Make sure your web analytics don’t rely on third party cookies from domains with no user interaction. You can still implement cross-site tracking using link decoration, passing information cross-site using url parameters.
Apple recommend server-side storage for attribution of ad impressions on your website. You can also use link decoration to pass attribution information.
The new security features will be available in iOS 12 and macOS Mojave which are due to be released this autumn. Both are currently available in beta.
We believe that moving too slowly in digital is the biggest risk your business faces. If you are ready to move faster in digital, we are here to help.
GET IN TOUCH