A lull in the enforcement of Apple’s privacy safeguards causes confusion over fingerprinting

When rules aren’t enforced properly, confusion reigns.

Nowhere is this more apparent than in the confusion around what is and isn’t allowed when it comes to fingerprinting: data points gathered from a device that are used to identify someone across apps and sites.

Even some of the largest mobile measurement firms can’t seem to come to a consensus. Most agree fingerprinting won’t fly with Apple. The company’s main issue is that it is normally used to track its customers without their permission. But there are some mobile measurement firms that think it’s ok to cherry-pick certain techniques linked to fingerprinting as a way to smooth over the cracks caused by Apple’s App Tracking Transparency safeguard. Often, those techniques revolve around a process called “probabilistic attribution”.

Where things get really confusing is that fingerprinting is regularly used interchangeably with probabilistic attribution. Usually, it’s done to avoid some of the negative connotations associated with the practice. The reason: probabilistic attribution isn’t matching data from a device in order to uniquely identify it. Instead, it’s matching data from a device to estimate with some degree of certainty whether an ad made someone download an app.  

It’s an important distinction for some of the largest mobile measurement firms. They feel probabilistic matching is in line with how Apple helps marketers measure ad campaigns sans personal data, and so they aren’t doing anything wrong. But even if they were, it’s not like Apple’s around to tell them anyway. In fact, these efforts are like test cases to establish what it takes to be fully compliant with Apple’s privacy rules.

“Apple will have to keep a close eye on these approaches and enforce ATT against any implementations that are in violation, or risk the policy being completely toothless and consumer privacy commitments not being honored,” said eMarketer analyst Nicole Perrin. “And if that were to happen, I expect the industry will wise up to the ongoing lack of enforcement, encouraging everyone to take these steps to maintain a level playing field.”

Welcome to the unofficial grace period for Apple’s crackdown on in-app tracking where every risk is one worth taking until it’s not.

Mobile measurement firm Adjust recently sent an email to clients that said it would rename “fingerprinting” to “probabilistic matching” on May 20. But it has been at pains to stress that the two terms are not interchangeable. In a blog post, CEO Paul Müller tried to allay any concerns. To paraphrase Müller’s explanation, probabilistic matching isn’t fingerprinting because it doesn’t produce a persistent identifier. So Adjust can only measure what ad a user came from for clients who won’t be able to retarget them without the identifier.

This should be fine with Apple, according to Müller. And yet the company has still advised clients to read Apple’s policy when it comes to determining whether probabilistic attribution is compliant in their eyes. 

In other words, it’s a grey area. 

Yes, Adjust isn’t sharing the persistent ID with clients. And no, it’s not tracking or targeting users across sites or apps. But the company is promoting that it can provide probabilistic attribution when Apple’s mobile identifier isn’t available. Doing so means taking data collected about the device an ad was seen on (think impressions or clicks) and blending it with data taken from the app the ad promoted (like installs and events) to make probabilistic matches. They’re just not sharing it.

Apple could have problems with this if and when it does decide to enforce ATT. That’s because of its broad view on when it’s wrong for marketers to track iOS users. In a nutshell, Apple’s stance boils down to this: if the owner of one app pays the owner of another app for an ad placement then that is tracking because data from both are being merged to facilitate tracking and measurement. 

Should this happen without someone’s consent then it’s the advertiser and the publisher on the line even though the data processing was done by the mobile measurement firm. There’s no caveat from Apple to say tracking is fine if one of those firms does the matching. Apple makes it clear that any activity defined as tracking must have ATT consent.

“Ultimately these solutions will not work,” said Liam Brennan, global director of innovation, MediaCom. “When it comes to the conversation around user privacy and changes in the ID space, stopgaps are just weaker solutions or ways to try to avoid the ‘privacy police’ until they get caught.”

That’s not to say all probabilistic attribution is wrong in Apple’s eyes. After all, there are solutions out there capable of doing attribution this way without resorting to fingerprinting. But Apple needs to be a lot clearer about where it draws the line. 

“This lack of certainty is causing major issues for the ecosystem because anyone who truly wants to follow the spirit of the ATT policy is at a major competitive disadvantage right now,” said Alex Bauer, head of product marketing and market strategy at mobile ad tech startup Branch. “Even the most sincere companies can’t sustain that forever if Apple doesn’t follow through with what they’ve promised.”

Both AppsFlyer and Singular take the stance that Apple won’t be cool with probabilistic attribution without consent in the main. There are, however, exceptions based on their own take on Apple’s rules — specifically when it comes to instances when the same company owns both the media the ad appears in and the app it’s promoting. The rationale is that it’s just one company promoting its products, so data isn’t being shared without someone’s consent.

In the case of Singular, there’s a configuration option that a client must use to turn probabilistic attribution on when they want to track the performance of ads across media they own.

AppsFlyer has a similar option built into its dashboard. By default it provides aggregated data, i.e. marketers can only see aggregated data about the campaign, not the user. The theory seems to be that so long as the data AppsFlyer lets out of its system is no more granular than the data provided by SKAdNetwork, it can use whatever methods it wants (including fingerprinting).

In a statement, Barak Witkowski, vp of product at AppsFlyer, said: “Unlike fingerprinting, which seeks to maximize captured data points and create a unique identifier that can be used to track users over an extended period and across websites, AppsFlyer’s privacy-centric solutions seek to do the exact opposite — to minimize the captured data points and prevent the ability to create a unique and persistent identifier.”

But there’s nothing to stop clients of these companies from using these options whenever they see fit. If a marketer wanted to track people without getting their consent in order to get a sharper view of how ads performed they could do so at the flip of a switch. In fact, Digiday has seen an email from a mobile ad tech vendor advising clients to do just that.

“It allows these vendors to be ‘publicly compliant’, but while still providing an option that allows publishers and advertisers to maintain the status quo by violating Apple’s policy,” said the ad tech who shared the email but declined to be named as a result.

Until Apple starts enforcing its own ATT rules it’s hard to see how this situation changes. Not when it’s so easy to misuse the tools available to them to get around the tracking safeguards.

“We appear to be the only measurement and attribution provider that is complying with Apple rules. Apple does not say — it’s okay to match data from two separate companies provided that the data isn’t shared — or provided that it’s only exposed with a config switch,” said Charles Manning, CEO of Kochava. “Several ad networks are encouraging non-compliance by suggesting that brands should work with an MMP that doesn’t comply in order to get access to more inventory. This creates incentives for non-compliance, and it’s incumbent upon Apple to enforce their own rules.”  

Indeed, all this confusion raises questions over whether Apple is able to enforce ATT or if it has any real interest in enforcing it at all. Either way, the inaction could cause some unintended consequences down the line. 

Namely, it could undermine Apple’s privacy stance. Spurred by ATT, the company is telling customers that it can be their security blanket when it comes to protecting their privacy online. That there are marketers who are currently using this confusion to knowingly track people without consent is something that could contradict this stance.

“It’s in the genetic makeup of anyone who is in ad tech to push the line as far as they possibly can until they’re slapped because rules only matter if they’re enforced,” said a mobile ad tech executive.  

