Apple continues to close up loopholes in Safari’s anti-tracking feature, Intelligent Tracking Prevention.

In the latest update to ITP that was announced on April 24 and is currently being tested, Apple appears to be taking aim at the workaround that companies including Facebook and Google have rolled out since ITP’s introduction in 2017 that are meant to enable them to continue measuring traffic and attributing ads to site visits and online purchases on third-party sites.

ITP 2.2 does not disarm those workarounds entirely. Instead the update is largely intended to ensure that the companies are not using the workarounds to side-step Safari’s anti-tracking feature and persistently track people around the web.

ITP 2.2 significantly narrows the workarounds’ tracking window to 24 hours, restricting the ability of companies like Facebook and Google to measure traffic and attribute ads. “I expect that this has a big impact on attribution,” said Ameet Shah, vp of data and technology strategy at Prohaska Consulting. We break down what’s going on.

WTF is ITP again?
ITP is a feature that Apple added to Safari in 2017 to curtail companies’ abilities to monitor people’s browsing behavior when they visit other companies’ sites. Initially, Apple took aim at the third-party cookies that platforms like Facebook and Google, as well as a bevy of ad tech vendors, place on sites they don’t own that allow them to track people across the various sites that carry their third-party cookies. Then earlier this year, Apple updated ITP to account for a workaround that companies came up with in which they have a site drop a first-party cookie that mimics the functionality of the third-party cookie. With ITP 2.1, Safari deletes these first-party cookies seven days after they were installed on a browser.

If ITP 2.1 already affected these first-party cookie workarounds, what’s different about ITP 2.2?
ITP 2.2 cuts the first-party cookie’s lifespan from seven days to one day. As a result, the first-party cookies that Facebook and Google have introduced in order to continue measuring site traffic and attributing ads will be deleted after 24 hours. As a result, if a person clicks on an ad for a product on Friday and decides to take the weekend to think about buying, then the cookie wouldn’t be around on Monday to register when the person returns directly to the site to buy the product.

“Many actions advertisers are interested in attributing back to digital marketing efforts happen outside the newly implemented 24-hour window, creating a blind spot for advertisers and brands,” said Amanda Martin, vp of enterprise partnerships at Goodway Group.

I thought Apple was fine with companies using first-party cookies to attribute ads?
It was and still is. But it’s wary of companies taking advantage of that functionality to do more than attribute ads or analyze traffic, which is why ITP 2.2 only applies to a certain kind of first-party cookie.

What kind of first-party cookie does ITP 2.2 apply to?
It applies to the persistent first-party cookie that a site drops on a person’s browser on behalf of another company that Apple has determined is able to track people across multiple sites that it does not own. Specifically, the update is concerned with companies that use a method called link decoration to drop the first-party cookie and track people on the site. As it happens, Facebook’s and Google’s ITP workarounds employ link decoration to continue tracking Safari users on third-party sites.

WTF is link decoration?
Link decoration provides a way to attach information to a URL that a person clicks on in order to pass that information to the destination site. For example, let’s say you click a link in FakePublisher’s email newsletter to an article on its site. The newsletter can attach information to that URL — ex. http://fakepublisher.com?referrer=ouremailnewsletter — so that it knows a person navigated to its site by clicking a link in its email newsletter.

That sounds pretty common. What’s the problem?
The problem is that companies can use link decoration to pass information to other sites that enables them to persistently track a person on those sites. This practice is called cross-site tracking via link decoration, and it’s what Apple is addressing with ITP 2.2.

How does cross-site tracking via link decoration work?
It’s a three-step process that involves attaching a tracking monitor to a link, having the destination site store that tracking monitor and notifying the company that set the tracking monitor when the person who clicked on the link has visited the site, even if it has been days since the person clicked that initial link. Essentially, the link gets a unique identifier, which is then stored by the destination site in a first-party cookie. Then, when a page loads on a site with Facebook’s pixel or Google’s tag, those tracking mechanisms look for the first-party cookie, pull the click ID and send it to Facebook or Google, along with whatever other information that may be designed to attached, such as the page URL which enables them measure product purchases if it’s a transaction confirmation page. This enables Facebook and Google to track a person’s visits to the site long after they had clicked on the initial link, so long as the first-party cookie has not expired.

OK, but is this a big deal?
In some ways, yes. But it’s limited to Apple’s Safari browser, which limits the scope of its impact. On desktop, Safari accounted for only 4% of browser sessions worldwide in April 2019, according to NetMarketShare. However, for mobile, Safari accounted for 26% of browser sessions that month.

What are Facebook and Google doing about this?
Unclear.

“We have solutions in place to help our clients continue to measure their advertising in accordance with Apple’s policies,” said a Google spokesperson in an emailed statement.

“We are working with our partners to better understand these latest updates and how they affect Facebook. We plan to share more guidance for businesses in the future,” said Facebook spokesperson Joe Osborne in an emailed statement.

Facebook and Google could follow Microsoft’s example. In January 2018, the company’s advertising division introduced its own ITP workaround that is similar to Facebook’s and Google’s examples except that it uses a session cookie that expires once a person closes their Safari browser. ITP 2.2 only applies to persistent cookies that remain on the browser after it has been closed.

Are Facebook and Google the only companies affected by ITP 2.2?
No, though they are probably the biggest ones. ITP 2.2 would affect any company that uses link decoration to track people around the web. That includes ad tech vendors, measurement firms, affiliate marketers and certain types of influencers.

How would affiliate marketers and influencers be affected?
Publishers and individual bloggers use link decoration to get credit when people click on a product link featured on their sites and purchase the product on the merchant’s site. These publishers and bloggers would not be credited with a purchase made more than a day after a person clicked on that product link from their sites. Without that credit, the publisher or blogger may not be compensated for contributing to the purchase.

“That’s one key area that we’re going to start seeing companies or this market of small businesses start going out of business if they’re not going to get compensated properly. These are downstream impacts from those bad actors [that take advantage of link decoration to follow people around the web],” said Desiree Toto, vp of product development at affiliate marketing network CJ Affiliate.

  • LinkedIn Icon