Apple is continuing its whack-a-mole war against online tracking. Since introducing the Intelligent Tracking Prevention feature within its Safari browser in 2017 to limit companies’ abilities to track people around the web, Apple has had to semi-regularly update the feature to close loopholes that companies have been able to exploit to continue tracking people.
Apple’s latest ITP update — announced on Sept. 23 and included in the latest versions of Apple’s operating systems for its computers, iPhones and iPads — seals up the limits that it had introduced in two previous updates made this year. However, ITP 2.3 could have a broader impact on websites that use certain non-cookie-based web storage tools to maintain visitors’ preferences.
“The consequences of the cross-site tracking restrictions to date have been around persistent attribution with maybe limited impact on user experience. But this now heightens that impact and is probably more noticeable as a consequence,” said Sara Stevens, vp of identity, audience and measurement at digital marketing firm Conversant.
WTF is ITP 2.3?
The latest update to Safari’s Intelligent Tracking Prevention feature, ITP 2.3 aims to eliminate a workaround that enabled companies track people on other companies’ sites without relying on cookies.
Wait. I thought the last two updates to ITP were supposed to eliminate cookie-related workarounds?
They were, and they did. Earlier this year, Apple announced ITP 2.1 to curtail companies’ abilities to use first-party cookies to track people on third-party sites. Prior to that update, when someone clicked a link from one website to another, the first website could include an identifier in the destination URL that the second website would store within a first-party cookie and pass back to the first website in order for the first website to record what the person did on the second website; this practice is called cross-site tracking via link decoration and provided a way for companies to sidestep ITP’s previous crackdown on companies using third-party cookies for cross-site tracking. With ITP 2.1, Apple would delete these first-party cookies seven days after they were installed on a browser so that they could not be used to persistently track people around the web. In April, Apple announced ITP 2.2, which cut the first-party cookies’ lifespan to one day.
Got it. So then companies found a way to track people without using cookies?
Yes. Companies have been able to use the same link decoration practice to pass identifiers from one website to another, but instead of storing the IDs within a first-party cookie, they stored it within non-cookie-based web storage mechanisms, such as local storage.
WTF is local storage?
Local storage is similar to a cookie in that websites can use local storage to record information about a person visiting their site, such as an ID, and store that information on that person’s browser in order to quickly refer to it the next time that browser visits their site. The main difference between local storage and a cookie is that local storage can be used to stash more information than a cookie, which is why some websites use local storage to preserve people’s preferences when visiting a website.
How does ITP prevent companies from using non-cookie-based web storage for cross-site tracking?
If Safari sees that a company that it classifies as a cross-site tracker has decorated the link that a person clicks to visit another website, then it will delete all the non-cookie-based website data for that website from the person’s browser after seven days in which the person has continued to use Safari but not visited the site since clicking that link.
Safari will delete all non-cookie-based website data on the second site? Is that a problem?
It could be. There’s the evergreen caveat that, as of August 2019, Safari accounted for 15% of the global browser market compared to Google’s Chrome browser’s 64% market share, according to online traffic monitor StatCounter. Furthermore, if people typically visit a site at least once a week, then it’s probably not a problem because of the seven-day stipulation. That said, for sites that are visited somewhat regularly but less frequently than weekly, ITP 2.3 could be a problem. However, that also depends on whether a website uses these web storage tools and what information the site stores within them. According to Conversant vp of platform architecture Danny Avni, it’s “fairly common” for websites to use non-cookie-based web storage to save information that sites use to maintain the user experience, such as whether a person has already filled out a survey solicited by the site or at what volume a person prefers videos to play.
So the consequences of ITP 2.3 could extend beyond how ads are targeted and measured online?
Yes. Advertising-wise, ITP 2.3 is considered by programmatic advertising experts to be a fairly minor update. “I believe it pales in comparison to the cookie-related rules rolled out previously with ITP. These changes impact publishers/sites more so than advertising efforts from my vantage point,” said Amanda Martin, vp of enterprise partnerships at Goodway Group, in an email.
If anything, ITP 2.3 could be a positive for advertisers, particularly with regard to measurement and attribution. By deleting first-party cookies after 24 hours, ITP 2.2 effectively cut the measurement and attribution window from seven days to one day. ITP 2.3 re-extends the window to seven days so long as companies use non-cookie-based web storage to stash the identifier used for measurement and attribution, said Ameet Shah, vp of publisher and technology strategy at Prohaska Consulting.
What can sites that rely on these web storage tools do about this?
They can save information on their own servers instead of within these web storage tools. However, that would require time for these sites to switch to server-side storage, including rewriting their sites’ code, and would increase sites’ back-end costs because they would be storing more data on the server, said Avni.
Are there ways other than link decoration for companies to pass data from one site to another while staying under the radar?
Yes, but it’s no longer under the radar. Instead of decorating the link by attaching the ID data to the destination site’s URL, some companies were decorating their own URLs that get passed to the destination site as a referrer. Apple has picked up on this and will only let the destination site access the top-level domain information when checking for the referrer data. That is, instead of the destination site being able to read the full URL “http://example.com?id=1234,” the site will only receive “http://example.com.”
Will companies find other workarounds that Apple will have to cordon off?
Why the esports community’s toxicity is becoming the industry’s most enduring problem with brands
As fan blowback becomes a regular occurrence in esports, the industry is turning into a potential minefield for the brands looking to use it as a vehicle to reach gamers.
Terry Kawaja explains why he invested in Possible, the Dmexco founder’s new conference
Kawaja believes Possible will super-serve the intersection of marketing, media and tech like no other tentpole can. And he's invested his own money into it.
Execs are ignoring the dangers of ‘confidently incorrect’ AI and why it’s a massive problem
That means significant risks are emerging as companies rapidly race to re-orient themselves around ChatGPT without being aware of – or ignoring – the numerous pitfalls.
SponsoredIn a cookieless world, publishers are embracing new approaches to personalized UX
Asaf Shamly, CEO and co-founder, Browsi With user experience at the forefront of many publishers’ minds, the eventual deprecation of third-party cookies is bound to wreak havoc for those who haven’t quite figured out how to adjust their ad model to the coming change. The problem is well defined at this point: They can’t afford, […]
Why Chips Ahoy’s linear TV budget is crumbling in the face of new digital options
To keep up with Gen Z shoppers, Mondelēz-owned brand Chips Ahoy! is all but waving bon voyage to its linear television advertising budget in favor of digital advertising.
Google Pixel creates ad campaign to highlight the 50th anniversary of hip-hop
Google Pixel is highlighting the birth of hip-hop with a new, multi-touchpoint ad campaign.