Apple is continuing its whack-a-mole war against online tracking. Since introducing the Intelligent Tracking Prevention feature within its Safari browser in 2017 to limit companies’ abilities to track people around the web, Apple has had to semi-regularly update the feature to close loopholes that companies have been able to exploit to continue tracking people.
Apple’s latest ITP update — announced on Sept. 23 and included in the latest versions of Apple’s operating systems for its computers, iPhones and iPads — seals up the limits that it had introduced in two previous updates made this year. However, ITP 2.3 could have a broader impact on websites that use certain non-cookie-based web storage tools to maintain visitors’ preferences.
“The consequences of the cross-site tracking restrictions to date have been around persistent attribution with maybe limited impact on user experience. But this now heightens that impact and is probably more noticeable as a consequence,” said Sara Stevens, vp of identity, audience and measurement at digital marketing firm Conversant.
WTF is ITP 2.3?
The latest update to Safari’s Intelligent Tracking Prevention feature, ITP 2.3 aims to eliminate a workaround that enabled companies track people on other companies’ sites without relying on cookies.
Wait. I thought the last two updates to ITP were supposed to eliminate cookie-related workarounds?
They were, and they did. Earlier this year, Apple announced ITP 2.1 to curtail companies’ abilities to use first-party cookies to track people on third-party sites. Prior to that update, when someone clicked a link from one website to another, the first website could include an identifier in the destination URL that the second website would store within a first-party cookie and pass back to the first website in order for the first website to record what the person did on the second website; this practice is called cross-site tracking via link decoration and provided a way for companies to sidestep ITP’s previous crackdown on companies using third-party cookies for cross-site tracking. With ITP 2.1, Apple would delete these first-party cookies seven days after they were installed on a browser so that they could not be used to persistently track people around the web. In April, Apple announced ITP 2.2, which cut the first-party cookies’ lifespan to one day.
Got it. So then companies found a way to track people without using cookies?
Yes. Companies have been able to use the same link decoration practice to pass identifiers from one website to another, but instead of storing the IDs within a first-party cookie, they stored it within non-cookie-based web storage mechanisms, such as local storage.
WTF is local storage?
Local storage is similar to a cookie in that websites can use local storage to record information about a person visiting their site, such as an ID, and store that information on that person’s browser in order to quickly refer to it the next time that browser visits their site. The main difference between local storage and a cookie is that local storage can be used to stash more information than a cookie, which is why some websites use local storage to preserve people’s preferences when visiting a website.
How does ITP prevent companies from using non-cookie-based web storage for cross-site tracking?
If Safari sees that a company that it classifies as a cross-site tracker has decorated the link that a person clicks to visit another website, then it will delete all the non-cookie-based website data for that website from the person’s browser after seven days in which the person has continued to use Safari but not visited the site since clicking that link.
Safari will delete all non-cookie-based website data on the second site? Is that a problem?
It could be. There’s the evergreen caveat that, as of August 2019, Safari accounted for 15% of the global browser market compared to Google’s Chrome browser’s 64% market share, according to online traffic monitor StatCounter. Furthermore, if people typically visit a site at least once a week, then it’s probably not a problem because of the seven-day stipulation. That said, for sites that are visited somewhat regularly but less frequently than weekly, ITP 2.3 could be a problem. However, that also depends on whether a website uses these web storage tools and what information the site stores within them. According to Conversant vp of platform architecture Danny Avni, it’s “fairly common” for websites to use non-cookie-based web storage to save information that sites use to maintain the user experience, such as whether a person has already filled out a survey solicited by the site or at what volume a person prefers videos to play.
So the consequences of ITP 2.3 could extend beyond how ads are targeted and measured online?
Yes. Advertising-wise, ITP 2.3 is considered by programmatic advertising experts to be a fairly minor update. “I believe it pales in comparison to the cookie-related rules rolled out previously with ITP. These changes impact publishers/sites more so than advertising efforts from my vantage point,” said Amanda Martin, vp of enterprise partnerships at Goodway Group, in an email.
If anything, ITP 2.3 could be a positive for advertisers, particularly with regard to measurement and attribution. By deleting first-party cookies after 24 hours, ITP 2.2 effectively cut the measurement and attribution window from seven days to one day. ITP 2.3 re-extends the window to seven days so long as companies use non-cookie-based web storage to stash the identifier used for measurement and attribution, said Ameet Shah, vp of publisher and technology strategy at Prohaska Consulting.
What can sites that rely on these web storage tools do about this?
They can save information on their own servers instead of within these web storage tools. However, that would require time for these sites to switch to server-side storage, including rewriting their sites’ code, and would increase sites’ back-end costs because they would be storing more data on the server, said Avni.
Are there ways other than link decoration for companies to pass data from one site to another while staying under the radar?
Yes, but it’s no longer under the radar. Instead of decorating the link by attaching the ID data to the destination site’s URL, some companies were decorating their own URLs that get passed to the destination site as a referrer. Apple has picked up on this and will only let the destination site access the top-level domain information when checking for the referrer data. That is, instead of the destination site being able to read the full URL “http://example.com?id=1234,” the site will only receive “http://example.com.”
Will companies find other workarounds that Apple will have to cordon off?
How the layoffs at Upcomer show the challenges of public ownership in esports media
Enthusiast’s lack of a seemingly cohesive strategy for Upcomer is a reflection of the broader challenges it faces as a gaming and esports holding company that is, at the moment, one of the few publicly traded firms in the industry.
‘A lot of investment and commitment’: Manchester City ramps up esports efforts
Early forays from football teams into esports were conservative to say the least, opting to stay close to football and focus on competitive events for the Fifa football series.
How Blue Apron meal kit is revamping its marketing strategy with digital video
Returning to advertising after two years, DTC Blue Apron is diversifying its media spend with video advertising to boost brand awareness.
SponsoredHow marketers and retailers are unlocking the true value of retail media
Ben Kneen, senior director of product management, Xandr It’s a challenging time for retailers in the advertising industry. As they cope with supply chain woes and inflation-related pressures, they seek high-margin revenue streams amid evolving privacy regulations and massive shifts in identity solutions — including IDFA, the deprecation of third-party cookies and more. In light […]
Why Snap and Saber Interactive are promoting the release of Evil Dead: The Game with an AR magazine cover
As augmented and virtual reality technologies continue to become more widespread, game developers like Saber are likely to continue leaning into this type of immersive activation — and, at the moment, Snap might be the most advanced and accessible AR platform with a gaming audience.
Fortnite Creative’s creator economy represents the future of metaversal brand activations
Fortnite Creative — a workshop mode where players can design their own levels similarly to Roblox or Minecraft — lets brands bring their vision for metaversal activations to life, sometimes without working with Epic Games at all.