‘The elephant in the room’: Companies persist with fingerprinting as a workaround to Apple’s new privacy rules

Some ad tech vendors like Adjust have immediately fallen in line. The mobile measurement firm quickly removed code that collected data like battery power and device memory that could be used to identify a unique device after the practice caused apps it was being used on to be rejected by Apple earlier this month. Other players, though, are doing the opposite. They’re using a version of fingerprinting that’s harder to track. 

“The elephant in the room here is server-to-server fingerprinting,” said an ad tech executive who runs a mobile advertising business who spoke to Digiday on the condition of anonymity. “People will say you can’t, but there are ways to not to be found out.”

Here’s the reason: any type of fingerprinting is predicated on the ability to combine different attributes — like what operating system a device uses or the IP address of a device — to identify someone. It’s a much-maligned practice in these privacy-conscious times because the subject of the fingerprint doesn’t always know it exists. Still, it’s easy for a company like Apple to protect its users against this sort of tracking because it can usually see what data is being shared explicitly to the server by the SDK tools companies like Adjust weave into apps. It’s not so easy for Apple, however, to see what the server does with this data or any server-to-server connections. This is the blindspot some companies are using to continue to do fingerprinting beyond Apple’s purview. 

“From the perspective of the SDK it’s indistinguishable between legitimate uses of data like IP address to make the apps work and fingerprinting,” said Rob Webster, chief strategy officer at media consultancy Canton. “There’s no way for Apple to see into the app via the SDK that this type of fingerprinting is happening,” 

The publisher and advertiser will know as they’ll be able to do or see tracking and targeting at levels that should otherwise be impossible once Apple’s crackdown on in-app tracking starts. 

“I spoke to someone recently in the identity space and they were pitching me the application of probabilistic matching across non-opted-in Apple uses like it was the way of the future,” said a chief revenue officer at a mobile publisher on condition of anonymity for fear of jeopardizing commercial deals. “At that moment I stopped the pitch there and said ‘no thanks’.”

It might seem odd for a publisher to completely discount the workaround, especially when the chances of being caught are slim. But the risks are not worth the reward. Not when publishers aren’t just responsible for what a business like Adjust does on their app, but also what they do on others. Apple won’t approve any app that works with a vendor it deems unsavory.

As the chief revenue officer explained: “We have a list of everyone we’re working with that Apple checks should anything go down. It’s effectively the names of the companies we’re willing to take a bullet for and I hope it isn’t very long.”

In other words, Apple is relying on the market to enforce its own rule for it. Call it the deterrent effect. 

“Vendors won’t talk about this as fingerprinting, but you can pick apart what they mean by the language they use,” said the head of data partnerships at a global media agency who was not authorized to speak to Digiday.

It starts by asking about how the data is collected, said the exec. “Sometimes the vendor might say they have a series of HTTP information about a person’s device — that HTTP mention is the red flag that what that company is doing is server-side fingerprinting,’ the exec said.

Regardless, these instances should be few and far between in markets where the General Data Protection Regulation is applicable. After all, the data taken for fingerprinting is often done so without a person’s consent, which isn’t legal under the data privacy law unless whoever is doing the tracking has “legitimate interests” to do so.

“It’s not crazy to think that all this tracking could happen server-to-server,” said an ad tech exec. “My server would be talking to another server outside of a client, which Apple gates.”

Execs like this are in a precarious position. In order to compete for ad dollars, they have to do something that’s not permitted, but is what many of their rivals do. And until Apple is clearer on how it will enforce all aspects of its privacy rules, companies are going to continue to try their luck. 

“Server-side fingerprinting has always existed, but few have had the incentive to use it — browser, or client, side buying has been more seamless and doesn’t have the efficacy concerns of not being able to opt-out,” said Wes Farris, vp of product, atDigilant. “Now, with data privacy concerns and regulations on the rise, the likelihood that server-side fingerprinting is blocked is high.”

The reality is tech companies like Apple will struggle to block everything from their own ecosystems otherwise the internet won’t work — companies wouldn’t be able to transfer data from point A to point B so a full lockdown isn’t possible without a replacement framework to filter information. That said, solutions must respect privacy laws, regulations and provide consumers with choices. 

“I think as a whole the industry needs to do more to educate consumers both about their rights under current privacy laws as well as about the tech that powers the internet which we all benefit from,” said  Michael Zacharski, CEO at Engine Media Exchange. “The trade-offs that happen are necessary to keep the economy of the open internet working — and the monetization for content creators needs to be made part of the privacy conversation.”