‘The elephant in the room’: Companies persist with fingerprinting as a workaround to Apple’s new privacy rules
As Apple starts to flex its anti-privacy muscles, some companies are trying to stay one step ahead.
Some ad tech vendors like Adjust have immediately fallen in line. The mobile measurement firm quickly removed code that collected data like battery power and device memory that could be used to identify a unique device after the practice caused apps it was being used on to be rejected by Apple earlier this month. Other players, though, are doing the opposite. They’re using a version of fingerprinting that’s harder to track.
“The elephant in the room here is server-to-server fingerprinting,” said an ad tech executive who runs a mobile advertising business who spoke to Digiday on the condition of anonymity. “People will say you can’t, but there are ways to not to be found out.”
Here’s the reason: any type of fingerprinting is predicated on the ability to combine different attributes — like what operating system a device uses or the IP address of a device — to identify someone. It’s a much-maligned practice in these privacy-conscious times because the subject of the fingerprint doesn’t always know it exists. Still, it’s easy for a company like Apple to protect its users against this sort of tracking because it can usually see what data is being shared explicitly to the server by the SDK tools companies like Adjust weave into apps. It’s not so easy for Apple, however, to see what the server does with this data or any server-to-server connections. This is the blindspot some companies are using to continue to do fingerprinting beyond Apple’s purview.
“From the perspective of the SDK it’s indistinguishable between legitimate uses of data like IP address to make the apps work and fingerprinting,” said Rob Webster, chief strategy officer at media consultancy Canton. “There’s no way for Apple to see into the app via the SDK that this type of fingerprinting is happening,”
The publisher and advertiser will know as they’ll be able to do or see tracking and targeting at levels that should otherwise be impossible once Apple’s crackdown on in-app tracking starts.
“I spoke to someone recently in the identity space and they were pitching me the application of probabilistic matching across non-opted-in Apple uses like it was the way of the future,” said a chief revenue officer at a mobile publisher on condition of anonymity for fear of jeopardizing commercial deals. “At that moment I stopped the pitch there and said ‘no thanks’.”
It might seem odd for a publisher to completely discount the workaround, especially when the chances of being caught are slim. But the risks are not worth the reward. Not when publishers aren’t just responsible for what a business like Adjust does on their app, but also what they do on others. Apple won’t approve any app that works with a vendor it deems unsavory.
As the chief revenue officer explained: “We have a list of everyone we’re working with that Apple checks should anything go down. It’s effectively the names of the companies we’re willing to take a bullet for and I hope it isn’t very long.”
In other words, Apple is relying on the market to enforce its own rule for it. Call it the deterrent effect.
“Vendors won’t talk about this as fingerprinting, but you can pick apart what they mean by the language they use,” said the head of data partnerships at a global media agency who was not authorized to speak to Digiday.
It starts by asking about how the data is collected, said the exec. “Sometimes the vendor might say they have a series of HTTP information about a person’s device — that HTTP mention is the red flag that what that company is doing is server-side fingerprinting,’ the exec said.
Regardless, these instances should be few and far between in markets where the General Data Protection Regulation is applicable. After all, the data taken for fingerprinting is often done so without a person’s consent, which isn’t legal under the data privacy law unless whoever is doing the tracking has “legitimate interests” to do so.
“It’s not crazy to think that all this tracking could happen server-to-server,” said an ad tech exec. “My server would be talking to another server outside of a client, which Apple gates.”
Execs like this are in a precarious position. In order to compete for ad dollars, they have to do something that’s not permitted, but is what many of their rivals do. And until Apple is clearer on how it will enforce all aspects of its privacy rules, companies are going to continue to try their luck.
“Server-side fingerprinting has always existed, but few have had the incentive to use it — browser, or client, side buying has been more seamless and doesn’t have the efficacy concerns of not being able to opt-out,” said Wes Farris, vp of product, atDigilant. “Now, with data privacy concerns and regulations on the rise, the likelihood that server-side fingerprinting is blocked is high.”
The reality is tech companies like Apple will struggle to block everything from their own ecosystems otherwise the internet won’t work — companies wouldn’t be able to transfer data from point A to point B so a full lockdown isn’t possible without a replacement framework to filter information. That said, solutions must respect privacy laws, regulations and provide consumers with choices.
“I think as a whole the industry needs to do more to educate consumers both about their rights under current privacy laws as well as about the tech that powers the internet which we all benefit from,” said Michael Zacharski, CEO at Engine Media Exchange. “The trade-offs that happen are necessary to keep the economy of the open internet working — and the monetization for content creators needs to be made part of the privacy conversation.”
‘Not the future’: European publishers remain steadfast in blocking alternative IDs to third-party cookies
Some European publishers believe alternatives to the third-party cookies, probabilistic or deterministic, will do more harm than good to their ads businesses.
Media Briefing: Why Leaf Group spun off its media arm into a standalone company
World of Good's newly appointed CEO Lindsey Abramo spoke with Digiday about her plans to lean into experiential and embrace niche vs. scale.
Dentsu’s latest ad report shows slowed growth, driven mostly by inflation
The good news in Dentsu's ad forecast is that there's still growth. The bad news: most of the growth is the result of inflation, while real ad pricing actually dropped a bit.
SponsoredWhat the measurement and currency discussion really means to TV advertisers
Ali Mack, head of TV and agency, Experian Major streaming video providers have recently made headlines by adopting new currencies for ad measurement, threatening Nielsen’s long-standing TV ratings monopoly. NBCUniversal, for example, has certified iSpot and VideoAmp as currencies for advanced audiences and formed the Joint Industry Committee with Paramount, TelevisaUnivision and Warner Bros. Discovery. […]
How chef influencer Tue Nguyen works with the BuzzFeed Creator Network
BuzzFeed's Creator Network has been valuable from an audience and production education standpoint, but Nguyen still drives most of her business on her own.
Dentsu’s new Web3 readiness tool shines light on the tech’s potential to complement AI
Dentsu's Innovation Initiative is launching a web3 readiness index next month — at a time when the industry is obsessed with AI. Could the two technologies actually make a good pair?