Apple's CEO Tim Cook has been on a crusade against social media and ad companies that track users online. In one interview Cook reportedly stated that "To me it’s creepy when I look at something and all of a sudden it’s chasing me all the way across the web. I don’t like that." Neither do users when they understand the extent of ad tracking. Well, Apple isn't just talking about it any more. Today Apple's WebKit site introduced "Privacy Preserving Ad Click Attribution for the Web." The WebKit blog entry was written by John Wilander, WebKit Security & Privacy Engineer from Apple.
Wilander notes on his LinkedIn page: "My most significant work is Safari’s Intelligent Tracking Prevention—an on by default data policy that prevents cross-site tracking on the web. It uses a machine learning model to classify tracking abilities and restricts those abilities unless the user grants an exception."
According to Apple's WebKit announcement: "A typical website is made of numerous components coming from a wide variety of sources. Many of the sources that make up a website are opaque to the user, and some third-party resources are designed to identify and track users as they browse the web, often in order to retarget ads and measure ad campaign effectiveness.
The combination of third-party web tracking and ad campaign measurement has led many to conflate web privacy with a web free of advertisements. We think that’s a misunderstanding. Online ads and measurement of their effectiveness do not require Site A, where you clicked an ad, to learn that you purchased something on Site B. The only data needed for measurement is that someone who clicked an ad on Site A made a purchase on Site B.
Today we are presenting a new technology to allow attribution of ad clicks on the web while preserving user privacy. We used the following principles as we designed this technology:
- Users should not be uniquely identified across websites for the purposes of ad click attribution. This means the combined data of an ad click and a conversion should not be attributable to a single user at web scale. To achieve this, our design has the following properties:
  - Up to 64 ad campaigns can be measured in parallel per website where ads are placed and advertiser. This low number means ad campaign IDs cannot be turned into user identifiers.
  - Up to 64 conversion events can be distinguished on the advertiser’s own website. This means conversion IDs are also restricted from being turned into user identifiers.
- Only websites that users visit should be involved in measuring ad clicks and conversions. This means that opaque third-parties should not receive ad click attribution reports and we enforce it by requiring that the ad link is part of a first-party webpage and by only reporting on which first-party website a conversion happened.
- The browser should act on behalf of the user and do its best to preserve privacy while reporting on ad click attribution. We achieve this by:
  - Sending attribution reports in a dedicated Private Browsing Mode even though the user is in regular browsing mode.
  - Disallowing data like cookies for reporting purposes.
  - Delaying reports randomly between 24 and 48 hours.
  - Not supporting Privacy Preserving Ad Click Attribution at all when the user is in Private Browsing Mode.
- The browser vendor should not learn about the user’s ad clicks or conversions. For this reason, we designed the feature to do all of its work on-device. The browser vendor does not see any of the ad click attribution data.
Critically, our solution avoids placing trust in any of the parties involved — the ad network, the merchant, or any other intermediaries — and dramatically limits the entropy of data passed between them to prevent communication of a tracking identifier.
Below is WebKit's "Step 3: Send Out Ad Click Attribution Data" Graphic.
For ad click attribution to happen, some bits of data about what happened across two websites need to be sent. Today’s practice of ad click attribution has no practical limit on the bits of data, which allows for full cross-site tracking of users using cookies. This is privacy invasive and thus we are obliged to prevent such ad click attribution from happening in Safari and WebKit.
But by keeping the entropy of attribution data low enough, we believe the reporting can be done in a privacy preserving way.
Here is a summary of our privacy considerations for Privacy Preserving Ad Click Attribution:
- Only links served on first-party pages should be able to store ad click attribution data. This ensures that users have a chance of understanding how Privacy Preserving Ad Click Attribution works.
- Neither the website where the ad click happens nor the website where the conversion happens should be able to see whether ad click data has been stored, has been matched, or is scheduled for reporting.
- Ad clicks should only be stored for a limited time, such as a week. Users cannot be expected to understand that a purchase they make today is attributed to an ad click they made months ago.
- The entropy of both ad campaign ID and conversion data needs to be restricted to a point where this data cannot be repurposed for cross-site tracking of users. We propose six bits each for these two pieces of data, or values between 0 and 63.
- Ad click attribution requests should be delayed randomly between 24 to 48 hours. This makes sure that a conversion that happens shortly after an ad click will not allow for speculative cross-site profiling of the user. The randomness in the delay makes sure the request does not in itself reveal when during the day the conversion happened.
- The browser should not guarantee any specific order in which multiple ad click attribution requests are sent, since the order itself could be abused to increase the entropy and allow for cross-site tracking of users.
- The browser should use an ephemeral session (a.k.a. private or incognito mode) to make ad click attribution requests.
- The browser should not use or accept any credentials such as cookies, client certificates, or Basic Authentication in ad click attribution requests or responses.
- The browser should offer a way to turn ad click attribution on and off. We intend to have the default setting to be on to encourage websites to move to this technology and abandon general cross-site tracking.
- The browser should not enable ad click attribution in private/incognito mode."
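To make the privacy properties listed above concrete, here is an added example (not WebKit's code, and not part of the announcement) that models the browser-side behaviour in plain JavaScript: a six-bit campaign ID and a six-bit conversion ID, clicks accepted only from first-party links in regular browsing, a one-week click lifetime, a random 24 to 48 hour report delay, shuffled report order, and a report request that omits all credentials. The names (`AttributionStore`, `storeClick`, `recordConversion`, `dueReports`, `reportRequest`) and the recipient of the report are assumptions made for illustration, not an API defined by WebKit.

```javascript
// Added example, not WebKit's implementation: an in-memory model of the
// Privacy Preserving Ad Click Attribution properties described above.
// Names (AttributionStore, storeClick, recordConversion, dueReports,
// reportRequest) are assumptions for illustration only.

const ID_BITS = 6;                            // six bits each for campaign and conversion IDs
const MAX_ID = (1 << ID_BITS) - 1;            // 63
const HOUR_MS = 60 * 60 * 1000;
const CLICK_LIFETIME_MS = 7 * 24 * HOUR_MS;   // "a limited time, such as a week"
const MIN_DELAY_MS = 24 * HOUR_MS;
const MAX_DELAY_MS = 48 * HOUR_MS;

// Cross-site information one report can carry: 12 bits, i.e. 4096 distinct
// values, far too few to single out one user at web scale.
function reportEntropyBits() {
  return 2 * ID_BITS;
}

function isValidId(id) {
  return Number.isInteger(id) && id >= 0 && id <= MAX_ID;
}

class AttributionStore {
  // `now` and `random` are injectable so delay and expiry can be tested deterministically.
  constructor({ now = () => Date.now(), random = Math.random } = {}) {
    this.now = now;
    this.random = random;
    this.clicks = new Map();   // "source|destination" -> { campaignId, clickedAt, ... }
    this.pending = [];         // scheduled reports
  }

  // Record an ad click. Rejected when the link is not on a first-party page,
  // when the browser is in Private Browsing Mode, or when the campaign ID
  // exceeds six bits. The boolean is for the browser, never exposed to the page.
  storeClick({ sourceSite, destinationSite, campaignId, isFirstPartyLink, privateBrowsing }) {
    if (privateBrowsing || !isFirstPartyLink || !isValidId(campaignId)) return false;
    const key = `${sourceSite}|${destinationSite}`;
    this.clicks.set(key, { sourceSite, destinationSite, campaignId, clickedAt: this.now() });
    return true;
  }

  // Record a conversion on the destination site. Matches the unexpired click for
  // (sourceSite, destinationSite) and schedules a report after a random 24-48 h delay.
  recordConversion({ sourceSite, destinationSite, conversionId, privateBrowsing }) {
    if (privateBrowsing || !isValidId(conversionId)) return false;
    const key = `${sourceSite}|${destinationSite}`;
    const click = this.clicks.get(key);
    if (!click) return false;
    const t = this.now();
    if (t - click.clickedAt > CLICK_LIFETIME_MS) {  // stale click: discard, no attribution
      this.clicks.delete(key);
      return false;
    }
    const delay = MIN_DELAY_MS + this.random() * (MAX_DELAY_MS - MIN_DELAY_MS);
    this.pending.push({
      sendAt: t + delay,
      report: { sourceSite, destinationSite, campaignId: click.campaignId, conversionId },
    });
    this.clicks.delete(key);   // one attribution per stored click
    return true;
  }

  // Reports whose delay has elapsed, returned in shuffled order so that the
  // order itself cannot be used as extra entropy.
  dueReports() {
    const t = this.now();
    const due = this.pending.filter(p => p.sendAt <= t);
    this.pending = this.pending.filter(p => p.sendAt > t);
    for (let i = due.length - 1; i > 0; i--) {   // Fisher-Yates shuffle
      const j = Math.floor(this.random() * (i + 1));
      [due[i], due[j]] = [due[j], due[i]];
    }
    return due.map(p => p.report);
  }
}

// How the browser would deliver one report: addressed to the first-party site
// where the ad was placed (an assumption about the recipient), from an
// ephemeral session, with cookies and other credentials omitted.
function reportRequest(report) {
  return {
    recipient: report.sourceSite,
    method: 'POST',
    body: { conversionSite: report.destinationSite, campaignId: report.campaignId, conversionId: report.conversionId },
    credentials: 'omit',
    session: 'ephemeral',
  };
}
```

To exercise it, construct a store with a fake clock, call `storeClick` for a first-party link with `campaignId` 5, advance the clock an hour, call `recordConversion` with `conversionId` 9, and observe that `dueReports()` stays empty until the 24 to 48 hour delay has elapsed; the only cross-site data in the resulting report is the pair of six-bit IDs and the two first-party site names.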
For more details, see the WebKit post "Privacy Preserving Ad Click Attribution for the Web." The post also covers debugging the link attributes, debugging storage of ad clicks, debugging conversions, detecting successful conversions, receiving conversion reports, and more.
The timing is interesting: Firefox version 67, which was introduced yesterday, also makes a point of its fight against ad tracking, as you can see in the Firefox graphic below, which is shown when version 67 starts up.