How Apple is taming the ad biz. Just don't expect Google or Zuck to follow
Inside ITP, Safari's third-party cookie zapper
Can the world's biggest tech company tame the Wild West of the digital ad industry as its data slurping becomes ever more intrusive? Since Facebook and Google are essentially colluding with behavioural data collection, and Microsoft has given up the fight for user privacy, few companies have Apple's means or incentive. But for Apple, privacy doesn't hit its bottom line, and might even increase it.
All this makes the imminent arrival of its controversial third-party cookie zapper in Safari, ITP, so interesting. Last week Microsoft executive Steve Sinofsky said on Twitter that Apple had resisted pressure that Microsoft had succumbed to – and he wishes it hadn't.
Stand strong Apple [rhetorical]. Had these groups come after us trying to offer browsing safety. MS backed down. https://t.co/L4saQpdE7l— 🍪Steven Sinofsky ॐ (@stevesi) September 14, 2017
We gave you a quick overview earlier this week. Now let's dig down with Mike O'Neill, founder of Baycloud Systems, and a member of the W3C Tracking Protection Group that helped devise Do Not Track, a technology that lets browsers opt out of tracking by websites they do not visit.
ITP extends Apple's third-party cookie blocking by making sure that the user's interaction is really with a first-party site, by detecting their page clicks. If it is a first-party site, then all cookies are allowed to be stored.
If a third party has inserted itself into your web browsing, ITP takes action. If there has not been an interaction with that third party's domain for a day, then ITP quarantines the third party. If after 30 days, there has been no user interaction with that third-party site, that cookie is deleted completely.
O'Neil says Apple is stepping in where industry consensus failed.
"Obama got everyone together as a way to solve this problem, and said: 'Come up with a Do Not Track protocol, or we'll legislate.' So we did, but the adtech people flounced away – and there wasn't any comeback.
"Do Not Track indicates consent for third parties in a standard way that everyone can recognise. There's no agreement on the duration or naming of cookies, but Do Not Track ensures that every server receives a signal."
He welcomes Apple's ITP with some important qualifications.
"The result of this is it stops adtech companies, ad exchanges, third-party analytics that do not have a first-party presence tracking people, which is good. However, it is not much of a threat to the big players, such as Google, Facebook, Automattic, and so on, because they have sites that people visit every day: Google Search home page, and Facebook."
There's also an important loophole vital to behavioural advertising.
"It also does not stop 'cookie syncing', which is where first-party cookies, limited to their site by the Same Origin Policy, are correlated with each other via an intermediary domain. As long as the other first-party sites are visited within one day, then the intermediary third-party will still have its cookie so the two first-parties can be correlated."
Blame an outfit called Criteo. Criteo was found to be using a pretty ropey method to capture and redirect cookies to itself. It's smaller behavioural tracking companies that are most affected – and most upset.
"It's not really inhibiting the Googles or Facebooks of this world," said O'Neill. "It's hitting the little companies and the little companies say this is unfair. My response is tracking without consent is the problem."
He said it's also hitting reputable publishers (like The Register). Third-party tracking gathers behavioural information at one site then uses tracking to sell cheaper ad inventory on "a cheapskate Wordpress site" somewhere else.
This was acknowledged in a piece by DigiDay recently. Todd Sawicki of ad platform Zemanta pointed out: "Publishers that rely on third-party data vendors to sell the majority of their ads programmatically on open exchanges are most likely to be affected. The issue doesn't hurt publishers that get most of their revenue from direct sales." Premium publishers are less reliant on hypertargeting.
Apple makes its money from very expensive – you could even say overpriced – hardware. Its advertising business is negligible. It has every incentive to make its products more attractive by protecting people who buy its products. By contrast, Google and Facebook are the global ad duopoly that promises advertisers ever more precise targeting. It's an arms race of increasing data collection, but behavioural advertisers won't be happy until you have a brain implant. If Apple can't tame them, who can?
Not Microsoft. The company once used to warn users against being Scroogled when its new Edge browser appeared, O'Neil notes. It had Do Not Track turned on by default. Then it turned it off. Then it bought LinkedIn. ®
Sponsored: Becoming a Pragmatic Security Leader