The past month has seen a dramatic shift in browser-based user privacy, with the third-party cookie looking set to crumble.
In their latest update to Safari, Apple has implemented the next version of Intelligent Tracking Prevention, referred to as ITP 2.2, thus further weakening cross-site tracking capabilities. This story has slipped under the radar though, given the long-touted release of privacy tools on Google’s Chrome browser which, although less stringent than Apple’s attack on the third-party cookie, has attracted far more attention given Chrome’s dominance of the browser market. Here we examine the technical aspects of the protocols, the tech giants’ rationale behind implementing them, and future implications for the advertising industry.
The technical details
Whilst the exact mechanisms behind Chrome’s new privacy tools are unclear prior to launch, what is certain is that Google will allow users to block, clear, and control their third-party cookies in a much more granular way than what is currently possible through their browser. Moreover, Google will be lifting the lid on how data is used to personalise ads shown on their partner websites, through an open-source browser extension, with the purpose of enhancing ad transparency for the user. Other advertisers will also be able to contribute towards this once Google has launched compatible APIs.
In terms of ITP 2.2, the latest iteration builds upon the work of the predecessor versions by strictly limiting cross-site tracking via URL query string link decoration. These strings, such as click IDs, were previously able to be used as a way of monitoring user activity across different sites because scripts from ad networks, social networks, etc. can be augmented for tracking purposes. ITP 2.2 strongly inhibits these capabilities by capping all cookies from a specific page to a storage period of just a single day, if the particular site has cross-tracking abilities, and if the URL used during the navigation had a query string.
Workarounds: A wasted effort
Upon hearing the news of Google’s and Apple’s attempts to limit third-party cookie usage, many executives will have sent a flurry of emails to their development teams, asking if there were easy ways of circumnavigating these solutions. Whilst any way of avoiding Google’s anti-tracking tools will not become fully apparent until we see how they are implemented, they have publicly stated they will be ‘aggressively’ clamping down on fingerprinting, which entails the identification of users through cataloging their device attributes ranging from screen resolution to browser plugins.
Various workarounds have been suggested for ITP, ranging from simple client-side solutions to complicated server-side efforts. However the problem with using these workarounds is three-fold. Firstly any relatively easy way of sidestepping ITP is likely to be stamped out on the next update, similar to what we are seeing with tracking via link decoration, thus placing cross-site monitoring efforts back to square one. Secondly such workarounds are both time-consuming and expensive for development teams to handle. Finally some suggestions, such as establishing 302 redirects to pages without parameters, are simply deleterious to company health, in this case detrimental to SEO. Putting investment into cookie-less solutions is likely to prove far more beneficial.
Operating in their own interests: The cynical view
Given that they have well-established divisions in virtually every link of the advertising chain, the main benefit to Google of blocking tracking for other tech vendors is clear. That aim is to simply consolidate their dominant position. For example, take a rival tech behemoth, Amazon, who has been growing their share of the ad market at pace for several consecutive quarters. Whilst their first-party data gives them a strong ability to track shoppers within their own platform, restricting tracking on third-party sites limits their user reach, thus clipping the wings of their advertising capabilities. Being seen as giving the users choice into how they manage how companies track their activities on Chrome is also a useful PR exercise for Google, and may help prevent further GDPR-related fines being imposed.
The self-serving motivation behind Apple further enhancing ITP’s restrictive capabilities through v2.2 is similar to that of Google: forcing advertisers into sunbathing in their walled garden, thus consolidating their market position. The main target beneficiary of the Apple ITP play is their App Store, with a shifting of marketing budgets away from browsers to mobile platforms helping to further their cause. Whilst some may raise eyebrows at this and scoff that such a move also pushes ad spend towards advertising onto Google’s app ecosystem, Apple has significantly more market share in mobile compared to internet browsing, so any shift in budget towards mobile will benefit them.
Crouching tiger, hidden Google: Why future updates need to be monitored
Google’s position of being stuck between the rock of promoting user privacy and the hard place of anti-competition laws is well documented, which is likely to be why the firm decided to restrict cross-site tracking without completely bringing the axe down upon the third-party cookie. However, now the general framework is in place it will be much easier for the firm to launch seemingly minor updates that do not attract anything close to the same level of media attention as the initial launch. Say, for instance, Chrome’s privacy tools are first placed in several sub-menus that are hidden in advanced settings, but are then moved directly onto the main options page. This would surely lead to a significant increase in cookie blocking, but would not garner widespread fury.
Such a scenario could also be pertinent for their new transparency tools, whilst these will initially be available only through a browser extension, it could be relatively simple for Google to incorporate them into the standard Chrome package without too much mainstream media attention, whilst, in their own words, making it, "easy for people to switch off individual factors we use to tailor ads, stop seeing ads from a specific company or simply opt out of personalised ads entirely."
Driving meaningful industry-wide change: The optimistic view
Regardless of any hidden motivations behind Apple’s and Google’s decisions to restrict cross-site tracking, few can argue against it being necessary. Trust in the advertising industry hit a low ebb last year, with ad executives found to be less trusted than politicians, with user privacy concerns being a contributory factor. The hope is that Google and Apple have recognised this and are now starting to address these concerns in a meaningful way. This is backed up by the fact that Google has been working closely with IAB Europe behind the scenes to help shape the direction of their Transparency & Consent Framework (TCF) v2.0.
Measurement, attribution, and targeting all needed to be monitored going forward, with change necessary to restore user trust in the advertising world and penalise fraudulent players in the market. Whilst companies that rely on the third-party cookie and retargeting will undoubtedly struggle, there is a huge opportunity for the industry to work together to create new technologies for the benefit of users, publishers and ad tech. Whilst those in 'the 20%’ have been calling for such measures for years, the fact that the major tech platforms are also now engaging in the debate and creating solutions of their own can only be a good thing. Walter Knapp, CEO of Sovrn supported this view, stating: "The changes they have announced with how third-party data is handled and visible to consumers will, we hope, lead to a more transparent view into the personalisation between publisher and consumer. There is clearly a trend towards more transparent and consent-based approaches to consumer data collection and use. It’s a positive step for consumers, publishers, and advertisers. We believe these changes, as well as what we've seen from the other major browsers, could lead to a better consumer experience as publishers become better at managing their first-party and third-party data."
The ability for companies to pepper the web with innumerable third-party cookies that slowed site performance, and more importantly tracked users in a shady manner without their consent, is fundamentally wrong. That is not an attack against personalisation as a whole, take a wholly hypothetical example of a sports-loving editor with a shaved bonce, such an individual would much rather get adverts for rugby kits than for hair straighteners. But there is a better way of targeting ads than blindly following the consumer’s every move. Yes, common solutions, new technologies and compromises will have to be developed but, considering the financial clout and technical expertise within the ad industry, this is entirely possible.