In this episode, we explain Apple’s soon-to-be-introduced privacy manifests, which could be the beginning of the end for fingerprinting/probabilistic attribution, which could seriously impact performance for advertisers that still rely on fingerprinting/probabilistic networks.
***
ABOUT ROCKETSHIP HQ: Website | LinkedIn | Twitter | YouTube
FULL TRANSCRIPT BELOW
One of the reasons why the performance of many ad networks post-ATT has been relatively strong is that they’ve relied on what has been called probabilistic matching – which is effectively device fingerprinting – to measure performance, and optimize campaign performance.
Firstly, how does device fingerprinting(or probabilistic matching) work?
Probabilistic matching or device fingerprinting looks at specific data points on a user’s device – including IP address, free storage, battery level, volume level etc.
By looking at a combination of these data points, an ad network SDK can identify a device in a way that is nearly unique.
And how does this allow tracking?
An ad network SDK could say: “ok, this is a device that is an iPhone 13 running on iOS 16 from IP address XYZ, battery level 90% at such and such a time. Let’s call this device ABC”.
“I see device ABC with specific characteristics saw an ad impression today – AND I also saw that a device with very similar characteristics made an install and a first purchase today.
I can say with reasonable confidence that this is the same device belonging to the same user that saw the ad – and made the purchase.
Therefore let me attribute the install and purchase to this campaign – and also try to target more users with similar device characteristics as they are more likely to purchase.”
**
So that is how device fingerprinting or probabilistic matching has worked – and because of this, probabilistic matching has attained stronger measurement and performance than SKAN.
**
BUT that party is likely to end soon.
Why? Because of the privacy manifests that Apple announced in this year’s WWDC.
**
What are privacy manifests?
A privacy manifest is a file that will have 4 sub sections:
NSPrivacyTracking: does an app or SDK use data for tracking(as defined by Apple)(Y/N)?
NSPrivacyTrackingDomains: domains or SDKs in an app that engage in ‘tracking’. If a user has not consented to the ATT prompt, any network requests to these will not go through
NSPrivacyCollectedDataTypes. The types of data collected by the app or SDK
NSPrivacyAccessesAPITypes: APIs accessed by an app or SDK that are ‘restricted'(or require reasons to access).
**
How does this kill fingerprinting?
Apple is going to announce a new list of third party SDKs that it calls ‘privacy impacting SDKs’ which must include a Privacy Manifest file and a code signature from the SDK developer.
So: if you have an ad network SDK that is deemed by Apple to be ‘privacy impacting,’ the SDK is expected to declare *why* they are accessing data that could be used for fingerprinting(for instance, battery level, file size etc.)
While obviously the onus is on the SDK to report truthfully, and technically they could lie about their reasons for accessing user data(for instance, they could say they are accessing battery or OS versions for personalizing the user experience and not for ad targeting), BUT they are accountable for consequences – which could include rejection of the app from the app stores.
As per Apple’s documentation:
“If you determine that the domains your app connects to are using data sent from your app to track people, declare them in your privacy manifest and ask for permission to track under the App Tracking Transparency framework.”
and
“The operating system blocks network requests to declared tracking domains when the user has not granted tracking permission.”
**
All of this is to say that if there is an SDK that is declaring privacy manifests as doing probabilistic fingerprinting, then it is going to get blocked by the operating system if it tries to ‘track’ opted out users(as these SDKs may be doing now).
And if the SDK lies in its privacy manifests or declares incorrectly, then it’s likely the app gets disapproved during the app store review process.
And if you’re a marketer that is currently relying on probabilistic matching based SDKs, you should start making contingency plans. SKAN is imperfect and messy – but it’s the best safe alternative for now.
**
A REQUEST BEFORE YOU GO
I have a very important favor to ask, which as those of you who know me know I don’t do often. If you get any pleasure or inspiration from this episode, could you PLEASE leave a review on your favorite podcasting platform – be it iTunes, Overcast, Spotify, or wherever you get your podcast fix? This podcast is very much a labor of love – and each episode takes many many hours to put together. When you write a review, it will not only be a great deal of encouragement to us, but it will also support getting the word out about the Mobile User Acquisition Show.
Constructive criticism and suggestions for improvement are welcome, whether on podcasting platforms – or by email to shamanth@rocketshiphq.com. We read all reviews & I want to make this podcast better.
Thank you – and I look forward to seeing you with the next episode!