How changes from Google and Apple impact privacy and fraud

5 min read

Opinion, 02/07/2021

Augustine Fou, Marketing Science Consulting

Topics

Marketers needn’t worry about the demise of third-party cookie and mobile ad ID-based user tracking. It will accidentally make their digital campaigns better, argues Dr. Augustine Fou.

More and more privacy tsunamis are hitting ad tech island, and that’s a good thing for consumers who didn’t know their information was being harvested and sold by hundreds of ad tech companies.

All of this was done without their knowledge, consent, or recourse (e.g. if there were errors in the data). Apple’s privacy changes started years ago with the elimination of third-party cookies from the Safari browser in iOS 13.4, and now extends to IDFAs (device identifiers) in iOS 14.5, and email tracking pixels or IP addresses in iOS 15.

Google will also be eliminating third-party (3P) cookies from Chrome, its browser with a two-thirds market share. Google announced last week that 3P cookie deprecation has been pushed back from 2022 to late 2023.

Ad tech companies whose technologies rely on 3P cookies to track users across different websites will be most adversely affected. They are all scrambling to find ‘workarounds’ to these privacy protections.

Most of them are going to adopt some form of ‘fingerprinting’. Fingerprinting uses device and browser characteristics to uniquely identify devices, e.g. operating system, browser type and version, list of plugins and fonts, screen resolution, etc.

When enough of these parameters are collected and smashed together, ad tech companies can uniquely identify the user. Such ‘fingerprints’ are stored on servers. This means users cannot see them or delete them, like they could with cookies stored in browsers on their devices.

The key to fingerprinting

One of the key ingredients in fingerprinting is the IP address. This is because an iPhone 12 Pro Max on one IP address is different from an identical iPhone on a different IP address – think household cable modem IP address or wireless IP address on mobile networks.

The IP address plus device and browser characteristics allow ad tech companies to identify the user even without cookies going forward. This means they can continue to harvest data and use that data to target ads to those users. However, when Apple does away with access to IP addresses, fingerprinting by ad tech companies will become unreliable, i.e. they won’t be able to tell apart identical iPhones without IP addresses.

That said, even if the fingerprints are unreliable, ad tech companies will continue selling their ad targeting services because most marketers are not tech-savvy enough to ask, let alone conduct their own technical evaluations to see if targeting was working at all. If they did, they would have concluded long ago that ad tech targeting is not as effective as ad tech companies have claimed.

The inferences of “who they are and what they like” based on which websites users visited are notoriously bad, and targeting based on such data is equally bad. When fingerprints become unreliable, too, it will be bad user identification layered on top of bad targeting layered on top of bad data. Advertisers would be better off with “spray and pray” campaigns.

What about campaign measurement?

Many advertisers are rightly concerned that the loss of 3P cookies, device identifiers, and IP addresses will mess up measurement and analytics. They are right, but they should not be concerned. This is because the ad tech measurement they are currently exposed to is built on layers of fiction, e.g. that an ad was targeted at an individual user, yielded higher click rates because it was more relevant, and resulted in a purchase.

Advertisers don’t need to know that a specific individual or device made the purchase or installed an app to know if their digital campaigns were successful. They just need to know that users or devices exposed to ads converted at a higher rate than users or devices that were not exposed to ads. This has worked well for decades in TV, print, and radio advertising. The basics of marketing are no different in digital.

Furthermore, the seemingly abundant details in digital campaign measurement cover up the fact that bot activity pervades digital marketing, not only in additional (false) traffic, but also fake audience segments, fake clicks, and falsified purchases.

Bots load webpages to create traffic; this generates more fake ads to sell in ad exchanges. Bots click on the ads to create the illusion of engagement. Bots visit select websites to pretend to be desirable audience segments that advertisers pay extra to target. Fraudsters harvest real device IDs and re-use them to defeat fraud detection. Criminals even falsify attribution and analytics data to make it appear that they drove purchases that had already occurred.

Some fraud will be harder to commit

Doing away with 3P cookies makes it harder for bots to pretend to be desirable audience segments, so it reduces that particular type of retargeting fraud. Doing away with device identifiers makes it harder for fraudsters to harvest real device identifiers and re-use them to pretend to be real devices and defeat fraud detection. Doing away with IP addresses makes it slightly harder for fraudsters to uniquely identify users and their devices and target them with ‘malvertising’ (ads laced with malicious code). This also reduces the usefulness of data center bot traffic disguised with residential proxy networks.

However, clever criminals have always found workarounds when needed to continue to make money and are likely to continue the practice. Remarketing fraud will likely continue unabated because it doesn’t rely on any of those three things: 3P cookies, device identifiers or IP addresses.

This type of fraud will still be done by inserting false data into Google Analytics to make it appear that particular purchases were caused by remarketing programs, when no ads were even run. This is exactly the same fraud that Uber faced – mobile exchanges falsified the attribution records to make it appear that millions of app installs were caused by their marketing programs, when in reality the app installs happened organically (users installed the app because they wanted to, without ever seeing and clicking an ad).

Affiliate fraud will also continue unabated because they use forced redirects, pop-unders, and self-clicking ads to drive real users to e-commerce merchant pages, complete with utm_source codes and affiliateIDs. That way they falsely claim affiliate commissions on sales they didn’t drive.

So what?

For marketers, these changes from Google and Apple will accidentally make their digital campaigns better. It reduces some forms of fraud and makes other forms of fraud harder to commit. If marketers don’t take advantage of these upcoming changes – if targeting cookies go away and there is no change in business outcomes compared to when targeting cookies were present, how good do you think those targeting cookies were in the first place? – they will continue to waste money on digital advertising. Seize the opportunity to look harder, ask harder questions and do differently.

About the author

Augustine Fou
Marketing Science Consulting

View all of Augustine Fou's Opinion posts

Blog author

Dr. Augustine Fou is a digital marketer of 25 years, and currently an independent cybersecurity and ad fraud investigator. Dr. Fou was Chief Marketing Science Officer at the Advertising Research Foundation and Group Chief Digital Officer at Omnicom’s Healthcare Consultancy Group, a $100 million agency group. Dr. Fou taught digital marketing at NYU and Rutgers University. He got his PhD, at the age of 23, in Materials Science & Engineering from MIT.

Get a demo

Topics

Send feedback

www.warc.com

All rights reserved including database rights. This electronic file is for the personal use of authorised users based at the subscribing company's office location. It may not be reproduced, posted on intranets, extranets or the internet, e-mailed, archived or shared electronically either within the purchaser's organisation or externally without express written permission from WARC.