Apple has built a strong reputation as a leader in tech innovation, and has stayed at the forefront of user privacy protection as well. With its most recent update of iOS 11 and Safari, the company is taking the privacy of its customers one step further with a brand new feature known as Intelligent Tracking Prevention.
What is Intelligent Tracking Prevention?
Intelligent Tracking Prevention is a new feature of WebKit, the open-source web-browser engine that powers Apple’s Safari web browser, among others. It ships in the new release of Safari 11 and iOS 11.
The feature aims to further protect users’ online privacy by changing the way Safari handles first-party cookies.
How Does Intelligent Tracking Prevention Work?
Before Intelligent Tracking Prevention, Safari desktop and mobile browsers blocked third-party cookies by default and allowed iOS users to block ads by installing Safari extensions, aka content blockers (available from iOS 9 onwards).
First-party cookies have traditionally been safe from any sort of automatic blocking or removal, as they are responsible for providing a seamless user experience.
For example, first-party cookies can keep the session information open, which can remember things like:
- Your login status, which can be used to keep you logged in to websites and applications.
- Which products you added to shopping carts.
- Website settings, such as which language version you have chosen.
- Values you’ve entered into forms (e.g. name, email, and company on a white paper download form).
However, some first-party cookies can be used to track users in the same way as third-party cookies, and the new release of Safari 11 takes aim at this very activity.
When First-Party Cookies Become Trackers
Most people don’t associate first-party cookies with trackers, but there are certain situations where this is possible, and this is where things start to get a bit tricky.
To help explain this point, let’s look at an example of how a first-party cookie could be used to track users across the Internet while using Safari (either desktop or mobile).
Example #1 – A User Clicks on an Ad
Here is what happens in this example:
- The user visits a website and a first-party cookie (xzy890) is created by the website in its domain (example.com) and assigned to the user.
- The user then clicks on the ad and is directed to the AdTech platform’s domain (ad.ads-r-us.com).
- The AdTech platform creates a first-party cookie (klm456) under its domain (i.e. ad.ads-r-us.com) and assigns it to the user.
- The AdTech platform then redirects the browser to the advertiser’s landing page (www.usedcarsite.com).
It’s important to note that the AdTech platform is able to create a first-party cookie only because the user clicked on the ad and was then directed to the AdTech platform’s domain. If the user had not clicked on the ad, then the AdTech platform wouldn’t have been able to create a third-party cookie, as Safari blocks them by default.
As the AdTech platform has created a first-party cookie under its domain (ads-r-us.com) and assigned it to the user, it can now track the user as they move around the web and serve them with personalized ads.
However, this ability for first-party cookies to act as trackers has changed slightly with the latest release of Safari 11.
Here’s a brief breakdown of how Intelligent Tracking Prevention works:
1. Intelligent Tracking Prevention incorporates a machine-learning model (known as the Machine Learning Classifier) to assess which privately controlled domains have the ability to track users across different websites. This model is based on statistics collected by the browser.
2. If the Machine Learning Classifier identifies that a particular domain’s first-party cookie (e.g. one set by ad.ads-r-us.com) can be used for tracking, then the user will have to interact with the site at the main-domain level (i.e. access the website directly) within a certain time frame, otherwise the cookies will lose their third-party capabilities and be purged (tech talk for deleted).
Let’s explore some possible scenarios using the example located above (Example #1):
The user visits ads-r-us.com (i.e. the main domain) within 24 hours after clicking on the ad. The first-party cookies from ads-r-us.com will be able to function as third-party trackers from then on.
In this case, the cookie can now be used in a third-party context, e.g. for retargeting.
The user doesn’t visit ads-r-us.com within 24 hours of clicking on the ad. However, they do visit the site 3 days after clicking on the ad.
In this case, as the user didn’t visit ads-r-us.com within 24 hours, the cookie created by ads-r-us.com cannot be used in a third-party context – e.g. it can’t be used for ad retargeting, and the AdTech platform would have to display a non-retargeted ad to the user.
The user doesn’t access ads-r-us.com at all within 30 days of clicking on the ad.
In this case, the first-party cookie created by ads-r-us.com will be purged.
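The three scenarios above can be expressed as a small decision function. This is an added example that models the timing rules as this article describes them; it is not WebKit's code, and the function name, state labels and sample timeline are assumptions made for illustration.

```javascript
// Added example, not WebKit code. Names and state labels are hypothetical.
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;
const THIRD_PARTY_WINDOW = 24 * HOUR; // the article's "within 24 hours"
const PURGE_AFTER = 30 * DAY;         // the article's "within 30 days"

// clickTime: when the ad click created the cookie (ms since epoch).
// mainDomainVisits: times the user opened the main domain directly.
// now: the moment at which the cookie's state is evaluated.
function cookieState(clickTime, mainDomainVisits, now) {
  if (now < clickTime) throw new RangeError("now precedes the ad click");
  // Only visits that have already happened can influence the state.
  const offsets = mainDomainVisits
    .filter((t) => t >= clickTime && t <= now)
    .map((t) => t - clickTime);
  const age = now - clickTime;

  // Scenario 1: a direct visit inside the 24-hour window.
  if (offsets.some((o) => o <= THIRD_PARTY_WINDOW)) return "third-party-capable";
  // Assumption: until the window closes the cookie has not yet lost anything.
  if (age <= THIRD_PARTY_WINDOW) return "third-party-capable";
  // Scenario 3: no direct visit during the first 30 days.
  if (age > PURGE_AFTER && !offsets.some((o) => o <= PURGE_AFTER)) return "purged";
  // Scenario 2: the cookie survives but only in a first-party context.
  return "first-party-only";
}

// Constructed timeline: one ad click, evaluated under the three scenarios.
const click = Date.UTC(2017, 8, 20);
function demo() {
  return {
    scenario1: cookieState(click, [click + 5 * HOUR], click + 10 * DAY),
    scenario2: cookieState(click, [click + 3 * DAY], click + 4 * DAY),
    scenario3: cookieState(click, [], click + 31 * DAY),
  };
}
console.log(demo());
```

A visit that only happens after the 30-day mark does not rescue the cookie in this model, because the purge has already taken place by then.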
Which Companies or Services Are NOT Affected By Intelligent Tracking Prevention?
The Intelligent Tracking Prevention feature is just another example of a privacy update that threatens the very thing upon which online advertising depends — cookies.
However, there are some companies that may not be affected too much by the Safari 11 and iOS 11 release.
Web Analytics and Other Marketing Software Relying on First-Party Cookies
As long as the first-party cookie is used only in a first-party context, as is the case with Google Analytics or Piwik PRO Marketing Suite, then Intelligent Tracking Prevention will not block the software from setting cookies.
For example, if the Piwik PRO tag were installed on the www.example.com website, then it would set the cookie under the www.example.com domain. This cookie isn’t used in a third-party context because the software is used only within the www.example.com domain. Now if Piwik PRO were used to analyze a different site, e.g. www.usedcarsite.com, then it would have a separate cookie set in the www.usedcarsite.com domain along with a separate site ID in the database.
Self-Hosted and White-Labeled Software
Most companies that use self-hosted software won’t be affected by this change as in most cases the software is hosted under a subdomain (e.g. software.example.com), meaning first-party cookies will still be created when a user visits their site.
Also, some cloud-based software can be configured so that the software points to the client’s subdomain. This practice is known as custom domain support or domain white labeling.
However, there are very few AdTech companies that provide on-premises versions of their software or domain white labeling, mainly because:
- The user will be bound to a specific client, meaning they can’t track them across a whole customer base.
- The cookie-syncing process would have to be carried out separately for each custom domain, making it an unscalable model as it would have to support hundreds or thousands of customers.
It’s important to note that this point applies to all popular platforms in the ecosystem, such as data-management platforms (DMPs) and other marketing software. Companies will have to make changes to how their marketing and advertising tools handle third-party cookies or use one that can be self-hosted and white-labeled.
Walled-Garden Advertising Ecosystems
While companies like Facebook and Amazon won’t be fully immune to Intelligent Tracking Prevention, they won’t be affected in the same way as other AdTech companies.
The reason for this comes back to the concept of first-party cookies. As explained above, if a visitor accesses their Facebook account (i.e. via facebook.com), then Facebook will assign a first-party cookie to that user. If that user then accesses a different site, let’s say mycookingsite.com, then an advertiser using Facebook’s ad network (known as Audience Network) will be able to display targeted ads to them.
Because most users visit Facebook and Amazon on a regular basis, their first-party cookies will be active for longer and the risk of them being purged is quite low.
Google, on the other hand, may experience some issues with these new changes, as most of their AdTech platforms are hosted under the DoubleClick domain (i.e. doubleclick.net), not the Google domain. Only time will tell whether Google moves all their advertising technology products to their Google domain.
Major advertising groups have criticized Apple for releasing Intelligent Tracking Prevention, as they feel it will threaten the economic model of the Internet, even though Safari browsers account for only about 14% of total browser usage across all devices. Still, the feature’s introduction is just one of many changes the online advertising industry will have to adjust to.
With the GDPR and ePrivacy set to come into force in 2018, all companies operating in the digital advertising ecosystem will need to put more of a focus on protecting user privacy and complying with new privacy laws.
For the most part, this will involve making major policy changes and a lot of innovation.