Apple arms web browser privacy torpedo, points it directly at Google's advertising model

Safari tech ready to be ignored by online ad giants like all other privacy proposals

Apple's WebKit team, which develops the plumbing beneath the iGiant's Safari browser, has proposed a way that online ads can be measured while maintaining the privacy of those browsing the internet.

The proposal is called Privacy Preserving Ad Click Attribution For the Web and it's available for testing as an experimental feature in Safari Technology Preview 82+. It's a way of providing click attribution – linking an ad click to an event like a purchase – that lets advertisers measure ad effectiveness without relying on potentially invasive cross-site tracking.

"Critically, our solution avoids placing trust in any of the parties involved — the ad network, the merchant, or any other intermediaries — and dramatically limits the entropy of data passed between them to prevent communication of a tracking identifier," explains John Wilander, a web engineer at Apple, in a blog post.

In a typical scenario, an internet user conducting a Google Search might see an ad displayed in a list of search results and click on it to buy the advertised item. The store web page would request a tracking pixel from Google to report back user interactions, in order to attribute the purchase to the search ad.

The new WebKit mechanism would have Google, or whatever site is hosting the ad, store the ad click. The destination site would connect conversions – desired actions like a purchase – to the stored ad click. It would do so by using a tracking pixel request to Google that gets redirected back to the merchant site to confirm an ad campaign identified by a specific number worked.

The proposal limits ad campaign identifiers to a range from 0 to 63 in order to prevent the number from becoming a unique identifier.

The task of reporting the attribution to the ad source would fall to the browser. "Once the browser has matched a conversion against a stored ad click, it sets a timer, randomized between 24 and 48 hours," explains Wilander. "When that timer fires, the browser makes an ephemeral, stateless POST request to the same well-known location."
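A minimal model of the browser-side flow described above, added here as an illustration and not WebKit's code or API. The class and method names, the keying by source and destination site, the one-report-per-click rule and the placeholder well-known path are assumptions; the 0 to 63 campaign range and the 24 to 48 hour delay come from the article.

```javascript
// Added illustration: models the browser-side bookkeeping the article describes.
// All names, the report shape and the well-known path are assumptions.
const MAX_CAMPAIGN_ID = 63;            // article: campaign IDs limited to 0..63
const HOUR_MS = 60 * 60 * 1000;

class AttributionStore {
  constructor(random = Math.random) {
    this.random = random;              // injectable so the delay can be tested
    this.clicks = new Map();           // "source|destination" -> campaign ID
    this.pending = [];                 // reports waiting for their timer
  }

  // Called when the user clicks an ad on `source` that leads to `destination`.
  storeClick(source, destination, campaignId) {
    const ok = Number.isInteger(campaignId) &&
               campaignId >= 0 && campaignId <= MAX_CAMPAIGN_ID;
    if (!ok) return false;             // too much entropy: could encode a user ID
    this.clicks.set(`${source}|${destination}`, campaignId);
    return true;
  }

  // Called when `destination` signals a conversion for an ad shown on `source`.
  recordConversion(source, destination, nowMs) {
    const key = `${source}|${destination}`;
    if (!this.clicks.has(key)) return null;     // no stored click, nothing to report
    const campaignId = this.clicks.get(key);
    this.clicks.delete(key);                    // assumption: one report per click
    const delayMs = (24 + this.random() * 24) * HOUR_MS;  // randomized 24..48 h
    const report = { source, campaignId, sendAtMs: nowMs + delayMs };
    this.pending.push(report);
    return report;
  }

  // Returns the requests whose timer has fired. Each one is stateless:
  // no cookies, no user identifier, only the low-entropy campaign ID.
  dueReports(nowMs) {
    const due = this.pending.filter((r) => r.sendAtMs <= nowMs);
    this.pending = this.pending.filter((r) => r.sendAtMs > nowMs);
    return due.map((r) => ({
      method: "POST",
      // "<attribution-path>" is a placeholder, not the real well-known path.
      url: `https://${r.source}/.well-known/<attribution-path>/${r.campaignId}`,
      credentials: "omit",
    }));
  }
}
```

Because the delay decouples the report from the moment of purchase and the request carries at most six bits of campaign data, the ad source learns that a campaign converted, not which visitor did.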

Handy, but marketing

The proposal is consistent with Apple's attempt to occupy the moral high-ground of technology by championing privacy at the expense of the surveillance capitalism embodied by Google and Facebook. Note this is for Western iThing users only; if you're a Chinese customer, privacy is just a distant dream.

Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, expressed enthusiasm for Apple's ad tech in an email to The Register.

"The protocol is great, but it may be too big of a change for most ad tech to understand and then deploy," he said.

"Simple things like order numbers won't be leaked in plain text as query strings on the url; and important things like user IDs are also not leaked in the same way. For years, ad tech middlemen have been harvesting user IDs by simply reading them off the urls since they were literally in plain text and even conveniently marked for them."

Consumers may find Apple's promise of privacy appealing but the ad industry isn't exactly clamoring to know less. Fou said this isn't something the ad industry wants. "It will be ignored, delayed, suppressed, and argued against, like DNT and every other privacy initiative before it," he said.

However, given recent political interest in revisiting ad tracking limitations, there's a chance regulators may get behind Apple's proposal.

The technology doesn't address ad fraud specifically – which is a broad topic – but could help reduce a specific form of it, ad attribution fraud. Fou explains that's when miscreants click the attribution URL repeatedly to ensure they are the last click and thus get paid the attribution bounty.

Apple's attribution scheme also isn't a complete privacy solution for the web; rather it needs to be considered in conjunction with other info-limiting systems like the company's Intelligent Tracking Protection.

Fou doesn't see the technology as a threat to Google's data gathering – look to Amazon for that. "Google can scan users' Gmails to see what items they bought," he said. "That is why Amazon removed the list of products from order confirmation emails and requires the user to click and login to Amazon to see the order details."

If privacy-preserving attribution takes hold, the hardest hit companies are likely to be marketing attribution platforms, said Fou. ®

Biting the hand that feeds IT © 1998–2022