In this article
An overview of ITP 2.3 and what affect it will have on Publishers and Permutive
ITP 2.3 is a follow-on from the changes Apple made a few months ago with ITP 2.2 and it focuses on link decoration.
This is not an attack on publishers; instead, it is another move to restrict the use of workarounds when it comes to third parties who are using publisher sites to track users across domains.
For this update, Apple requires the help of publishers to protect the data users entrust to them from being used by third parties.
Why has Apple made this change?
Apple best summarises this in the following quote from their blog post: “Site owners have been convinced to deploy third-party scripts on their websites for years. Now those scripts are being repurposed to circumvent browsers’ protections against third-party tracking. By limiting the ability to use any script-writable storage for cross-site tracking purposes, ITP 2.3 makes sure that third-party scripts cannot leverage the storage powers they have gained over all these websites."
What is Apple referring to when they say 'link decoration'?
Link decoration allows data to be passed alongside URLs. Third parties are manipulating this to allow Personally Identifiable Information (e.g. user identifiers) to be passed across domains, enabling cross-domain tracking.
This has been an issue that privacy advocates have focused on for years, and it's one of the main techniques that allows companies to track people around the web.
Example: Pre-ITP 2.2, query params were used to pass identifiers and other information directly in the URL. For example, pub.com?user_id=123. In ITP 2.2, Apple targeted those use-cases by reducing the time-to-expiry of client-side cookies to 24 hours. Companies began to circumvent this by using a redirect service: instead of linking to pub.com?user_id=123 directly, a company would link to redirect.com?user_id=123&dest=pub.com. The user would be redirected to pub.com without the URL parameters, but could still access the user_id by looking at the referrer URL, which would be redirect.com?user_id=123&dest=pub.com
Will this affect publishers?
The release of ITP 2.3 is not an attack on publishers. Apple is maintaining its policy and continuing efforts to protect user privacy by preventing cross-domain tracking by third parties. These changes will restrict the use of local storage in situations where ITP identifies that publisher traffic is being used by third parties for cross-domain tracking.
Apple has placed the onus on publishers to close this loophole. This also means it is within your control to resolve any impact you may see.
ITP 2.3's restriction will only affect users from referrers that fit Apple's criteria, i.e., users coming from a tracking domain which also has URL parameters. (Apple uses on-device learning to identify tracking domains.)
The following examples (correct as of Sept 27, 2019) show how different referrers will be affected by Apple's criteria:
- Google is likely classified as a tracking domain. However, they have taken the step to remove link decoration - so traffic from Google won't be affected.
- The New York Times utilizes link decoration. However the New York Times is likely not classified as a tracking domain - so traffic from the New York Times won't be affected.
- Facebook is likely classified as a tracking domain, and also utilizes link decoration. Therefore traffic from Facebook will be affected as both criteria are fulfilled.
Apple is unable to distinguish between genuine and nefarious uses of link decoration and is, therefore, applying a blanket policy, stating "WebKit often has no technical means to distinguish valid uses from tracking, and doesn’t know what the parties involved will do with the collected data, either now or in the future."
Will this affect Permutive?
By default, Permutive will remain unaffected.
To protect user privacy, look-back for users referred by domains deemed under ITP to be cross-domain trackers may be limited to 7 days until the publisher implements the changes recommended by Apple (detailed below).
To protect user privacy, data for users referred to URLs with link decoration by domains deemed to be cross-domain trackers may be cleared after seven days until the publisher implements the changes recommended by Apple (detailed below).
What action should I take?
Apple has made its intentions and policy clear and will continue to crack down on third-party cross-domain tracking, which publishers can unintentionally facilitate by accepting link decoration.
We recommend that you take Apple's advice and read through their directions for developers which were first published with the release of ITP 2.2. We have included an excerpt below and discuss it in a more detailed blog post here. Within this, Apple lays out a recommendation for publishers to prevent cross-domain tracking by filtering out trackers’ link decoration.
To support publishers, we have also released guidance for developers on how to implement Apple's suggestions to filter trackers' link decoration.
Article is closed for comments.