Why your MMP still isn’t iOS 14 safe
Is your mobile measurement partner creating risk for your business?
That’s a question every major mobile developer on the planet has to ask right now.
Last week we witnessed a massive event with Apple rejecting apps due to a measurement SDK that violated Apple’s privacy rules. Ever since the release of AppTrackingTransparency, much of the discussion has been around enforcement, and more specifically: will Apple really enforce their policies, even when it comes to hard-to-identify violations like fingerprinting?
I think that after last week, we got the answer that Apple is dead serious, and companies interpreting their policies in naive ways, or simply ignoring them, will be paying a price.
As we enter a new era of marketing attribution on mobile, courtesy of Apple’s iOS 14, I thought it would be helpful to share how Singular interprets the rules, how our competitors see it, and share some tips on how to avoid getting your app kicked from the app store.
First: what Apple wants
While we can’t speak for Apple, we believe it’s been very clear that Apple has staked its brand on the promise of privacy.
With the introduction of iOS 14, and the AppTrackingTransparency framework, Apple clearly stated that brands or ad-tech companies who want to track devices or users, must obtain explicit permission. Absent that permission, Apple has provided a framework called SKAdNetwork, which is their answer to a privacy-safe form of marketing attribution.
In the past, discussions around privacy mostly revolved around the IDFA and its deprecation, since it has been the key identifier for tracking. With ATT however, Apple has actually broadened the scope of tracking, and stated multiple times that the technology you use does not matter.
The tracking is what matters.
Very recently and in an unusual move, coinciding with some app update rejections, Apple sent a reminder to its developers, reiterating that ATT is indeed coming and reinforcing what should happen when you fail to receive the user’s permission to track:
“Unless you receive permission from the user to enable tracking, the device’s advertising identifier value will be all zeros and you may not track them.”
The “and” is critical here. It’s not just a case of asking for permission to the IDFA and if you fail to get it — find another way to track them. It’s asking for permission to do any form of tracking, and failing to get it means “you may not track them”.
By any method available.
Every MMP’s response to Apple’s guidelines
While Apple is becoming more clear and direct about their intentions, MMPs have been interpreting Apple’s intentions quite differently from one another.
Here’s what all the MMPs agree about when it comes to iOS 14.5:
- Every MMP still supports IDFA-based attribution when ATT permission is granted
- Every MMP will support SKAdNetwork, to varying degrees and with varying quality
- Every MMP will perform fingerprinting between owned & operated assets
Aside from these points however, you will start finding different interpretations among the MMPs.
I believe those different interpretations were a natural product of the chasm we’re all crossing ever since the announcement of ATT in WWDC 2020, and in this chasm, companies have encountered a lot of gaps:
- Gaps with the SKAdNetwork solution and the market readiness
- Gaps with Apple’s vague/confusing guidelines
- Gaps with how monumental and disruptive this shift could be for advertisers and the entire app ecosystem
To provide more color, let’s walk through where each MMP is right now (April 12th 2021), as best we can determine.
AppsFlyer supports SKAdNetwork, but considers it insufficient. As such, they have launched an alternative measurement solution to overcome the gaps of SKAdNetwork, which they call “Aggregated Advanced Privacy” (AAP). AAP provides WAY more granular measurement than what SKAN offers, and AppsFlyer claims that the solution “aims to prevent cross-site tracking and the ability to uniquely identify a user or device.”
The use of the word “aims” is critical here.
Essentially, Aggregated Advanced Privacy utilizes fingerprinting to enable user-level attribution with some margin of error (hence: “probabilistic”). The user-level data is kept internally in AppsFlyer’s servers, and the output (postbacks / reports) is redacted before being sent out to Advertisers (AppsFlyer’s customers) and Ad Networks (AppsFlyer’s partners).
AppsFlyer’s documentation explains how they redact data, and the excerpt below shows what they do to partner postbacks before sending them out:
While I think AAP is a cool concept, I think there are some fatal flaws in it:
- AppsFlyer’s partner postbacks include fields like: Campaign Name, Campaign ID, Creative Name, Creative ID, Event Name, Site ID, Sub-Site ID, Ad ID, Ad Set Name, Ad Set ID.
This means that AAP provides unlimited granularity with any campaign ID, Creative ID and event name you’d like. Which is one of the main appeals of the solution… but will it fly with Apple?
My opinion is simple: NO.
It’s no accident that Apple’s SKAdNetwork limits you to 100 campaign IDs, and a single conversion event with a value of 0-63. In contrast, AppsFlyer’s postbacks include unlimited identifiers that enable much higher granularity of measurement, tracking, and attribution, that very easily can point to a specific device and user.
A limited number of campaigns automatically reduces (and even eliminates, when combined with privacy thresholds) the chance that an individual user will be tracked without their permission. If you enable an unlimited number, you can essentially track people. For example: you could theoretically map every email address you have to a number, and then register each ad click as one of 100+ million campaigns.
That’s an extreme case, granted. But it’s possible, and as such, we believe it’s against what Apple is trying to prevent.
- Apple has never reviewed this solution, validated it upholds their standards, or certified it. The above example would more than be enough for them to rule against this solution.
In fact, Apple has not certified anyone but themselves to provide a privacy preserving solution. If they do, we would be thrilled, and trust me we have tried to suggest countless ideas to them, but their narrative has been the same: stick to SKAdNetwork, and we can explore alternatives and improvements later.
- I believe that perhaps the biggest flaw here is not whether partners or advertisers can exploit this, but the fact that there is an entity, AppsFlyer, that will be performing tracking on iOS users without consent.
And while we can sit here and debate about whether their output is “privacy preserving,” based on Apple’s POV, one could claim their entire data set itself is obtained incorrectly, and the information is tainted, even if it’s aggregated and anonymized.
AppsFlyer’s response to this is that their probabilistic matching is only 90% accurate, and therefore not “uniquely identifying a device”, therefore not breaking Apple’s guidelines, but I believe that’s over-reaching, and Apple has clarified, and will continue to clarify that this is a clear violation.
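The granularity argument above (100 campaign IDs and a 0-63 conversion value versus unlimited identifiers) can be checked on postback data. The following is an added example, not code from Singular, AppsFlyer or Apple: it measures what share of installs falls into cohorts smaller than a threshold. The field names, the threshold `k=10` and the sample postbacks are constructed assumptions.

```python
import math
from collections import Counter

SKAN_CAMPAIGN_IDS = 100       # campaign ID limit cited in the article
SKAN_CONVERSION_VALUES = 64   # conversion value 0-63, cited in the article
FIELDS = ("campaign_id", "conversion_value")  # assumed postback field names


def label_space_bits(campaign_ids, conversion_values):
    """Upper bound, in bits, on what one postback label can encode."""
    return math.log2(campaign_ids * conversion_values)


def can_label_every_install(installs, campaign_ids, conversion_values):
    """True when the label space is large enough to give each install its own label."""
    return campaign_ids * conversion_values >= installs


def cohort_sizes(postbacks, fields=FIELDS):
    """Count installs that share the same values for the given fields."""
    return Counter(tuple(p[f] for f in fields) for p in postbacks)


def share_below_threshold(postbacks, k, fields=FIELDS):
    """Fraction of installs whose cohort has fewer than k members."""
    sizes = cohort_sizes(postbacks, fields)
    exposed = sum(n for n in sizes.values() if n < k)
    return exposed / len(postbacks)


def constructed_postbacks(installs, campaign_space):
    """Constructed sample data: installs spread round-robin over campaign IDs."""
    return [
        {"campaign_id": i % campaign_space,
         "conversion_value": (i // campaign_space) % 4}
        for i in range(installs)
    ]


if __name__ == "__main__":
    n, k = 20_000, 10  # k is a hypothetical reporting threshold
    capped = constructed_postbacks(n, SKAN_CAMPAIGN_IDS)
    unbounded = constructed_postbacks(n, n)  # one campaign ID per install
    print("label bits under the caps:", round(label_space_bits(100, 64), 2))
    print("installs needing bits:", round(math.log2(n), 2))
    print("capped share below k:", share_below_threshold(capped, k))
    print("unbounded share below k:", share_below_threshold(unbounded, k))
```

With the caps in place the label space holds 6,400 values, fewer than the 20,000 installs in the sample, so every cohort stays large; with an unbounded campaign field every install sits in a cohort of one.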
Adjust (which has recently been acquired by the ad network and gaming publishing giant AppLovin) was the provider whose SDK got rejected by Apple in a few app updates. They’ve since updated their SDK and removed some problematic code, and app approvals are proceeding again.
The data Adjust’s SDK initially requested included battery status, location and locale data, uptime, and a variety of other system profile parameters, which Apple said creates a unique identifier. Adjust CEO Paul Muller said the data was being collected for fraud protection purposes, and that the company has “never used these symbols for this purpose.”
Be that as it may, Adjust sees 3 main attribution methodologies going forward, Muller says.
- Deterministic Attribution based on ATT consent to sharing IDFA
- Probabilistic Attribution based on “basic device information” (AKA fingerprinting)
Honestly, I find this surprising, to put it lightly. Apple had literally just rejected the Adjust SDK for “algorithmically converting device and usage data to create a unique identifier in order to track the user,” and yet Adjust reiterates their intention to continue utilizing device information for tracking purposes.
The immediate pushback we’re hearing from supporters of this approach is that fingerprinting is only 90% accurate. (Similar to what AppsFlyer has been saying). The thing is – if you are 90% correct, those 90% of the users are still tracked without their consent, so that argument seems quite invalid to me.
This silly claim is derived from taking a single line of Apple’s developer FAQ out of context. Apple says that “you may not derive data from a device for the purpose of uniquely identifying it,” and the over-reaching interpretation is that “fingerprinting is not really uniquely identifying a device” … at least not very accurately. Honestly, I just don’t see how this is going to fly.
Branch and Kochava
I’m lumping Branch and Kochava here together because they have remarkably similar story arcs with regard to SKAdNetwork.
Originally – both were huge proponents of building massive billion-plus device graphs or data collectives using IDFA and fingerprinting. And both, after some time, have internalized Apple’s messaging and swung away from fingerprinting towards SKAdNetwork.
As Kochava said recently, “Apple has drawn a line in the sand, removing ambiguity and bringing specificity where it was previously lacking.” And that MMPs that cross this line are putting their customers’ businesses in jeopardy.
Branch is clearly on the same page, saying that “it’s absolutely clear that if a user has not accepted ATT, no one – not even the advertising app or its CRM tools – can attempt to join an app install to an advertising click for attribution. They must use Apple’s SKAdNetwork (SKAN) framework or get permission via ATT.”
Both Kochava and Branch, therefore, appear to be adhering to Apple’s rules: both the letter and the spirit of the law.
Every mobile marketer who’s paying attention to iOS 14 knows what Singular’s stance is on this, and knows what my stance is.
We started working on privacy-safe attribution a year before iOS 14 was released. We were the first MMP to announce support for SKAdNetwork. In June 2020 we said fingerprinting was antithetical to what Apple was doing. In November we said using fingerprinting for tracking was a good way to get your app kicked off the iOS App Store. And we have reiterated it multiple times since.
Instead of fighting the policy, inventing shaky workarounds, or trying to do something under the table, Singular has thrown its weight behind compliant solutions and invested in building the best, most secure, and most complete SKAdNetwork solution on the market. One which will allow mobile app publishers to safely live on the App Store and allow mobile app marketers to continue to optimize for growth.
I firmly believe that.
Singular’s SKAdNetwork solution incorporates:
- Best-in-class analytics with ROAS and cohorts for SKAdNetwork
- World-class automatic conversion management and amazing SKAdNetwork conversion strategy testing
- Tough anti-fraud measures with Secure-SKAN (we were the first to pioneer using 307 redirects to get raw device data)
- Centralized data with everything else you’re measuring
- All available on-platform, via API, or via ETL
And all with full compliance with platform guidelines from Apple, which means worry-free app updating. There’s a reason Rovio and countless other massive mobile publishers are choosing Singular.
The cat and mouse game
The cat and mouse game that we’re seeing played out in public here is one of privacy and enforcement. Everyone can technically do fingerprinting. Everyone can technically do some form of probabilistic marketing measurement, device tracking, user targeting, and more.
But what will Apple, ultimately, allow?
In a recent article, David Philippson, once the CEO of one of the first MMPs (Ad-X) and now the CEO of DataSeat, said:
“As fingerprinting gives marketers a far superior solution to that offered by Apple SKA, who would adopt SKA if they were still allowed to fingerprint? We suspect no one. Which is the exact reason we should all prepare ourselves for Apple to act quickly and aggressively to enforce a ban on fingerprinting shortly after ATT.”
I completely agree with that. If you could get away with fingerprinting via Adjust or AppsFlyer, why on earth would anyone adopt SKAdNetwork? That’s a whole lot of work for something that will, in most cases, get you less data than fingerprinting. And if that’s the case, I doubt Apple would leave it up to chance. They will act strongly and quickly.
In a recent interview with Kara Swisher of the NY Times, Apple CEO Tim Cook said that “privacy is one of the top issues of the 21st century” and that “we’re in a crisis.” He also said that Steve Jobs believed that individuals should own their own data and own the ability to say who gets it, what they get, and how they use it. Specifically about ATT, Tim Cook said it’s about limiting the ability of companies to track people, create profiles of them, and surveil them across the internet.
It could not be more clear, therefore, what principles are at stake for Apple. And that means that fingerprinting, already banned by policy, likely has a limited technology-enabled life span.
What AppsFlyer and Adjust are doing, in my opinion, breaks App Tracking Transparency. It’s pretty clear that it goes against what Apple is telling us, and therefore it’s only a matter of time until Apple takes action.
Our goal is to help our customers succeed. We’re building the technology and engaging with the ecosystem in ways that enable that as opposed to risking it. And that’s what we’re going to continue to do.
Charting your iOS 14 course?
You have to chart your course in the emerging world of privacy-safe marketing measurement. We’ve been helping brands and publishers get ready for months now.
If you’d like to chat, we’re here to talk.