Safari test points to a future with tracker-free ads

Apple thinks it has come up with a way for advertisers to track how well their ads are doing without (*gasp*) compromising user privacy.

It sounds like a tall order but according to John Wilander, WebKit engineer and architect of Apple’s Intelligent Tracking Prevention (ITP), a technology called Privacy Preserving Ad Click Attribution has been added as an experimental feature to Preview 82+ of the Safari browser.

Nobody doubts the industry has a problem. Advertising keeps websites and advertisers afloat but at the expense of all sorts of privacy-bashing tracking that follows, profiles and gathers as much data about users as it can using cross-site tracking.

A lot of web users are fed up with this, hence the popularity of ad blockers and the rise of ad-limiting features in rival browsers such as Firefox.

But according to Wilander, the problem isn’t advertising per se, but the sense that web surveillance has become about not merely understanding what users do but who they are.

The combination of third-party web tracking and ad campaign measurement has led many to conflate web privacy with a web free of advertisements.

Undoubtedly true, but arguably a woe the industry has brought on itself. Can privacy and advertising be reconciled?

Safari as gatekeeper

Apple’s solution is a compromise – allow websites and advertisers to see that a user responded to an ad but not who that user is.

Online ads and measurement of their effectiveness do not require Site A, where you clicked an ad, to learn that you purchased something on Site B. The only data needed for measurement is that someone who clicked an ad on Site A made a purchase on Site B.

Instead of advertisers recording this data in the form of tracking pixels and cookies, a mechanism in Safari’s WebKit engine would do that for them instead.

And unlike today’s web, no “opaque third-parties” should see ad attribution data, only the websites visited by the user who generated the click-through.

Attribution reports would, therefore, be sent via a JavaScript API as if the user was in Private Browsing Mode, delaying those reports for 24 and 48 hours (i.e. no live data), and disallowing any ad attribution when users have entered Private Browsing Mode.

To be counted, links will need to be in the main frame (not an iFrame) while ad campaign IDs will be limited to 64 possibilities to avoid this being used as a backdoor tracker by assigning unique strings that might identify users across sites. Wilander sums this up:

Today’s practice of ad click attribution has no practical limit on the bits of data, which allows for full cross-site tracking of users using cookies. This is privacy invasive and thus we are obliged to prevent such ad click attribution from happening in Safari and WebKit.

Will it work?

Judging by the level of detail in Wilander’s blog, Privacy Preserving Ad Click Attribution is no whim. Significantly, Apple says it plans to propose the concept as a standard to the W3C Web Platform Incubator Community Group (WICG) which, if accepted, would mean other browser developers would be able to adopt it.

The obvious problem is whether advertisers will accept tighter control even if it’s imposed on them through Safari. Apple’s ITP anti-tracking has already annoyed advertisers who accused it of economic “sabotage.”

A second hurdle will be avoiding the pitiful fate that befell the Do Not Track initiative the industry made big claims for when it was launched in 2012 but which went nowhere.

When Privacy Preserving Ad Click Attribution makes it to Safari later this year, this will be one to watch.