Device fingerprinting: the cure that’s worse than the disease

The practice of device fingerprinting has continued unabated since compliance with Apple’s App Tracking Transparency privacy policy was made mandatory with the release of iOS 14.5. Apple’s privacy documentation defines fingerprinting in a clear-cut, unequivocal way: that no advertiser may “derive data from a device for the purpose of uniquely identifying it.”

Nonetheless, fingerprinting is being done in the ATT environment with aplomb, as noted in the advertising trade media and as was discussed in the final episode of my three-part podcast series, ATT: One Month In. It is partly for this reason — but also because ATT-mandatory versions of iOS have been rolled out slowly — that gauging the impact of ATT is currently difficult, although it appears that iOS 14.6 is being pushed to user devices in earnest ahead of WWDC. While it’s inevitable that ATT-mandatory versions of iOS will be installed on the vast majority of iOS devices, it’s less clear when Apple will begin enforcing its rule against fingerprinting. Apple should do this sooner rather than later.

The term “probabilistic attribution” is used within the advertising ecosystem to camouflage a practice that is very obviously fingerprinting. Probabilistic attribution is a broad umbrella term that simply describes the use of likelihood estimates to make assumptions about user engagement with advertising campaigns. Probabilistic attribution can take many forms: an algorithm that uses only first-party, in-product behavioral data to estimate the source campaign of a user is an expression of probabilistic attribution, and this approach is totally compliant with ATT. Fingerprinting is a much different and more specific form of probabilistic attribution — it matches device parameters across multiple contexts (first-party and third-party) within a short timeframe to try to attribute an ad interaction. For more background on fingerprinting, see Fingerprinting with iOS 14: Reality or delusion?

A very obvious logical fallacy is being promoted within the mobile advertising ecosystem: the mechanics currently being used to directly attribute installs to ad interactions are being characterized into the very wide-ranging bucket of probabilistic attribution. Apple has clearly spelled out that certain device or network parameters are off-limits for use in uniquely identifying a device to attribute to an ad click or view, regardless of whether that identification is persistent or not. The false premise that collecting device and network parameters for use in making assumptions about ad campaign provenance produces an invalid syllogism:

Probabilistic attribution is not broadly prohibited by ATT
What our company is doing is a form of probabilistic attribution
What our company is doing is not broadly prohibited by ATT

It’s true that mechanisms that are undetectable could be created for collecting device and network data from advertisers, such as through server-to-server transmission, but this fact simply amplifies the case for prosecuting the existing restrictions against fingerprinting now. The longer fingerprinting is allowed to persist, the more energy and resources will be invested by ad tech companies and advertisers alike into building robust mechanics to conduct fingerprinting in a way that imperceptible — and, perhaps, in a way that is persistent, such as with CAID. Right now, fingerprinting is detectable via SDK data capture, and because Apple has not enforced its restriction of fingerprinting, advertisers are participating in it.

As soon as Apple very deliberately and publicly sanctions the use of fingerprinting techniques, advertisers will stop using them. And most advertisers will lose interest in server-to-server fingerprinting workarounds if Apple makes clear that flaunting its rules carries the risk of extreme consequences. An advertising ecosystem in which measurement is driven by fingerprinting is a terrible outcome of ATT: it’s a cure that’s worse than the disease. Not only is consumer privacy not safeguarded when fingerprinting is rampant, but advertiser costs increase because fingerprinting is not reliably accurate. Everyone loses if fingerprinting becomes the de facto replacement for the IDFA.

It’s possible that Apple is waiting until a majority of iOS devices have upgraded to iOS 14.6 before enforcing its fingerprinting restriction. And this may happen this week as iOS 14.6 proliferates. But as of now, the advertisers that built new infrastructure to accommodate SKAdNetwork and to conduct advertising measurement through compliant methods are effectively being punished for conforming to Apple’s rules. Some advertisers spent millions of dollars transitioning their machinery away from deterministic, user-level measurement to prepare for ATT. And consumers are now being sold on the privacy benefits bestowed upon them as iPhone owners through a high-profile advertising campaign. The fact that fingerprinting is being allowed to continue this long after the release of iOS 14.5 is a great affront to both groups.