“We spend most of our time telling privacy advocates and even our clients what we don’t collect,” comments James Lamberti, Vice President and General Manager of AdTruth. “If you read our contract, there’s a list of 20 things we don’t collect: IFA, cookies, UDID, MAC address, etc. We purposefully stay away from not just PII, but beyond that any sensitive data.”
Garnered through Javascript signals or piggybacked iFrames, probabilistic device identifiers capture a variety of common signals: browser version, device type, country, time zone, language settings, user agent, browser resolution, browser add-ons, etc. Basically, the stuff that makes the Internet work, Lamberti explains.
“If you started to take away the data that we use to do the probability-based ID, pages would not load, videos will not stream,” he says. “It’s not that we’re trying to be scary or creepy about it, but we’re using data that’s so innocuous that there’s nothing to shut off.”
Perhaps that’s what is most unsettling about probabilistic device identification, which is also unglamorously referred to as device fingerprinting: the digital technologies that facilitate our jobs and lives give off a variety of signals that can be employed for identification purposes. Unlike with third-party cookies, where disabling them limits some website functionality, shutting off these Javascript signals basically invalidate all the Internet’s usefulness.
Like the cookie, probabilistic device identification was not developed with advertising in mind. AdTruth’s parent company, the 41st Parameter, has long been using device identification services to power digital user verification and anti-fraud measures for financial institutions.
And device identification companies aren’t new to the digital advertising space: I’ve been writing stories about both for years, well aware that advertisers and publishers were cagey (or at least tight-lipped) around adoption due to the privacy concerns. If privacy advocates took up arms over dropping cookies, imagine the fervor over IDs based on the most banal of Javascript signals. (Indeed, the press remains creeped out by the tech.)
But the cookie’s impotency in the mobile app environment has changed the equation, and started a major shift in how digital media players track and measure across an ever-growing amount of platforms. Anonymous identifiers are the clear way to solve for the cookie’s lack of tracking functionality in apps. Fallout from the use of hardware-based identifiers led Apple iOS and Google Android to offer software-based IDs that developers, publishers and advertisers can use to their tracking and targeting delight within apps.
However, there’s still a tracking gulf between apps and the mobile web. “The app world and the browser world are effectively two different worlds,” says TRUSTe CEO Chris Babel. “They fundamentally operate differently.”
This mirrors the tracking gulf between mobile and desktop Internet. Add in connected TVs and over-the-top devices like gaming consoles, then addressable television and video-on-demand, and it’s easy to see why cross-device measurement and targeting is digital advertising’s new frontier. Many companies are successfully bridging these gaps, but their burgeoning solutions all wrap around device identification.
High Probability
It may be the first time where inaccuracy is highlighted in marketing: these device identifiers are called probabilistic because they’re not perfect. Collecting hundreds of data points is the easy part, but the math is where the sophistication (differentiation) lies. Weighing and combining these data points enable companies like AdTruth to identify and recognize a device at a high enough probability for behavioral advertising purposes, but not 100%.
Lamberti says that AdTruth’s primary mission is to get into the middle of the market by integrating its technology into SSPs, DSPs, DMPs and exchanges – achieve scale where identification problems are most acute. AdTruth considers its device identification service a universal recognition technology layer within the ecosystem.
“We deploy on premise without ever receiving data from either party,” comments Lamberti. “Our technology is licensed through both parties in a transaction. They never call my server… It’s in their stack.”
Say AdTruth’s technology is deployed with DSPx – this company will be able to recognize AdTruth IDs on every mobile exchange that supports the technology. A user’s ID will look the same to DSPx as AdTruth-endowed DSPy – as well as PUBz, who sits on the exchange. Ideally for AdTruth, in addition to IDFA or Android ID, all ad calls will also pass through AdTruth IDs.
Now that AdTruth has gained traction with intermediaries, it is reaching out more to publishers as both a measurement tool and way to inject audience data into unsold inventory on the exchanges. Other companies in the field are concentrating their efforts beyond intermediaries on marketers.
For probabilistic device identification companies, relieving consumer anxiety over privacy goes beyond ensuring only “innocuous” data is collected. An advantage of collecting hundreds of data points to build identifiers is that it allows flexibility when privacy norms change.
“If the definition of sensitive data changes, we can respond,” Lamberti comments. “If some government or industry organization says don’t use time zone, OK, we’ll pull out time zone. We may be a little less accurate, but we’ll pull it out and a week later everyone will have a new version of the software.”
The major device identification firms recognize browsers’ do-not-track signals and are compliant with the Digital Advertising Alliance’s Online Behavioral Advertising initiative. However, opting out of targeted ads is more complicated within the mobile app realm since OBA is based on cookies.
As discussed in Part I, Apple’s IDFA features a toggle for disabling targeted advertising based on the identifier. With the opt-out methods provided by the Android OS and its identifiers considered inefficient, earlier this year privacy enablers Evidon and TRUSTe worked with a variety of mobile ad tech companies to develop cross-device, opt-out solutions consistent with DAA policies.
Probabilistic identification once again presented a specific challenge, and a solution emerged at this year’s Cannes festival. Working in partnership with PubMatic and TRUSTe, AdTruth developed the mechanics to follow the DAA’s OBA standards and AdChoices program using TRUSTe’s opt-out program in the context of of AdTruth technology. To test its effectiveness, the companies deployed ads featuring the AdChoices icon in PubMatic’s SSP exchange.
Enabling this required the statistical targeting mechanism to be coupled with a deterministic (in this case, cookie-based) method of opt-out, explains TRUSTe’s Babel. When a mobile user clicks the AdChoices icon, the opt-out provider opens a browser window with the DAA opt-out choices. The user’s decisions are saved to a first-party cookie, which is then recognized by all ad networks and exchanges integrated with the opt-out provider when receiving ad calls from apps. In the back-end, this opt-out cookie is tied to the OS-based device identifier (e.g., Apple’s IDFA or Android ID).
This remarkable ability to bridge seemingly disparate technologies becomes increasingly important in the burgeoning field of cross-device measurement and marketing.
The Cross-Device Frontier
Let’s think about it this way – you’re a big sports guy, so you’re constantly looking for updates from your favorite sports website. Sometimes you check the latest scores on your smartphone – particularly when you’re on the move or watching television. Sometimes you enjoy an in-depth athlete profile on your tablet while chilling around the house. Sometimes you’re old-fashioned and use your laptop to browse.
Granted, you’re registered with said website, but you don’t always sign in when you visit – we’ll say you bother about 5% of the time. The other 95% of the time, the site is basically cataloging you as three different users. An advertiser delivering across channels can’t tell that it has just hit the same person on three different devices.
Consumer device-juggling plays absolute havoc with measuring reach and frequency for both publishers and advertisers, which is kind of demoralizing considering how far digital measurement and segmentation has come. Alas, the cookie’s usefulness can only be stretched so far, and continued device fragmentation requires stronger stuff.
“To do multi-screen, cross-device, householding or whatever term you want to use, you have to use some kind of device identification,” comments Lamberti.
By employing device identification, that sports site above can assemble those three devices as one user to track behavior and target campaigns across devices regardless of whether you’re logged in. In an ideal world, the site would be granted permission by the user to assemble the devices into a single profile or household.
But for an industry that’s never been fond of being upfront (perhaps we still believe forgiveness is easier to ask for), householding is mainly being performed now through IP tethering. Basically, if three devices access the Internet through the same IP (presumably more than once), they probably can be tied together. As IP addresses continue to exist in the grayer area of sensitive data, this method can easily be seen as invasive.
However, IP tethering is really the tip of the iceberg. For TapAd, privacy-safe identifiers are the building blocks of its device graph. By offering advertisers and publishers a unified view across devices, Tapad optimizes campaigns across devices; Without giving away too much of the secret sauce, the company takes disparate data points – device IDs, third-party cookies, etc. – and layers them into a profile.
CEO Are Traasdahl is quick to point out that Tapad is not a device fingerprinting company, but it does employ probabilistic methods.
“Our technology is predictive in nature, not deterministic,” he says. “We are always looking to increase the probability of us being right… We don’t need to be 100% accurate – we can work on a 70%-90% accuracy rate, which is far better than the alternative, typically 0%.”
Cross-device profiles can be employed in targeting, frequency capping, message sequencing (e.g., delivering ads in an episodic fashion), measurement and more. In addition, license technology to publishers to enable selling of cross-platform products. The biggest challenge Traasdahl cites at the moment is scaling the technology, hence why Tapad has been on a hiring spree, picking up quantitative engineers by the dozen. The realm of devices continues to expand – Traasdahl believes Connected TVs will become a huge new space in 2014.
“Consumers are looking for seamless experiences across multiple devices – whether it’s for content, commerce or advertising,” he says. “I believe consumers are seeing the benefit of relevant ads rather than belly-fat ads.”
That’s a common sentiment in the world of audience targeting – relevancy will drive consumer acceptance. Yet in the desktop world there is an obsession with cookies in the great privacy debate when device identification seems to be the future. This burgeoning area is grayest shade of gray: is there a clear line where tying together devices into households and profiles crosses into invasive? Or perhaps privacy notions are shifting to make that question irrelevant.
Privacy Crossroads
Combined with other mobile data signals, unique IDs makes for fascinating targeting opportunities. Sure, targeting a consumer via geolocation is interesting (geofencing, ho boy), but what about linking location and audience?
As a bidder on a mobile ad exchange, mobile DSP Sense Networks examines for location data (i.e., latitude and longitude) sent from apps (only if the user agreed to share location data, which can then be sent out on an ad call) against 20 million spots of interest – from specific retailers to recreational centers (e.g., golf course). Every time a bid request comes in with a unique identifier and Sense Network’s DMP recognizes it, it does not record the location point to a saved profile, but adds a tag noting the preferred retailer or logical characteristic (golfers go to golf courses!). No raw location or time data that could be considered sensitive are kept.
Sense is creating the equivalent of proprietary third-party cookies for targeting purposes. Major retailers employ Sense to target mobile users that have been in their stores. By ditching the identifying data and using an anonymous tag, Sense CEO David Peterson argues it is respecting user privacy.
Is that enough? While mobile device identification opt-out mechanisms were an essential first step for enhancing privacy controls, advertising technology companies need to offer a further level of transparency into mobile data collection and storage precisely because it’s based on device identification. A trip to the BlueKai registry will show you what every third-party cookie on your desktop browser means to advertisers. There’s no real analogy for device identifiers employed in the mobile app environment.
Industry associations are on the case. A recent MediaPost story reported that the Interactive Advertising Bureau filed notice with the Federal Communications Commission about its soon-to-be-released self-regulatory principles for mobile. These “will provide transparency and consumer control for precise location information, mobile multisite data, and mobile cross-app data, encompassing all parties in the mobile device ecosystem.” In addition, the DAA and Network Advertising Initiative just introduced mobile privacy guidelines.
However, the looming concern in the space is whether consumers – and thereby regulators – will accept device identification as an acceptable tool in digital advertising.
“We’ve always had unique identifiers on computers, but on mobile it’s tied closer to the individual using it,” says Daniel Castro, senior analyst at the Information Technology and Innovation Foundation (ITIF). “We’re kind of in a squishy area because historically we didn’t treat IP addresses or MAC addresses as unique identifiers, even though they are – they just weren’t closely linked to someone. Now they’re more likely to be linked, or you could link them if you had enough data.”
Definitions of personally identifiable information are constantly evolving, and privacy norms tend not to travel at the same pace as technology. What’s the distance between a user and his/her phone? Can you really say mobile is the most personal device and then suggest that tagging it with an ID on it doesn’t invade privacy? Mobile represents a crossroads for the technology – if device IDs are rejected by consumers here, the cross-device measurement and targeting dream may be doomed.
After reading Part I, an agency representative commented to me that his organization had run field trials employing probabilistic device identifiers and garnered proof the tech performs. The agency is set to deploy, but waiting to see if any regulatory restrictions will come to pass. That could be the equivalent of waiting for Godot considering the glacial pace digital privacy regulation – even more sluggish than privacy norms!
Movement on comprehensive digital privacy legislation – any of the competing bills in both houses of the federal government – has been nonexistent. The influx of lobbying cash from the digital advertising industry probably can be given some credit. Publishers and advertisers have far more worry around staying in line with renewed COPPA rules.
The W3C’s efforts to build a Do Not Track standard appears to have stalled, with prominent members publicly doubting the Tracking Protection Working Committee’s ability to eventually come to agreement. As mentioned in Part I, Microsoft’s embrace of default DNT in Internet Explorer and Mozilla’s third-party cookie ban in Firefox can be interpreted as shrewd marketing moves, differentiating their products against a fast-rising competitor very financially tied to the proliferation of third-party cookies. Apple may have developed Safari as a privacy-friendly browser, but building and sharing an identifier for its mobile operating system suggests it sees a big future with device IDs.
Besides, device identification has the advantage of not being nearly as obtuse as the cookie dropping game.
“The trouble with cookies is that most consumers don’t understand how the desktop browser works and what’s going on in the back-end,” Castro says. “With mobile devices, although I think people still don’t understand the technology, there’s a better recognition that it’s personalized to you, and that somehow some tracking is going on.”
The difference in consumer expectations regarding desktop vs. mobile will likely play a role in privacy reactions. The highly personal nature of mobile devices could actually be a boon for mobile tracking technology in both the editorial and advertising houses. Consumers may expect the majority of media they consume on mobile to be tailored to them.
“The goal going forward is to educate consumers on what we’re really doing, which is not crazy, heinous stuff,” Lamberti comments. “It’s about developing anonymous understanding of user context to make advertising better and drive healthier ROI.”
In addition, privacy concerns are pushing mobile privacy disclosures upfront and center. While they may not understand the specifics and internalize it, consumers are likely to be more aware of mobile identifiers. That’s the first milestone in building a media marketplace in which consumers actively understand the value of their data and use them to transact for content and services – replacing the overarching “Internet is free!” mindset with an upfront realization that data is digital currency.
“We’re not to the point of microtransactions some people envisioned, but we’re getting closer,” Castro says. “We have the option of letting people fine-tune their privacy settings in relation to how much they want to pay.”
Device identification technology is a bold step forward from desktop cookies. But as media technology evolves and fragmentation of consumption increases, the solution, it appears to be the appropriate path for advancing monetization efforts of both advertisers and content providers.