Ever since Apple announced iOS14 and the AppTrackingTransparency framework (ATT) there has been a lot of confusion in the ecosystem about what is allowed — and what isn’t.
What’s important to keep in mind is that Apple’s goal with ATT is very similar to the purpose of privacy regulations like GDPR. The rules exist to allow users to choose whether a first-party can share their unique, identifiable, and persistent data with a third party.
Sounds simple, right? So why is there so much debate over what is covered by the rules?
Part of the confusion stems from a lack of a common language across the entire industry. A lot of industry players are using different terms for similar concepts.
One complicating factor is that the industry had been using ‘fingerprinting’ as a catch-all, encompassing both actual fingerprinting and methods of probabilistic attribution. With the upcoming 14.5 changes, some companies (Adjust included) moved from fingerprinting to strictly probabilistic attribution. This has meant picking apart what people understand by ‘fingerprinting’ and explaining what is still allowed.
I wanted to define a few terms that are important to understand and differentiate:
- What is fingerprinting? A method to track users cross-site by utilizing device information to create a persistent and unique ID. Some techniques used to achieve this fingerprint include capturing font metrics, using WebGL (and canvas) properties, combined with using certain hardware properties. This data makes the fingerprint persistent and uniquely able to identify a user. The main use of fingerprinting and fingerprint IDs is to track users across different websites and apps that would otherwise not share any common ID. For example, fingerprinting is used to create device graphs, which are clearly against Apple’s guidelines.
- What is probabilistic? As an MMP we don't track or target users across sites or apps. All we care about is attributing an install to an engagement with some degree of certainty. As 80% of installs happen within the first hour after click, such attribution does not require any persistent ID. We can make our predictions with temporary data that becomes obsolete within a few hours. Therefore probabilistic attribution for us is simply based on device entropy and patterns. We look at parameters such as time of click, time of install, and basic device info. These limited parameters allow us to estimate the source of an install for a few hours after a click.