Why we're making fingerprinting opt-in

Paul Muller

Posted Feb 5, 2019

The days of fingerprinting having a place in the default attribution waterfall are over.

Adjust has made the decision to make all future use of fingerprinting opt-in only. New apps will no longer have the feature enabled by default, and trackers created in Campaign Wizard will also require an opt-in by the user to enable it.

You can read up on the technical details in our recent announcement, but if you want to know why we’ve made this choice, please scroll on.

Attribution as we knew it

Fingerprinting has been around for quite some time, and was the first attribution method developed and used by Adjust.

When we first started in 2012, iOS only offered the device hard-coded UDID as an identifier, and at the time many publishers didn't feel comfortable using it to track and attribute advertisement. So, while we used it for attribution, the number of network partners able to attach it to their clicks was extremely low.

Fingerprinting filled that gap and allowed us to connect clicks and installs that would have otherwise gone unattributed.

Even though we quickly started to implement fingerprinting based on matching operating system, version, IP address, language and device type specifically on iOS, the average amount of variety made fingerprinting an imperfect solution.

There are simply too many users with the latest iPhones, using the current iOS release, who also speak English and who are also being routed through the same Verizon IP to be adequately identified, which meant the solution fell short of what was really needed.

In September 2012, Apple introduced iOS 6 and with it the ID for Advertisers, commonly known as IDFA. A year later Google followed suit and introduced their Google Play Store Advertiser ID, which was used by ad networks and attribution companies from August 2014.

It would take years after Apple’s announcement for the industry as a whole to adopt these new purpose-built IDs. And yet, today, all in-app inventory is able to read and attach an advertiser ID to engagements tracked by Adjust.

This development helped to mitigate the biggest flaw of fingerprinting.

Due to very low variations for fingerprints on iOS, precision is heavily impacted by how many attributions appear within a certain time frame. The more inventory that is able to be attributed via IDFA, the less random matches between unrelated clicks and installs via fingerprinting can occur. With web-based inventory accounting for only around 10% of our overall traffic, fingerprinting often reached precision in excess of 90%.

At that time, using fingerprinting on clicks that came in without Advertising IDs as a default fallback provided good matching and a smoother user experience.

The end of innocence

But the world kept on turning, and the dinky fad that was apps became a multi-billion dollar business. The number of businesses also exploded and competition has grown fierce, trying to cash in on the rush of money being fed into mobile advertising.

Now our job was no longer about providing attribution for a market that hasn't figured out what Advertiser IDs were meant to be. Instead, our biggest fight is to protect our clients from the criminals that are trying to game attribution and steal credit for users they didn't drive.

We see that 15% of all attributions are matched on Android with fingerprinting. On iOS it's a bit more, over 20%, mostly due to the lack of Play Store Referrer equivalent, and the fact that iOS 11 removed the IDFA for users that enabled Limited Ad Tracking.

Looking at the inventory coming in that lacks an Advertising ID (that would be matched by fingerprinting) we can see a worrying but growing trend.

While legitimate web-based inventory has stayed fairly constant over time, there has been an increase of in-app inventory from bad actors that are able to send Advertising IDs, but don’t. This means we have to rely on fingerprinting to do so.

So why is it that these bad actors have suddenly "forgotten" how to attach Advertiser IDs? And what is the problem at the root of this?

An inconvenient truth

The answer is simple, they haven't forgotten - and this isn't being done by accident.

Click Spamming has become one of the biggest issues of our industry, and poaching organic users is the most common type of fraud we encounter.

Advertising-ID-based click spamming works by fraudsters hitting upon one specific device by random chance. This fact alone pushes down conversion rates typically around or below 0.1%. However, fingerprinted click spam on iOS can easily reach 0.5-1% random match rates.

The trick is to focus on IP ranges from mobile ISPs that are known to funnel thousands of devices through the same IP address. This, coupled with the lack of variance on iOS can lead to much better results than any Advertising-ID-based click spam, as thousands of devices could potentially match the fraudulent click.

As such, we had to turn fingerprinting off by default, as a way to drastically reduce instances of click spamming affecting your campaigns.

Of course, there are legitimate use cases for fingerprinting. Instances like clients redirecting from emails, or websites who rely on it to provide the best possible insight when Advertiser IDs are not an option.

Ultimately, we are aware that making these clients opt-in is not as comfortable as it was before, but the negative effect of bad actors abusing this feature can no longer be ignored.

If you’d like to contact us about this change, please reach out to us here.

Want to keep up with Adjust?