Ad Blocking

Safari ITP: Intelligent Tracking Prevention Version 1.0 to 2.3

For a long time, the ad tech industry relied heavily on third-party data for targeting ads. 

Users, however, had no idea how their personal data was being used, who had access to it, and whether it was being used responsibly. 

Thanks to privacy laws, users are not only aware of how their personal data is collected and used online, but can also control sharing.

The onus of abiding to these laws fell upon web browsers. Apple took the lead and pioneered inclusion of privacy features in web browsers. In 2017, Apple launched the Intelligent Tracking Prevention (ITP) for protecting the privacy of its users. 

While this solution benefits Safari users, it has made life tough for publishers and advertisers. However, there are definitely certain ways that publishers can use to recover from the impact of ITP.

In this blog, we will cover details about how ITP has affected publishers, what ITP is, and how it has evolved since its first version. 

What is Intelligent Tracking Prevention?

Intelligent Tracking Prevention is a feature of Webkit, an open-source browser engine that powers Apple’s default browser – Safari. 

We’re all aware that Safari blocks third-party cookies by default. But what many people are not aware of is that sometimes first-party cookies can act as trackers. This is where the importance of ITP comes in with goal to prevent tracking

Webkit extends its ITP feature to Safari users by limiting the tracking of first-party cookies. These cookies help in creating a better user experience by storing login credentials, language settings, etc. But as stated before, they can also be leveraged by ad tech platforms as trackers. This use-case of first-party cookies is what the ITP intends to block. 

ITP uses the Machine Learning Classifier, a machine-learning model, for identifying domains that can be leveraged for cross-site tracking and identification. After the Machine Learning Classifier successfully identifies a domain with cross-site tracking capabilities, it restricts cookies that are created by that domain.  

Moreover, ITP deletes all cookies of any user who hasn’t visited the website in 30 days.

Also read: What Are Cookies? Different Types of Web Cookies, Explained

The Evolution of ITP

The Intelligent Tracking Prevention has had many revisions in the last three years. But before we get into details, here are the major developments that came with each update.

VersionChanges
1.0First-party cookies trackability allowed for returning users (within 24 hours only). 
1.1Storage Access API included for allowing websites with embedded content to access third-party cookies
2.024 hour window for first-party cookie trackability scrapped.
2.1First-party cookies created through JavaScript’s Document.cookie API got expired in 7 days
2.2Prevention against link-decoration. 7 day window in ITP 2.1 shortened to 24 hours
2.3More prevention against link decoration. All non-cookie storage data, which includes localStorage expires after 7 days

Version 1.0 

With the very first version of Safari ITP, it was possible for first-party cookies to behave as trackers, given the user visits the destination website within 24 hours. 

When a user clicks on an ad after visiting a website, a first-party cookie is created by the adtech platform. If the user visits the destination website of the ad they previously clicked within 24 hours, the first-party cookie could be used for retargeting.  

In case the user doesn’t visit the website in 24 hours but after 3 days, the tracker could not be used for retargeting. However, purposes such as maintaining single sign-on sessions were still enabled.  

Version 1.1

The purging of trackers if a user doesn’t visit a website within 24 hours caused a few problems when it came to embedded content. Video-subscription services or third-party payment providers were affected the most. 

Source: webkit.org

In order to take care of this, ITP 1.1 was released with a Storage Access API. This solution paved a way for embedded content across websites to authenticate users that are already logged in to first-party services, such as Facebook.   

Version 2.0

ITP 2.0 was introduced in June 2018. The 24-hour cookie access window was scrapped in this update, heavily impacting affiliate marketing. 

The integration of Storage Access API in the previous version still provided access to first-party trackers of authenticated embeds. However, this update prevented companies from tracking users by default. A prompt was now displayed on the user’s screen providing them with a choice to accept/refuse cookie storage.

Safari ITP
Source: webkit.org

Additionally, Safari ITP 2.0 protected users against first-party bounce trackers. The Machine Learning Classifier detected domains that were present for the sole purpose of tracking users via navigational directs. If a user clicked on a social media link but instead of being directed to the site, a series of bounce trackers were opened, then the user’s browsing history was being stored as first-party cookies.  

Tracker collusion is another thing that was taken care of by ITP 2.0. The machine learning algorithm detected situations where trackers are communicating with each for sharing information regarding the user through a collusion graph. 

Lastly, ITP 2.0 ensured that the referrer information is not passed on to third-party trackers. This only if the user happened to visit a website containing such trackers. However, user information was shared with these third-party trackers in case the user clicked on their ads. 

Version 2.1

ITP 2.0 was paramount in protecting privacy of users through preventing trackability. But ITP 2.1 went a step ahead.. 

Storage Access API was made the major access point for all types of cookies, including partitioned cookies with ITP 2.1. Before third-parties could utilize partitioned cookies for getting access to first-party trackers. However, they were now required to use Storage Access API for getting cookies. 

Safari ITP 2.1 update
Source: webkit.org

Moreover, client-side cookies, i.e., cookies created through JavaScript’s Document.cookie API, got expired in 7 days. These cookies still had access to server-side cookies, created via server HTTP responses, provided they don’t have an HttpOnly setting.

Version 2.2

Webkit released ITP 2.2 (in April 2019) just 2 months after ITP 2.1 (February 2019) was introduced, and sought to prevent workarounds found for the previous version.  

Instead of a 7-day expiration period, client-side cookies just got a window of 24 hours. The machine learning algorithm identified first-party cookies dropped by a website for tracking users on behalf of other companies. 

A technique called ‘link decoration’ was being used by several companies to track users by passing unique user IDs in the URL. The user was getting redirected to the destination website after they clicked on an advertisement or a link. If a JavaScript tag was present on the destination website, the ad platform would have been able to collect the ID and generate a first-party cookie. This first-party cookie was then used for tracking users if they visit the destination website again. 

Link-decoration
Source: webkit.org

ITP 2.2 specifically prevented cross-site identification and tracking of users using link decoration. 

Version 2.3

Since ad tech companies managed to find workarounds for the previous Safari ITP update, Webkit had no choice but to crank up privacy features in this latest update of ITP. 

Ad tech companies started making use of the browser’s localStorage for storing data about users. This allowed them to track users without having to create first-party cookies.

But Safari is keen on protecting the privacy of their users. Therefore, ITP 2.3 now ensures that all non-cookie storage data, which includes localStorage, expires after 7 days. The expiry date, however, will be reset if the user visits a destination website within 7 days. 

Impact of Safari ITP on Publishers

It’s easy to underestimate the impact of ITP on publisher revenue because of Chrome’s overwhelming share in the browser market. But Safari is the second most popular browser with approximately 17% market share.

Source: StatCounter Global Stats – Browser Market Share

Here’s how publishers were impacted by Safari ITP in tandem with brands and the ad tech industry:

  • Limited Targeting: Behavioural targeting relies heavily on third-party cookies. If not for that, first-party cookies can be used as trackers. But with ITP making it extremely difficult to store cookies via localStorage or drop cookies via Javascript, ad targeting is greatly affected. This further hurts publisher revenue. 
  • Lower CPMs: According to Digiday, eCPMs on Safari inventory are around 30% lower than Chrome. On top of that, ITP impacts CPMs even more. ‘Link decoration’ which is a common technique in the ad tech industry is completely thwarted by ITP. This further impacts CPMs as DSPs rely on trackability which is not available. 

What Can Publishers Do?

Publishers and the ad tech industry have developed several workarounds for every ITP update. However, each new update has proved more stringent than its precursor. 

In that case, here are some other tips that publishers can use:

  • First-party Data: Publishers must immediately shift their focus to building first-party data solutions. With Chrome also gradually sunsetting third-party cookies, it makes sense for publishers to start experimenting with targeting through first-party cookies alone. 

Also Read: Scaling First-Party Data with Josh Peters, BuzzFeed’s Director of Data Partnerships

  • Direct deals: Instead of targeting, publishers should approach advertisers for direct deals. Brands are constantly on the lookout for unique placements that are of high value. We encourage publishers to partner with an ad network that provides unique insights into different ad placements (like AdPushup). Regularly testing ad placements will help in recognizing the ones that can earn the bang for the buck.
  • Native ads: Another tip for publishers is to delve in native advertising. Native ads mesh well with the content, are hardly intrusive, and users tend to like interacting with them too. 

Also Read: Guide to Creating and Running Native Ads in Google Ad Manager

Conclusion

Due to the absence of cookies, publishers are now only able to serve non-personalized advertisements, which is significantly impacting revenue generation. 

At this point, publishers can’t do much to deal with repercussions of ITP but ensure to prepare for a post-cookie era. By following IAB’s guideline, publishers can further manage to mitigate the impact of Safari ITP.

Advertisers are getting impacted just as much as publishers, if not more, due to ITP. Marketing strategies including attribution, audience segmentation, personalization, content performance data, and mapping customer journeys have either been rendered useless or have become harder to execute. 

The ad tech industry as a whole needs to work together and come up with solutions that can make things easier for everyone. 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.