Companies on Apple’s App Tracking Transparency

Apple introduced App Tracking Transparency (ATT) in iOS 14.6 several months ago. The idea is that any app that wants to track users even after users stop using the app has to ask for permission. If permission isn’t granted, the app or developers can’t follow users around off premise. Such a lack of signal could result in weakened…tracking, targeting, measurement and, of course, advertisers’ income. Since the introduction of ATT, some advertisers and developers have voiced fierce criticisms towards Apple for abusing its power. The criticisms grew harsher after Apple debuted its own advertising network. Even though Apple doesn’t rely on 3rd party data for tracking, the move and the awkward timing make it look like Apple doesn’t do it for user privacy, but merely for its own pocket. Privacy proponents, on the other hand, praise this move by Apple as it gives the end users a choice to allow tracking or not. Both sides have strong opinions. But what do the stakeholders have to say? How have companies been affected by the change from Apple?

In this post, I’ll cite as many opinions from relevant parties in this debate as I can, so readers can form their own opinion. I’ll add my own thoughts on this debate at the end.

Again, look, I think from our perspective, we haven’t really seen a negative impact of the Apple changes. As we said before, it’s beginning to become a more complex world from a data and privacy perspective. I think that makes the advice to give our clients more important. It will have an impact on individual media owners, depending on their business model. And I think those that have been impacted have been those companies that tend to have sort of a big app download business, which is linked very carefully to the ability to track what’s happening. That’s not part of the business in which we really operate, so I think accounts for the — perhaps the surprises that you saw there.

WPP CEO Mark Read – Q3 Earnings Call

Yes. So for us, it didn’t really have much of an impact. We did — like a lot of people, we’re very aware of it. We have a very big brand business which wasn’t significantly impacted at all. And the fact that we are — have a ton of first-party data with all of our users being logged into the service really helped us grow. So we didn’t really see much of an impact at all. We don’t see much going forward, although we’ll continue to monitor it. And Q4, for us, the biggest impact on Q4 will just be continued growth in podcast and in inventory. We know the demand is there. We know the advertisers are there. So for us, it’s just continuing to expand the inventory available for advertisers.

Spotify CFO Paul Vogel – Q3 2021 Earnings Call

Let me also spend a moment on ATT. We continue to see opportunities around personalization on Twitter as we better leverage our unique signal to improve people’s experience and show them more effective ads across both brand and direct response. The revenue impact we experienced from ATT in Q3 increased on a sequential basis but remains modest. The impact of ATT is likely to vary across ad platforms given the unique mix of ad formats, signal and remediations on each as well as other factors, the mitigations we put in place and the speed with which we’ve adopted new standards like the SKAdNetwork and resulting changes across our technical stack have contributed to minimizing the impact to us.

Since the launch of ATT in April, we’ve invested in supporting SKAdNetwork, opening up 30%-plus more inventory and scale on iOS and launch support for view-through attribution and SK Campaign ID management features in the Twitter ads manager. It’s still too early for Twitter to assess the long-term impact of Apple’s privacy-related iOS changes, but the Q3 revenue impact was lower than expected, and we’ve incorporated an ongoing modest impact into our Q4 guidance. We’ve seen our revenue product development, both related to and distinct from ATT, improved the performance of our products, and we expect that to continue.

Twitter CFO Ned Segal – Q3 2021 Earnings Call

In terms of the iOS 14 changes specifically, they had a modest impact on YouTube revenues. That was primarily in direct response. I think as you all know well, focusing on privacy has been core to what we’ve been doing consistently

Alphabet/Google CEO Ruth Porat – Q3 2021 Earnings Call

Rich, thanks so much for the question and share your disappointment. This has definitely been a frustrating setback for us. But I think over the long term, these privacy changes and protecting privacy for users of iOS and, of course, the Snapchat community is really important to the long-term health of the ecosystem and something that we fully support.

I think when we saw these changes coming, our primary focus was the performance of our advertising platform in the face of this signal loss. So could we still really drive advertising performance, optimize campaigns, make sure our ads were in front of the right people. And we spent the vast majority of our engineering time and effort and energy making sure our ads were still really effective. And we did all sorts of revenue back testing to make sure that we could be revenue neutral. And we were really confident in our ability to drive results with our advertising platform despite the signal loss.

But what I think we really underestimated were the tooling changes. And so what I mean by that specifically is that advertisers have essentially for a long time now, used a set of really sophisticated tools to measure and optimize their campaigns. So that allows them to test out a bunch of different creative and see what’s performing more effectively and so on and so forth. And the big change there was that with these new Apple changes, those tools were essentially rendered blind. And in their place, Apple released a new product called SKAdNetwork that allows advertisers to measure across different advertising platforms but without a lot of the flexibility that they’re used to. So for example, you can only really measure your advertising results using the success parameters that Apple has already defined. The reporting is delayed for a significant period of time and often unavailable, if you don’t hit a certain threshold of conversion. It’s very hard to see performance on a creative level.

Snapchat CEO Evan Spiegel – Q3 2021 Earnings Call

A dozen e-commerce companies interviewed by The Wall Street Journal said they now have to spend a lot more money on these ads to get the same number of sales from them that they could expect before the new feature was rolled out. They also can’t get enough data to know how effective these ads are at driving purchases. Many have reduced their ad spending on targeted-ad platforms. In a July poll of 118 e-commerce store owners by eCommerceFuel, 62% said they had decreased their Facebook ad spending since the iOS upgrade.

Source: WSJ

We’ve been open about the fact that there were headwinds coming, and we’ve experienced that in Q3. The biggest is the impact of Apple iOS 14 changes, which has created headwinds for others in the industry as well, major challenges for small businesses and advantaged Apple’s own advertising business. We started to see that impact in Q2, but adoption on the consumer side ramped up by late June, so it hit critical mass in Q3.

Overall, if it wasn’t for Apple’s iOS 14 changes, we would have seen positive quarter-over-quarter revenue growth. And while we and our advertisers will continue to feel the effect of these changes in future quarters, we will continue working hard to mitigate them.

On targeting, we focused on improving campaign performance even with the increased limitations facing our industry. We’re building commerce tools to help businesses reach more new customers and get more incremental sales. And over the longer term, we’re developing privacy-enhancing technologies in collaboration with others across the industry to help minimize the amount of personal information we process while still allowing us to show relevant ads. Progress in these areas will take time and will be a focus for us throughout 2022 and beyond. On measurement, as we wrote in a recent blog post, we believe we are underreporting iOS web conversions. This means real-world conversions like sales and app installs are higher than what’s being reported from many advertisers, especially small advertisers. We’re making good progress fixing this. We think we’ll be able to address more than half of the underreporting by the end of this year, and we’ll continue to work on this into 2022.

Facebook COO Sheryl Sandberg – Q3 2021 Earnings Call

Kathy Huberty: And Tim, as a follow-up. We recently surveyed 4,000 consumers in the U.S. and China, and the feedback is most of them don’t want to pay for apps or services direct with the developer. They value the security, privacy, ease of transactions with the App Store. So how do you think about balancing the regulators push for more choice with a customer base that’s happy with the existing experience?

Tim Cook: The main thing that we’re focused on, on the App Store is to keep our focus on privacy and security. And so these are the 2 major tenets that have produced over the years a very trusted environment where consumers and developers come together and consumers can trust the developers on the developers and the apps or what they say they are and the developers get a huge audience to sell their software to. And so that’s sort of #1 on our list. Everything else is a distant second.

Apple Q4 2021 Earnings Call

My take

This issue features different stakeholders with varied interests. Even from the advertiser side, companies receive the change from Apple in various ways, depending on whether they are affected by it more or less than their rivals. Hence, when it comes to the question of whether ATT is a net benefit change, then we have to ask: for whom? For consumers, I do think it’s a great development. The surveillance tracking has been the standard practice in digital advertising for years. However, it doesn’t have to continue this way in the future. Consumers used to not have a say in the matter. Now they do. The choice is totally up to them and I think it’s great.

For businesses that rely on digital marketing, it’s undeniable that there is a short-term pain. As you can see above, some have to invest more money in digital ads for the same result. While I feel for them, the fact of the matter is that changes in external environments are part of doing business, something that business owners have to encounter and overcome.

Regarding advertisers, I’ll say the same thing. The big change has finally arrived. Advertisers can either adapt to a society that is more conscious of privacy or keep complaining. Based on the commentary above, some advertisers have had little adverse impact so far from ATT. They invested in new tools, first-party data, distribution and products to overcome the obstacle. Even Facebook, the biggest whiner, also talked about how they tried to minimize the impact on their business. I don’t blame Facebook or any advertiser for vocal opposition. They do what they have to for their interest. But if millions of dollars is created in spite of violation of consumer privacy, then perhaps it’s time to change.

For Apple, even though apps and developers are important stakeholders in their ecosystems, the number one priority is still consumers. Whether you like Apple or not, the company is trusted by consumers, especially on the privacy front. For years, they have implemented services, software and hardware features that promote privacy. Because of this track record, for the time being, I believe in Apple. Of course, the company also wants to grow their highly profitable advertising network. Where Apple earns credit is that they manage to find a sweet spot that overlaps the two interests. With that being said, the introduction of Apple Search Ads after ATT plants the seed of doubt over their motive. Does it mean that what Apple did is inherently wrong? Not really. Companies exist to make money and look out for their and their shareholders’ interest. Apple is doing what it believes to be the best for their business. Is Apple a bit too much when it speaks from an ivory tower while launching its own ads network? Yeah, but that’s what every corporate Marketing department does.

Based on what I have seen so far, and I will continue to follow this issue, the advent of ATT is a significant change with big consequences in eCommerce, mobile ads and digital ads. I think a year from now, we will not decry ATT as something that wrecks people’s livelihoods. Instead, it will bring about positive changes and innovation. Perhaps a similar move from Android within the next 2-3 quarters?

Disclaimer: I have a position on Apple, Facebook, Snapchat, Spotify

Weekly readings – 21st December 2019

Argument against direct listings

What Happens After Prisoners Learn to Code?

Google Culture War Escalates as Era of Transparency Wanes


The Wilderness of Suburban Saigon in 1904. Source: Saigoneer

Popcorn is a serious business at AMC theaters

Why Kansas City’s Free Transit Experiment Matters. Regardless of how this experiment will turn out, it will provide a valuable case study, data and motivation for other cities.

The Man Who Built Amazon’s Delivery Machine

The curtain on Vision Fund and Masa was pulled back a little bit more.

The fall from an icon of Sheryl Sandberg

The horrifying truth behind the track of our location data

Weekly readings – 14th November 2019

FDA Approving Drugs at Breakneck Speed, Raising Alarm

Climate change: Oceans running out of oxygen as temperatures rise

Should I delete Tinder? These millennials think so

The lesson to unlearn

Why some of America’s top CEOs take a $1 salary

The Video-First Future of Ecommerce

How Airbnb Profits From Our Love of Experience

This article talks about how Apple’s stance on privacy makes life harder for advertisers.

Startups and Uncertainty

A very interesting study on podcasts

How Apple’s Find My feature works

Wired published details on how the Find My feature on Apple devices will work. The feature allows Apple users to find lost or stolen devices even when the devices are offline. Below is my understanding of the process and an attempt to illustrate how it works with visuals for easier interpretation.

Here’s how the new system works, as Apple describes it, step by step:

When you first set up Find My on your Apple devices—and Apple confirmed you do need at least two devices for this feature to work—it generates an unguessable private key that’s shared on all those devices via end-to-end encrypted communication, so that only those machines possess the key.

Each device also generates a public key. As in other public key encryption setups, this public key can be used to encrypt data such that no one can decrypt it without the corresponding private key, in this case the one stored on all your Apple devices. This is the “beacon” that your devices will broadcast out via Bluetooth to nearby devices.

That public key frequently changes, “rotating” periodically to a new number. Thanks to some mathematical magic, that new number doesn’t correlate with previous versions of the public key, but it still retains its ability to encrypt data such that only your devices can decrypt it. Apple refused to say just how often the key rotates. But every time it does, the change makes it that much harder for anyone to use your Bluetooth beacons to track your movements.

Say someone steals your MacBook. Even if the thief carries it around closed and disconnected from the internet, your laptop will emit its rotating public key via Bluetooth. A nearby stranger’s iPhone, with no interaction from its owner, will pick up the signal, check its own location, and encrypt that location data using the public key it picked up from the laptop. The public key doesn’t contain any identifying information, and since it frequently rotates, the stranger’s iPhone can’t link the laptop to its prior locations either.

The stranger’s iPhone then uploads two things to Apple’s server: The encrypted location, and a hash of the laptop’s public key, which will serve as an identifier. Since Apple doesn’t have the private key, it can’t decrypt the location.

When you want to find your stolen laptop, you turn to your second Apple device—let’s say an iPad—which contains both the same private key as the laptop and has generated the same series of rotating public keys. When you tap a button to find your laptop, the iPad uploads the same hash of the public key to Apple as an identifier, so that Apple can search through its millions upon millions of stored encrypted locations, and find the matching hash. One complicating factor is that iPad’s hash of the public key won’t be the same as the one from your stolen laptop, since the public key has likely rotated many times since the stranger’s iPhone picked it up. Apple didn’t quite explain how this works. But Johns Hopkins’ Green points out that the iPad could upload a series of hashes of all its previous public keys, so that Apple could sort through them to pull out the previous location where the laptop was spotted.

Apple returns the encrypted location of the laptop to your iPad, which can use its private key to decrypt it and tell you the laptop’s last known location. Meanwhile, Apple has never seen the decrypted location, and since hashing functions are designed to be irreversible, it can’t even use the hashed public keys to collect any information about where the device has been.

THE CLEVER CRYPTOGRAPHY BEHIND APPLE’S ‘FIND MY’ FEATURE
Exhibit 1 – Two devices each have their own public key and a shared private key
Exhibit 2 – A step-by-step illustration of the process, from top to bottom

If you think there are any errors in my understanding of how this works, please leave me a comment and share your thoughts.
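
The flow quoted above, as an added example that is not from Wired, Apple or the original post. Because the page says Apple did not explain the rotation scheme, this uses a stand-in construction: per-period exponents derived with HMAC from the shared secret, a demo Diffie-Hellman group, and a SHA-256 keystream with an HMAC tag; all names and the sample coordinates are constructed.

```python
import hashlib
import hmac
import secrets

# Demo group (assumption): the Mersenne prime 2**521 - 1 with base 3, chosen so the
# example needs only the standard library. Not the parameters of any real system.
P = 2**521 - 1
G = 3
NBYTES = 66  # enough bytes to hold a 521-bit group element


def period_private(master: bytes, period: int) -> int:
    """Private exponent for one rotation period, derived from the shared secret."""
    mac = hmac.new(master, b"rotate" + period.to_bytes(8, "big"), hashlib.sha512)
    return int.from_bytes(mac.digest(), "big") % (P - 2) + 1


def period_public(master: bytes, period: int) -> int:
    """The rotating public key a device would broadcast during `period`."""
    return pow(G, period_private(master, period), P)


def key_id(public: int) -> str:
    """Hash of a public key: the only identifier the server ever sees."""
    return hashlib.sha256(public.to_bytes(NBYTES, "big")).hexdigest()


def seal_keys(shared: int):
    """Split a Diffie-Hellman shared value into encryption and MAC keys."""
    base = shared.to_bytes(NBYTES, "big")
    return hashlib.sha256(b"enc" + base).digest(), hashlib.sha256(b"mac" + base).digest()


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, standing in for a real authenticated cipher."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def finder_report(beacon_public: int, location: str) -> dict:
    """What a passer-by's phone uploads: key hash plus location sealed to the beacon."""
    eph = secrets.randbelow(P - 2) + 1
    enc_key, mac_key = seal_keys(pow(beacon_public, eph, P))
    data = location.encode()
    ct = bytes(a ^ b for a, b in zip(data, keystream(enc_key, len(data))))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return {"id": key_id(beacon_public), "eph": pow(G, eph, P), "ct": ct, "tag": tag}


class Server:
    """Stores opaque reports indexed by key hash; holds no private key."""
    def __init__(self):
        self.reports = {}

    def upload(self, report: dict) -> None:
        self.reports.setdefault(report["id"], []).append(report)

    def lookup(self, ids) -> list:
        return [r for i in ids for r in self.reports.get(i, [])]


def owner_locate(master: bytes, server: Server, now: int, lookback: int) -> list:
    """Second device: re-derive recent key hashes, fetch matches, decrypt locally."""
    periods = {key_id(period_public(master, p)): p
               for p in range(max(0, now - lookback), now + 1)}
    found = []
    for r in server.lookup(periods):
        period = periods[r["id"]]
        enc_key, mac_key = seal_keys(pow(r["eph"], period_private(master, period), P))
        expected = hmac.new(mac_key, r["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, r["tag"]):
            continue  # corrupted or forged report: drop it
        plain = bytes(a ^ b for a, b in zip(r["ct"], keystream(enc_key, len(r["ct"]))))
        found.append((period, plain.decode()))
    return sorted(found)


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # shared by the owner's devices at setup
    server = Server()
    # Constructed sightings: the lost laptop is heard in periods 41 and 43.
    server.upload(finder_report(period_public(master, 41), "10.7769,106.7009"))
    server.upload(finder_report(period_public(master, 43), "10.8231,106.6297"))
    print(owner_locate(master, server, now=45, lookback=5))
```

The lookback window follows the suggestion attributed to Green in the quote: the second device uploads hashes of a series of earlier public keys, so a sighting from before the latest rotation can still be matched.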

GDPR – Positive impact on firms

Last May, GDPR officially went into effect. Under GDPR, users are given more privacy rights and firms have to adhere to stricter privacy regulations than ever unless they want to be subject to hefty fines. Under GDPR, fines can go up to 20 million euros or 4% of a firm’s global revenue. In the case of companies such as Google or Facebook, which earn to the tune of billions of dollars in annual revenue, the fines could be significant.

I have been in favor of GDPR. Even though it’s not perfect as in the case of any laws enacted for the first time, I believe that with GDPR, we are going in the right direction. Below are a few examples:

According to Cisco 2019 Data Privacy Benchmark Study:

GDPR-ready companies are benefitting from their privacy investments beyond compliance in a number of tangible ways. They had shorter sales delays due to customer’s privacy concerns (3.4 weeks vs. 5.4 weeks). They were less likely to have experienced a breach in the last year (74% vs. 89%), and when a breach occurred, fewer data records were impacted (79k vs. 212k records) and system downtime was shorter (6.4 hours vs. 9.4 hours). As a result, the overall costs associated with these breaches were lower; only 37% of GDPR-ready companies had a loss of over $500,000 last year vs. 64% of the least GDPR ready

Ad trackers were reduced, leading to faster-loading pages and a more pleasant user experience. Big firms are held more accountable. Google was fined $57 million for its GDPR violations. Without the new regulation, I believe that the amount would have been much less. California passed their toughest privacy laws after being inspired by GDPR.

There is an argument that GDPR might lead to less competition in the advertising fields as only the likes of Google and Facebook have the resources to meet the requirements. An initial study seemed to support that.

Nonetheless, I think that even without GDPR, who could challenge Facebook and Google when it comes to serving ads? At least when there are more rights and protection given to the end users, we get some power back to the users and hold firms to a higher standard. After all, innovation comes only from our raising standards, doesn’t it? Hence, GDPR is still a good move in the right direction and should be improved incrementally in the future. As a result, firms should pay more attention to privacy and security. It will no longer be a check-off-the-list item. It will be a competitive advantage moving forward, especially when everything goes digital.

Facebook & Privacy First Mentality

Quite a week for Facebook

It has been quite a few days for Facebook. First, two days ago on Techcrunch:

Facebook has confirmed it does in fact use phone numbers that users provided it for security purposes to also target them with ads.

Specifically a phone number handed over for two factor authentication (2FA) — a security technique that adds a second layer of authentication to help keep accounts secure.

Then, a bombshell was dropped yesterday. Per Wired:

ON FRIDAY, FACEBOOK revealed that it had suffered a security breach that impacted at least 50 million of its users, and possibly as many as 90 million. What it failed to mention initially, but revealed in a followup call Friday afternoon, is that the flaw affects more than just Facebook. If your account was impacted it means that a hacker could have accessed any account that you log into using Facebook.

Facebook’s track record in data security and privacy hasn’t been particularly stellar recently. 2018 is not 2010. Facebook doesn’t have the same dominant position as it used to in the social network market any more. Users have plenty of alternatives and substitutes to spend their time on. These scandals, coupled with its role in the “free speech vs hate speech” row, don’t do any good to Facebook’s image as well as its appeal to users when privacy has become more and more pressing as a concern to users.

Privacy & regulations

I have been resigned to the fact that there is no anonymity on the Internet and that complete privacy isn’t possible. Yet, when users trust a company with their data, whatever the data is, it’s the company’s responsibility to protect such data. As many important aspects of our lives take place on the Internet, the need to feel safe online is more overwhelming than ever. Without feeling safe, how could users feel comfortable using a service? Privacy and data security will be, if they are not already, expected by default of companies. It’s not a nice-to-have feature any more. It’s a do-or-see-your-competitors-get-ahead game.

But companies are not in the business to lose money. If they are not legally required to bolster their security, don’t expect them to. That’s why companies fought hard against GDPR or privacy laws passed in California this year. And this is where I don’t understand the criticisms of some towards regulations such as GDPR. Yes, no law is perfect, especially in the beginning. That’s why we have amendments. GDPR is not an exception. It is a great first step to give power back to users and force companies to be liable for their actions/inactions.

A common criticism that I came across towards GDPR is that it makes it too expensive for small companies and startups to comply, widening the moat or competitive advantage gap between giants such as Google/Facebook and SMBs. Well, if a company with a deep pocket and better security measures has 10% of its 500,000 user base breached, the impact is 50,000 users. If a small company with fewer resources and much weaker security measures loses all of its 50,000 users, the impact is the same as in the first scenario. Hence, breaches at SMBs can have significant damages and ramifications as well.

Sure, the best case scenario is to have different levels of compliance applied to companies of different size. I’d love to see that happen. Nonetheless, without privacy regulations, imagine how much companies would care about our data and how much of a mess it would be. Despite having HIPAA in place, every year has been a banner year of cybersecurity in healthcare in the US and healthcare organizations spend 3% of their IT budget on cybersecurity. Verizon reported in their 2018 Payment Security Report that only 40% of all interviewed companies in North America maintained full compliance with PCI. Despite all the scandals related to data security in the past, Facebook still lets more unfortunate events happen. To be fair, I don’t imagine having impeccable security is easy. However, would companies even try to secure your data without any legal requirements?

Progress happens when we raise standards. Would cars be more environmentally friendly if we hadn’t enforced regulations on emission quality? If a university wants to raise its standard for incoming students, will it lower or raise the requirement for GMAT/SAT? Will a drug be safer for patients if the FDA enforces more or fewer tests? Big companies have the means to comply with stringent privacy regulations. Small companies/startups, though difficult, have more access to capital funding. Plus, public cloud providers are investing to have their infrastructure compliant with many compliance regulations (See more here for AWS compliance and Azure compliance). Regardless of size, companies have to take privacy seriously and consider it an integral piece of the puzzle, a competitive advantage if done right or a threat to their competitiveness if ignored.

Government or Tech Corporations for our data and privacy

I had a brief conversation with a few close friends on Whatsapp on how to remain anonymous on the Internet and the role of governments and technology corporations in the fight to protect our data and privacy from being abused. As much of our life involves Internet, whether it is for work or personal use, the issue of our personal data and privacy becomes more overwhelming than ever. The question is who we can trust with our data: the governments or tech corporations.

Regarding governments, it’s safe to say that they haven’t done much to generate confidence. Many of my peers express lack of confidence in the governments to handle a huge amount of data and protect it from breaches. Worse, some said that data could be used to violate their privacy. For instance, the US government requested Apple to build a backdoor to iPhone. The Australian government wanted to build backdoors into encrypted communications apps. Even though I am convinced that having access to encrypted content may be required in some extreme cases (investigation, terrorist threats), the fact that the governments forcefully want to build backdoors to our device/data doesn’t really feel so good.

On the side of technology corporations, they need no introduction. They are motivated to acquire as much of our data as possible. In some cases, they know about us more than we know ourselves. But they don’t actually protect our data well, to say the least.

Personally, I don’t think it is possible anymore to remain anonymous in this day and age. We are past the point of doing anything about the technology companies having our data. As long as we rely on their services for productivity and social purposes, we cannot avoid them. The same goes for the governments. When served with subpoenas, corporations have no choice, but to surrender our data.

Both have motivation to go against our wishes. Both don’t have our full confidence. Nonetheless, it’s not possible to choose one over the other. I believe that governments can keep technology companies in check with regulations such as GDPR, HIPAA or PCI. Citizens can elect officials who care about consumers/users to the office. On the other hand, technology companies can push the governments to evolve and not to slack off.

Each has a role to play in this check-and-balance system. It may sound idealistic, but I believe that it is our reality. Governments and big tech corporations are not going away any time soon and from our perspective as citizens/consumers, we need both to keep the balance. How will it be achieved? I don’t know. But I don’t think that it’s a zero sum game or that it is in our interest to favor one side over the other.