The Privacy Arms Race May Kill Ad Tech

A dangerous digital advertising arms race is brewing as browser makers try to prevent cross-site tracking. The desire of digital ad companies to keep tracking users, despite browsers’ preventative privacy measures, is leading our industry down a hazardous path for users, browser makers, and ad tech.

In an effort to protect user privacy, browsers are taking away the conventional ability to track users. However, this move has inadvertently incentivized advertising companies to resort to shadier, more covert ways of tracking such as fingerprinting. The methodology involves collecting a number of data points that, individually, do not uniquely identify a person, but when put together, end up being unique. With fingerprint methodologies, the collection of ID information doesn’t actually live in the browser – so a user wouldn’t be able to ‘reject’ fingerprinting. They may not even know it is happening. While I believe this is wrong and refuse to engage in such practices, many companies are unprincipled and will do whatever they deem necessary to maintain the status quo for their business.

These tracking methods lack the user-controllability and observability that exists with cookies today. With cookies, at the very least, users could find the tools to block them if they don’t want to be tracked. With fingerprinting tactics, users cannot shield themselves from these – there are no user controls on browsers and devices. Users are being acted upon automatically. As a result, privacy-conscious users are left with no choice but to resort to ad-blocking as a means of preserving their privacy. We should not be incentivizing users to install ad blockers – that’s bad for the online advertising ecosystem as a whole.

Moreover, there are side effects as browsers react to covert tracking and attempt to stop it. These side effects affect everyone in ad tech, even those who do not intend to engage in covert tracking. For example, the ‘Hide my IP from known trackers’ feature in Safari now interferes with basic geotargeting and fraud prevention by routing all requests through iCloud Private Relay servers when the browser is connecting to any known advertising domain.

It’s easy to see our industry headed towards a vicious cycle, a cat-and-mouse game of increasingly covert (and difficult to block) tracking, with increasing countermeasures from browsers that have further negative side effects on ad tech. The stance of browsers makers is principled and ideological – that users should not be tracked across sites and apps. I am sympathetic to this view – if we could start ad tech all over again, we never should have assumed that we could track people on an opt-out basis.  But it would be foolish to try and simply will away the world that exists today.

Stopping the arms race before it’s too late. Next steps:

1. Industry self-regulatory bodies to prohibit covert tracking methodologies and only permit tracking via methodologies intended by browsers. If they won’t enforce, the regulators will step in.
2. Browser makers to try and meet ad tech in the middle. While I understand their ideological position, this may not get their desired outcome. They want no cross-site tracking, but what is going to result is worse, covert cross-site tracking. The attempt to take away “well-lit” ways to track makes it worse. A pragmatic path is to offer browser-provided, and critically, explicitly user-controllable mechanisms. Ban everything else. This dissuades covert tracking, and enables users to avoid tracking (if they wish).
3. Principled ad tech players to be proactive in calling out bad behavior and spreading the word.

The ongoing battle between browsers makers and the digital advertising industry is detrimental to all parties involved. It is crucial for industry self-regulatory bodies, regulators, and browser/OS makers to take practical steps to stop this dangerous path and find a way to end the arms race.