6 Burning Questions About Apple’s ATT Privacy Framework


AppTrackingTransparency enforcement officially began in late April.

But advertisers, publishers and mobile ad tech vendors are still grappling with a lot of head scratchers – and the dust is far from settled.

Until the release of iOS 14.5 last month, among the biggest unknowns consuming the mobile ad ecosystem was the agita-inducing question of timing for Apple’s new privacy framework.

That was only the beginning.

Here are the top unanswered questions that developers and ad tech companies still have about ATT opt-in rates, SKAdNetwork, how ATT functions (or doesn’t) and the impact that Apple’s policies will have on ad targeting and measurement.

1. Will Apple give advertisers more transparency into SKAdNetwork?

SKAdNetwork is Apple’s homegrown attribution API for iOS 14. Tracking is limited to the campaign level so that advertisers and publishers can see only aggregated user insights.

This limitation is in place by design as a privacy-preserving mechanism. If a user installs an advertised app within a certain attribution window, the user’s device sends a postback directly to the ad network that deserves the credit. The ad network then shares that information with the advertiser.

But that process introduces opacity, said Alasdair Pressney, director of product strategy at AdColony, and there’s no reason for the extra step.

“In order to increase transparency across the industry, it would be a logical evolution for the postback to be delivered directly to both the advertiser and the network simultaneously by Apple,” Pressney said.

2. Will Apple address the issue of validation to ensure that all of the information in a SKAdNetwork postback is authorized and unaltered?

In order to prevent fraud, a cryptographic signature is added to postbacks. Third parties can validate that signature using a public key supplied by Apple.

Mobile measurement partners (MMPs) have been positioning themselves as one-stop-shops to verify and aggregate SKAdNetwork postbacks on behalf of advertisers working with multiple ad networks.

But SKAdNetwork postbacks aren’t impervious to meddling. As it stands, conversion values – the six bits of data that developers can use to map to different conversion events or revenue information – are not verified using the cryptographic install signature, Pressney said.

Because conversion values aren’t part of the cryptographic signature, MMPs could “obfuscate and therefore devalue SKAdNetwork signals in favor of their own products,” he said. “And this makes it harder for everybody to build products that support SKAdNetwork properly.”
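The gap described above, as an added example (not code from Apple, AdColony or this article): a Node.js verifier that checks a postback's signature and reports which fields it does and does not cover. The field names, their signing order and the separator are assumptions modelled on the SKAdNetwork 2.2 postback format, and a throwaway P-256 key pair stands in for Apple's signing key.

```javascript
const crypto = require('node:crypto');

// Assumption: fields covered by the install signature, in signing order,
// modelled on the SKAdNetwork 2.2 postback. 'conversion-value' is not among them.
const SIGNED_FIELDS = ['version', 'ad-network-id', 'campaign-id', 'app-id',
  'transaction-id', 'redownload', 'source-app-id', 'fidelity-type'];
const SEP = '\u2063'; // invisible separator between signed fields (assumption)

function signedString(postback) {
  return SIGNED_FIELDS.map((f) => {
    if (!(f in postback)) throw new Error(`missing signed field: ${f}`);
    return String(postback[f]);
  }).join(SEP);
}

// Verify the signature and report which fields it does and does not vouch for.
function verifyPostback(postback, publicKey) {
  let valid = false;
  try {
    const sig = Buffer.from(postback['attribution-signature'] || '', 'base64');
    valid = crypto.verify('sha256', Buffer.from(signedString(postback)), publicKey, sig);
  } catch (err) {
    valid = false; // malformed signature or missing field: treat as unverified
  }
  const unauthenticated = Object.keys(postback)
    .filter((k) => k !== 'attribution-signature' && !SIGNED_FIELDS.includes(k));
  return { valid, authenticated: valid ? [...SIGNED_FIELDS] : [], unauthenticated };
}

// Constructed sample data; a throwaway P-256 key stands in for Apple's signing key.
function demo() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const original = { version: '2.2', 'ad-network-id': 'example123.skadnetwork',
    'campaign-id': 42, 'app-id': 1000000001, 'transaction-id': 'constructed-txn-0001',
    redownload: false, 'source-app-id': 1000000002, 'fidelity-type': 1,
    'conversion-value': 20 };
  original['attribution-signature'] = crypto
    .sign('sha256', Buffer.from(signedString(original)), privateKey).toString('base64');
  return {
    original: verifyPostback(original, publicKey),
    // Same postback after an intermediary relays it with one field changed:
    conversionChanged: verifyPostback({ ...original, 'conversion-value': 3 }, publicKey),
    campaignChanged: verifyPostback({ ...original, 'campaign-id': 43 }, publicKey),
  };
}

console.log(demo());
```

A receiver that gets postbacks through an intermediary can use the `unauthenticated` list to decide which values need corroboration from another source before they are trusted.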

3. When will web-to-app campaigns be supported by SKAdNetwork if a user doesn’t opt in?

SKAdNetwork exists to help advertisers and publishers with their app-based attribution. Apple also built an attribution tool called Private Click Measurement (PCM) to help track app-to-web campaigns as well as purely web-based customer journeys.

For now, PCM app-to-web is only supported for Safari, iOS and iPadOS, although Apple plans to enable other default browsers down the line.

But there is currently no attribution solution on iOS for web-to-app user flows, such as when a user is directed to the App Store after clicking on a mobile web display ad.

“If the user does not opt in,” said Paul Müller, CEO and co-founder of AppLovin-owned Adjust, “iOS 14 does not offer any solution to get campaign performance.”

4. How long will it take for ad targeting performance to diminish in apps and will opt-in rates improve?

Depending on whom you ask, ATT opt-in rates aren’t too bad, all things considered … or they’re in the toilet.

“There is an impending sense of dread creeping into the targeted ad ecosystem,” said Mike Shaughnessy, COO of Kargo, pointing to The Trade Desk’s stock, which fell by 25% last week in part due to the uncertain future of targetability.

One reason the ATT opt-in numbers are all over the map is that people are using very different methodologies to calculate the rates.

But math aside, there’s no disputing the fact that developers will need to do a lot of testing to figure out the best practices for their ATT prompts and pre-prompts if they want to secure opt-ins.

For example, “is there a specific step or moment in the user’s journey that generates the highest opt-in rates, especially in the gaming vertical?” said Moshe Vaknin, CEO and founder of mobile monetization company YouAppi.

According to Adjust’s internal research, the size of the pre-permission prompt, when it’s displayed, and the placement and copy used in the call-to-action button, can all have a direct impact on whether a user chooses to opt in.

5. Will publishers change the way they evaluate their SDK partners now that Apple is enforcing ATT?

Developers should always be careful about who they work with, but vetting third-party partners is even more important now.

If an app includes third-party code that combines user data with other developer data to target or measure ads, Apple considers that to be a violation of its ATT policy – even if the app doesn’t use the SDK in question for those purposes.

Apps that use SDKs that engage in fingerprinting could be rejected from the App Store.

In other words, and in Apple’s own words, “developers are responsible for all code included in their apps.”

The question now is whether app developers will start to increase their vigilance about which SDKs they use since the stakes are so high, said Paulina Klimenko, chief growth officer at PubMatic.

In April, a little less than three weeks before iOS 14.5 was released, Apple started flagging apps that had the Adjust SDK integrated for allegedly fingerprinting users. Adjust quickly updated its source code.

6. Will Apple be able to enforce ATT consistently?

Apple has publicly denounced the use of alternative universal identifiers, such as hashed email, as a replacement solution for IDFA, said Charles Mi, CTO of data company Adara.

That’s the case even if the data was collected with consent elsewhere. Apple requires that any data used in its app ecosystem be collected via the ATT framework.

But it’s unclear exactly how Apple will effectively enforce its own policies. As Craig Federighi, Apple’s SVP of software engineering, told The Wall Street Journal last month, “We can’t ensure at the system level that [developers] are not tracking. We can do so at the policy level.”

So, watch this space. In the meantime, it’s messy out there.
