How will online ad auctions function and preserve privacy after the third-party cookie is phased out? No one knows yet, but many in the industry are thinking hard about the possibilities. 

One approach is to add an optional extension to Chrome’s FLEDGE (First Locally-Executed Decision over Groups Experiment), a proposal that is part of Google’s Privacy Sandbox basket of initiatives.

Publishers have indicated that they are interested in the idea of being able to create audiences and decide how those audiences are used within the FLEDGE ecosystem rather than outside of it. This proposal remixes how much processing lives on a user’s device and how much is off-device in a trusted server. 

A trusted intermediary called a Trusted Audience Server positioned between a device, and ad tech buyers could benefit publishers, users, and even Chrome itself. 

New Opportunities for FLEDGE

The tweaks pertain to two facets of FLEDGE. For starters, consider that FLEDGE’s privacy model centers the creative as the grain of privacy control. The model assumes that information about the creative is the most crucial privacy consideration, rather than information about the user or the user’s attributes. 

The grain of privacy metering shouldn’t be the creative but rather the segment information about a user. For example:

• Did the user see a creative? 
• Why did a user see the creative?
• Who thinks the user is, say, a dad of two?
• Who learns that the user saw the creative?

There’s a way to do this where the element controlled in an auction is the segment unit. 

Secondly, FLEDGE prohibits the creator of an audience segment from allowing other entities to make use of its segment. For instance, with FLEDGE, a home goods retailer publisher couldn’t let a smaller retailer advertise to the publisher’s visitors who have looked at rugs recently. This aspect should be modified as well.

The Roles a Trusted Server Can Play

A trusted server is a computer partner that holds information about a user’s domain or site-scoped identity but can be trusted to maintain that data in a way that restricts outside parties from reconstituting it and gaining a picture of a user.

These trusted servers could be owned by publishers through data management platforms (DMPs) or supply-side platforms (SSPs) and maintain all the privacy guarantees of an ad being self-contained and malware-free.

In addition, segments could live on the trusted server rather than in the browser. Publishers would control these segments. For example, with a trusted server, that home goods publisher could allow the smaller retailer to purchase a segment of rug shoppers.

How an Extension of a Trusted Audience Server Would Work 

Although the current version of FLEDGE has notions of trusted signals on the seller side and bidding signals for the buy side, it ultimately relies very little on an external trusted server.

Here’s how a Trusted Audience Server could work in FLEDGE:

1. First, publishers would create segments in the trusted server with a publisher-scoped ID and segment IDs of their choice.

2. They would later get segments from the server, which decides which segments it is allowed to reveal in an auction.
   
   It can consider whether an ID is used on other sites and is therefore not allowed, for example. It can offer k-Anonymity for minimum group size. It can also ensure differential privacy so potential attackers can’t discern whether or not an individual is a group member.

3. Publishers could choose to run an auction off-device on the trusted server instead of on the browser.
   
   So, rather than asking Chrome to run an auction and put the winning ad in the slot, as FLEDGE would currently, an ad tech company could follow an optional route: “For this given ad slot, here’s the ad bundle that has won an auction. Please insert it.” This could happen if the FLEDGE API is extended with something like navigator.renderWinningad instead of runAdAuction.

A Beneficial Tweak That Preserves Core Guarantees

The proposal permits—but doesn’t require—auction mechanics outside of the browser. However, most benefits, including for Chrome, derive from running the auction off-device. 

What advantages would Chrome gain by not being the auctioneer?

• It wouldn’t have to manage millions of segments.
• It wouldn’t need to worry that segments stored on the user’s browser could slow it down. 
• It wouldn’t need to provide auction mechanics debugging support or build debugging tools that could be abused.
• It could focus on privacy, improving speed, and the user’s web experience.

Meanwhile, even if the browser doesn’t run the auction, it still receives a self-contained ad WebBundle and remains wholly responsible for rendering and attributing the ad. In addition, the ad continues to render in a FencedFrame that prohibits communication between the ad and the publisher and prevents publisher and advertiser collusion. 

A Trusted Server Can Do the Heavy Lifting While Safeguarding Privacy

There are substantial advantages in running auctions on a trusted server and storing segments on the server rather than in the browser. 

To sum up, a Trusted Audience Server would have these responsibilities: 

• Logging publisher-scoped segments
• Permitting and metering access to those segments from publishers that created them or publishers’ agents
• Ensuring no cross-site identifiers or identities are being used or produced
• Running a privacy-preserving auction
• Providing basic reporting on auction results

A version of FLEDGE with a trusted server could be the alternative publishers seek for the post-cookie world.

The post Extending FLEDGE’s Wings to Embrace a Trusted Server for Audiences appeared first on TripleLift.

Chrome’s announcement to deprecate third-party cookies and provide alternative rails for some functionality that currently relies on third-party cookies via Privacy Sandbox hit the advertising industry like lightning. The Privacy Sandbox is a set of proposals to make the internet more privacy-friendly for users.

At the same time, providing a route for ad-supported content creation for publishers and a valuable advertising channel for brands. To know what’s possible, the Chrome team publishes and iterates on proposals under the auspices of the W3C community groups. Most of the coordination is happening via W3C regular meetings and Github. Additionally, other companies have carefully crafted proposals to protect user privacy while preserving the value of personalized advertising.

Understanding the differences between the proposals requires awareness of where the conflict lies. Each proposal puts a stake in the ground. All of the details flow from that. However, knowing which proposal elements were deliberate and which elements simply flow from deliberate decisions takes some investigation.

Here we analyze each proposal’s core design decision and separate its essential statement from its thesis’s technical consequences. The core Privacy Sandbox question is, “Who can the browser trust, and with what information?”

On one side is the status quo. Most parties can send and receive information from the browser if the publisher permits or delegates the interaction. Conversely, the user’s browser sits between the user and every website they visit. The browser extracts information from the site but prohibits the site from understanding its audience.

Each Privacy Sandbox proposal answers this question at its core, with substantial consequences for publishers, advertisers, and the future of the ad-supported web.

Google’s Bird of a Feather

The bird name puns began on August 19, 2019, when Google published the original FLOC proposal. FLOC, or Federated Learning of Cohorts, provides some of the value of cross-site behavioral advertising. Although, without enabling cross-site identity for anyone other than the browser. FLOC places users into cohorts based on common web browsing behaviors and patterns. There are no predefined buckets of “similar” browsing patterns; they emerge organically, and browsers are grouped based on common observations. Chrome doesn’t know what a particular cohort ID represents, but users in the same cohort exhibit similar browsing behaviors. This would enable advertisers to identify which cohorts appear valuable for their campaigns. And, therefore, target advertising to those cohort IDs on other sites, but without needing a user identifier.

Advertising audience data can be split into two sources: publisher-side and advertiser-side. The publisher has some information about the impression that may be relevant to advertisers. Advertisers have some information about the kinds of users they want to reach. This audience’s intersection creates a good ad opportunity. FLOC provides publisher-side information about an ad impression’s value to advertisers that may not have previously interacted with this particular browser. Therefore, it’s intended for prospecting use cases. Chrome ran an origin trial for FLOC in early 2021 and is redesigning based on participants’ and interested parties’ feedback.

FLOC’s answer to the question of whom to trust and with what information is to trust the browser with cross-site browsing information and to distrust all other parties. This includes the publisher, but with the promise that the results will be available to the publisher and its advertisers.

Just One TURTLEDOVE

The bird name puns continued when Chrome published the original TURTLEDOVE proposal on January 16, 2020. TURTLEDOVE stands for Two Uncorrelated Requests, Then Locally-Executed Decision On Victory. In Turtledove, the browser holds the auction on-device by soliciting bids in two separate requests. The first is a contextual request that includes items like the website URL. The second request includes information about what ads the user may be interested in seeing.

Whereas FLOC is helpful to advertisers for general interest-targeting or prospecting, FLEDGE attempts to fill the use-case gap of retargeting or advertiser-driven audience selection.

TURTLEDOVE’s Origin Trial is known as FLEDGE (“First Locally-Executed Decision over Groups Experiment”). So, when you hear about FLEDGE changes, those changes are the direct evolution of TURTLEDOVE via the FLEDGE experiment.“The FLEDGE proposal” is TURTLEDOVE plus modifications made in the trial stages.

So, where does TURTLEDOVE draw the line between trust and openness? TURTLEDOVE’s core thesis trusts only the browser. This is evidenced by the design decision to have all InterestGroups live on the browser, regardless of membership size. To protect individuals’ privacy and mitigate de-identification attacks based on placing users in very small segments, TURTLEDOVE took the extreme design decision of keeping all InterestGroups on the browser, whether they presented a privacy risk or not.

SPARROW — Criteo Spreads its Wings

Next, Criteo’s SPARROW, published on GitHub on April 22nd, 2020, offered a different path to achieving the same privacy desiderata as TURTLEDOVE. But with an alternative mechanism. SPARROW stands for Secure Private Advertising Remotely Run On Webserver. SPARROW’s primary iteration on the slightly-earlier TURTLEDOVE is the introduction of a publisher-side “Gatekeeper” function fulfilled by a server. This Gatekeeper is a server trusted by the publisher and browser to protect the user’s privacy. It enables a solution that relies on server-side processing instead of keeping everything in-browser, regardless of privacy impact.

In SPARROW, the browser sends a bid request to the Gatekeeper server that contains contextual and behavioral information colocated in that request. But the Gatekeeper ensures that the colocated behavioral and contextual data doesn’t leak further. Contrary to TURTLEDOVE, which triggers two bid requests, one with and one without contextual data, SPARROW posits separating contextual from behavioral data in a bid request doesn’t need to occur on the browser. By enabling an off-device server to perform the separation, SPARROW offers some advantages without compromising the user’s privacy guarantees.

First, reporting, pacing, and some attribution can occur in real-time or near-real-time instead of delayed or not in a world where the browser has no trusted off-device server to trust.

Second, SPARROW claims introducing this Gatekeeper function into the ad tech ecosystem can occur much more quickly. This is because it can be implemented in parallel with the current infrastructure, causing smoother and less disruptive fast adoption. 

What core argument is SPARROW making about whom to trust? SPARROW makes two arguments. First, SPARROW argues the trust boundary can be enlarged to include the browser. Parties that act on the users’ and publishers’ behalf can be fortified with technical guarantees that don’t require blind trust. SPARROW’s second core argument is for a substantial amount of online advertising, individual profiles are unnecessary. They say advertisers want to buy audiences and measure the effectiveness of the audiences. They don’t need large-scale individual-level cross-site analysis to be effective.

PARAKEET — Microsoft Edge’s Final (Bird) Word

Finally, Chrome isn’t the only browser adopting new privacy-protecting measures. The Microsoft Edge team published the PARAKEET proposal in February 2021. PARAKEET stands for “Private and Anonymized Requests for Ads that Keep Efficacy and Enhance Transparency.” Building on TURTLEDOVE’s goals and SPARROW’s insights, PARAKEET zeroes in on limiting the amount of granular high-fidelity information leaving the browser. However, it attempts to optimize user privacy and ad efficacy simultaneously. PARAKEET rejects the assumption that user privacy and ad effectiveness can’t coexist and redefines the challenge of solving for both.

The PARAKEET proposal, like SPARROW, introduces the idea of a trusted server doing some off-device computation to gain the benefits of an aggregated view of what information has been shared with parties previously. It’s something the browser can’t feasibly do alone today. Think of PARAKEET as a filter that constantly checks how much information about a particular browser has been shared with each recipient. And in real-time, it obfuscates or removes key pieces to ensure that the recipient can’t meaningfully single out that browser. This obfuscation and information removal can be done in a way that’s mathematically guaranteed to make it nearly impossible for a bad actor to re-identify a browser.

What’s Next

Each proposal has clarified the options in front of us and which tradeoffs are unavoidable. By Q3 2023, we expect the Privacy Sandbox APIs to be launched and generally available in Chrome. As developers adopt these APIs, we now intend to begin phasing out third-party cookies in Chrome in the second half of 2024. You can always find up-to-date timelines and milestones on the Privacy Sandbox website. The immediate path forward continues iterating on these proposals. It develops technical specifications that work for all major publishers and advertisers to continue monetizing content. This also includes advertising products to potential customers and protecting consumer privacy.

The post Privacy Sandbox, Parakeet & the Birds: What’s all the Squawking About? appeared first on TripleLift.

Digital advertising is changing rapidly. This is in response to increasing demands for consumer privacy from governments, privacy advocates, companies, and consumers worldwide. These changes impact the digital advertising ecosystem and force companies to reconsider how they understand advertising and the internet.

For over a decade, digital advertising has focused on reaching individual consumers with tailored ads. Based on insights or inferences about their online behavior. However, this is being challenged due to the global shift towards greater privacy and data security.

When Apple updated iOS devices to iOS14.5, the ad industry saw how addressability would change when third-party cookies are deprecated. According to mobile app analytics company Flurry, the global opt-in rate for IDFA on iOS is 25%. However, the US opt-in rate is only 18%. So, advertisers will track only 18% of all US-based iOS users on their iPhones or iPads, and only on individual apps that earn permission.

This shift forces the industry to redefine how digital advertising is understood and delivered.

What’s Addressability?

“Addressability” is a term often used in digital advertising. It describes how much of an audience is identifiable for ad targeting and online measurement.

Third-party cookies and device identifiers, like IDFA, enable high addressability across websites and mobile apps. As a result, companies in the digital advertising value chain can recognize individual consumer devices as people use them for browsing the internet or using mobile apps.

Specifically, almost all programmatic ad targeting today is based on the ability to track consumer devices across websites and apps. When third-party cookies deprecate in all significant browsers, information about online consumer behavior will be available on a website-by-website basis. Still, it won’t be readily available across websites.

This change represents a tremendous shift in how advertisers need to think about targeting ads to consumers and measuring the success of their ad campaigns.

Introducing a New Response to Privacy Changes

The industry needs a more nuanced definition of addressability in response to every major browser moving to deprecate third-party cookies and mobile app platforms, like Apple iOS, making mobile advertising identifiers opt-in only.

The Addressability Spectrum (shown below) provides a visual framework for handling addressability once the web browsers and app platforms impending changes take effect.

Collectively, the categories displayed in this diagram represent the future state of addressability. Each ad impression will fall into one of these addressability categories. Working from left to right in the diagram, the definitions below explain what addressability will mean.

1. Unknown:

This segment of consumers is already working to hide their online behavior. They may be using multiple VPNs, the Tor browser, or taking other actions to prevent their online behavior from being tracked. This segment is tiny, and advertisers don’t generally target these consumers, but they’re included here for completeness.

2. Cohorts:

Cohorts are effectively groups of consumers with similar behaviors. They’re often referred to as “audience segments.” Privacy Sandbox proposals like FLoC and FLEDGE propose that cohorts be used to target consumers instead of targeting individuals.

3. First-Party Identified:

This is a segment of individual consumers identified on a website-by-website or app-by-app basis. Using first-party cookies or local browser storage can achieve this with pseudonymous identifiers. It may also be achieved when a consumer chooses to create an account on a website and provides an email address or other unique information.

4. Cross-Domain Identified

This is a segment of individual consumers identified across different websites or apps. Once third-party cookies are deprecated in all major browsers, this may only be achieved with identity solutions like Liveramp RampID or ID5. Consumers who opt-in to IDFA on iOS apps fall into this category.

Examining the Internet Through the Lens of the Addressability Spectrum

These impacts will apply to all channels, including web and mobile apps. Thinking about how the Addressability Spectrum will apply to websites provides a lens into the challenges advertisers will face once third-party cookies are deprecated, and mobile device identifiers are opt-in only. A similar analysis can be done for mobile apps as well.

Below, four stereotypical websites illustrate how the new definition of addressability along a spectrum creates challenges for advertisers compared to current advertising methods.

Note: Outlier websites don’t fit this model but are few and far between. Most websites will fall neatly into these descriptions.

• long-tail-site.com is representative of the vast majority of websites on the internet. These websites typically have low monthly traffic but monetize with programmatic advertising. Generally, these websites will be able to identify less than 2% of their consumers with cross-domain identifiers.

• Popular-publisher.com is representative of high-quality, high-traffic websites or high-quality niche websites that have consistent viewership. However, these websites can identify less than 2% of their consumers with cross-domain identifiers. In addition, many of these websites have tried to increase the number of cross-domain identifiable visitors. Still, they’ve been unable to compel their visitors to create accounts or sign up for emails at high rates.

• Login-publisher.com is representative of high-quality, high-traffic websites with consistent viewership. These websites can identify 10-15% of their visitors because they’ve found ways to incentivize visitors to create accounts or sign up for subscriptions. Further, these websites are some of the largest and most popular online websites.

• Popular-brand.com is representative of internet brands driving purchases or consumer signups for goods and services. The most popular brand websites may be able to identify as much as 20% of their visitors because they have products that people love and return for more.

Redefining Addressability in Digital Advertising 

When viewed through the lens of the Addressability Spectrum, it becomes clear that addressability will change significantly when third-party cookies are deprecated in all major browsers, and mobile device identifiers become opt-in only on iOS and Android.

While some websites and apps will be standout performers that can earn cross-domain identifiers from more than 10% of their visitors, the vast majority of websites and apps won’t.

As more privacy regulations are passed, technical blocks to workarounds like first-party click redirects and device fingerprinting are put in place, consumer transparency, control, and consent are increasingly required for the capture and use of consumer information to power digital advertising, and those cross-domain identifiers will be less and less valuable because consumers are expected to restrict the capture and use of their data to the websites and businesses they trust.

The digital advertising ecosystem must think about addressability differently to address this future state. The opportunity for advertisers lies in solving for cohorts of consumers as proposed in Google’s FLoC or FLEDGE and leveraging supply partners to use first-party audience information.

TripleLift’s Building for the Future

TripleLift is focused on a portfolio strategy to solve for the future of addressability. Our products will use the best available data from across the addressability spectrum on every ad impression to ensure that a campaign will reach the intended audience.

How campaigns are planned and success is measured will need to change to reflect the available data and capabilities. Still, TripleLift has the experts and experience to help guide your advertising to successful outcomes.

The post Addressability – How to (Re)define it in a Privacy-first World appeared first on TripleLift.

The major browsers, Chrome (65% market share), Safari (19% market share), Edge (3% market share), and Firefox (3% market share), are making significant changes to how the web operates in the name of privacy. Some of these changes happen in secret, and some in the open, if you know where to look. The browsers regularly chat in meetings organized by the W3C to reach broad adoption and standardization. 

Chrome’s Privacy Sandbox and Topics — What’s the Latest?

Google’s Chrome, the largest browser by market share, has been very open about its goals and methods to achieve them. This includes responding to critical feedback with product changes. The core goal of Chrome’s efforts is to end the “pervasive cross-site tracking that has become the norm on the web and on top of which much of the web’s ability to deliver and monetize content has been built.” While Google recently announced that the third-party cookie deprecation will be postponed until 2024, its aim remains. That is, to improve people’s privacy while giving businesses the tools to succeed on the open web. 

The goal is to ensure that Chrome can isolate a user’s activity within Chrome. Usually, per a first-party website, the website the user is visiting. The challenge is that advertisers have poured money into online advertising because of the ability to measure ad effectiveness across sites. This removes the ability to attribute ad effectiveness across sites and might cause advertisers to only fund a few sites. Chrome, and Google, recognize that a large part of the diversity of the web owes to the ease with which a new website can quickly monetize content. Removing cross-site attribution would reduce the number of new websites. 

Is Safari the Privacy King of Web Browsers?

Safari’s goal is a subset of Apple’s goal to ensure everything stays on the device. Apple sells devices. Apple’s primary customers are iPhone purchasers. Apple sees itself as a gatekeeper to access those device users, and keeping user data on the device is a cornerstone of that belief. Safari, the default web browser on iOS devices, aggressively removes cross-site linking capabilities. Safari essentially removed support for third-party cookies and is working on permitting some limited coarse advertising attribution that prevents cross-site user behavior correlations from being linked. As a result, Apple’s Private Relay will obscure Apple users’ IP addresses when they visit websites, making IP addresses unreliable to use to reach users. 

How Microsoft Edge Does Privacy (And Drives Revenue for Publishers)

Microsoft’s Edge browser is working to increase user privacy without breaking site monetization. Edge has worked with partners and users to develop variable levels of traffic blocking. Users can choose from several levels of content blocking. Depending on the user’s convenience/privacy preferences, they range from permissive to very strict. In addition, Edge has been working in the W3C to propose technical standards that protect user privacy using differential privacy mechanisms, most notably PARAKEET. Some of this computation will occur on the device, and others may be on a server trusted to calculate minimum privacy guarantees. 

Microsoft Edge has been making rapid improvements to upgrade its privacy bona-fides. Recently, Edge has added support for more nuanced third-party cookie handling, a revamped user privacy settings page, and a few other valuable enhancements in a nod to the growing importance of consumer privacy. 

Firefox — Cookieless By Design

Finally, Firefox has made its core selling point its privacy benefits compared to the other browsers. So Firefox’s dedication to privacy issues is core to its survival. Firefox has taken an aggressive stance concerning third-party cookies and has used a list of known advertising companies to block traffic and content. In addition, Firefox introduced the idea of “containers,” an early move to isolate first-party relationships from third-party relationships, now a common theme amongst browsers. 

They also recently implemented the “Total Cookie Protection.” This offers enhanced protection against online tracking by limiting a website’s ability to read third-party cookies. This new feature goes along the lines of Mozilla’s privacy-focused development strategy, which sharply contrasts with Google Chrome. 

What Do Web Browsers Have in Common? 

Each web browser comes at the issue of privacy a bit differently. Still, they converge in one essential respect: to isolate a user’s activity on one web property to only the browser and that web property. This means that cross-site linking of individual users is in the path of the browser bulldozer and won’t survive the next few years. Without cross-site linking of ad exposure and conversion, determining where to spend ad dollars will become increasingly difficult for brands that want to buy ads across the web or support smaller websites. 

This trend isn’t limited to web browsers; we expect devices like mobile phones, IoT devices, video-playing hardware, etc., to follow a similar trend of keeping data on devices. However, by leaning into the new reality and preparing now, advertisers and publishers can better prepare themselves for the future. TripleLift has been working with publishers and advertisers and compiling best practices and what-to-expect guides. As well as for the forward-thinking partners we work with. With third-party cookies going away, it’s time to get pragmatic. 

The post How Web Browsers Aim to Save Tracking and Preserve Privacy appeared first on TripleLift.