
Hello Web AdAttributionKit … the new Private Click Measurement

By John Koetsier July 26, 2024

When Apple released AdAttributionKit for iOS, they called it App AdAttributionKit. In a curious mirroring of Google, which has Privacy Sandbox on Android as well as Privacy Sandbox on Web, Apple also hinted at the existence of something called Web AdAttributionKit, the successor to Private Click Measurement.

We’re only now starting to see what that might really mean in upcoming versions of Safari.

And we’re also seeing the future of privacy — and marketing measurement — on Apple’s default web browser. Which actually matters, given how popular Safari is … particularly in rich countries.

Lots of new privacy tech in Apple’s Safari browser

Apple’s desktop and mobile browser, Safari, is built on the open source WebKit project. 

While Google’s Chrome rules the desktop web, Safari is fairly dominant on mobile where Apple has significant iOS market share, thanks to its position as the default and pre-installed iPhone/iPad browser. Almost 30% of global mobile web use happens via Safari, and in countries like the U.S. where iOS is dominant, that browsing share hits 54%.

Plus, since WebKit is open source, others can use the engine that powers Safari, and a couple of Linux projects like Epiphany and Midori do just that.

WebKit just announced significant new privacy changes unrelated to Web AdAttributionKit:

  • Private browsing updates (think “incognito” in Chrome)
    • Link tracking protection
    • Blocking network loads of known trackers
      Including those that attempt to appear as first-party domains when they are not
    • New fingerprinting blocking tech
      Safari will inject noise into APIs for checking device configurations, and will override “certain web APIs related to window or screen metrics” so they return fixed default values
    • Extensions with website or history access are off by default
  • Standard browsing privacy updates
    • Third-party cookies capped at a 1-week lifespan
      Safari blocks third-party cookies by default, but users can turn off that security feature. This new feature refers to cookies set by cloaked third-party IP addresses … in other words, third-party cookies that were masquerading as first-party cookies
    • Partitioned session storage
      Components on a web page, which can be from third parties, can’t access data (you could interpret this as fixing cookies’ original sin)
    • Partitioned blob URLs
      Again ensuring data from an iframe or component on a page can’t be accessed by other sites, components, or iframes

Will this break stuff on the web? 

Probably … keep reading.

Web AdAttributionKit: part of the updated Safari browser

App AdAttributionKit is the new SKAdNetwork, and it’s even harder to say 3 times quickly. But it’s pretty much the SKAN 5 mobile marketers were expecting.

Web AdAttributionKit is part of the fix that Apple is offering to web marketers in exchange for blocking ad measurement via links, third-party cookies, and fingerprinting. But it’s more of a rebranding than any new technology: the “learn more” link Apple offers on the “Measuring ad performance with AdAttributionKit” page is literally a click through to a 3-year-old blog post that introduces, repeat INTRODUCES Private Click Measurement.

3. Years. Old.

So we can expect (hope?) to see actual Web AdAttributionKit documentation coming at some point, likely with an updated list of capabilities, and likely more closely mirroring the functionality of App AdAttributionKit.

But what we have so far is this:

  • Privacy-preserving ad click measurement across websites and from iOS apps to websites
  • No use of cookies; instead, data is stored on-device
  • 8-bit click source identifier (256 possible values) and 4-bit conversion identifier (16 possible values)
  • Delayed reporting (24-48 hours) to prevent linking events in time
  • Fraud prevention through unlinkable tokens (upcoming)

Some of that totally sounds familiar: source and conversion identifiers, delayed reporting, on-device storage, limited numbers of values. 
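Because unlinkable fraud-prevention tokens are still listed as upcoming, a measurement endpoint that receives these reports should at least check that each one fits the limits in the list above. This is an added example, not code from Apple or WebKit: the JSON field names follow WebKit's published Private Click Measurement report format and are not stated on this page, token fields are not modelled, and the function names and sample reports are constructed for illustration.

```javascript
// Fields this example accepts in a report body (assumption: PCM-style JSON report).
const ALLOWED_FIELDS = new Set([
  "source_engagement_type", "source_site", "source_id",
  "attributed_on_site", "trigger_data", "version",
]);
const HOSTNAME = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i; // bare host: no scheme, path or query

// True when value is an integer that fits in the given number of bits.
function inBits(value, bits) {
  return Number.isInteger(value) && value >= 0 && value < 2 ** bits;
}

// Returns { ok, errors } for one incoming report and its HTTP headers.
function validateReport(report, headers = {}) {
  const errors = [];
  // 8-bit click source identifier: 256 possible values.
  if (!inBits(report.source_id, 8)) errors.push("source_id is not an 8-bit value");
  // 4-bit conversion identifier: 16 possible values.
  if (!inBits(report.trigger_data, 4)) errors.push("trigger_data is not a 4-bit value");
  if (report.source_engagement_type !== "click") errors.push("unexpected engagement type");
  // Site fields identify sites only; a path or query string could carry a user-level ID.
  for (const field of ["source_site", "attributed_on_site"]) {
    if (typeof report[field] !== "string" || !HOSTNAME.test(report[field])) {
      errors.push(`${field} is not a bare hostname`);
    }
  }
  // Unknown fields are rejected rather than stored: they are not part of the report.
  for (const key of Object.keys(report)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  // Measurement uses no cookies, so a Cookie header means this is not a genuine report.
  const headerNames = Object.keys(headers).map((h) => h.toLowerCase());
  if (headerNames.includes("cookie")) errors.push("report carried a Cookie header");
  return { ok: errors.length === 0, errors };
}

// Constructed sample reports.
const goodReport = {
  source_engagement_type: "click", source_site: "social.example", source_id: 200,
  attributed_on_site: "shop.example", trigger_data: 12, version: 1,
};
const badReport = { ...goodReport, source_id: 4096, trigger_data: 16, user_id: "abc123" };

console.log(validateReport(goodReport));
console.log(validateReport(badReport, { Cookie: "sid=1" }));
```
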

The new morsels of information just announced are that attribution in private mode is only scoped to individual tabs, and tabs you open from those tabs via a link. In addition, when a private browsing tab is closed, any pending attribution requests are discarded.

That’s minimal new information, but the only bits we’ve gotten on Web AdAttributionKit since literally February of 2021.

Will Safari’s updated privacy protections break websites?

In a word, absolutely.

For publishers and marketers who are using components or iframes on a website to serve ads and set cookies as first-party, that’s going to break. And for users who have turned off privacy protections to accept third-party cookies, they’ll be eaten within a week, limiting attribution functionality as well as long-term tracking capabilities.

The question for users is more about whether websites legitimately use similar techniques that communicate between iframes and components to create functionality. For them too, there’s a problem: “there is a risk that some parts of some sites won’t work,” Apple’s WebKit blog post says.

Oh, and remember the enhanced security solutions that Apple is implementing for private browsing mode? 

They’re all also available for standard browsing in Safari settings. Most won’t select them, but it’s possible some will.

The suggested solution from Apple: a real-time per-site reduction in privacy protection capabilities built into Safari, which are only remembered for a current browsing session. Of course, that’s challenging, time-consuming, and requires some knowledge of iOS or iPadOS, so it’s likely not going to be something that 99.9% of users will actually do.

What’s next for Web AdAttributionKit?

Good question.

My hope is some actual documentation on the actual Apple developer website with actual details in-depth about how everything works, including any new features Apple has added or plans to add to Web AdAttributionKit since February of 2021, will soon be forthcoming.

Plus any new features developed since Web AdAttributionKit was introduced as the new name for Private Click Measurement at WWDC 2024.

One thing we know to not expect is anything like Privacy Sandbox’s Topics API, which the WebKit team sees as easily fingerprintable.
