Safari for iPhone Lets Advertisers Track Your 'Clicks' — Here's How to Disable It

Feb 3, 2021 05:19 PM
Apr 20, 2021 03:29 PM

Apple wants to support the advertising economy, but its primary focus of late has been user privacy and security. In Safari, cross-site tracking, which lets content providers track you across websites and apps to show you more targeted ads, is disabled by default. However, content providers can still get around that with a less privacy-invasive form of ad measurement, and in iOS 14.5, you can stop that too.

The feature in question is called Private Click Measurement, or PCM, which is something Apple has been working on for years and hopes will become a web standard that all web browsers will implement, not just Safari. Mozilla has been actively discussing the project with Apple, and it could be included in Firefox one day. And Apple is also talking with Brave, Chrome, and Edge about it.

PCM Is Good for Advertisers & Users

Overall, PCM is actually a good thing. It has been implemented in Safari for website-to-website ad tracking since at least November 2019, six months after the WebKit team first announced it in May. Now, in iOS 14.5, PCM also works from apps to websites, which can help developers.

PCM makes it possible for advertising networks to measure the effectiveness of advertisement clicks across websites and from iOS (or iPadOS) apps to websites while maintaining anonymity for users. It doesn't help kill the advertising industry; it gives advertisers another way to do what they need to do without compromising the security of the people opening the ads.

Without PCM, disabled cross-site tracking, or content blockers, advertisers would know that you tapped on an ad from an iOS app or website to get to the ad's website in Safari. But there's no reason advertisers need to know that you tapped the link. That's why Apple has the "Prevent Cross-Site Tracking" option for Safari already baked in, to help delete this kind of data periodically.

How PCM Works in Safari

What PCM does is anonymize those taps, or "clicks," so that advertisers only see that somebody tapped the ad, not that you did. This helps support the app developers and the advertising system by giving them more knowledge without adding any risk to you. According to Apple:

[N]either advertisers, merchants, nor Apple can see what ads are clicked or which purchases are made. This solution avoids placing trust in any of the parties involved — the ad network, the merchant, or other intermediaries — so none of them are able to track users as they click on ads and make purchases in Safari.

But how do advertisers get the information they need? Also from Apple:

[A]ttribution reports [to advertisers] with limited data in a dedicated Private Browsing mode without any cookies, delaying reports randomly between 24 and 48 hours to disassociate events in time, and handling data on-device.

PCM utilizes an 8-bit identifier on the click source side, while it's only a 4-bit identifier on the conversion side. An earlier implementation of PCM set it at 6 bits for each side. Eight bits means "256 parallel ad campaigns can be measured per website or app," and 4 bits means "16 different conversion events can be distinguished," according to WebKit. These numbers make it hard for advertisers to create a unique ID that can track users across websites and apps.
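
As an added illustration (not code from Apple, WebKit, or the original article), the following JavaScript models the on-device bookkeeping described above: an 8-bit source ID stored at click time, 4-bit trigger data at conversion, and a report delayed randomly by 24 to 48 hours. The class, method, and field names are hypothetical, and keeping one stored click per site pair is an assumption of this model.

```javascript
// Simplified model of PCM's on-device bookkeeping (added example, not WebKit code).
const HOUR_MS = 60 * 60 * 1000;

// Accept only non-negative integers that fit in the given number of bits.
function fitsInBits(value, bits) {
  return Number.isInteger(value) && value >= 0 && value < 2 ** bits;
}

class ClickStore {
  constructor({ enabled = true, random = Math.random } = {}) {
    this.enabled = enabled;   // models the opt-out switch in Settings
    this.random = random;     // injectable so the delay is testable
    this.clicks = new Map();  // assumption: one stored click per site pair
  }

  // Ad click: keep only the two sites and the 8-bit campaign ID.
  recordClick(sourceSite, destinationSite, sourceId) {
    if (!this.enabled) return false;
    if (!fitsInBits(sourceId, 8)) throw new RangeError("source ID must be 0-255");
    this.clicks.set(`${sourceSite}>${destinationSite}`,
                    { sourceSite, destinationSite, sourceId });
    return true;
  }

  // Conversion on the destination site: match stored clicks, schedule reports.
  recordConversion(destinationSite, triggerData, now = Date.now()) {
    if (!this.enabled) return [];
    if (!fitsInBits(triggerData, 4)) throw new RangeError("trigger data must be 0-15");
    const reports = [];
    for (const [key, click] of this.clicks) {
      if (click.destinationSite !== destinationSite) continue;
      this.clicks.delete(key);  // a stored click is reported at most once
      reports.push({
        // Random delay between 24 and 48 hours separates the report from the event.
        sendAt: now + (24 + this.random() * 24) * HOUR_MS,
        // The report carries no cookie and no user or device identifier.
        body: { sourceSite: click.sourceSite, sourceId: click.sourceId,
                destinationSite, triggerData },
      });
    }
    return reports;
  }

  // Models removing website data, which also deletes stored clicks.
  clear() { this.clicks.clear(); }
}
```

With only 8 + 4 = 12 bits in a report, at most 4,096 distinct values exist per site pair, which is why the identifiers cannot serve as a per-user ID.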

You can find out more detailed information about Apple's new Private Click Measurement standard and better explanations on how it works from its Safari white paper and WebKit site.

If you were curious about the types of tracking that apps and websites can perform with iOS 14.5's newly required tracking requests, which app developers must incorporate using the AppTrackingTransparency framework, this would be one instance, since "PCM app-to-web [does not] require the app to be granted permission to track according to AppTrackingTransparency."

How to Delete the Stored Clicks

The new feature definitely helps support advertisers and app and website owners by not blocking ads, but it also protects user privacy. Still, if you want to clear the stored ad measurement clicks in your Safari browser, you can.

Stored clicks can be deleted whenever you delete website data, and that can be done by navigating to Settings –> Safari –> Advanced –> Website Data. Here, you can tap "Remove All Website Data" to start clean. You could also delete them from Settings –> Safari –> Clear History and Website Data, but that will also erase your browsing history.


When Safari Won't Store Clicks

PCM won't record any data when using Private Browsing Mode, and content blockers can add parameters to detect and block the .well-known path, which will block Private Click Measurement. Also, WebViews within apps can't use it, but apps that use SFSafariViewController may be able to use PCM in the future. More importantly, you can opt out altogether if you're still not comfortable with content providers and advertisers learning from your ad interactions.

How to Disable PCM in Safari Entirely

To opt out of PCM, go to Settings –> Safari and toggle off the "Privacy Preserving Ad Measurement" switch. With it off, "no click metadata will be stored and no attribution reports will be sent out." It's that easy.


PCM is still a work in progress, and fraud prevention via unlinkable tokens will be coming soon — something that Mozilla and other browser creators have agreed is important.

Note: iOS 14.5 also includes "SKAdNetwork 2.2," which, according to Apple, "supports view-through attribution for advertisement formats such as video, audio, and interactive advertisements. This allows [a developer] to display [its] choice of advertising formats and measure which creatives are most effective, while preserving user privacy."

Cover photo and screenshots by Justin Meyers/Gadget Hacks
