Mobile Tracking: How it works and why it’s different


The principles of tracking in mobile are fundamentally the same as those used in the online world.  Specifically, you want to have an identifier that works across different domains and if that identifier is short lived, you need to be able to tie it to domain specific identifiers that have greater persistence.  There are just a couple of wrinkles that make things a little more difficult in the world of mobile.

The following blog describes some of the techniques used in mobile and highlights the differences with the online world.  Being able to identify and track users is something under taken by a number of the entities in the delivery of a mobile advertisement.  For the sake of brevity, in this blog it is assumed the advertisement is coming from and the tracking being undertaken by ad networks.  This brevity is not meant to imply that ad networks are using practices not used by others in the delivery chain.  It should also be stated that due to some of the problems consumers have passing their privacy preferences to the various entities in the mobile advertising chain, those entities in general and for the purpose of this paper, ad networks specifically, do not necessarily use consumer identification for behavioral analysis and may limit its use for campaign frequency capping or unique user calculation.

Mobile Web and Applications

The main challenge that mobile ad networks face is that they deliver advertisements to consumers while the consumer is accessing content through both applications and mobile web sites. On mobile devices, applications and web sites are separate domains, in separate sandboxes, utilizing separate identifiers.  That means for the ad network, a single user may look like one or more separate individuals unless the ad network takes steps to try to tie the multiple identities together.  More on that later.

Initially, let’s confine the conversation to mobile applications.  In mobile apps, developers have been using an operating system (OS) identifier to uniquely identify the consumer.  Focusing on the two most popular mobile platforms Android and iOS, the identifiers are the Android_ID and UDID respectively. The Android operating system also allows other system identifiers to be made available.  These include the equipment identifier (IMEI, MEID or ESN depending on the cellular technology) and the subscriber identifier (IMSI from the SIM) if the android device is a phone as well as the WLAN MAC address if the device is WiFi capable (MAC address is also accessible on iOS).  The use of OS based identifiers has been good news for the ad networks since the same value will be passed regardless of which publisher created the application.  In effect, this means the ad network can track the individual across different applications.

This practice and the fact that consumers have little control over it, caused Apple to deprecate UDID in iOS5.  Deprecation doesn’t mean that it isn’t still available for use by developers and ad networks (they still do use it), but it means they should not use it and is an indication that it will be removed (made unavailable) in future versions of iOS very soon.

Instead of UDID, Apple recommends developers create a unique user identifier for their application.  Of course, this doesn’t help the ad networks as each app on a consumer’s mobile device could identify the user differently.  A number of alternate solutions have been proposed to help cross application tracking, while managing the privacy concerns that led to the UDID deprecation by Apple.

Moving the conversation onto mobile web, like online, third party cookies are used by ad networks to identify consumers across different mobile web sites.  Unlike online, the absence of security software on mobile devices means ad networks can count of third party cookies remaining on the device browser when they are able to write them.   Third party cookies are effective on Android devices.  However, on mobile devices consumers typically don’t use other browsers than the one the device shipped with or change the factory set defaults for those browsers.  As a default, Apple ships Safari browser with third party cookies disabled which means that ad networks cannot use them for cross domain tracking Apple devices.  Instead ad networks have developed a variety of techniques to track iphone and ipad users through their browser sessions.

One technique relies on exploiting a security hole in the Safari browser that allows cookies to be written if the ad network writes a form in an invisible iframe to the browser.  This technique was widely reported from the work of Stanford graduate Jonathan Mayer (http://webpolicy.org/2012/02/17/safari-trackers/ ).  Another approach is to collect information disclosed by the browser itself to build up a “fingerprint” for that device.  Depending on the browser, whether javascript is enabled and how heavily the consumer uses the browser, accuracy over 94% is readily achieved (https://panopticlick.eff.org/browser-uniqueness.pdf ).

Another technique is to rely on domain specific persistent identifiers being made available to the ad network and tying that identifier with a transient cross domain identifier.  The persistent identifier is typically passed to the ad network as a UID in the ad request and is related (one to one mapping) to the first party cookie.  The transient binding could be the IP address that typically remains the same during a consumer’s browsing sessions or an identifier passed by the mobile carrier’s WAP gateway (all browsing sessions pass through a network element called the WAP gateway).  Depending on the carrier and the relationship between the carrier and the publisher(s), the gateway identifier may be long lived (even always the same in the extreme case) or short lived.  Obviously this technique is only effective for identifying a user across sites that they regularly visit and it takes time for an ad network to build up their view.  This technique may be used with the device fingerprint technique to either increase the accuracy of the fingerprint or reduce the number of times a fingerprint has to be calculated.  This technique is illustrated in the following diagram.


Tying Mobile Web and Application identities together

As the preceding sections have already stated, mobile web and application are separate domains, with separate identifiers.  From the ad network’s point of view, this means one individual, using one device can look like two different people.  From a consumer’s point of view, this means that any opt-out (of tracking and behavioral analysis) preference expressed in one domain (e.g. opt-out cookie or do not track preference in the browser), may not be respected in the other domain simply because the ad network doesn’t recognize it as the same individual.  This gets confusing for the consumer as they may not understand the interplay between mobile web and mobile apps as they often bounce between each other.

The most common method to tie identifiers across application and mobile web domain only works when the user clicks on an ad within an application.  The click through URL is unique to the user, containing a parameter that has a one to one mapping with the application domain user identifier.  When the consumer is redirected to the advertiser’s mobile web site, the ad network is able to tie the application domain identifier passed in the click through URL with the web domain identifier(s).   Ad networks may use a myriad of techniques to map in the alternate direction (a key use case for ad networks is when a consumer clicks on a mobile web ad for a new application such as the latest, coolest game and the ad network wants to see if the ad click resulted in the game being downloaded).  These techniques rely on the ad network having access to shared storage between the two domains which is easier on some OS compared to others.

Privacy by Design

It is hard to talk about targeting without privacy. The inventive solutions developed to overcome default factory settings and application sandboxes indicates the industry needs to rethink its approach to privacy and the persistent identifiers that enable tracking.  The consumer should be faced with a simple choice of whether they want content and advertisements delivered that are tailored to their interests and be able to control it.  That control should extend across the browser and application domains.  It should be easy for them to find out who has what information about them.  By taking such a fundamental approach to privacy management and tying it to a revocable identifier, the industry will win by having a reliable identifier for those consumers happy to be tracked and consumer will win by finally having true privacy transparency, choice and control.