Mobile Technology Tracking Methods other than cookies.

Introduction

When you browse online using your desktop or laptop computer, online advertising networks rely on browser cookies to track your behavior including sites visited, actions taken, searches, etc. These cookies are small text files placed in your browser directory when you visit websites that deploy them. Sites also use cookies to store your preferences, user ID, password, etc., making your online experience smoother and more efficient.

This includes not requiring you to reenter that information each time you leave the site and return or even load a different page. Using similar technology, Google optimizes your searches based on your search history and which results you’ve selected in the past. The industry term for this is “state management.”

State management allows sites to do more than simply recognize you so you don’t need to reenter the same user ID and password. They allow sites to adhere to your privacy preferences such as opt-outs, maintain your personalized themes and appearance preferences, etc. Users have come to appreciate and even expect this sort of personalized online experience. While many users dislike ads, they have become a fact of online life, compensating publishers and content providers without their charging visitors for access to the content. Further, ethically personalized ads do provide value to site visitors.

Why Cookies Don't Work Well on Mobile Platforms

As recently as 2012, users still did the majority of their online browsing using desktop and laptop computers, but no more. Estimates from 2013 show mobile platforms such as phones and tablets have now overtaken computers as our technology of choice for non-voice online activity. With mobile device market penetration continuing to go up, we can only expect this tilt to increase further. The problem for ad networks and others in the industry is that state management in mobile is much more challenging than in computers.

Where most consumers use the same computer consistently, each of us may have several mobile devices. A single person may have a work cell phone, a home cell phone, a tablet, an Internet-connected game console, a car-based Internet-connected device, and more. How can ad servers and other players identify that person as the same person when she surfs the Web on different devices? Worse yet, since mobile applications (apps) use a different “sandbox” from each other and the mobile browser uses its own sandbox, even though they’re all on the same device, sites have a hard time identifying a visitor as the same person when she uses one app, a different app, and her mobile browser.

The upshot is that on mobile platforms, cookies are much less effective than on traditional computers. Another rising issue is that as Microsoft and others try to unify the user experience between mobile and laptops (think Windows 8), this challenge is creeping into the laptop arena too. Tracking individual users across multiple apps and browsers, on multiple devices, running on different networks has become a nearly insuperable challenge.

Types of Tracking Solutions on Mobile Platforms

Given the challenges discussed above, the industry is in the process of developing alternate technical options. Most of these solutions fall into one of the following classes: client/device-generated identifiers, statistical IDs, and universal logins.

1. Client- or Device-specific IDs: These include Apple’s UDID and its replacement ID For Advertisers (IDFA), Google’s Android ID, MAC address, etc. Users cannot alter or opt out of tracking with most of these solutions, raising the privacy concerns discussed above. The IDFA does allow such alterations and opt-outs, making it nearly ideal from the user’s perspective. However, the IDFA and other dynamic device identifiers make it hard to attribute ad performance across channels and devices. They also fail to tie together different devices when used by the same consumer.

2. Statistical IDs: Algorithms operating off the user’s device, but using information provided by it, and/or by the gateway it uses to access the Internet. This class includes services such as those provided by TapAd, DrawBridge, and AdTruth (see below). These statistical solutions are probability-based, and thus suffer from a certain lack of certainty and stability, especially where an employer may offer a large number of employees the same types of device, with centralized software control and updating.

3. Universal login tracking: This solution, which does not yet exist, would offer users the option of setting up a login, where they can specify their preferences. This solution, most likely synchronized “in the cloud,” would require the agreement of all parties to collaborate. If consumers agree, this solution would allow them to register their devices and applications through a single dashboard, where they could indicate their privacy preferences. Those willing to participate would gain the benefit of increased personalization, and potentially free access to ad-supported services and content that those opting out would be required to pay for.

Another direction that may yet develop and gain traction, but has not yet done so, is so-called “network-inserted management,” implementing state management through intermediaries such as Wi-Fi networks, Internet Service Providers (ISPs), and other third party servers. Such a solution allows unified identification and preference management for all devices in the same household or office. Partnerships between the relevant third parties could potentially allow the solution to persist when mobile devices travel to a new network.

Digital Fingerprinting – New Tracking Solutions Emerge

Apple attempted to provide a tracking solution that solved the mobile challenge, at least while the user stayed on the same iOS device (iPhones, iPads, etc.). The so-called Unique Device ID (UDID) allowed mobile ad servers to digitally “fingerprint” a user based on his device, no matter whether he went online via an app or his device’s mobile browser.

Privacy concerns due to the lack of opt-out options for device owners ultimately scuttled that attempt, as well as a similar method based on devices’ MAC addresses. That concern applies to any static fingerprinting that uniquely identifies a user’s device. Further, such device-specific fingerprinting fails to identify a user across platforms.

A similar, but not quite as static technique uses the plugins and software installed on a device, as well as user-controlled settings such as time zone, fonts, etc. A study from the Electronic Frontier Foundation reveals that more than 94% of Flash- and Java-enabled browsers can be uniquely identified, and while updating your browser and/or plugins changes the fingerprint, in more than 99% of cases, a simple set of rules can identify the new fingerprint as connected to the earlier one.

The privacy concern is clear here, While a user could always delete the cookies from his browser, the more he changed his plugins and settings relative to the default, the more unique and easily-identifiable his browser becomes. While this type of solution can identify and track the user across apps on a single device, tracking across platforms is beyond its reach.

Several rising players, such as TapAd, DrawBridge, have developed and are selling digital fingerprinting information that tries to track you across platforms. At this point, their algorithms offer accuracy varying from 60% to more than 85%, and these will improve as they continue to tweak and optimize. These algorithms use large proprietary blends of data points including device IDs, which Wi-Finetwork or networks you use to access the Internet, your time zone, language settings, the types of sites you visit (think financial sites, sports sites, news sites, etc.), and many others.

Each company tries to tie together ownership of different devices, allowing their customers to better track their prospects across multiple platforms. Such technology solves the mobile tracking challenges discussed above. However, it raises an even greater privacy concern. While many in industry dismiss such concerns as overblown, as more and more people raise louder and louder cries against such “digital stalking,” the likelihood increases that Congress will feel compelled to act and regulate such technologies.