18 September 2020

Safari tightens the ITP screws again

This time CNAME cloaking is under the hammer.

Safari ITP targets CNAMES

A little background refresher

Safari’s Intelligent Tracking Prevention (ITP) refers to a set of features designed to protect user privacy, primarily aimed at technology that tracks user behaviour across multiple websites.

Previous iterations have targeted the use of third party cookies, with ad tech and analytics vendors feeling these impacts due to their reliance on cookies to identify users, and in many cases, track them across the internet. To counteract the effects of these updates, many vendors changed the way their pixels worked, allowing them to set cookies in a first party context. Safari responded by limiting the lifespan of most of cookies, set by ad tech platforms, by targeting only those set in javascript, not by the web server (server-side cookies).

Some ad tech vendors worked around the limitations imposed by Safari by using a technique referred to as CNAME cloaking, allowing them to continue setting long-lived cookies.

The latest update to ITP catches products that use CNAME cloaking and, similarly to the earlier changes, it restricts the maximum cookie lifespan to 7 days or less across impacted domains. The ability to retarget users and complete thorough attribution analyses will be reduced, particularly for products that have a longer consideration time.

Which products will this impact?

We have not assessed the full impact yet, but from initial investigations we believe that it will include the Adobe Experience Cloud products including Adobe Analytics.

How significant is this?

That will depend on the number of users who visit your web properties via Safari. In the Australian market this is typically around 50%, but it can vary by site.

There are broader repercussions to analytics, from potentially over-reporting new visitors to misattributing conversions. Again, the scale of the impact will vary between websites.

What should you do now?

It is important to note that Apple is on a journey to build more individual privacy into its browser product. Any workarounds that potentially function now, may come under fire in the future if Apple considers them to be subverting their ITP efforts. However, there are a few things you can do now to help mitigate the effects:

  • Determine whether, and how, this impacts your business. Investigate if there is any ad tech that is currently using CNAME cloaking and if so, identify the proportion of your user base that is running Safari as their browser.

  • Consider whether there is a viable server side tagging solution that can help to alleviate the issue. Google Tag Manager, for example, has released a feature allowing Google Analytics data to be sent to a genuine first party domain and then forwarded from there to Analytics. This should not fall within the scope of this ITP change. Several other tag managers offer server side tagging features, which are worth assessing, as they may also provide a solution.

  • Work with your product vendors to understand their view on the impact and their roadmap to address the issue.

A final thought

As the awareness around how cookies are being used to target and track people grows and pushback on these use cases from companies like Apple intensify, now may well be the time to start planning for a future without cookies in ad tech.

Since preparing this article for publication, we have noticed two more significant changes in this space:

  1. Firefox Enhanced Tracking Protection (ETP) is now blocking Google’s floodlight conversion and audience tags

  2. Apple have updated their ITP to apply to all webkit browsers rather than just Safari, meaning that ITP measures will impact even Chrome users on iPhone.

More updates will be provided as this impact is more fully understood.


Further reading :