IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Story image
Mobile privacy and the cross-device conundrum...
Tue, 2nd Sep 2014
FYI, this story is more than a year old

Imagine you're starting a journey. You strap into the exit row to enjoy a sweet listen to Miley Cyrus' latest when the flight attendant pokes out your earplugs and says, “Do you realise you're sitting in an exit row … ?” and so on.

And then: “I need a verbal yes.

Not a nod. Not a thumbs up. Not some shrug and repo of the plugs. Nothing less than a whole-hearted, full-throated, mano a mano, “Yes, sir, I understand.” In English, no less.

Now imagine if digital marketers demanded the same level of informed consent when asking us to opt into their various outrages. Targeting as we know it would grind to a halt — and mobile marketing would end.

Most mobile apps ask us kindly to agree to all kinds of data sharing up front. We do, assuming the app won't work if we don't (it will).

One of these consents may be our location. We use the app and move on to another. Did you realise that first app is probably still running and collecting location data, transmitting it back to advertiser HQ? No?! But you “consented.

Now take the question of cross-device identification. This is a hot topic, and it comes up daily in conversations with startups and established players, many of whom have active and well-funded efforts under way to ride this dragon down.

What is cross-device identification? Consider how most of us engage with the online world: we have a browser at work, a different browser or two at home, a smartphone or two, a tablet, an X-Box, maybe a connected TV, all of which use the Internet protocol to connect to the same potential marketers … and all of which are owned by me. Trouble is, to the web world, these “devices” all look like different people. Who's to say they aren't?

In a world of one-to-one marketing, where we expect our favorite sites and brands and publications to recognise us — “It's me, your old pal, Marty!” — the difficulty of assembling a unified picture of “me” across my devices is a marketing mosh pit.

Mobile makes it worse. Apple notoriously rejects third-party cookies, and mobile apps don't lend themselves easily to casual tags. I wrote a blog post last year identifying cross-device identification as a problem but offering no solutions. Amazing what a year can do.

Whether we realise it or not, the market is triangulating on a solution that renders our “device graph” generally available to outsiders. We pass no judgement here.

This work is (for the most part) entirely legal and at least nominally under consumer control. We opted in. The need of marketers to know us is not necessarily at odds with our desire to be known.

How is it being done?

Each mobile device with a carrier has a unique ID. If we visit a website or see an ad on our device, that site or ad (through a pixel) receives our device ID, although not our identity. Carriers (and the NSA) know who we are, but have been reluctant to wade into the murky waters of ad targeting (until recently).

Apple provides an identifier called IDFA that maps its devices to people. Others, including Google's Android, use AdID. These identifiers are available for use, for example, by app developers who are selling advertising, but access is restricted by Apple and others.

Apart from these structural IDs, there are various other methods marketers use to try to stitch device graphs together. From most to least accurate, they are:

* Deterministic:

This is a euphemism for what the cops call a positive ID. It is available when a person authenticates herself on different devices and browsers.

For example, if I log in to Delta.com and the Delta iPhone and iPad apps using the same username, Delta knows those devices are mine.

The advantage Facebook, Google, LinkedIn, eBay, Amazon and other mega-communities have here is obvious. Many smaller DMPs such as Lotame, and tag management systems, such as Ensighten, offer this feature.

* Probabilistic:

This is a more complex process that uses multiple data points to determine likely statistical matches among devices, providing a higher or lower probability they belong to the same person.

Common data used here are IP address, browser configurations (fonts, headers, plugins), sites visited, time of day and location. DMPs with large data sets such as Oracle's BlueKai, and startups such as BlueKava, do this. Accuracy ranges from 50-80%, depending on who you're asking.

* Householding:

The most common method, widely offered by ad tech companies such as Collective, links devices using the IP address transmitted as part of the communication protocol.

Since many of us connect all our devices at home through the same wifi router, this is a useful way to link them — to households, not people. A subset of the probabilistic method above, it is also less accurate.

Obviously, the ideal scenario would be a huge data table somewhere that maps a set of device IDs and browser cookies to a single individual.

And — of course — there are companies doing just that. Facebook and Google's Universal Analytics/Chrome/Android aside, the most notable players here are Neustar, Drawbridge and Tapad.

The latter has accumulated a database of about 1.2 billion devices and relationships, pieced together using a complex process that relies on all the above techniques, and more. (Neustar uses deterministic methods.)

In fact, Tapad itself is the white label provider running behind many DMPs, attribution platforms, ad targeting companies, and data providers. It has run behind the aforementioned BlueKai, Google's Adometry, VisualIQ, Exelate, Datalogix, and others.

Recent history shows us that the amnesia of mobile, its inherent identity protection, is a fast-fading phenomenon. Marketers are finding us quickly. Tapad's founder told me, “Our product was very hard to build, but it's very easy to sell.

Don't blame the mobile marketers. We opted in...

By Martin Kihn - Analyst, Gartner