Wilander says the traditional method of ad click attribution has no practical limit on data, allowing for full cross-site tracking of users using cookies. "We believe this is privacy invasive and thus we are obliged to prevent such ad click attribution from happening in Safari and WebKit," he wrote.
Thus, Apple has proposed a modern solution that it says doesn't allow for cross-site tracking of users but does provide a means of measuring the effectiveness of online ads. The feature is built into the browser itself and runs on-device, meaning that the browser vendor does not see any of the ad data.
Here is Apple's summary of its privacy considerations for the feature:
- Only links served on first-party pages should be able to store ad click attribution data.
- Neither the website where the ad click happens nor the website where the conversion happens should be able to see whether ad click data has been stored, has been matched, or is scheduled for reporting.
- Ad clicks should only be stored for a limited time, such as a week.
- The entropy of both ad campaign ID and conversion data needs to be restricted to a point where this data cannot be repurposed for cross-site tracking of users. We propose six bits each for these two pieces of data, or values between 0 and 63.
- Ad click attribution requests should be delayed randomly between 24 and 48 hours. This makes sure that a conversion that happens shortly after an ad click will not allow for speculative cross-site profiling of the user. The randomness in the delay makes sure the request does not in itself reveal when during the day the conversion happened.
- The browser should not guarantee any specific order in which multiple ad click attribution requests are sent, since the order itself could be abused to increase the entropy and allow for cross-site tracking of users.
- The browser should use an ephemeral session aka Private or Incognito Mode to make ad click attribution requests.
- The browser should not use or accept any credentials such as cookies, client certificates, or Basic Authentication in ad click attribution requests or responses.
- The browser should offer a way to turn ad click attribution on and off. We intend to have the default setting to be on to encourage websites to move to this technology and abandon general cross-site tracking.
- The browser should not enable ad click attribution in Private/Incognito Mode.
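
To make the constraints in this list concrete, the sketch below models how a browser could enforce the six-bit limits, the one-week click lifetime, the random 24 to 48 hour delay, and the unordered, credential-free reporting. It is an added example, not Apple's or WebKit's code. All function and field names are hypothetical, and `Math.random` stands in for whatever randomness source a real browser would use.

```javascript
// Added model of the listed constraints; every name here is hypothetical.
const HOUR_MS = 60 * 60 * 1000;
const MAX_CLICK_AGE_MS = 7 * 24 * HOUR_MS; // "a limited time, such as a week"
const MIN_DELAY_MS = 24 * HOUR_MS;
const MAX_DELAY_MS = 48 * HOUR_MS;

// Six bits each: only integers 0..63 pass, anything wider is rejected.
function isSixBit(value) {
  return Number.isInteger(value) && value >= 0 && value <= 63;
}

// Store an ad click. Returns null when the campaign ID exceeds six bits.
function storeAdClick(campaignId, clickTimeMs) {
  if (!isSixBit(campaignId)) return null;
  return { campaignId, clickTimeMs };
}

// Match a conversion to a stored click and schedule the report.
// The report carries no click or conversion timestamp, only the two 6-bit values.
function scheduleReport(click, conversionData, nowMs, rng = Math.random) {
  if (!click || !isSixBit(conversionData)) return null;
  const age = nowMs - click.clickTimeMs;
  if (age < 0 || age > MAX_CLICK_AGE_MS) return null; // click has expired
  const delay = MIN_DELAY_MS + Math.floor(rng() * (MAX_DELAY_MS - MIN_DELAY_MS));
  return {
    campaignId: click.campaignId,
    conversionData,
    sendAtMs: nowMs + delay, // somewhere in [now + 24h, now + 48h)
    credentials: "omit",     // no cookies, client certificates, or Basic Auth
  };
}

// Fisher-Yates shuffle, so send order reveals nothing about conversion order.
function shuffleReports(reports, rng = Math.random) {
  const out = reports.slice();
  for (let i = out.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [out[i], out[j]] = [out[j], out[i]];
  }
  return out;
}
```

With both values capped at six bits, a single report can distinguish at most 64 campaigns and 64 conversion outcomes, which is the property the entropy item relies on.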
Apple says the feature will be turned on for web developers later this year. The company has also recommended it as a web standard to the W3C.