YouTube's Latest Ding Raises Questions Over Its Compliance With Apple’s Privacy Policies

The Adalytics report found identifiers followed people from YouTube's iOS app to an advertiser's website without asking for consent

Two years ago, Apple rocked the mobile privacy world by introducing its App Tracking Transparency framework, which requires app publishers to get people’s consent to track them. The resulting lack of available signals and attribution spurred many mobile advertisers to rely more on earned channels, eschewing paid media altogether.

But YouTube may still be tracking people who visit its iOS app, raising questions about whether the company is complying with industry privacy-focused efforts to give people more control over their data.

By observing over 300 ad clicks, Adalytics found that YouTube never asked for consent to track, with a tracker following each click to a website, said head researcher Krzysztof Franaszek.

The research found that YouTube’s iOS app appends an identifier called WBraid when people watch an ad, click on it and then land on the brand’s website. (WBraid is a parameter designed specifically to attribute conversions back to ad campaigns, according to Google documentation.) WBraid is then available to other trackers and data brokers that communicate with the website. In the research, each WBraid appeared to be unique to each click on the ad, with the code changing significantly each time.

“There are serious doubts whether some ad click parameters such as WBraid are ATT compliant,” given that WBraid appears to track users without their consent, said Thomas Petit, a mobile ad-tech consultant. “Especially as YouTube doesn’t ask for consent, Google offloads the responsibility onto advertisers and yet is able to process [user behavior] to attribute and report conversions. There are both privacy and antitrust issues in this case.”

The research was one finding in a larger report about YouTube’s ad-tracking practices. The report focused on YouTube’s advertising practices to children, alleging the video platform improperly tracked children, claims which Google has vigorously denied. Google, set to deprecate third-party cookies in Chrome next year, is both one of the chief architects of the new privacy paradigm of the internet and one of the biggest targets for regulators looking to rein in big tech. Under this scrutiny, the research calls into question how far the advertising community can take Google at its word.

Compliant or not?

This tracking paradigm might be noncompliant with ATT, said Laura Edelson, who has served as a postdoctoral researcher at New York University and chief technologist of the antitrust division of the Department of Justice. However, only Apple would be qualified to make that determination. Apple did not respond to a request for comment by press time.

Google, for its part, said in a 2021 blog post that it would not use signals banned by ATT for advertising purposes and, as a result, would not track people and therefore would not need to show users ATT prompts asking for consent.

In response to ATT, Google also adopted WBraid in March 2021, tech that it describes as a privacy-compliant identifier that relies on conversion modeling to obscure individual users’ identities.

“WBraid is designed to be used in compliance with another platform’s privacy requirements and is used for measurement purposes,” a Google spokesperson said. “It cannot be used to identify users.”

On ATT’s frequently asked questions page, Apple writes that an ATT prompt must be served to users if tracking occurs within an in-app browser. Adalytics observed that clicking on ad links brought users to YouTube’s in-app browser. Apple also says a company needs user permission to use any third-party services that pass unique identifiers for ad targeting and measurement, and that apps may not derive data from a device for the purpose of identifying it, a practice known as fingerprinting.

According to these policies, WBraid appears to be the kind of identifier Apple needs to ask users’ consent to enable, Edelson said.

“[WBraid] is being shared—or at least observed being shared—between different ad intermediaries,” said Edelson. “At least theoretically, that is what that policy is designed to give users control over.”

The ambiguity of Google’s relationship with ATT

YouTube is a rare example of an app funded by advertising that does not serve users consent prompts post-ATT, said Eric Seufert, founder of mobile advertising newsletter Mobile Dev Memo. Still, the fact that the world’s largest advertising company follows a different playbook than other apps does not inherently mean a breach of policy.

“The only right answer is I don’t know if it’s compliant or not,” Seufert said. “Google very famously declared they wouldn’t show an ATT prompt, and that’s a decision that they made without sharing any context.”  

Mobile ad-tech experts have debated how Google has designed its backend not to serve the ATT prompt, but the debate is not conclusive. However, whatever tech Google uses to accomplish this is the company’s intellectual property, which it isn’t obliged to share, Seufert said.

“It’s hard to argue that it doesn’t violate the spirit [of the policy] here, but whether it violates the letter is a bit of a separate issue,” Edelson said.