
The Privacy Pendulum

Last October Yieldmo hosted a client summit in Park City, Utah. I was fortunate enough to kick off the first day with a trip down memory lane… privacy memory lane. Often I find myself acting as Internet historian since I’ve been enamored with the thing since the late 80s, logging on to the local BBS and playing Trade Wars 2002 late into the night.

Foucault’s Pendulum, credit: sylvar

At the summit I traced back online advertising’s rise to the creation of the humble cookie in 1994. It was a seminal moment for the web as it allowed a browser to maintain state between web pages. I rambled on through a series of events, highlighting each milestone’s impact on advertising as well as noting the privacy implications. As the years went by, society at large took notice of the wealth of information being distributed across the globe and eventually cried out loud enough to force governments and large companies to address their concerns.

I documented swings between discrete tracking and privacy safeguards in a post on The Drum called The Privacy Pendulum. I’m finally posting the unabridged text here. Enjoy.

The Humble Cookie

The year was 1994. I was a student at the Illinois Institute of Technology and had switched majors to Computer Science. The Internet, with a capital I, had me in its grasp. I was enamored with all things web. Looking back I think I must have been easily impressed, because gray backgrounds with blue and black text don’t seem all that impressive today. The promise of the web was readily apparent, though. It just needed a few more features to really take off.

1994 was also the year Lou Montulli, a Netscape engineer, invented the cookie. He wasn’t trying to open the door to an industry to revolve around audience tracking and targeting. He just wanted a shopping cart to work properly on the web.

Cookies allow publishers to set data inside a browser, and retrieve it when the browser requests assets from the domain used to set the data. They are very useful for keeping a browser logged into a service, like shopping carts, banks, the DMV… anything that would otherwise repeatedly have to ask for credentials or pass credentials from page to page. Before cookies, keeping you logged in was a pretty clunky affair.

By 1998 I had graduated from college and was working for a fiercely competitive advertising technology (ad-tech) company called L90. The web had grown in popularity. Enough people were online so marketers and emerging ad-tech companies started to leverage the cookie to create audience cohorts. All it took was a simple pixel, placed on a web page, allowing the image host to retrieve & set cookies, and infer a user’s interest based on the pages they visited. With enough pixels on enough pages a company could effectively track a user across the internet.
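The pixel mechanism described above, as an added example that is not part of the original post: a toy browser and pixel host (all domains are constructed, and the class and function names are hypothetical) showing how one third-party cookie links visits across unrelated sites, and how a browser that refuses cookies on third-party requests breaks that link.

```javascript
// Toy model only: real browsers compare registrable domains and apply
// SameSite/partitioning rules; here "third party" means host !== top-level site.
class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.jar = new Map();              // cookie jar: host -> { name: value }
    this.blockThirdParty = blockThirdParty;
  }
  // Load a page on `site` and fetch each embedded resource from its own host.
  visit(site, path, embeds, servers) {
    for (const host of embeds) {
      const thirdParty = host !== site;
      const allowed = !(thirdParty && this.blockThirdParty);
      // Cookies are sent only to the host that set them, and only if allowed.
      const cookies = allowed ? { ...(this.jar.get(host) || {}) } : {};
      const setCookies = servers[host]({ cookies, referer: `https://${site}${path}` });
      if (allowed) this.jar.set(host, { ...cookies, ...setCookies });
    }
  }
}

// The pixel host: reuse the visitor ID cookie if present, otherwise mint one,
// and record the page that embedded the pixel.
function makePixelServer() {
  const profiles = new Map();          // visitor id -> pages seen
  let next = 0;
  const handler = ({ cookies, referer }) => {
    const id = cookies.uid || `v${++next}`;
    if (!profiles.has(id)) profiles.set(id, []);
    profiles.get(id).push(referer);
    return { uid: id };                // Set-Cookie: uid=<id>
  };
  return { handler, profiles };
}

// Visit three unrelated (constructed) sites that all embed the same pixel and
// return the page lists the pixel host ends up with, one per visitor ID.
function browse(blockThirdParty) {
  const pixel = makePixelServer();
  const servers = { 'pixel.adtech.example': pixel.handler };
  const browser = new Browser({ blockThirdParty });
  const pages = [['cars.example', '/reviews'], ['news.example', '/autos'], ['shop.example', '/tires']];
  for (const [site, path] of pages) browser.visit(site, path, ['pixel.adtech.example'], servers);
  return [...pixel.profiles.values()];
}

console.log('third-party cookies allowed:', browse(false));
console.log('third-party cookies blocked:', browse(true));
```

With cookies allowed the pixel host holds a single profile covering all three sites; with them blocked it sees three apparently unrelated one-page visitors.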

Of course, cookies also allowed for some incredibly functional elements of advertising, most notably, frequency capping and attribution. Marketers started to enjoy the benefits of less waste from overserving an ad to a single user, gained the ability to optimize campaigns based on performance, and show the return on their investments.

Brands seized on the power of ad-tech and their marketing budgets shifted online, giving rise to high (and low) quality online media. The web went from a fun, technical hobby with hilarious, poignant, and dark corners, to a mainstream outlet for news, social, and entertainment content.

What’s Your Geo?

2012 was the year of mobile, or was it 2013, maybe 2014. Let’s back up to 2008 because something important happened that year. The first iPhone with GPS hit the market. This wasn’t the first phone with the satellite tracking system built in. That honor goes to the Benefon Esc!, launched in 1999. While I’m sure it was a remarkable device, I didn’t own one and neither did you. But we’ve all owned an iPhone.

After moving to LA in 2009, I started working at the Rubicon Project. I was the product manager building out their first supply-side platform (SSP). They currently have about four stacks, but the one I built is still running. Color me prideful. Go, Red Car, Go!

At some point in about 2010 or so, I was asked to host a round table at an AdMonsters event in San Diego. I recall sitting in a room full of publishers who were grappling with monetizing their mobile web content. The crux (krux?) of the problem was that the user experience on a mobile device was just not great once you started dropping ads on the page. They were eager to employ any tactic to increase mobile revenues. I strongly advocated getting the user’s permission for geo tracking. “Come up with an excuse to get it,” I said. “Offer localized content, or the weather, or traffic.”

The idea was that with a user’s geographic coordinates a whole new targeting paradigm would open up: Geo Fencing. Clever campaigns could target you with ads based on your precise location. Advertisers for Burger King could geo-fence all the McDonald’s locations and serve up competitive ads, enticing users over the fast-food monarchy, away from their arch rivals.

I was not thinking about the privacy concerns around broadcasting everyone’s geo coordinates to every corner of the ad-tech ecosystem. This was 2010. This was the wild west of programmatic advertising. Consequences were things that public companies had to worry about. I was too busy trying to win to think of such things.


Adapting the OpenRTB protocol to handle mobile app inventory took a lot of tweaking. As I recall it, working on these aspects of the protocol was probably the last time I made a major contribution to the standard. It had grown in complexity since that first meeting in 2010. Huddled in Admeld’s office, we produced a seven page document that was just enough to enable transactions.

The SDK wars were heating up by 2011. I have no idea how the industry settled on the idea that an ad-tech player’s library files that empowered apps to serve ads should come to be known as a Software Development Kit, but there we were. In the OpenRTB protocol, mobile app capabilities happened somewhere between version 1.0 and 2.0.

Suddenly we’re passing device IDs from everyone’s phone through the bidstream, along with their GPS coordinates. Then one day, Apple started paying attention to the data leakage. A team led by Erik Neuenschwander created the Identifier for Advertisers (IDFA) that let the user reset what was effectively a virtual device ID. This seemed like the lightest possible touch a platform could have applied to privacy concerns. It was in the shape of things to come from the fruitless behemoth.

As soon as Google followed suit with their Android platform, these identifiers gained a new moniker, Mobile Advertising Identifiers (MAIDs). This was the first indication that the pendulum swing was reaching its amplitude. In addressing user privacy concerns, the platforms saw favorable market sentiment from their users.

Ad-tech wasn’t quite done pushing the privacy envelope yet. One more barrier had to be broken.

Everything, Everywhere, All at Once

2014 brought a game-changing programmatic technology that upended the remnant-based RTB ecosystem. Humble beginnings and a tiny bit of JavaScript opened the door to Google’s ad server, allowing SSPs to essentially bid into the publisher’s ad stack, allowing them to programmatically buy media at any priority level.

Major exchanges would build out their own JavaScript wrappers, or throw their weight behind the open source solution called prebid.js. Header bidding, another slightly misnamed technology, supplanted the old way SSPs serviced the publishers. Now they had access to inventory above and beyond the remnant. Every single ad opportunity could flow to multiple SSPs, and the entire universe of DSPs. Each impression carried with it the user’s cookie ID, or device and the geo coordinates.

Every web page or app with ads became a tracking point. Not only could a user’s journey across the web be mapped, but their journey across the physical world as well. You want to know why ad selection is uncannily good, this is why. We, collectively as an industry, had built the largest, most sophisticated distributed human tracking and intent detection system the planet has ever seen.

Safari Comes Out Swinging

The backswing momentum started with IDFA in 2011, but that was quickly followed in 2012 with new restrictions on the cookie coming, again, out of camp Apple. While the official time of death of the third-party cookie has yet to be called, Safari’s restriction was an obvious symptom of its fatal trajectory.

I started blogging about the demise of the cookie and trying to leverage some foresight to make a guess as to what the world would look like after it was gone. My early suspicion was that page context would win out. Instead of aiming for car enthusiast users, an automotive brand would aim at car enthusiast content. I thought, ultimately, that enhancing user privacy would give publishers a leg up in monetizing their content. Buyers couldn’t target their audiences on cheap, unrelated media.

Of course, the market response to Safari was muted at first. Safari wasn’t a big part of the media mix for most campaigns. It was isolated to Mac computers and the nascent smartphone channel. It just wasn’t important enough to address in 2012.

Safari’s popularity grew slowly and mostly as a result of the iPhone. Even as it grew, solutions for the lack of insight on the inventory were scarce. Nearly the entire ecosystem continued to spend where the light was good, Chrome, and ignored the growing footprint of Apple’s privacy-friendly browser.

General Data Protection Regulation (GDPR)

The European Union made a big flex when they dropped the anvil on ad-tech’s head. A ring of stars reminiscent of the gold stars on the EU’s flag kept everyone bedazzled, and some stumbling for an exit.

Firms relying heavily on probabilistic data exited the market almost immediately after the regulation became law. Others stayed and took a financial hit. Eventually a few got sued. And then a few more. And then the big ones. And then a few more smaller ones… and so on.

With GDPR came quite a terrible user experience. Publishers wanting to leverage advertising for revenue all had to implement the annoying user notification about … well about using advertising for revenue. The user had to accept the terms, or not. When they didn’t, though, the publisher still had to serve up the same content to them as they would to someone seeing ads.

The pendulum, as it turns out, is sharp on both sides. Even when privacy wins, the user can still suffer.

ITP for my Bunghole

Apple, not being satisfied with just crippling advertising on the browser, rolled out a program dubbed Intelligent Tracking Prevention in 2017. It wasn’t, or isn’t, a single feature. It’s a collection of features under an initiative to protect user privacy and sell more phones by hyping said privacy.

With ITP there are limits on trackers on the web and in Apple’s mobile app ecosystem. The latest additions to the program offer throw-away email addresses, proxied web requests, and even more restrictions on cookies.

At this point some in the industry see Apple as advertising hostile, while others are waiting for a broader push into advertising monetization by the phone maker. I don’t think I’m breaking any news by suggesting that Apple is evolving into a media company. Walling up their garden will pay dividends in the same way that it did for Facebook.

With a stronger reputation in privacy, they might avoid many of the pitfalls of the social media networks. But I digress.

A Cookie by Any Other Name

Finally, we have Chrome cookies. It’s the last vestige of the old republic. A technology based on an idea nearly three decades earlier could see its most prolific use case cut down in 2024. Many don’t think they’ll do it. I think they will.

The privacy hawks (buzzards?) continue to circle over top of Google’s EU headquarters. They know they’ve won. They are waiting for the third-party cookie to die before they swoop down to eat the crumbs.

The funny thing about team Chrome is that they’re working on a privacy sandbox that’s supposed to empower ad-tech while protecting user privacy. In the process, however, some of their solutions actually stick the ad-tech right into the browser. FLEDGE (aka: Google Protected Audience API) requires that the browser receive and store a retargeting ad in the browser, and wait to spring it on the user when a partner publisher is found. Now, instead of ad-tech tracking the user from afar, it can track them right up close. Will it survive the next swing of the Privacy Pendulum?

Where Do We Go Now?

As the pendulum swings we must take a balanced approach in the near term. We will continue to leverage cookies and identity when available. We will use audience and attribution in the traditional ways. All this tech exists and the vendors are still in most markets. Carry on using them for the time being. But look to the future.

The future is privacy-compliant user engagement. In general this means that both marketers and publishers must establish first-party relationships with their customers (cough users). Only a subset of them will want to get close, and that’s good enough. Incentives can and should be leveraged to bring in more. These become the model citizens of marketing’s future.

These users fill out surveys, give up attribution signals, willingly allow themselves to be the seeds, to let you, us, track them. We need these folks, so we should make sure we take care of them. They’re going to drive all this fancy machine learning everyone’s been talking about, including us here at Yieldmo.

Take some solace in the fact that while we can’t track everyone anymore, even today, we can still and will still have these subsets to pin our machine learning models to. From there we reach into our audience expansion tool box. In your partnerships look for terms like prospecting, cohort marketing, panel-based attribution and look-alike (or act-alike) audiences.
