Mozilla intends to block the DigiTrust consortium from tracking users in its Firefox browser, a blow for the IAB-led effort to create a standardized online user ID that’s designed to reduce the online ad industry’s reliance on third-party cookies.
DigiTrust, a non-profit acquired by the IAB Tech Lab last year, is working to create a universal, persistent and anonymized user ID. Member companies include prominent ad tech players MediaMath, OpenX, LiveRamp and others. Buy-side DigiTrust members pay a monthly fee to participate, while publisher participants access the service for free.
Similar to other shared identity solutions, DigiTrust offers a pseudonymous and encrypted identifier that can be stored in a first-party cookie provided by the publisher. Other participants can utilize the same identifier on subsequent bid requests and user visits to that publisher’s site via the browser, instead of needing to submit third-party network requests each time a person loads a publisher’s webpage.
Theoretically, shared IDs using first-party cookies offer multiple benefits, such as quicker page-load times due to less third-party cookie-syncing behind the scenes. They can also mitigate the risk of data leaks in the bid-stream (a big concern as it relates to Europe’s General Data Protection Regulation.) Meanwhile, third-party cookies are increasingly being throttled by browsers.
The immediate impact of Firefox’s move to block DigiTrust isn’t clear. Firefox only has a 4% share of the global browser market, according to Statcounter. That’s behind leading browsers, Google’s Chrome (65%) and Apple’s Safari (16%), latter of which has sophisticated tracker prevention features. Still, it’s a setback on the quest toward a common ID solution.
IAB Tech LAB svp of Membership and Operations Jordan Mitchell said in an emailed statement that Firefox’s decision did not come as a surprise.
“We know certain companies take the position that there is no sufficient consumer value to justify ‘tracking’ — anonymous audience recognition — of any kind, not even for use in communicating privacy choices,” Mitchell said. “They believe no third party can be trusted. We take a different position: that trust should be established directly between consumers and the brands, and publishers they trust, and with the third parties that those brands and publishers trust.”
He added, “IAB Tech Lab will continue to work on improving mechanics for privacy and trust, through consumer privacy choices and system-level, industrywide accountability — and we think there’s value for DigiTrust as a shared resource and utility in this context.”
Mozilla leans on an open-source list of trackers compiled by privacy software company Disconnect to inform its Enhanced Tracking Prevention feature, which was introduced in September.
On Nov. 11, John Wilander, an Apple WebKit engineer who works on Safari’s ITP, filed an issue on Mozilla’s “Bugzilla” forum asking why Firefox did not treat the Digitru.st domain as a tracker. (Apple, which relies on machine learning rather than block lists, already prevents DigiTrust cross-site tracking on Safari.) The same day, Mozilla privacy engineer Steven Englehardt raised an issue on Disconnect’s developer forum asking whether DigiTrust should be added to the list.
“We reviewed this issue in the normal course of business beginning that week and determined that although DigiTrust’s service may not track users directly, which is why they were not previously blocked, they clearly enable other services to track, and therefore we updated our definition of tracking to encompass this type of behavior, which we see as a growing threat to consumer privacy,” said Casey Oppenheim, Disconnect co-founder.
A Mozilla spokeswoman confirmed that “cookie-based tracking for DigiTrust will be blocked in a future version of Firefox.”
DigiTrust isn’t the only player pushing for the adoption of a universal ID. LiveRamp and The Trade Desk are among the other organizations offering ID solutions. The Trade Desk and LiveRamp domains are also on Disconnect’s blocklist — although LiveRamp’s ID solution doesn’t rely on cookies.
Regulation could prove the bigger roadblock to universal ID solutions. The California Consumer Privacy Act takes effect in January and there is still a level of uncertainty in the ad tech industry as to exactly how the privacy law will apply to third-party cookies used for advertising. The U.K. data regulator has warned that the current real-time-bidding ad tech landscape is not compliant with the European Union’s General Data Protection Regulation.
“The industry seems to think there is a basic industry right for tracking and targeting of users for advertising purposes, but I don’t see the regulators following this logic at all,” said Ruben Schreurs, CEO of consulting firm Digital Decisions.
Meanwhile, Google is set to make an announcement in February about how it will treat third-party cookies in Chrome.
David Kohl, CEO of ad tech company TrustX, a member of DigiTrust, said the entire cookie-based advertising infrastructure needs a rethink that involves prioritizing consumer interests, rather than ad tech’s commercial interests.
“We need to start again with a clean sheet and say, how do we create a capability for consumers to understand what identity means on the internet, how it’s used, and how to control it,” Kohl said.