StrikeAd Demystifies Mobile Privacy: Whitepaper Excerpt

There are two ways to store the user ID on the mobile device. The first is through using the impression cookie – we go into more detail in StrikeAd’s full whitepaper that this article is excerpted from (PDF). On iOS, i.e. iPhones, iPads and the iPod Touch, however, it is not possible to set cookies which are not from the same domain as the domain of the page you’re on. This is covered in detail in the StrikeAd App Tracking Without UDID White Paper about download attribution, so we won’t go into it again here.

To get around this limitation, another way to set data on the client side is to save it using a function of JavaScript and HTML5 (if the browser supports it), which provision client-side (i.e., in the browser) data storage. This does involve executing some JavaScript in the user’s browser, however – not necessarily a big issue.

In other words, a server can save data it can read later from the browser by executing more code on the HTML page. Some sites use it to store data which will be accessed again and which may be needed quickly or whilst the device is offline. For example, Google Web Mail does this and thus allows users to read emails they’ve downloaded previously without having to re-download them again and even if they’re offline. This same approach is now being used by some advertisers to store the said device and user IDs.


Another way to track user is to identify them from observed data, instead of tagging them. One such way is fingerprinting, or device profile-based tracking. The name that has stuck is pretty unfortunate as it sounds very “Big Brother” and has been getting some negative press.

A more appropriate name would be “Device Distinction” – as in, trying to distinguish a unique device amongst many that look the same. When a user visits a website server, a number of properties that describe the device and browser are communicated to help format the web site right for the device. It could be screen size, color capabilities, preferred language, browser versions (useful to avert bugs) and availability of plug-ins such as Flash, and ability to view certain types of audio and video. The process of Device Distinction is based on using all sorts of properties from the information that comes to the advertising server from the users’ device to build a unique combination, which becomes the device identifier.

Again, there is no sinister process of recording deeply personal data about the user involved here – i.e. the swirls and curves of their fingerprint are not being secretly extracted and logged. Rather, generic and non-personal information is noted and used to form a profile. Companies that are utilizing this method use properties such as the device time zone, country, device manufacturer name, model, OS, browser vendor and version, time locale, pre-set language and so on to build the combined device ID.

For example, one such profile may look like this: “GMT; GB; Samsung, Galaxy Tab, Android, 4.0, Chrome 1.2; English”

As you can see, there are no surnames, passport numbers or anything else sinister. It is a bit like using a combination of hair color, height, weight, shoe size and so on to uniquely define a person. On their own the said properties are not unique, but put together, you will probably only find one or two people that match out of thousands. The principle is the same with the above mobile device properties. In a way, fingerprinting is better than cookies as it does not store anything on the user’s device. This is great, especially since some devices don’t work well with cookies – but it is not as precise as a cookie.

It also has the added benefit of being compliant with the EU regulation, which does not allow storing of data on the client device but does not say anything about storing data about users on the server. Read more about the EU regulation further below.

What Gets Companies Into Trouble?

With all this technology explained, what is it actually that gets companies into trouble, get them sued and portrayed negatively in the press? Typically, it is a lack of two processes within their tracking system(s):

  • Disclosure 
  • Opt-out or difficult-to-execute opt-out 

Pretty much all the trouble in advertising around tracking has been to do with a lack of disclosure and opt out or doing something without providing either, e.g. handling PII data without disclosure or opt out. The simple truth is: if you clearly tell the user what’s going on and allow them to be excluded from the process, no laws are broken and the user, regulatory bodies and the government are happy.


We’ve all seen the little “i” icon in the corner of online ads. When clicked, this icon takes the user to a page, where the whole ad preferences and matching, its intended use and benefits to the user are explained. That’s all you need to do for “disclosure.”

On this page, the user is also allowed to opt out of the tracking by just clicking a big “don’t track me any more” button. This sets the cookie on their device with a “do not track” flag and the next time the server reads the cookie, as soon as it sees the “don’t track me” flag – it does not do any tracking.

Explicit Opt-In – The End of an Era?

All this is soon to change and users will be required to opt into cookie-tagging. EU is about to release a regulation requiring third parties to explicitly ask the user to allow the cookie to be set, as opposed to the above opt-out. Once this goes live, many sites and apps – or advertisers and agencies themselves – will have to facilitate this or the advertiser will not be able to carry out frequency capping or retargeting any more.

There are a number of ways to go here – a header info block on sites, asking the user to allow this. A header block is extra information that a browser and server can use to pass invisible information to each other. For example, the browser passed to the server via the header block its User Agent String, which contains the browser name, version etc.

The information then would be passed to the advertiser, who would set the cookie. If the “allow tracking” information was not sent, the advertiser would not set cookies. With apps, a similar approach would be possible – when the app is first started, the user is asked if they are happy to opt into “ad choices” which will try and show them ads that are more suitable by remembering their preference.

If the user allows this, the publisher would pass the information to the advertiser, who can then track the user.


Interested in learning more about mobile advertising? OPS Mobile will bring digital advertising leaders and ops professionals together to discuss and develop best practices for operational excellence in a world of connected devices. Register today for OPS Mobile, AdMonsters’ mobile advertising conference, which will be held April 19, 2012, in New York.