#114: ITP 2.0? 2.1? Whatever It Takes

[music]

0:00:04 S?: Welcome to the Digital Analytics Power Hour. Tim, Michael, Moe, and the occasional guest discussing digital analytics issues of the day. Find them on Facebook at facebook.com/analyticshour and their website analyticshour.io. And now the Digital Analytics Power Hour.

[music]

0:00:27 Michael Helbling: Hi everyone, welcome to the Digital Analytics Power Hour. This is episode 114. Imagine you and your friends are at the bar, and it’s been a long night of drinking. Sure, there were some shenanigans, a couple of your friends have been doing some crazy stuff. I don’t think… You don’t think they meant it, but at the end of the day, it probably wasn’t cool. You yourself weren’t in on any of the bad stuff, but you probably still laughed and kept on drinking with them. Well, now the bouncer is headed to your table and it’s becoming increasingly apparent they don’t see a distinction between you and your friends. Is this the beginning of my fiction career, or just another way to describe the situation we’re facing with ITP, and maybe some of the other data regulations? Hey Moe, you ever been thrown out of a bar?

0:01:22 Moe Kiss: Only when I’m in your presence.

[laughter]

0:01:26 MK: Actually, I think that was my fault, but hey.

0:01:29 Tim Wilson: What? [laughter]

0:01:31 MH: Yeah, this story was about you. No, I’m just kidding.

[laughter]

0:01:39 MH: What about you, Tim?

0:01:41 TW: I aspire to being sufficiently rebellious when drunk and to be thrown out of a bar, some day.

[chuckle]

0:01:47 MH: Career goals.

0:01:48 TW: Career goals. [chuckle]

0:01:51 MH: Yeah, I don’t know that I’ve ever been thrown out. I think I’ve not been allowed in, there’s been plenty of those. [laughter] Anyway, we needed a guest, someone with a lot of experience doing the right thing even when inebriated with data. Kasper Rasmussen is one of the founders and the CEO of Accutics, which is a campaign management software. Prior to that, he was the head of reporting at Momondo and held consulting roles at eCapacity in Denmark. But now he’s our guest. Welcome to the show, Kasper.

0:02:24 Kasper Rasmussen: Thank you, Michael. Thank you.

0:02:26 MH: So to kick things off, I think we probably better give our audience a primer on ITP or Intelligent Tracking Prevention. So, anybody wanna step up to the plate and get us started?

[laughter]

0:02:40 TW: Not it. I guess that’s you, Kasper. [chuckle]

0:02:43 KR: I can do that. I can say take that on. So ITP is, as you said Michael, it’s for Intelligent Tracking Prevention. It’s released by Apple, for the WebKit browser. Originally, it was the 1.0, and then you had the 1.1, 2.0 and then 2.1. And the thing is, we’re focusing around the tracking abilities for media platforms here, for remarketing primarily, and that’s what we are… Apple is addressing here with the ITP solution or prevention. But it is regarding, I mean blocking of cookies.

0:03:17 TW: But it’s Apple, so it’s just Safari, which means Safari on the desktop, Safari on every iPhone except for ones where people have installed something else?

0:03:28 KR: Yes, exactly. So the ITP is Apple’s terminology for the setup here. So it’s hitting Safari browsers, desktop and mobile. Other browser vendors might come through. We heard from Firefox, they have the ETP, for Enhanced Tracking Protection.

0:03:45 MK: And so what are the key differences between the previous versions of ITP and this new 2.1? ‘Cause everyone seems to be panicking. I’ve never seen so many blogs on a topic.

0:03:55 KR: Well so the first versions of the ITP was mainly regarded for the third-party cookies. So blocking third-party cookie access and bounce sites, which turned out to be a circumvention for that. So we have only the major media platforms for marketing. Facebook is one. We have all the big display networks, affiliate networks and so on. And all of them are placing third-party cookies here in order for them to be able to retarget you on subsequent pages that you might visit. And the first versions of the ITP was focused around blocking that specific issue here. But again, people are smart, it’s a tic-tac here. And then a lot of these platforms started using first-party cookies and that’s what the new ITP prevention is actual hitting.

0:04:44 TW: So just to make sure we’re setting the stage, ’cause I feel like we’re first-party and third-party, first-party is, it’s my domain, things get a little murky, ’cause browsers, just to make sure I have all the basics right, that if a cookie is set and this is a web standard that the cookie can only be read by the resource that’s requesting an asset that it’s asking for the cookie to be a payload. Is that right?

0:05:12 KR: Exactly.

0:05:13 TW: So if I’m on analyticshour.io and I set an analyticshour.io cookie, that’s a first-party cookie, somebody else coming to analyticshour.io, they set it. If on analyticshour.io, I have a media tag, which is on adsite.com, I can request an asset from that, that will then set the cookie, but only adsite.com can read that cookie and that’s the third-party cookie that I could then go to some other site and that could request an asset from adsite.com and adsite.com could read it. So it’s like this weird sort of wall where you’re potentially getting cookied on multiple domains, but it can only be read by the same domain that you’re on. The third-party means there’s this kind of other site, the chances are, you never consciously visited it, you were just on the site that had a little asset of an image or whatever that it was requesting?

0:06:14 KR: Exactly.

0:06:16 TW: I feel like that was the worst explanation of first versus third-party cookies…

0:06:20 MK: Nah.

0:06:20 TW: But the idea of being that… And Google Analytics has used first-party cookies for when you have analytics.js running and it… When you’re getting cookied for Google Analytics, it’s a first-party cookie?

0:06:36 KR: It’s a first-party cookie. And that doesn’t mean… A bit more info to it because first party cookies can actually be set both server side as a part of the HTTP response and they can be set client side via JavaScript. So we have two different versions of first-party cookies as well.

0:06:50 MK: And so does this apply to both?

0:06:52 KR: Exactly. It’s the latter. So it will be the one set client side, so using document or cookies in JavaScript. Those will be the one, or those are the one that are purged by Apple.

0:07:02 TW: So I saw these references to an HTTP cookie, does that… Is that distinguishing that that’s one or the other set? What is an HTTP cookie? Or is that just another way to say “It’s a cookie, it’s a little file on your computer”?

0:07:15 KR: Well, if you are connected… So the cookie’s the same. It’s how it’s been set that are different. For instance, in… I remember when I was a consultant back in the years, we did some Adobe [0:07:29] __ for C where we use CNAMEs for first-party tracking servers, and then the, if I’m remembering correctly here, the cookie idea, the visit idea was actually restraint as a part of the response from the Adobe tracking server. And in the response from an HTTP response, you can put in cookies in that, and they will be set as HTTP cookies within the browser, meaning they’ve actually been instructed to be set on the client by the server.

0:07:58 TW: So let me back up just, so CNAME, and this goes back a few years, but the CNAME, that’s in the DNS record, is that basically where you’re saying, “Look, I’m setting tracking.analyticshour.io, but I’m actually saying this is this completely other… It may be an Adobe-managed server.” Is that what a CNAME or…

0:08:17 KR: Yeah…

0:08:17 MH: The end point is like the analytics provider.

0:08:21 TW: Okay.

0:08:22 KR: And it can be both analytics and marketing platform. It can be anything basically that you need to track.

0:08:27 TW: Anything can set a CNAME, but that’s basically adding a sub-domain that you actually aren’t controlling some other places, likely. Are you just setting an IP address or what’s actually going on when you do a CNAME?

0:08:40 KR: So just for people who are not familiar with CNAME, it stands for canonical names. So it’s basically pointing… Let’s say you have a sub-domain track.analyticshour.io, for instance, you can actually point that to the tracking server for that specific provider you have, meaning that from the browser, it seems like it’s making a first-party request to your own domain. That can be both a content fetching, but in this time it will be for tracking and meaning that all the content that I retain from that tracking request, cookies are an example, will actually be set in that first-party context.

0:09:13 TW: So what does Adobe do that is… ‘Cause I know when the call is being made to Adobe… Was that what Adobe now does? ‘Cause I think it sounded like one of you said that was… It used to be they used CNAMEs. I thought that was kind of still Adobe’s standard.

0:09:29 KR: Oh yeah, you can definitely still use it. You can definitely still use it.

0:09:32 MH: So yeah, it was in pretty common use with Adobe, especially for when you are doing tracking on secure servers and things like that. So it was always an option, you could set it up in Adobe analytics and call into client care and they would set it up on their end and you’d create a CNAME for your tracking server.

0:09:53 TW: But what do they do now?

0:09:54 MH: Same thing.

0:09:55 TW: Okay, sorry. I feel like this is one of those that to Moe, to your point of everybody’s off on… People are talking about it so much, I… Part of me feels like it’s because you start scratching the surface and you all of a sudden are down into the depths of how the internet works, which I have long preached that that’s important for an analyst to know. And then I’ve realized on this latest round how much I’m like, “Man, this stuff’s getting confusing.” I don’t know how many analysts who are talking about it are kind of in the world of, pick GDPR, pick Sarbanes Oxley, pick any new standard that comes out and it’s like, it’s sort of snowballs and people are like, “It’s scary, partly because we can’t fully wrap our head around it.”

0:10:48 MK: I think you’re gonna… I’m gonna drive you nuts, because I do think we need to get our head around it a little bit, but I don’t think… I don’t know, I just think from a business perspective, it’s more important to understand how does this actually impact our marketing efforts and what we haven’t even talked about is the seven-day expiration which to a marketer would be absolutely terrifying if you weren’t in an FMCG, but also, what are you gonna do about as business, and are you even set up to look at any of the workarounds? I feel like if you go down that tunnel, you might not come out the other end and actually have a strategy for how you’re gonna manage it.

0:11:22 TW: Well, but I think some of it depends on what you’re analyzing and how you’re analyzing. If you are looking… If you need… I think, I mean you guys, tell me if I’m wrong, I agree, I fundamentally agree, but I think there’s still, if you take the full landscape of what is being done, it’s kind of like a visits versus visitors or users versus sessions debate. There’s a ton of analysis you can do with sessions that’s very valuable around the value of your content and what works and what doesn’t, how trends are going on over time, and this basically, probably is not as big an impact on, that is just straight up blocking of tracking, right? And we’re not running around, flipping out about ad blockers which are getting increasingly rolling on to all browsers by default.

0:12:12 MK: The reason that this actually kind of frustrates me a little bit is I feel like GDPR could do any of these things, but I felt like it was the user’s choice. It was up to you to choose. My understanding is that the user has no choice in ITP 2.1 except switching to another browser which might not even prove fruitful if all the other browsers copy Apple, because Apple must know what they’re doing.

0:12:36 TW: What I think I read that ITP 2.1 actually makes Do Not Track become… Which was another WebKit thing. Let me, in full embarrassment… And just maybe there will be three listeners who are like, “Okay, Tim is dumber than I am,” and I don’t know, hopefully that’s not how they’re validating themselves. WebKit pretty much is the underlying what?

0:13:01 KR: Engine.

0:13:02 TW: Engine for what is Safari, but what is the WebKit equivalent for Chrome or for Firefox or for IE? ‘Cause I think even that, it gets kind of like, “Oh, it’s a WebKit standard.” Are there people out there who haven’t read it closely enough to say, “This is an Apple thing, it’s a Safari thing”? That yes, maybe adopted in other areas, but this is not a W3C standard, this is a WebKit standard, which is one company, one company that has just about as awesome of a record on privacy as every other major tech company right now, setting the standard. And I’m not heading down like a rant about… I don’t know. It’s not the fox watching the hen-house, it’s just… It is kind of a subset of a subset of a subset and that’s both the use cases and the browsers. And is this the biggest deal? And it kind of depends.

0:14:00 MH: Alright, so there’s five things. And so, let’s cover them in order. So first off…

[chuckle]

0:14:07 MH: Explanation of WebKit versus Chrome versus Firefox, then Apple as a player in the space and their role, and then what are the other alternatives? So, okay, back to you, Kasper.

[laughter]

0:14:22 TW: Wow.

0:14:22 MK: Well, at least we know he listens, right? [laughter]

0:14:27 TW: I wasn’t sure I was listening. I’m not sure I could have done that recap.

[chuckle]

0:14:32 KR: Okay, so WebKit is a web content engine. It’s open source. So the companies can basically fork it, I mean, clone it as they like and create their own versions of it. So yeah, Safari is based on WebKit, and Chrome used to be based on WebKit until they forked it themself and, let’s say, has their own version of it.

0:14:55 TW: So they literally… They literally forked WebKit and then now it’s no longer referred to as WebKit ’cause it’s… How long ago was that? Was that a…

0:15:03 MH: It’s probably been a while.

0:15:04 KR: Yeah, so apparently it’s in April 3rd, 2013. Google has… That was when they forked the WebCore, which is a part of the WebKit engine, and they forked it to be used in the future versions of Google Chrome, and also the Opera browser engine.

0:15:20 TW: But that means since they forked it, ITP 2.1, that’s forked, they’re not… That fork hasn’t… Isn’t gonna somehow reverse merge that, so…

0:15:29 KR: No.

0:15:29 TW: Okay. So that would be up to up to Google to decide whether they wanted to do something the same, or more likely they would do something different, I assume.

0:15:39 KR: Yeah, I agree with that. They probably want you to move there before they have… I don’t know, Google is pretty big as well, and if they do the same move as Apple did with the ITP, [0:15:50] __ using Google Chrome.

0:15:52 MK: I just… I keep coming back to, what would I do if I were in a business and I were responsible for sessions per user? How the hell would I tackle this? Would I try and get the engineering team on site to build a hack-around? Would I try and estimate the difference in new user counts so that I could approximate… I actually really genuinely… I’m struggling about how I would tackle this.

0:16:25 MH: You wanna drive authentication, right? If it’s… But again, that doesn’t apply to everybody, but if you get someone to authenticate, you’d wind up basically being authenticated sessions per user.

0:16:40 KR: That’s a stunning hypothesis in regard for people saying that we’re gonna see a lot more payables for public content.

0:16:48 MK: Sorry, why would we see more payables?

0:16:50 KR: Simply because, if you wanna go behind that, you’ll need to sign up, and then you’re a known user, and then you basically have a user ID and you won’t be affected, because you can recognize the user anyway.

0:17:00 TW: So it’d be a paywall, not necessarily paying.

0:17:02 KR: Not necessarily paywall, just a sign-up process.

0:17:05 MK: Do you think there’s any possibility though that this could actually lead to a worse user experience and therefore people would leave Safari? Or, I don’t know, is that a possibility? Would you have to authenticate more often?

0:17:17 KR: I think it’s a very real hypothesis, so yeah, I think so.

[chuckle]

0:17:23 TW: Only if the sites are saying, “You need to authenticate because you’re on Safari.” If there was a browser-specific…

0:17:30 MK: Well, maybe that’s a good strategy to come back to it, like, “Hey, Apple, take this.”

0:17:36 TW: It feels like all companies need to band together and take on Apple, sounds like. I would not put that into my strategic plan.

[chuckle]

0:17:47 MH: Well, it goes back to one of those points which was Apple as a company stepping in and essentially attempting to regulate the space. And so then there’s pluses and minuses to that, but you also have to go back to why they did it in the first place. And I think you can’t get into why Apple did it without recognizing that it’s most likely Facebook that they were specifically addressing with a lot of this stuff, and the way that Facebook has used data collection in ways that Apple doesn’t agree with. And there’s sort of this ever-escalating sort of war between Facebook and Apple over the course of last year and this year, where Apple de-authorized Facebook’s web developer license, which took all of their apps offline.

0:18:41 MK: That was pretty dodgy on the way that they navigated around that in the first place, so…

0:18:46 MH: So as we go into that space, that’s a really big deal and then it remains to be seen how other browsers will respond and as marketers, to your point, Moe, it’s a minefield now. ‘Cause you can’t just sort of throw your pixels out there and track everybody and do what you used to do. You have to be much more focused and much more specific, and I don’t know that there’s necessarily a panacea except to set up some kind of server side forwarding for all over your cookies.

0:19:15 MK: So can I… I wanna make sure I’ve got this right, because in my head, this is how the scenario is and I don’t actually know if this is accurate. So, because your first-party cookie will expire after seven days, seven days of inactivity as in you haven’t come back to the site within seven days, so if I’ve looked at a pair shoes 10 days ago, no one will be able to remarket me because my cookie won’t exist. What if I wanna see the stupid ad for the shoes that I probably don’t need to buy, but I wanna buy anyway? I don’t know…

0:19:47 TW: Well, you and the other seven people who are like, “Yes, I inherently just want to be tracked more broadly across the web.”

0:19:54 MK: No…

0:19:55 TW: There’s a human… Intellectually, being in the space we’re in and looking at it saying, “Yes, there is value, there is value that can be delivered,” I think the overwhelming sentiment is, “Yes, there is value, but there is also risk and damage and lack of trust in all these other things.” I think about being… I, generic human, think more about being annoyed about being re-marketed for something that I already bought. Then I think, “Oh, look, there’s a relevant ad that’s being presented to me and that’s both the same underlying fundamental tech, but I am more annoyed and I’m more distrustful of the marketer.” And so, I think it’s a tough and nuanced sell to make to the populace because there’s no… Even the standards like Michael, to your point, if Apple is trying to say, “We’re going to define the standard,” like whatever happened to the W3C?

0:20:53 MH: Ineffectual.

0:20:55 TW: Yeah, it was ineffectual, but at least it was a body that was trying to not be linked to a single or corporate interest, right?

0:21:04 MH: So, I think that’s where you’ve gotta go back and look at the structures that are there to do that. And obviously, and Kasper, I’d love to hear your thoughts on this, but obviously, the EU, I think, has been a little more progressive in this, and as far as being a regulatory body that’s looking at things like privacy and trying to address it. And I don’t know… What do you think, Kasper?

0:21:29 KR: Well, I think, especially with the… I guess you all heard about the GDPR we’re struggling with here in Europe, and we have a lot of cookie policies as well and it’s… I think we’ll see much more for this. The intention was for marketing purposes, but we’re actually moving into a phase now where we’re getting a lot of casualties, I would say. A lot of people don’t mind that they’ll track us for analytics purposes, but for remarketing purposes, that’s something completely different, but it’s very difficult to isolate that from one another.

0:22:05 TW: Well and even splitting between re-marketing… There’s re-marketing which is, I did something, you’re marketing basically the same or a similar item to me from the place that I saw it. But I think the broader media… You were browsing for shoes on site X that put your cookie into a pool. There was a look-alike model being done and now you’re being marketed a dress across everywhere, and that I think is the pool. There’s enough hype around machine learning and AI and the world of programmatic and DMPs and all of that, that I think there’s higher distrust that this is being used irresponsibly, and there’s just enough media stories trickling out where that’s happening; data breaches or nefarious overuse… Nefarious use of data by a company that… I think it’s a heck of a waive to try to offset with, “Yes, but you’re throwing out the baby with the bath water. We just wanna make your on-site experience better,” or even, “We just want to slowly build a more relevant experience for you when you come back to our site over time.”

0:23:20 MK: I think personalization is hugely gonna suffer from this. Obviously not if you’re logged in user, that’s fine, but how do you build that relationship with a person that comes to your site if every time they come to your site, they’re registered as a new user? People actually want more personalization.

0:23:37 MH: So, I think you can still personalize, you just need to set cookies that are coming from your own domain. So, set the cookies… So, use personalization tools that allow you to do that.

0:23:53 TW: But no, you still have to come back often enough or be requiring authentication. And I think the studies… Some of the… I get the little trickle of studies, it goes back and forth with people saying… I don’t know how many people say, “When I’m browsing the web, I noticed that sites that I go to regularly are tailored for me.” Even really good personalization, maybe you wouldn’t notice, you would just be drawn back to this site. And I think the lion share of sites or just sites writ large, media, FMCG product sites, e-commerce, whatever, I would think the overall majority are not doing any personalization.

0:24:35 TW: So, how do I as a consumer… I don’t know. I feel like personalization isn’t done really well, so it’s not like people are saying, “These couple of sites surprise and delight me.” People piss and moan about the Facebook feed showing them stuff they don’t wanna see and blocking and not surfacing stuff they do.

0:24:54 MK: I totally disagree. I think that the companies that are doing really well are the ones that do surprise and delight and their customers love the absolute shit out of them. I get people sometimes find remarketing a bit creepy and I don’t blame them, I think that’s true, but seeing relevant content to you or items or whatever it is or only showing you what you need, lots of customers want that and you need to execute it well. If you do a shitty job, it does feel creepy.

0:25:23 TW: But you can’t… You can minimally personalize on the first trip. So yes, recurring traffic, if you’ve learned enough, if they’ve given you enough information, yes, you can personalize. It’s really, really tough to say, I’m gonna personalize based on, basically your geo, the weather, what browser I’m using. So you haven’t done any browsing, so… And again, and I’m not gonna be able to quote it but I feel like I see studies, different studies that say, “Yeah, customers are kind of like, “Yeah, I’m not sure I’m that keen on personalization”. ‘Cause you’ve gotta think about browsing the web at large, the 25 sites you’re gonna visit today, how many of those are ones where you could give two shits about whether it’s personalized and they have anywhere near enough information to personalize for you, even if they are tracking you cross-session? My guess is it’s gonna be the minority. Yes, if you’re a retailer with a deep… If you’re a consumer with a deep relationship with a retailer, yes, you want it to be personalized. Amazon.com should be personalizing, although that’s weird ’cause it’s personalizing for my family, which we’re kind of a diverse set of interests. But…

[chuckle]

0:26:40 MH: Yeah, you have multiple accounts, Tim.

0:26:41 TW: My point is I think we have to be really… Think about… The consumer is a very broad, very diverse group doing very diverse things and it’s very easy to get into a very narrow scenario where personalization is beautiful and wonderful and feasible and being done. But that’s a really, really small sliver of what’s out there, and companies have been struggling to do it. So when ITP comes along, they’re like, “Yeah, you guys can go pound sand. We’re trying to serve the masses and not have them beaten over the head with marketing they don’t wanna see.”

0:27:16 MK: Okay, so Kasper, if a business is set up and their tracking is going to be affected by ITP 2.1, how big of an effort is it for them to change that they can circumvent it? In terms of tech debt, is it a considerable amount of work?

0:27:35 KR: Well, there’s a lot of different versions or possibilities to circumvent that, but there are also a lot of drawbacks with these possibilities here. We need to keep in mind, ITP 2.1 is probably not the latest we’re gonna see to the ITP sequence here. And I guess in 2.2, that will be up blocking for using local storage for these things here. And just to elaborate a bit on that, we have cookies in the browser and we just heard that we can have third-party and first-party and server-side set and the client-side set, but we also have a concept called local storage. We also have a session storage, that’s not that relevant for now. But local storage is basically persistent data as well. And you can use that for your visitor IDs.

0:28:22 TW: What is that doing? Is that the same as… Are flash cookies a form of local storage or is that another…

0:28:28 KR: I would say the main difference is… And cookies is, first of all, older. It’s an older technology that was incorporated into the browsers. And you also have the functionality of cookies, that they are actually being sent as a part of the request to first-party domain. So if you have a cookie that’ll send abc.com, when that website is making the request to abc.com, that cookie is a part of that request automatically. So it’s a way of exchanging data there. You don’t have that possibility with local storage. That’s basically just a… It’s a hard drive. You can dump some data there, you can read it at some later point.

0:29:07 TW: So I know how to go view my cookies for a site. Is it similarly easy to go see, for a specific domain, what is stored in local storage? Is that…

0:29:18 KR: Oh, yeah.

0:29:18 MH: Yeah, you can access it through to the console.

0:29:21 TW: Oh, okay.

0:29:22 KR: Yeah, it’s similar to… If you use the Safari browser, it’ll be, I can’t remember, underneath or above the cookie.

0:29:29 TW: Okay, so it’s actually shown there as well?

0:29:31 KR: Yeah.

0:29:32 TW: But it’s not automatically going with the payload with every request to that domain?

0:29:36 KR: Exactly. No. And you can’t share. That’s a big drawback here. Say you’re having multiple different sub-domains, you can have market-specific sub-domains through your root domain, so you’ve… Us.abc.com, dkabc.com and so on, or it could be helpsupport.abc. There’s so many versions in sites that are using sub-domains, effectively, in the production environment. But the problem with local storage, you cannot share data across these sub-domains here. In order for… Knowing the same user is on help dot something-something and on their actual root domain itself, you’ll need to somehow pass the data along in order to recognize it as the same user. And normal use case for that would be to… And now it’s getting a bit technical here, but to embed iframes… So if you’re standing on help.m6power.io, for instance, you would embed an iframe with m6power.io into that, which would read the local storage value and post that back to the parent iframe, parent website, basically. So basically creating a window into the [0:30:44] __.

0:30:45 MK: Yeah, wow.

0:30:47 KR: So that could be a solution. But now Apple said that, “Hey yeah, if you’re doing that thing here, that’s the reason why we call it intelligent tracking prevention.” So we gotta take that and kind of remove the possibility of doing that as well.

0:31:00 MK: So, but that’s not in the current version or they’ve already… Had they already built that out, or they’re just basically seeing what’s happening and they’re gonna just do it in the next iteration?

0:31:11 KR: I’m pretty sure it’s a part of the the current, of the ITP 2.1.

0:31:17 MK: So, basically, even if you did spend all this time implementing a workaround, it’s pretty likely that Apple will, by the next version, work out what your workaround is and then update it to exploit that?

0:31:27 TW: Well, but local storage… And this is like… We definitely need to reference, so I’ll have an excuse to put in the show notes. So Simo Ahava has written a couple of posts on this and he has one about using local storage and it does get kind of involved. But even on the iframe front, if you’re on a site where you expect most people to come to the homepage or to a specific sub-domain or something like… Local storage is… Local storage, it sounds like one of the big drawbacks is if you’re trying to cross sub-domains on your site. So if you say, “Yeah, we have a support dot or help.analyticshour.io, but you know what, those aren’t the traffic that’s actually buying from us.” Maybe it’s not the biggest deal that our local storage won’t cover across that. Maybe we can use plain old HTTP cookies somewhat within analytics, right? So it feels like that’s the other thing, is that when we come up with a, “Here’s an alternative,” every alternative is gonna have some drawbacks. The drawbacks tend to require a deeper understanding of what’s going on. The drawbacks aren’t necessarily material to every site. Is that a fair statement?

0:32:42 KR: Yeah, I agree.

0:32:42 TW: Okay, right. So that drawback is specifically, I’m trying to span sub-domains or domains with my site legitimately that the user would see as all being my site, but that’s really the main drawback?

0:32:57 KR: Yeah, I would say that. But again, the new… [chuckle] Okay, that’s another drawback. [laughter] [0:33:04] __. So the thing is Safari is still… I mean a minor… Or maybe not a minor. I’m not gonna go insult someone here. Safari is still not the highest percentage of… Not the highest percent of your user base are coming from Safari browsers, on desktop at least. On mobile, the figures might look differently but that’s probably region-specific due to iPhone and some iPads. So in order to see how big this affects you, you need to look at the traffic that are coming from these devices here and is operating these browswers. And you also need to make sure that if… Let’s say 80% of the Safari user base actually revisiting your site within seven days on a continual basis, then their cookie would keep being extended. So they won’t face the issue where they’re being on you, basically.

0:33:55 MK: I just feel like it’s unfair to certain business types. If you’re a company that your visitors come back a couple of times a week, great, but if you’re a company like an insurance that comes to twice a year, then kinda sucks to be you.

0:34:09 TW: But I think insurance, financial institution, a lot of those that really, really do care about how often, how long, a lot of those, the ones I’ve worked with, there’s a legitimate need for the user to authenticate because they’re coming to check their account or do something. So if you look at the micro-conversion of that came to the public site, did they successfully authenticate? Maybe I care less about the cross-session tracking, I need to just optimize the heck out of that experience. Now granted, I won’t be able to tell of the ones who don’t successfully authenticate, what percent or returning users versus new users potentially, but once you’ve logged in, in theory, you should be using… If you’re a GA, you should be using user ID, if you’re Adobe, you should be using the ECID and you should say, “Look, we’re gonna use what the user has identified as themselves,” right? And this whole issue goes away if that’s how we’re actually tracking users based on their authenticated ID.

0:35:12 KR: Mm-hmm.

0:35:13 TW: Is that right?

0:35:14 KR: Yeah, for those users at least, if they log in. Say you need to log in, if they have a session, where they would log in, for instance, that will still be treated as an unknown user, of course, and be subject to the ITP [0:35:25] __.

0:35:27 TW: So Moe, to your sessions per user question, it does seem like even right now, or going back six months or a year and looking at the sessions per user by browser, would start to tell you, on the one hand, there’d be the risk of saying, “Oh my Apple users are just way less loyal,” which instead it could be…

0:35:49 MK: Which some stupid person will probably interpret it as.

0:35:53 MH: So let’s take this in a different direction. If we look at this sort of from a different perspective, say like the end user… I think it’s a little problematic to think about how it affects us as marketers and analysts without kind of considering what was happening on the other side, right? And so from a privacy perspective, the reason why ITP even got put in place in the first place was because people were misusing the data collection capabilities that they had. And so it’s unfortunate on one hand, but on the other hand, I really kind of feel like Apple is probably not the right player to create a set of standards or governance around this stuff. We’ve pushed, as an industry, so hard and for so long to maximize our value on the marketer and the analyst side without ever kind of contemplating whether or not it was appropriate. And you always… Every article you’ve ever read over the last 10 years about personalization goes something like, “We’ve got all this data that we can collect about end users and we can use it to do all kinds of market things parenthetical,” but not in a creepy way, right? But the reality is, is plenty of companies have blown right past the creepy way and gone right into, theoretically, maybe not even legal type things.

0:37:16 MK: But isn’t that the whole point of GDPR, is that you give the user the choice, you let them choose what they’re comfortable with?

0:37:25 MH: Yes, I think. Well, and so, yeah, GDPR, the way that [0:37:31] __ explained it to me one time, which is what I’ve used as my framework from then on, is that yeah, GDPR attempts to set data as a human right. In other words, your data as a person is fundamentally tied to you and you have rights associated with that data. It is challenging in a lot of ways because the data you produce on another person’s platform is sort of, kind of an open question. So I have viewed data transfer as more of a market. So I would like to have a market-based approach to my data. So if my data has value to you, then I would wanna get an exchange on that value or be able to choose or have agency around that. But it’s actually that lack of agency that led me to actually delete my Facebook account. So even I had a negative reaction to Facebook and the way that they were using data, and so I made the choice to remove myself from that platform. But I’m also somebody who’s looking at this as someone who’s in this industry, I’m making those choices. I don’t know many other people who’ve chosen to delete their Facebook accounts after Facebook did some of the things that they did. And so, Apple…

0:38:46 MK: But I think it’s a trade-off.

0:38:47 MH: Of course.

0:38:48 MK: I see it as, as a company, it’s your obligation to prove to a customer that you deserve their trust and that you need to inherently make their life and their experience better and that you deserve access to that data so that you can better service them as a customer. It’s not about like I get this for free or whatever. And I think the companies that aren’t doing that are paying for it right now.

0:39:12 TW: I think all companies are paying for it.

0:39:13 MH: How are they…

0:39:14 TW: There’s an economic…

0:39:15 MH: Oh.

0:39:15 TW: Right. It’s… If the majority companies aren’t doing that, all companies are gonna pay the price.

0:39:22 MH: My perspective is, this is a reckoning that’s been coming for a long time and we’ve avoided it because we didn’t really know and nobody really cared. And then Apple basically… Yeah, a lot of people got painted with a really broad brush here, right? Apple took out a lot of tracking capabilities for a lot of people. But the reality is, is we’ve needed to have this conversation for a while, and the… I mean heck, the DAA had a ethics code, the W3C has things, even GDPR attempting to roll out, like it’s not moving as fast as some people would like it to. And apparently, Apple was like, “Well, we’ll go faster and then we’ll see what happens.” And I think Firefox sounds like they’re gonna adopt some of what Apple has rolled out.

0:40:12 TW: But is this gonna be like privacy where Firefox says, “We think we can do something better, which is similar”? So it’ll be like GDPR meets the California privacy law which meets the…

0:40:24 MH: Well, yeah.

0:40:24 KR: Oh, so that sounds unpleasant. [chuckle]
[laughter]

0:40:29 TW: ‘Cause now not only do you have to figure out ITP 2 for web 2.1 for WebKit, but now whatever the standard is gonna be for Firefox, and what if Google ever gets in on the act. I think Google will be the last, if ever, because their own technologies, they understand more than some of these others, what it means to be an advertiser.

0:40:49 KR: Yeah, I guess… I haven’t seen that yet, but still, Google is what we called is a wallet gun. I mean, they have everything within the walls, basically. They have the marketing tools that do themselves, I mean Google Ads, Double Click have all the display networks, and then have analytics themself. They have a pretty big email service as well, meaning a lot of huge, huge user base for that. They can probably have a bit more up their sleeve and can do a bit more than the other platform or browser members can do.

0:41:23 TW: Well, if people aren’t running around up in arms, even if they go to Google, at some point they created a Google account or they have a Gmail account, it just means that when they go to Google… When they do a search, they are authenticated that… And I don’t see the masses up in arms about that and that is this big pool of data that Google has. But now there’s a market that they’re selling, their ads, which are probably a lot richer than the pixel I dropped on you on my site or my competitor’s site and my ability to build a reliable audience pool is not gonna be nearly as powerful as what Google has because Google tracks an enormous amount of what I do, but they’re keeping it, or they’re trying to keep the wall between what’s known and what’s private.

0:42:17 TW: Like if I’m driving down the street and I drive over one of those little tubes that’s a counter because somewhere is doing a traffic study, I’m being tracked without my consent that I drove over the little thing and it ticked a little mark. I’m anonymous, but then what if there’s cars being counted by vision recognition? So, there’s a camera that’s counting. Well now, maybe that means at least temporarily, an image of my car, my face is being stored. It’s a blurred line, I worry, that are… Just as a society, we don’t really have the structures in place to look out for the best interest of the consumer. Even if you say this inherently is a governmental thing to do. We don’t have the nuance of understanding, and the depth and the purity of vision and mission in any global government to take care of it either. It’s easy for it to seem pretty hopeless to say this is what would be great and that’s never, never, never gonna happened. We were way off in philosophical land.

0:43:23 MH: Well, and you certainly can’t entrust it to anyone who’s directly incentivized financially to do the opposite.

0:43:30 TW: And what is Apple’s… I mean outside of poking Facebook in the eye and maybe to a certain extent, Google in the eye, is Apple actually trying to say, “We care more about your privacy,” and therefore, they’re trying to use IT… Are they thinking of ITP 2.1 as being a way for them to say, “Use our platforms, our mobile devices, and our browser because we are protecting you more than others”?

0:44:01 KR: I think that’s been a big, big saying going around. Everybody knows how Facebook… You have on all the blogs and every newspaper site, you have this little Facebook window at the bottom where I can comment that or share it to your friends and so on, and you can only do that because you are logged in and Facebook knows what you’re doing and they can record that. I know personally, I know a lot of people don’t like that. So I think Apple is especially seeing this as a big entry point into that mess because we have been in a time where we have all these social platforms; Facebook, Instagram, you have Snapchat going around, we have Twitter, we have LinkedIn, all these social sites and all of them want to track us as much as possible. But I think we’re going into a time where… Well people want to control what they’re actually sharing with these platforms here and then to do that easily. I mean Safari is a good guess. It’s a good bet for that because they do… They’re blocking it now automatically.

0:44:58 MK: Has the Google Analytics team or Adobe Analytics team or, I don’t know, any of the players in the analytics space… Everyone that I’ve heard from about ITP 2.1 has been consultants or analysts or… I haven’t actually heard from any of the vendors. Has anyone seen anything?

0:45:19 TW: Tealium from a tag management. And I think there’s this company out of… I think it’s Denmark that actually has kind of more of a campaign tracking management.

0:45:31 MH: Yeah.

[chuckle]

0:45:34 TW: Actually, can we… We’re obviously not having people pitch products. Part of the reason we wound up, Kasper, getting you on was because when we were at Summit, we weren’t even really talking about that and you had this little flier with a QR code in it that you had some thoughts about ITP 2.1.

0:45:52 KR: Yeah.

0:45:52 TW: Can you kinda walk through that?

0:45:54 KR: Well, I’m gonna tell you a little funny story first. All those fliers, we printed so many. ITP is… I think it’s huge. I’m having a developer background, I’m a computer scientist. I think it’s technically set up here. It’s gonna ruin so much here. And then a lot of people, a lot of companies actually are not aware of ITP and what it means. And we’re talking about a lot of financial institutes for instance, huge financial institutes worldwide, and like, “ITP? What is that? Is that now?” “Yeah, it’s actually being rolled out right now, the new Safari release.” “Oh, I need to check on that one.” “Yeah, you’ll probably see a spike in new visitors pretty soon for your Safari users.”

0:46:35 KR: I’ve actually printed out a lot of this fliers and I was… Every single day I placed them outdoor and in the men’s room so they can look at that when they’re standing there doing nothing.

[laughter]

0:46:45 KR: As an analyst, we put unique QR codes on them, so that’s the only ones placed on there, I mean how many people actually scan them and go into the website. There’s quite… It’s an interesting story.

0:46:56 MK: How many were from the toilet? Honestly, how many were from the toilet?

0:47:00 KR: I would say there was a good handful.

0:47:01 MH: Those are hot lead.

[laughter]

0:47:04 KR: Exactly. Actually, so the solution, we… The other the thing we’re working on is this… When I hear that Apple is gonna block all first party cookies at client side, I’m like, “Well, why not just set them service side then?” It’s not magic. We basically just need to return the cookie as part of the server response and they’re persistent and nothing will change and you can still continue doing all your reporting and personalization and ROI reports and all that, and… But how do you get that for the tools? Because it’s not only Adobe, it’s not only Google or Facebook, it’s all your different marketing platforms, it’s your personalization tools. That’s a lot.

0:47:49 TW: How does setting it server-side… I thought you said that when you set it server-side, you’re still… It’s still the same cookie, it’s just where you’re setting it from.

0:47:57 KR: Yeah, exactly. It’s just coming from the server’s path of response. And when the cookie is coming from your server, it’s actually not being affected by ITP.

0:48:05 TW: It’s no longer a seven-day expiration, first party cookie?

0:48:09 KR: Exactly. No, you can have it two years, you can have it one year, as long as you like, basically.

0:48:13 TW: Just whatever expiration you put on and if you set it server-side?

0:48:17 KR: It would basically be prior to ITP 2.1. I mean, you’ll never be affected by it. It’s like it’s never gonna hit you. But the thing is, it requires some technical work in here because these platforms here does not set their cookies server-side per default. Let’s take a [0:48:34] , it’s a big social network for instance. If you want to have their cookie set, it’s a first party cookie but server-side, you first of all need to create a sub-domain with your domain and point that to Facebook tracking server. That’s the CNAME part we talked about before, because then the response from Facebook is actually coming. It looks like it will be coming from your own domain basically, or your own sub-domain. And then the cookie in that response header will be able to be set persistently on your machine. But you need to do that for all your platforms. Companies tend to have 10-20 different platforms running on the the website, and not to mention any plugins that you’re running in your site manager. Who doesn’t know all the visit number plugin and channels [0:49:23] plugin, and then all these different things you’re running through your site manager? Even your cookie consent cookie is gonna be pushed.

0:49:30 TW: So I think in one of Simo’s posts, he talked about a shared web service reference with a CNAME record. Would that be… Is that what you’re describing?

0:49:39 KR: So that’s actually… That’s our approach. So I think that’s a good solution because then you only need to have one CNAME. And again, there’s a lot of technicalities behind this, but if, say, for instance, you would have all your cookies suddenly returned as a server response, then they will be persistent on your website and you will be able to continue working as normal.

0:49:58 TW: Now wait a minute. So, he’s crediting Lars Gundersen who is also in Denmark.

[overlapping conversation]

0:50:04 KR: [0:50:04] __ yeah.

0:50:06 TW: Okay, so he credits Lars as being the one who kinda gave him the idea, but this all has a certain very geographic-centric area that this is…

[overlapping conversation]

0:50:15 MH: [0:50:15] __ Denmark.

0:50:17 KR: Yeah, [0:50:18] __.

0:50:21 TW: To Moe’s question though, is that something that Adobe and Google could do? It would actually… It would make the implementation a little bit more involved, but could they do the heavy lifting?

0:50:33 KR: They could do the heavy lifting. So right now we’re still using image request to send out data. Again, that’s a major hack in the browsers because you’re not allowed to make trust domain tracking requests out of your servers. You’re actually hiding the whole tracking package within an image request to a third party server, and then utilizing that weakness or you can have, say, a loophole.

0:50:54 TW: That’s fundamentally JavaScript page tag tracking is a complete hack…

0:51:00 KR: Exactly.

0:51:00 TW: Of just saying, “Let’s pretend we’re requesting a… “

0:51:02 KR: 100%.

0:51:04 TW: Okay. Sorry, that just got to one of my pet themes. Okay.

0:51:09 KR: 100%. So yeah, you could actually… These platforms could do it themselves, but you will still need to maintain then a sub-domain or your own tracking domain, you’ll need to have multiple tracking domains, one per platform, basically. And again, it’s a lot of these platforms are…

0:51:23 MK: I’m sorry. Can you say that again? You’d need multiple tracking domains, one per platform…

0:51:29 KR: So say for instance, let’s take a [0:51:31] __ in Google Analytics and Facebook, for instance, you have those two vendors deployed on your website. In the Google Analytics part, you would need a sub-domain that you could have ga.analyticspower.io for instance, and that would point to Google Analytics tracking server, basically, meaning that when a Google Analytics tracking request is happening, that is fired out to ga.analyticspower.io and the response from Google will then look like a response from your own first party domain, basically. And again, if Google then have updated their library, they would return the visitor ID cookie, so with underscore ga cookie as a part of that response because it will be set server-side and it will be set persistently on the new browser. And the same will need to be set up for Facebook, and the same for Adobe target are optimized and so on.

0:52:25 MK: Okay, I might be saying a really stupid thing…

0:52:27 TW: We gotta stop.

0:52:28 MK: Man.

[laughter]

0:52:29 TW: We have to stop.

0:52:31 MH: This is probably the first episode we’ve done where it’s probably more beneficial for our listeners to start at the end and listen backward. [laughter] [0:52:39] __. Alright, there is a lot more to discuss. And Kasper, thank you so much for coming on and helping illuminate some of this for us and for our audience. One of the things we love to do is go around the horn and do a last call. So Kasper, you’re our guest, do you have a last call you wanna share?

0:52:57 KR: Well, besides I’m using a lot of time on creating a technical solutions to circumvent [0:53:05] _ releases by the big software vendors, I’m actually spending a lot of time with my little kid now, he’s four months old. So it’s a lot of time going into that. But otherwise, I would simply recommend [0:53:21] that’s where I met Tim and had our first talk about the ITP and then cookie stuff and all that and some interesting… And we met up again at the Adobe Summit. Yeah, [0:53:33] ___ is very practical. Me as a developer, it’s a great opportunity to meet like-minded people here. And actually, I heard some rumors about they wanted to move it to, or they wanted to have another one in Canada.

0:53:46 MK: Hmm.

0:53:47 S?: Ooh.

0:53:47 S?: Sure.

0:53:50 KR: I don’t want to put anything here [0:53:51] __ but I heard something about the…

0:53:53 S?: You heard it here first, folks.

0:53:55 KR: In North America. So I’m crossing my fingers here.

0:54:00 MK: I’m not gonna lie, I think the quality comes from all the Europeans, so moving it to America might…

0:54:05 KR: [0:54:05] __.

0:54:05 MH: Oh, look at you, just dissed the Canadians.

0:54:11 MK: Well, I don’t know, I think very highly of the Europeans in the analytics space.

0:54:15 MH: Just for that that, Moe, I’m gonna ask Tim what his last call is next.

[laughter]

0:54:20 TW: So mine’s actually gonna come sort of from Canada. And that a few weeks ago, I was at the Web a Quebec Conference, and one of the, which most of the sessions I couldn’t understand ’cause they were in French, so I didn’t try, but one of the key noters was a guy named Colin Megill. He’s got a company/open source platform called Polis or pol.is, but really, he referenced an article about using the software that was in Technology Review called “The Simple but Ingenious System Taiwan uses to Crowdsource its Laws”, and it’s this idea that using polls and using machine learning, and he kind of in his talk actually talked through sparse data sets of having people make statements around an issue. You kinda seed it, and then you have people agree or disagree, and you wind up with this big table of data.

0:55:10 TW: So his talk at Web a Quebec was how machine learning can actually change the political discussion by not breaking things down into binary or, “I am this party or that party” kind of identification politics, and instead gets to the root of what do we agree on, what are the fundamental differences, getting more nuanced. It’s kind of a somewhat mind-blowing to me kind of set of ideas. His platform, you can use it for anything, for a company, but the side of it, on the political side, and the example, there are other examples in that Technology Review article that are all kind of fascinating, machine learning put to good use.

0:55:50 MH: Very nice. Alright, Moe, what about you?

0:55:53 MK: I thought you were still punishing me.

0:55:56 MH: No, I can’t stay mad at you.

[laughter]

0:56:00 MK: I’m not gonna lie, the first time I read Simo’s blog I was kind of scratching my head. And so, if anyone out there does wanna learn more about ITP 2.1, what I would actually recommend doing is, Rod Jacka from Panalysis has written a blog on it, which I think is quite a bit easier to follow and not quite as technical. Simon Rumble from Poplin Data has also written a blog post on it. And then once you’ve read both of those, then go back and read Simo’s and you’ll be like, “Oh, this makes more sense.” So yeah, recommend having a read of both of those.

0:56:32 MH: A guided reading journey for ITP. Nice. [chuckle]

0:56:37 TW: Alright. What do you have, Michael?

0:56:38 MH: My last call is something I saw in the Measure Slack, and I think it was Corey Underwood who posted it first, which was Stack Overflow does a developer survey every year, and it’s phenomenal. There’s a couple of really key points that came out of it really clear to me. First off, Python, way more successful than R, Tim, so just FYI.

0:57:03 TW: I’m sorry, we’ll cut this out.

[laughter]

0:57:08 MH: And I also remember from our data science episode with Ian Thomas, Moe, you were talking about whether or not women were less confident in asking for jobs and literally the survey addressed that, and it was really interesting by gender, they showed that men do express more confidence in their skills, generally speaking. It’s surprising that I think some 80% of all developers are actually above average according to the survey, which is interesting. But it was really neat because we were just talking about that and then the survey came out, it was pretty neat to see some real world data collection around that topic, which lends credence I think to your point from that episode, Moe.

0:57:51 MK: Oh, thank you. I will have to have a read.

0:57:54 MH: But the big takeaway was Python, way more popular than R.

0:57:58 TW: And we’re out of time.

0:58:00 MH: Okay. Okay. You’ve probably been listening and you’ve probably been thinking, “When are they going to get to something that could help me?” And the answer to that question was when we finally let Kasper talk near the end of the episode and explain a lot of things. So relisten to that part, read the blog posts and things like that. There’s a lot of good information out there. It’s not the end of the world. But I imagine you might have questions and you may have thoughts, so we encourage you to reach out. We’d love to hear from you. The best way to do that is through the Measure Slack, or our LinkedIn group, or on Twitter, and we’d love to hear from you. Kasper, thank you so much for taking the time to come on the show and help our audience and us understand the ITP issue a little bit more and think about our world in a little bit better way.

0:58:45 KR: Thank you for having me, it was a pleasure.

0:58:48 MH: And I’m sure I say for both of my co-hosts, Tim and Moe, no matter how they try to keep us down and hurt our data collection, we as analysts will never stop analyzing.

[music]

0:59:05 MK: Thanks for listening. And don’t forget to join the conversation on Facebook, Twitter or Measure Slack group. We welcome your comments and questions. Visit us on the web at analyticshour.io, facebook.com/analyticshour or @AnalyticsHour on Twitter.

0:59:25 S?: So, smart guys want to fit in, so they’ve made up a term called analytics. Analytics don’t work.

0:59:34 S?: Analytics, oh my God, what the fuck does that even mean?

0:59:42 MK: So Kasper, I have to warn you, whenever I stay up really late for the podcast, I go a little batty and just the filter just ceases to exist. So you’re welcome. It’s gonna be fun.

0:59:52 S?: Can you guys hear me?

0:59:56 MK: Okay, so if you get the flu vaccine when you’re tired, it doesn’t actually work. So basically, when you get the flu vaccine, your body needs to respond and create the antibodies and be like, “Yeah, I’m gonna fight this.” And your body doesn’t actually do that if you’re tired, they’ve measured it. So now they’ve been able to prove that the flu vaccine is actually ineffective if you get it when you’re run down. Isn’t that amazing?

1:00:19 S?: Don’t write checks that your enthusiasm can’t cash.

[laughter]

1:00:22 S?: I may cut this whole thing out.

[laughter]

1:00:30 MK: No one would expect me to know that.

1:00:32 S?: Way to help break down stereotypes, Moe.

1:00:36 S?: I don’t know where that was going. I apologize.

1:00:38 MK: I’ve never seen you stop literally mid-stream.

1:00:48 S?: Rock flag and ITP…

1:00:48 MK: I think that was your saddest Rock flag ever. [1:00:49] __ be like…

[vocalization]

Podcast: Download | Embed

Subscribe: RSS