Marketers frantic to preserve their ad tracking capabilities in advance of Apple’s iOS 14.5 privacy restrictions have overwhelmed a volunteer-maintained database used to oversee domain names and improve web security.
The Public Suffix List (PSL) is a Mozilla-founded, community-run project to provide a list of domain suffixes, from .com and .co.uk to things like github.io and pvt.k12.ma.us, that can be used to build effective top-level domains (eTLDs) that form the basis of the web’s same-origin security model.
eLTDs exist as a designation because top-level domains (TLDs) themselves aren’t sufficient to define the scope of a site.
The issue is that browsers can’t look at domain names in URLs and automatically know for certain where individual websites begin and end. For example, theregister.com and google.com are clearly two distinct sites, and cookies set by Google shouldn’t be send to The Register just because our domains both end in .com. And then there are things like github.io, which allows people to host webpages on GitHub’s infrastructure: you wouldn’t want cookies set by yourcoolproject.github.io to be visible to snoopingmiscreant.github.io.
Thus, the PSL is employed by browser makers and other software developers to ensure that domains can’t be used to create super-cookies that track users across multiple web domains.
Two weeks ago, Jothan Frakes, senior product manager at PLISK and PSL volunteer, reported a surge of new pull requests to be included on the list, attributed to Facebook’s guidance to advertisers that they may need to verify ownership of their domain to continue using the Facebook Pixel tracker when Apple implements its App Tracking Transparency rules in iOS 14.5 in a few weeks.
Apple begins rejecting apps that use advertising SDKs for fingerprinting users
Facebook says it will support domains included in the PSL, despite efforts by developers like Google software engineer Ryan Sleevi to discourage people from using the PSL because it’s obsolete. And so, companies that use Facebook’s ad tech, among others, are trying to register with the PSL.
For example, Dave Sanders, co-founder and CTO at Service Magnet, filed a pull request with the PSL repo on GitHub to add the domain (eTLD+1) used by his company – magnet.page – to be included on the PSL so that Facebook’s ad tech will recognize customers pages hosted at [customer].magnet.page subdomains as separate origins.
A week ago, Frakes observed these pull requests accelerating and announced no new requests of this sort will be merged until Apple and Facebook have sorted things out among themselves.
Nice idea, but…
That may be easier said than done. For months, developers at Facebook and Apple have been trying to figure out a way to continue to allow advertisers to track ad conversions – to understand which ads people click on – in the web’s increasingly complicated technical environment.
Since January, Benjamin Savage, a software developer at Facebook, has been trying to solve what he referred to as the Etsy problem. Etsy, he explained, offers its merchants the ability to set up their own Facebook Pixel to run ads on Facebook and measure conversions.
“We can’t support these merchants using [Apple’s] ‘Private Click Measurement‘ [PCM] right now,” he lamented. “The way the spec is currently written, ALL ads that run on facebook.com and direct to ANY part of etsy.com would be eligible to take credit for ANY conversion fired from ANY part of etsy.com. Unfortunately, this is not a particularly useful statistic for the individual merchants who sell their wares on etsy.com.”
John Wilander, a WebKit security engineer at Apple, has been corresponding with Savage, trying to come up with potential solutions that fit with Apple’s evolving privacy requirements.
So far, the discussion has yielded, as Savage put it, “a pretty grim set of options.”
It was Savage who on Tuesday opened a new issue in Apple’s Private Click Measurement [PCM] repo to call attention to the PSL submission freeze, and addressed his concerns to Wilander.
Browser tracking protections won’t stop tracking, warns DuckDuckGo
“We have a problem,” he said. “As this GitHub issue explains, there is an increased volume of requests to add entries to the Public Suffix List.”
Pointing out that this is not specifically a Facebook problem but a concern of anyone running ads under Apple’s privacy policies, he argues that Apple should step in to help support the PSL, or come up with another solution, because its impending ATT changes have created the situation.
The issue is basically that merchants operating on hosted platforms can’t measure their ads under the limitations from Apple’s privacy regime unless the platform domain is listed on the PSL, which PCM uses to determine what is a registrable domain.
“Apple created this issue in the first place,” said Savage. “The need for multi-tenant websites to add themselves to the PSL exists only because of the PCM design decision to limit measurement to registrable domains. The urgency exists because [of] Apple’s planned ATT enforcement.”
Google meanwhile has been trying to solve a related problem – letting different domains operate as if they were the same origin – through a technology called First-Party Sets. The W3C’s Technical Architecture Group, however, considers the proposal to be harmful to the web.
It would be so much easier for advertisers if everyone just gave up on privacy. ®