How does Safari ITP and CNAME Cloaking affect marketing and analytics?

Are you seeing an increase in new visits from Apple browsers/products? Concerned about Apple’s ITP and CNAME cloaking updates?  How does this affect Google Analytics? 

You’ve probably heard rumblings about the latest update Apple has made in ITP to limit cookies set through CNAME cloaking. It’s less straightforward to understand compared to prior Safari’s privacy protection updates, but we’re here to help you out.

What is happening?

As a quick refresh, ITP (Intelligent Tracking Prevention) is what Apple calls the features they build into Safari to protect your privacy. This latest feature is designed to block 3rd party cookies that are trying to act like 1st party cookies.

A 3rd party cookie comes from a small piece of JavaScript which makes a request to a domain that is different from the page the script is sitting on. That JavaScript then gives the browser a cookie that can be read by other scripts wherever the visitor travels (hence the appeal).

(Left: 1st party cookies are accepted by default | Center, 3rd party cookies are blocked by default | Right: the 1st party domain request is redirected to a 3rd party domain, “cloaking” the true requestor.)

With 3rd party cookies being blocked by default, CNAME cloaking was invented.

Now the script initially sends a request to cookie.mysite.example but that request is redirected to mysite.3rdparty.example. So for the basic observer, the script is handing out 1st party cookies, but these cookies are actually coming from somewhere else. There are plenty of reasons to do this, most aren’t malevolent, but as with nearly every tool humans invent, it has been weaponized.

The folks working on ITP have figured out how to quickly discover this redirect, and label the cookie as a 3rd party cookie, which means Safari will automatically delete it after 7 days, regardless of the defined lifespan.

This leads to the question: how widespread is CNAME cloaking? Why did Apple (and others) think this particular technology was common enough to make blocking it a priority?

As it turns out, some mighty big names are employing this. The folks at Next DNS have found (and published)  a list of 6 vendors using this at length:

  • Adobe
  • Eulerian
  • Criteo
  • At Internet
  • Keyade
  • Commerders Act

Adobe Analytics and the related Marketing Cloud uses CNAME cloaking to set the ECID — Adobe’s universal ID for visitors. This is core to their visitor and device stitching capabilities (recognizing multiple devices as the same visitor) which fuels the value of multiple tools within the Experience and Analytics Clouds, Adobe Analytics, Adobe Audience Manager most obviously, but also the Device Co-op. The Device Co-op allows companies to participate in sharing the anonymous ECID device maps they have which means visitors can be recognized on different devices, even if they never visited your site on that device before – basically their answer to Google’s nearly universal login.

The others use CNAME cloaking for similar purposes — audience discovery and mapping — though with less emphasis on analytics and behavioral understanding than Adobe.

What is the problem this will create for organizations?

For orgs using any of the vendors mentioned above, the primary result will be an increase of new visitors from Safari browsers:  iPhones, Macs, and iPads. Since this is a Safari feature (at the moment) each time a Safari users returns to a site, outside the 7 day cookie deletion, and doesn’t authenticate during the visit, that user will be a New Visitor and without an authentication, even repeat visits will not be stitched to other devices the user may use.

The race for privacy protection means the rest of the browsers won’t likely be far behind making this an option at least, if not even a default protection. Several ad-blockers already actively block CNAME cloaking.

For now the greatest impact will be on those sites that:

  • visitors regularly frequent from multiple devices
  • but don’t visit at least weekly from each device and
  • don’t require authentication of some form (or some other method of identifying known visitors) at each visit

This is will especially impacts Adobe products:

  • Analytics will lose attribution data points and Unique Visitors will be less unique
  • Target can’t display consistent experiences to visitors across devices
  • Audience Manager will lose unity for visitor profiles, both for individual orgs, but also for the marketplace of profile based segments
  • Media Optimizer will lose ability to precisely target ads across device platforms

This actually might put Adobe at a disadvantage to Google for user tracking. Because the Google Login is so nearly universal, that allows for more robust device and profile stitching without needing to rely on CNAME cloaking, because Google can get all these IDs from first party cookies shared with them.

What can you do to mitigate the negative impact?

The only real solution is to require authentication (which is where most of the web will wind up, we are very nearly there as it is between Facebook and Google). The user’s logged in ID needs to be synced with the platform’s uui (e.g. Adobe’s ECID) which will allow for cross cookie/device stitching.

In lieu of requiring login you can also utilize email capture as a pseudo authentication, creating a unique identifier based on the email, this can be used similar to a login generated ID. This can be deployed at any point an email address (or representative) is provided, from clicks from link within emails to forms that capture a user’s email address.

Server side tagging offers some benefit since the cookies remain truly 1st party because all the requests and responses are server to server, distinct from the client, but also introduces complexity, and is outside the capacity for many organizations at this point.

Now what? 

It’s great to see the web offering more options for consumer privacy while still allowing analysts and marketers to understand & offer outstanding digital experiences. This is an incredible opportunity to deepen customer relationships with hyper relevant experiences – let’s talk about what it means for you, or drop us a comment below to discuss!

Staying Professional and Personal during COVID-19

Business is always personal. Your teams need you to remember this more than ever. They need you to show up and lead in ways that are personal, not just professional. And your leaders need your personal encouragement more than your professional encouragement.

We are more than a month into distancing to “flatten the curve”. Week 1, the world had suddenly turned upside down and we were all just trying to figure out how to work from home. We’ve now had several weeks of this as commonplace and so we are finally getting used to it. But these upcoming may be the hardest weeks yet. We don’t know how much longer this will continue, and in many ways we are beginning to fatigue. Kids and their parents, roommates, spouses and partners are wearing out and wearing each other out, it feels like economic uncertainty is on an endless spiral. If ever there was a time, in these next few weeks we need to show up for our colleagues.

So what to do? First, you need to remember that our peers and colleagues need space to breathe, some will need more space than ever this week.

I think a great risk right now is a constant attempt to “cheer-up” one another (though there has been loads of beauty found in these attempts). We also need to let each other mourn. We each need to give the space, permission, and grace to mourn our individual and collective losses, alone and together.

Your loss matters. The losses of your loved ones matter. Our societal and cultural and economic losses matter. The comparison of loss (while tempting, and occasionally noble seeming) DOES NOT matter. Yes it can be a foundation for gratitude, but just because someone has lost more than you, does not mean your loss is meaningless or shallow or not worthy of grieving.

It’s impossible to ever really “get over” or move beyond loss, without acknowledging it in a way that validates the magnitude. And our individual and collective mourning is not a one-time event, it will be an on-going state during these current uncertainties, and well into the future. And each of us, to one degree or another, will experience moment to moment swings from hope to despair as we attempt to process.

But we can’t live there. There is still work to be done and some of us are busier and more overwhelmed than ever. The way we work needs to adjust though, and not just shifting from co-locating to remote locating.

Communication – What your team needs is to hear (or read) your voice. They are looking for and need consistent, daily, honest, positive, and personal communication. Voice memos, videos, slack, email, texts, conference calls. And while you’re at it, remember your customers/prospects/leads are people, too. Besides is there anyone who doesn’t appreciate someone checking in on them right now?

Have (extra) patience – None of us have ever done any of this in a pandemic before, and for many of us our business objectives have shifted dramatically. Add to this the difficulties and stress from everything swirling around and what we each need most is patience from each other and ourselves.

This is not business as usual – and that’s ok. We can’t expect the same results. We can’t generally expect the same productivity (I’ve even heard of some orgs trying to demand more productivity) or even level of activity.

What has always worked is no longer relevant, there’s not a playbook yet and there won’t be one soon, so just try something, anything, and then try something else (and if it fails, welcome to the party, remember the #failfaster mantra?)

Research shows it takes about 2 weeks to acclimate to changed environments, and now things are beginning to both get easier and get harder, now is when teams will be made or broken, and now is when you may very well begin finding inspiration and creativity in spades.

So what do you do now? You find the moments where you can help yourself and others.

  • Give your team interesting work to do – even if it isn’t immediately useful
    • Now could be a great time to let individuals noodle on a pet project for an hour a day
    • Can you skunkwork or hackathon something that’s been on the backburner
    • Challenge them to learn new a new skill, deepen, or broaden their expertise
  • Specifically look for ways to help your customers (leaders), even if it can never tie back to revenue. Even a simple 15 minute call to let them unpack their current state of uncertainty and how their objectives have changed could be invaluable.
  • Look for opportunities to celebrate. These opportunities are abundant, and the more we celebrate each other and our successes, the easier it becomes to identify, and the less focused we will be on doom and gloom.

We know business is personal. We may be just beginning to find out how personal it really is, and that is an exciting opportunity.

Check out my detailed thoughts on navigating these times and where the opportunities lie ahead. What do you think?

Full Transcript

[00:00:00] Here we are. A month into the great American Stay-at-Home experience. In the first couple weeks we were all just trying to get our bearings; figure out how we were going to do this. Most of us hadn’t had the opportunity to work remotely, and even those of us that worked remote were used to having offices that we could at least go to — whether it was the coffee shop office, the co-working office, or client offices where we could at least commandeer a desk or a boardroom for an hour or two. Now we’re all stuck at home. And it’s starting to feel somewhat commonplace. Some of us may even be feeling normal about it.

[00:00:37] But there’s still so much uncertainty swirling around. There’s economic uncertainty, there’s uncertainty about COVID. There’s uncertainty about even the environments in our own homes. Parents and kids are wearing out and wearing on each other — spouses, partners, roommates, friends we sheltered with so we wouldn’t be alone — and now we’re wishing we maybe had chosen different friends.

[00:01:02] If ever there was a time to show up for the people that you work with, it’s going to be in the next couple of weeks. I think these next couple of weeks are gonna be the hardest ones we have seen yet. Because of the uncertainty, I’ve been thinking about what that means…”showing up for your colleagues”. Business is personal. It always is. We all know that.

[00:01:28] And now, more than ever, our peers and our teams and our leaders need us to remember that business is personal, and to lead that way — “leading down” to our teams that report up to us, and “leading up” to our leaders who are looking to us to get things done for them. So what does that mean? I think there are three things that we can practically do.

[00:01:54] The first one is we need to give each other, and give ourselves space to mourn. We have suffered tremendous societal and individual losses, and comparing our losses doesn’t matter. Your loss matters. The losses of your teams matter. Our individual, and our joint experiences matter. We need to give each other space. We need to be patient with each other. And we need to be honest when we ourselves are also grieving.

[00:02:30] I think secondly we need to celebrate. We need to celebrate small things, we need to celebrate small things in big ways. Mourning and celebration can coexist. They’re not mutually exclusive. In fact, they both demand their space to exist in our current experience. There are plenty of small things to celebrate. And in many ways celebrating can help give voice to our mourning and to our grief.

[00:02:59] Third, we need to be communicating intentionally and personally with each other. If you lead a team, your team needs daily communication from you; and not just professional task-based communication, but they need updates about you. Your celebrations and your mournings. And you need to give them space to communicate those same things back. And likewise, you need to be communicating to your leaders giving them encouragement that is personal, giving them updates that are personal, and giving them space to update you on how they are doing and how things are going in their family and in their household, and requesting those updates and let them know that you care and are listening.

[00:03:42] And we need to be patient with each other’s productivity. We are in a moment of nationwide trauma that is a slow burn. It is ongoing. We can’t expect the same levels of productivity. And even though some of us may be experiencing creative bursts and inspiration right now because we’re finally beginning to feel normal (and environments have changed enough that our synapses are now firing in different ways and coming up with great new ideas), we need to be patient with ourselves with the kind of productivity that we can bring to that and what we can actually accomplish. And then to be patient with our teams about what they can actually accomplish. Remember that people handle trauma differently.

[00:04:27] But nobody makes amazing decisions and nobody is super super productive right now. We may get a lot of tasks done but we’re not productive; we don’t really bring the value that we’re capable of bringing because we’re tapped out and we’re taxed emotionally. We need to remember that business is personal. We know it is.

[00:04:53] The best thing that we can do for each other right now is to remember that and act like that and to lead from that – to encourage from that space. We’re all in this together. If we collapse we collapse together and if we rise up we’re going to rise up together. And if we remember that, there are amazing opportunities here. Opportunities to impact the people around you, opportunities to do things you never thought you could possibly do.

[00:05:32] Stay safe. Stay healthy. And remember that business is personal.