Richard Kahn
Online data privacy is an enormous (and complicated) issue. User privacy tools help protect regular website visitors from having their data tracked, taken, and used against them. Some consumers and advocacy groups have pushed hard for increased privacy protection online. However, privacy tools have often been co-opted for fraudulent activity by criminals.
Entire industries, such as the virtual private network (VPN) industry, have sprung up in response to privacy and data security concerns. But VPNs are often used to obfuscate ad fraud schemes and make it easier for invalid traffic from bots to go undetected.
Is Google making changes?
Recently, news articles started talking about Google making a major change to user privacy called the “Privacy Sandbox.” The basic intent of the change is to enhance privacy for Android device users .
While consumers will likely appreciate the intent of the Privacy Sandbox, marketers may (and should) be less sanguine about implications of these changes. Why? Because there’s a risk that the new privacy settings will not only negatively impact ad targeting, but will give fraudsters a chance to perpetuate their schemes more easily.
Let’s discuss some of the changes Google is making to user privacy, how they might inadvertently affect fraudulent activity targeting your marketing, and what you can do to protect your business.
How Is Google Changing User Privacy?
In February of 2022, Google announced a new “Privacy Sandbox” tool for Android that phases out third-party cookies online and eliminates “cross-app identifiers” such as Advertising ID while also limiting data sharing to third parties.
Google also wants to change how user agent (i.e. software acting on behalf of a user, like a web browser) identification works. As ScientiaMobile put it: “If things end up going according to Google’s plans, though, a partial freeze of the User-Agent will be rolled out on desktop browsers first during 2022… The frozen User-Agent string will no longer reveal the device model, and it will brazenly lie about the version of the browser and operating system.”
With this change, web browsers would make generic “initial” requests to websites instead of ones that are specific to that browser. This would require site owners to “ask” for more information in order to get browser-identifying information—which can prove to be incredibly difficult since there are a bunch of extra hoops to jump through.
This will make it harder for third parties to interact with device users. According to updates from The Chromium Projects, as of June 13, 2022 the phase 4 (of 7) rollout of the reduced user agent (UA) string reference “was enabled for 100% of clients on M101 and above via Finch.” The effect of this particular phase of the change would be to make “the reduced UA string would apply to all page loads on desktop and mobile OSes that do not opt into the reverse Origin Trial.”
A Potential Impact of User Privacy Changes on Advertising Efforts
Google’s new privacy change resembles one made by Apple in 2021. According to an article by Business Insider, Meta (the company behind Facebook) “said it stands to lose $10 billion this year due to the small but impactful change made by Apple.”
To summarize what Apple did: they added an alert to their iPhone devices that allowed users to opt out of allowing apps to track their behaviors across other apps. As Business Insider reported, “over 95% of iPhone users who had downloaded the update were opting out of ad tracking.” Since Meta/Facebook generates most of its revenue using targeted ads and relied on the ability to track activity in other apps to collect the necessary data, it’s easy to see how this change affected their revenue.
In light of Google’s new change, marketers will need to identify new ways to track user activities—possibly through methods that are more complicated and prone to error than the simple user agent string and third-party app tracking data that they previously used.
How Google’s New Privacy Change Could Accidentally Protect Fraudulent Activity
The major problem with any user privacy change is that it can dramatically impact the way that companies handle identity verification. By hiding the user agent string (the OS, the device type, and even the software name), this update makes positively identifying the source of fraudulent activity even harder for the average ad fraud solution.
Why does this make bot detection and fraud prevention harder? As noted by Security Magazine, bot detection solutions “rely heavily on device fingerprinting to analyze device attributes and malicious behavior… the information collected from the device fingerprint has become a major element of the information analytics engines [used] to decide whether traffic is bot or human.”
However, this difficulty shouldn’t be anything too new for ad fraud solution providers. For years, fraudsters have used device spoofing techniques to purposely hide this information from detection to help disguise their illicit activities. Google’s privacy change will just make this easier for the fraudsters.
In addition to incidentally helping to hide bot-based fraud activity, this change to privacy may also make human fraud farms more effective. Normally, a human fraud farm would have to go through the motions of changing their device spoofing settings to conduct fraud. However, with their user agent string data already hidden, the sweatshop workers in these fraud farms can skip that step—saving time and device processing power so they can carry out more fraud per hour.
Unfortunately, many ad fraud solutions simply aren’t sophisticated enough to cope with not being able to accurately track the user agent string information.
This is why you need an ad fraud solution that pulls more data about each website visitor than just the user agent string and one or two other data points that are only useful for tracking the most simplistic of bot-based fraud schemes.
What Marketers Can Do to Protect Their Online Ad Campaigns from Bot Traffic
So, how can you protect your online ad campaigns from bot traffic being hidden by new privacy settings that make it impossible to “fingerprint” the devices used to commit fraud? The same way that marketers have been fighting fraudsters who use device spoofing techniques that existed before this change: by using an ad fraud solution that tracks hundreds of data points about each website visitor to verify their identities and intentions.
Why let fraudsters get away with your company’s money? Stop ad fraud now with a proven, reliable solution that virtually eliminates false positives and is designed to thwart many of the techniques that fraudsters use to hide!
