Apple has been cracking down on apps that try to use a device’s UDID, a 40-character code that uniquely identifies each device the company sells.
The Cupertino company’s apparent turnabout (it used to allow apps to access the UDID) has spawned confusion and an abundance of theories. On one hand, Apple has indicated that users will reject its App Store if it allows UDID sharing without user consent. However, the company has not made any announcement, and we’ve yet to see an actual breakdown of the number of apps that have been rejected vs. the number that are passing where the UDID is accessed. Because Apple’s policy on UDID crackdowns has been vague, the market was caught off guard last month when Apple told its reviewers to reject apps that access UDID.
This issue is particularly relevant to mobile app publishers, mobile analytics providers, advertisers, and ad networks, who are scrambling for solutions that will survive a post-UDID world.
Why everyone is hooked on UDIDs
Why is this so pressing? In short, ad networks use UDIDs to measure conversion of a specific ad or campaign, a practice called attribution. It’s one identifier that’s sure to work across all different apps, because it’s consistent and unique to each iPhone or iPad. Also, when partners and advertisers have access to audience data, they use UDIDs to target their ads to users that are likely to be more interested and responsive.
The biggest weakness of UDIDs is that they are tied to a device and therefore cannot be deleted. So they’re not designed for opt-out mechanisms, and the actual device ID can be considered as “personally identifiable information” (PII), much like a given name, Social Security number, or driver’s license number. As concerns about user privacy have surfaced in the press lately, the reliance on UDIDs has started to look less and less defensible.
We’ve seen this before. During the height of the Web ad-targeting days, people raised concerns about privacy. However, the technology of the Web provided an opt-out for consumers who did not want their activity to identify them: Just delete your browser cookies. Only a tiny fraction of consumers actually opted out, and the reality is that those who opt out view just as many ads online; the ads are just not targeted to them. Back then, the cookie solved the problem for marketers.
Similarly, today’s UDID controversy obscures a key point: It’s actually a real opportunity for the mobile industry.
The UDID was never a perfect solution to begin with, and though some of the current alternatives leave much to be desired, the industry is attempting to work together on new standards. A new standard could alleviate Congressional concerns around user privacy and prevent a complete crackdown, dramatically lessen the mobile industry’s reliance on Apple, and give service providers more control over their ad operations.
It’s time to find alternatives
At Apsalar, we have chosen to support all current UDID alternatives for cross-app analytics and targeting — including SHA1 encryption of a device’s MAC address (a unique identifier used in network communications), an MD5 hash of MAC address, ODIN (a derivative of the MAC address), and OpenUDID — in our most recent SDK. We are supporting all the MAC address-related options because industry players have implemented them (the MAC address is programmatically accessible today through a well-publicized API) and they are current market realities.
However, we don’t see the MAC address as a lasting solution. If Apple eventually does away with the UDID because it is tied to the device and can’t be erased, the same fate will befall the MAC address, which is just as tied to each particular device. Although Apple has not deprecated the MAC address yet, to rely on this as anything but an interim measure is burying one’s head in the sand.
In the longer term, our position is that OpenUDID offers the most promise as the foundation for the new standard. First, OpenUDID is distributed by nature. Any participant can write and read OpenUDIDs and therefore no one party controls them. Further, OpenUDID does not rely on an ID tied to hardware, which means that it is delete-able, just like browser cookies, and less likely to be classified as personally identifiable information. Moreover, OpenUDID provides a framework for users to opt out, and that gives every publisher or network the flexibility to create its own opt-out policy.
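To make the contrast concrete, here is an added example (not Apsalar's SDK code and not the OpenUDID implementation) that models a MAC-derived identifier next to a software-generated one. SHA-1 and MD5 are one-way hashes rather than encryption, and hashing leaves the value just as bound to the hardware. The MAC normalization, the `ResettableIdStore` class, the opt-out sentinel and the sample MAC address are all assumptions made for illustration.

```python
import hashlib
import secrets

OPT_OUT_ID = "0" * 40  # constructed sentinel for this model: "user opted out"

def normalize_mac(mac: str) -> str:
    """Strip separators and upper-case (normalization chosen for this example)."""
    return mac.replace(":", "").replace("-", "").upper()

def mac_sha1(mac: str) -> str:
    """Hardware-derived ID: any app hashing the same MAC gets the same value."""
    return hashlib.sha1(normalize_mac(mac).encode("ascii")).hexdigest()

def mac_md5(mac: str) -> str:
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()

class ResettableIdStore:
    """Hypothetical model of a deletable, software-generated identifier."""
    def __init__(self) -> None:
        self._value = None
        self._opted_out = False

    def get(self) -> str:
        if self._opted_out:
            return OPT_OUT_ID          # no per-device value is exposed
        if self._value is None:
            self._value = secrets.token_hex(20)  # 40 hex chars, no hardware input
        return self._value

    def reset(self) -> None:
        self._value = None             # like deleting a browser cookie

    def set_opt_out(self, opted_out: bool) -> None:
        self._opted_out = opted_out

def compare_after_reset(mac: str) -> dict:
    """Show which identifier survives a user-initiated reset."""
    store = ResettableIdStore()
    hw_before, sw_before = mac_sha1(mac), store.get()
    store.reset()  # the user clears the identifier; the hardware is unchanged
    hw_after, sw_after = mac_sha1(mac), store.get()
    store.set_opt_out(True)
    return {"hardware_id_changed": hw_before != hw_after,
            "software_id_changed": sw_before != sw_after,
            "opt_out_value": store.get()}

SAMPLE_MAC = "00:11:22:AA:BB:CC"  # constructed sample, not a real device

if __name__ == "__main__":
    print(compare_after_reset(SAMPLE_MAC))
```

The hashed MAC comes back unchanged after the reset, while the software identifier is replaced and collapses to a shared sentinel once the user opts out.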
In the end, a suitable mobile industry consumer privacy framework will focus on the following areas:
- Limited (or no) collection of PII
- Consumer notice of collection and use of behavioral data
- Targeting only on non-PII behavioral data
- Conspicuous choice to opt out of behavioral advertising
Amid the uncertainty, we as an industry can define a new standard that addresses users’ opt-out concerns while also developing audience measurement and targeting best practices that don’t rely on PII. If we get it right, we will reduce our reliance on a single platform provider and avoid the intervention of an overzealous legislature. It’s up to us to develop the mobile audience measurement and advertising ecosystem in a responsible way.
Michael Oiknine is the chief executive and cofounder of Apsalar, which serves highly targeted mobile ads based on user segmentation and behavior analytics. Oiknine was previously founder and CEO of Kefta, a SaaS provider of behavioral targeting services for large Web entities.