An illustration shows a shield, with binary numbers in the background.

Understanding Apple’s Private Click Measurement

Private advertising technology proposals could greatly improve privacy for web users. Web advertising has a reputation for poor privacy practices. Firefox, other browsers, and the web community are collaborating on finding ways to support advertising while maintaining strong, technical privacy protections for users.

This series of posts aims to contribute to the ongoing conversation regarding the future of advertising on the web by providing technical analyses on proposals that have been put forward by various players in the ecosystem to address the questions of what might replace third-party cookies. In this installment, we look at Apple’s Private Click Measurement (PCM).

PCM differs from the subject of our other analyses in that it is more than a mere proposal. PCM is available in Safari and iOS today.

The goal of PCM is to support conversion measurement through a new in-browser API. Conversion measurement aims to measure how effective advertising is by observing which advertisements lead to sales or other outcomes like page views and sign-ups. PCM measures the most direct kind of conversion, where a user clicks an ad on one site then later takes an action on the advertiser’s site, like buying a product.

The way that PCM works is that the browser records when clicks and conversions occur. When a click is followed by a conversion, the browser creates a report. PCM aims to safeguard privacy by strictly limiting the information that is included in the report and by submitting reports to the websites through an anonymization service after a delay.

Our analysis concludes that PCM is a poor trade-off between user privacy and advertising utility:

  • Although PCM prevents sites from performing mass tracking, it still allows them to track a small number of users.
  • The measurement capabilities PCM provides are limited relative to the practices that advertisers currently employ, with long delays and too few identifiers for campaigns being the most obvious of the shortcomings.

The poor utility of PCM offers sites no incentive to use it over tracking for browsers that continue to offer cross-site cookies, like Chrome. For browsers that limit the use of cookies — like Firefox or Safari, especially with stricter controls like Total Cookie Protection in Firefox — tracking is already difficult. If Firefox implemented PCM, it would enable a new way to perform cross-site tracking. While some sites might choose to use PCM as intended, nothing in the design of PCM prevents sites from using it for tracking.

Overall, the design choices in PCM that aim to safeguard privacy provide insufficient privacy protections, but they appear to make the API less useful for measurement.

The Private Advertising Technology Community Group (PATCG) in the W3C are currently discussing options for measurement in advertising.

For more on this:

Building a more privacy-preserving ads-based ecosystem

The future of ads and privacy

Privacy analysis of FLoC

Mozilla responds to the UK CMA consultation on Google’s commitments on the Chrome Privacy Sandbox

Privacy analysis of and Unified ID 2.0

Analysis of Google’s Privacy Budget proposal

Privacy Preserving Attribution for Advertising: our Interoperable Private Attribution proposal

Share on Twitter