It’s Official: Bye-Bye UDID

This weekend’s news of Apple rejecting apps due to their exposing UDID’s to third parties makes official one of the most anticipated events (and not necessarily positively for everyone) for mobile this year.  This leads to two very big questions:

  1. What does this mean to the future of mobile advertising on the IOS platform?
  2. Are Android and other platforms going to follow?

Both of these questions are clearly uncertain at this point, but below are a few points we felt are worth mentioning based on our extensive involvement in this area recently:

  1. UDID was removed from usage as a tracking identifier by Apple because it is permanent and non-deletable.  It incorporated less privacy than web cookies which can be controlled by browsers, usually expire, have a notice and choice system that works with 100% certainty and can be ultimately deleted by privacy-sensitive users.  Whatever subsequent solution is adopted by the industry needs to include these elements.
  2. MAC address is considered by some as an alternative but it does not reflect all of the above criteria. As such, it should be considered only a short term bridge solution and ONLY if there is at least a notice and choice system in place along with it.
  3. This is a tough problem to fix and TRUSTe supports new technology approaches that explores device-id alternatives including OpenUDID from AppsFire and newer device fingerprinting methods, as long as there is a path forward to providing integrated notice/choice frameworks along with some of the stated requirements above.
  4. But, we ultimately believe the final tracking solution needs to be integrated with the privacy system by design.  Privacy systems needs to work with 100% certainty: an opt-out must opt a user out. If an ad system is off by a 1%, that is OK, the user just sees a non-relevant ad or a metric is off a little. But there is not the same tolerance for a privacy system.
  5. We see a role for the DNT header here but not in the near term as there are too many elements that need to retrofit in the stack and there is no common user interface with which to build into. Longer term, we do support Mozilla’s effort and technology demonstration via Boot2Gecko as an example of how this can work.
  6. Ecosystem fragmentation.  Any system that is ultimately chosen must reach critical mass and widespread adoption, else it will not succeed and multiple systems will co-exist creating unnecessary complexity.  The industry needs to reach consensus on that approach and the system needs to be INDEPENDENT from the ad and data companies using it. It should be operated or overseen by a neutral or trusted third party or set of third parties that are not competitive with their ecosystem partners.

From a high level, like most things in privacy technology, there is usually a limitation to the design of the near-term solution, due to what is available technology and deployed footprints of user devices.  As such, a roadmap is usually required to build the higher-integrity solution and in this case it is no different.

It will be a very interesting point forward for sure around this topic. TRUSTe will be releasing its technology solution later in April and we encourage you to take a deep look.  We have been working with ad networks and publishers on thinking through our approach and are excited to put forth our thinking for feedback.

VP Product