multi-device authentication

| V

IEW

POIN

TS

___________________________

Multi-Device Authentication

How Google, Facebook and (maybe) Microsoft could make the tracking cookie obsolete November 2013

Neo@Ogilvy Viewpoints | Multi-‐Device Authentication

1

Multi-Device Authentication

Alejandro Correa


2

Contents 3 Introduction 3 Executive Summary 4 What is a Cookie? 4 How do Marketers use Cookies? 5 What are the Limitations of Cookies? 6 What is Multi-Device Authentication? 6 How does [Multi-Device Authentication] Work? 7 When will [Multi-Device Authentication] be Available? 7 Why is it Important? 8 Some Considerations 8 Next Steps


3

Introduction Several media outlets, including the Wall Street Journal1, have reported that Google, Facebook (Atlas) and Microsoft are planning to shift away from cookie-based measurement and to Multi-Device Authentication (MDA). The following paper will:

• Provide some background on this subject • Summarize some of the allegations by the press • Attempt to explain how companies may leverage their data for tracking purposes • Provide our perspective on this change along with next steps.

Executive Summary

• Cookies are currently used by digital marketing companies to anonymously associate a user’s actions across a period of time (i.e. viewed banner a, clicked on banner b, visited site 1).

• This is done so that a) advertising performance may be measured and b) users who engage in certain actions (i.e. visit a travel website) can be targeted by advertisers (i.e. airlines).

• Cookies are becoming increasingly inadequate for this task due to their technical limitations. • In order to overcome this, Google, Facebook and Microsoft, among others, have announced

their intention to leverage their internal data to replicate and allegedly improve some of the functionality of the cookie; we are calling this Multi-Device Authentication (MDA).

• If executed correctly, these measures are likely to result in vast improvements in functionality over the existing cookie-based approach.

• Aside from functionality, other factors must be considered, such as backlash due to privacy concerns, capabilities surrounding adoption of HTML5, and of course, the quality of the data that the main proponents (i.e. Google, Facebook and Microsoft) could bring to the table.

1 Online.wsj.com/news/articles/SB10001424052702304682504579157780178992984


4

What is a Cookie?

How do Marketers Use Cookies? Marketers use cookies in many different ways; here are some examples: Conversion Tracking: Ad exposure is used to associate an impression with a conversion event (e.g. view-through conversions).

User Targeting: Past user behavior is used to target users. In the example below, a user who visits a travel site is identified as someone with an “interest in travel” and served a travel ad after leaving the travel page.


5

What are the limitations of Cookies? Since cookies were not originally designed to be used by marketers for the use cases illustrated in the previous section, there are a number of limitations to consider. We have highlighted some of the main ones:

• Only a limited amount of data can be stored in a cookie (128 characters worth) • Cookies are not permanent and may be deleted by users at any time • Cause delays when loading on a website or ad • Placed on a specific browser (i.e. Firefox) and a specific device (a laptop)

This last one is particularly important, as we will see below. As discussed in the previous section, cookies are siloed by device and browser. Since consumers regularly use an increasing number and variety of devices, cookie data is becoming fragmented. For example, when consumers relied mostly on their PCs, it was possible to use individual cookies as a proxy for individual consumers. If a user saw three ads from the same advertiser in 2007, it was likely that users would see all three ads on the same device and on the same browser; therefore, the tracking entity’s (i.e. ad server) data would say, “We served ads to one user at a frequency of three.”

The same scenario in 2013 might play out like this: a consumer sees one ad on her laptop, another on her phone and the third on her Xbox…assuming that each of these ads was correctly tagged, cookie-based tracking would report this as three different users, each with a frequency of one.


6

What is Multi-Device Authentication (MDA)? The problem, thus, is to create another proxy for an individual user that is not as fragmented as the cookie. For companies like Google, Facebook, and Microsoft, the answer is to associate each device that a consumer uses to log in to their various products to a single anonymous ID. As users “authenticate” their identity via different devices by logging in (hence, “Multi-Device Authentication”), websites may associate each of those devices to that single user. For example: a consumer may log in to Facebook using their work laptop, their smartphone and even their gaming console. If a user was served one ad on each of those devices, it is theoretically possible for Facebook to determine that each of those ads was served to the same person.

How does it Work? The example below is based on the potential Facebook model, but other media companies like Google or Microsoft would presumably use very similar methods to achieve the same end. To reiterate, since most of these products have not been released, it is impossible to know how they will function. Based on our conversations with vendors, we are reasonably confident that the explanation below is accurate. As described above, a single user who logs in to a site using multiple devices authenticates their identity on each of those devices. This allows the site to associate the behavior on any of those devices back to the same user, thus enabling accurate measurement and targeting.


7

When will it be available? Little is known about how Google, Facebook and Microsoft will roll out these products but, as of today, the following information is available:

Google is already using Gmail and other login data to tie ads served to a single user across multiple devices.i For now, the capabilities appear to be limited to ads run through Ad Words, but there are subtle hints that there are plans to expand these capabilities to DART, Google’s ad server. Facebook, who purchased Atlas earlier this yearii, is in active talks with Neo@Ogilvy regarding the methodologies and feature sets surrounding a product of this nature. We will provide updates when appropriate. They have projected limited release of some features on their Atlas ad serving platform starting in Q1 of 2014. Microsoft recently announced it would add the ability to track individual “devices” which would facilitate cross-device attribution.iii Although the Redmond Company has been less clear regarding its intentions, the implication is that their device ID would work across the spectrum of Microsoft products (Surface, Windows Phone, Windows 8.1, XBOX, etc.) to identify individuals. Launch is imminent.

Why is it important? If this approach is properly executed, it could have an enormous impact on the way advertising is measured and optimized. There are a number of reasons for this, and we’ve singled out some of the most important ones:

Better reach and frequency counts: Counts based on cookies are currently distorted for the reasons mentioned above. By improving the measurement of reach and frequency, it may be easier to compare performance of media cross channel. For example, trying to draw equivalencies between TV GRPs and MDA IDs might be easier and more accurate than trying to do the same with standard cookie-based measurement. Better attribution: There are a number of ways MDA improves attribution, but perhaps the simplest and most crucial is that it enables attribution for devices that limit the use of cookies (i.e. iPhones). If a user saw an ad on an iPhone, and then converted on a desktop, it would be impossible to attribute the conversion credit to the iPhone under the current system; by using cross-device data, companies like Google and Facebook could attribute the conversion to the mobile ad. Better Targeting: MDA will enable more accurate tracking of individuals across different devices. For example, if a user abandons their shopping cart while on lunch hour at work, the advertiser may want to re-target that same user later that night, when the user is at home. This would be very difficult, if not impossible, with the traditional approach but potentially easy to execute if the correct MDA IDs were targeted.


8

Some Considerations? There are a number of topics that deserve to be discussed under this heading but will not be analyzed in greater depth in this paper. There is a very short comment on some of these topics below:

Other approaches to cross-device attribution: There are a number of other approaches to cross-device attribution, but they do not involve the user self-authenticating (i.e. logging in). Instead, various user devices are associated by a) fingerprinting or b) using Wi-Fi signals to identify devices in the same network. In our opinion, these approaches are less accurate, harder to audit, present privacy challenges and are otherwise less desirable than cross-device tracking based on login. Privacy: There is much to discuss and we will limit ourselves to say that, in our view, Facebook’s, Google’s and Microsoft’s expected approach to cross-device tracking and attribution is likely to be consistent with existing privacy regulations and best practices. Any personally identifiable information (PII) would be stripped out, or not be part of the process from the start, and the anonymous cross-device user IDs need not be shared with third parties. With that said, there may be a consumer backlash; some publications have certainly focused on the potentially negative aspects of this type of tracking.2 Reliance on Facebook and Google data: Today, Google and Facebook (and to a lesser degree, Microsoft) have enormous amounts of data that can be leveraged for cross-device tracking. Although we think this data could be used to improve tracking in the long-term, it has yet to be seen whether these companies will be able to “replenish” their data sources to the degree that the accuracy of their data does not erode over time. In other words, will users continue to log in to sites like Gmail and Facebook at the volumes necessary to sustain accurate cross-device tracking? It is extremely difficult to project whether this will be the case, and/or whether these companies will continue to build and acquire (i.e. Google Plus and Instagram) products that will maintain the levels of data required.

Next Steps Neo will continue to provide updates on relevant product developments as information becomes available. We believe that there will be significant differences in tracking and targeting products released by the major tech companies. As we are given the opportunity to test and to discuss new features, we will provide analysis on potential advantages and use cases. i https://support.google.com/adwords/answer/3419678#estcon_works ii http://techcrunch.com/2013/02/28/facebook-‐acquires-‐atlas/ iii http://community.advertising.microsoft.com/msa/en/global/b/blog/archive/2013/10/23/what-‐advertising-‐id-‐means-‐developers-‐advertising-‐8-‐1-‐sdk.aspx

2 http://www.networkworld.com/community/node/83965

________________________________________________________ Multi-Device Authentication Written by Alejandro Correa Published by Neo@Ogilvy For the latest industry news, trends and happenings, follow us on Twitter at @neo_Ogilvy. For more information, please contact: Rachel Serton [email protected] 212-259-5289

multi-device authentication

Documents