Cookie cutter

Apple is rolling out a new mechanism to measure click-through ad campaigns in a manner that better maintains user privacy.

The WebKit browser engine technology – dubbed Private Click Measurement (PCM) – is designed to chart ad clicks across websites and from iOS apps to websites with using privacy-threatening cookies.

PCM is being trialed in iOS/iPadOS 14.5 beta releases.

In a blog post, Apple WebKit developer John Wilander explains the tech firm’s design goals in developing the technology.

“Classic ad attribution on the web is done with cookies carrying user or device IDs,” Wilander explains. “Such attribution constitutes cross-site tracking which WebKit is committed to preventing.

“Websites should not be able to attribute data of an ad click and a conversion to a single user as part of large-scale tracking.”

Wilander added: “At the same time, we want to support measurement of online advertising.

“PCM achieves this trade-off by sending attribution reports with limited data in a dedicated Private Browsing mode without any cookies, delaying reports randomly between 24 and 48 hours to disassociate events in time, and handling data on-device.”

Click management

PCM supports 8-bit identifier on the click source side and a 4-bit identifier on the conversion side, features than allow separate campaigns and conversion events to be identified.

Wilander latter clarified through Twitter that “PCM data should not be attributed to individual users or devices”.

A fraud prevention mechanism through unlinkable tokens is in development but not yet available.

Apple proposed the technology as a web standard back in May 2019. It has been the topic of discussion among other browser developers but none to date have taken it up, a necessary precondition for the technology to become a recognized web standard.


Read more of the latest browser security news


The technology measures ad clicks across websites (web-to-web) and from iOS apps to websites.

The latter measures ad clicks from iOS and iPadOS apps to Safari.

It doesn’t yet work in the opposite direction between web-to-app, though Wilander concluded Apple would be interested in enhancing the technology in this direction.

Privacy more generally has high up on the agenda for browser developers. For example, Mozilla recently upped the ante against supercookie tracking by introducing cache partitioning.

The overall security design push by teams at Google and Mozilla over the last 12 months is covered by our recent browser security feature.


RECOMMENDED Nmap project becomes latest victim of Google’s ‘wrongful blocking’ of cybersecurity resources