We are writing in-depth analyses of various categories of mobile ad fraud. We’ve previously covered Phantom Installs and Junk Installs. This is the first post in a series covering methods of Organic Poaching, in which we look at Fingerprinting.
What Is Fingerprinting?
Fingerprinting is a practice carried over from the legacy days of desktop web advertising. Attribution on desktop was more difficult than mobile, so advertisers needed methods of capturing user metadata (a fingerprint) and trying to match this profile to a known user. This became a standard practice on desktop advertising because of the difficulty of accurately identifying users.
Mobile in-app advertising does not generally face these issues due to the prevalence of unique advertising identifiers. All in-app inventory is tied to an IDFA or other similar advertising ID that is unique to a single device. The ID can always be reset by the user, but the device will always be tied to a unique identifier at any given time. There is still some value to using fingerprinting on mobile, as we will see later, but first let’s take a look under the hood of how fingerprinting works.
How Does Fingerprinting Work?
Whenever an MMP detects a click without an associated IDFA, it will use its fingerprinting algorithm to try to match the click to an impression. Advertisers sometimes have the capability of setting fingerprinting thresholds, so they can reject fingerprinting matches outside a certain window of time or below a certain confidence threshold.
Fraudsters who are able to reverse engineer the fingerprinting methodology can pass deliberately vague advertising events to MMPs with a profile that may get matched by fingerprinting algorithms. If they are successful, the MMP will match the fake click to an organic install and assign credit to the fake click event. This is most dangerous if there is a very large number of organic installs. If very few people are installing the app, then the odds of stealing credit from a fingerprint match are simply too small.
When Is Fingerprinting Useful?
Since it is far easier to exactly identify users on mobile, the concept of fingerprinting is generally considered less useful for mobile marketers. However, fingerprinting persists for a few reasons. One is that a significant percentage of mobile traffic is accessed through mobile web as opposed to mobile app. Mobile web traffic does not pass an IDFA and therefore relies more heavily on fingerprinting.
Additionally, some ad networks will not pass IDFA or advertising IDs back to the advertiser. When this happens, the MMP must use fingerprinting to try to identify the user and tie them to an impression. However, we argue that there is no valid reason for an ad network to suppress the IDFA, and if they are suppressing this information there are few legitimate explanations other than intent to commit fraud.
When Is Fingerprinting Problematic?
Fingerprinting is generally less accurate on mobile than on desktop. One reason is that desktop browsers provide a greater amount of data (window size, for example) that can serve to uniquely identify users. On mobile, particularly iOS with its limited number of device types, the data used for fingerprinting is far more limited.
Mobile will often rely on less precise factors to try to assign a match. If you see two impressions from an iPhone 10 from the same IP address one hour apart, it is possible this is because it is the same user. Or it is possible that two different travelers connected their iPhone 10 to the free wifi at O’Hare Airport. You may be confident fingerprinting an individual user from an IP address used by a shack in the Wyoming outback, but you should have significantly less confidence if the IP address is that of the Empire State Building. Identifying an individual user with fingerprinting is, at this point, more pseudo-science than science.
At the moment, the fingerprinting algorithms used to identify a user are kept secret. From our analysis, we believe these algorithms are pretty accurate, but fraudsters are always working to find new ways to add a lot of noise and confuse them. For example, many MMPs have attacked the problem of shared IP addresses by dynamically adjusting the conversion window. However, to account for this, fraudsters simply generate a higher volume of fake clicks to increase the odds of landing in this conversion window. Fraudsters have a very strong incentive to reverse engineer and exploit MMP fingerprinting algorithms.
For this reason, MMPs need to keep their fingerprinting methodology secret, to provide another hurdle for fraudsters. The secretive nature of fingerprinting, however, opens MMPs up to a lot of questions. Skeptics could accuse MMPs of using deliberately loose criteria to assign fingerprint matches, as many are paid per install. MMPs could credibly counter that they have a stronger incentive to uphold a reputation for accuracy. We generally believe MMPs are genuinely trying to make fingerprint algorithms accurate, but staying ahead of fraudsters is a difficult cat and mouse game.
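To make the matching described above concrete, here is a toy click-to-install attribution routine: an exact IDFA match is preferred, and only clicks that arrived without an IDFA fall through to a fingerprint score that must clear a confidence threshold inside a conversion window. The sample events reproduce the shared-IP situation from the airport example: one bare click from a shared Wi-Fi address is credited with two unrelated organic installs under a 24-hour window, and with none under a 1-hour window. This is an added illustration, not any MMP's real algorithm; the weights, window lengths, threshold and sample data are all assumptions.

```python
"""Toy click-to-install attribution with an IDFA path and a fingerprint
fallback. Added illustration; the weights, windows, threshold and sample
events are assumptions, not any MMP's real algorithm."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Click:
    click_id: str
    ts: datetime
    ip: str
    device_model: str
    os_version: str
    idfa: Optional[str] = None  # None: the network withheld the advertising ID


@dataclass(frozen=True)
class Install:
    install_id: str
    ts: datetime
    ip: str
    device_model: str
    os_version: str
    idfa: str  # the SDK on the installing device always has the IDFA


def fingerprint_score(click: Click, install: Install) -> float:
    """Crude similarity in [0, 1]; the weights are assumed for illustration."""
    score = 0.0
    if click.ip == install.ip:
        score += 0.5
    if click.device_model == install.device_model:
        score += 0.3
    if click.os_version == install.os_version:
        score += 0.2
    return score


def attribute(install: Install, clicks, window: timedelta, min_confidence: float):
    """Return (click_id or None, method) for one install.

    An IDFA match inside the window always wins. Only clicks that arrived
    without an IDFA are considered for fingerprinting, and only if their
    score reaches min_confidence; among equal scores the latest click wins.
    """
    in_window = sorted(
        (c for c in clicks if timedelta(0) <= install.ts - c.ts <= window),
        key=lambda c: c.ts, reverse=True)
    for c in in_window:
        if c.idfa is not None and c.idfa == install.idfa:
            return c.click_id, "idfa"
    best = None
    for c in in_window:
        if c.idfa is not None:
            continue
        s = fingerprint_score(c, install)
        if s >= min_confidence and (best is None or s > best[1]):
            best = (c.click_id, s)
    if best is not None:
        return best[0], "fingerprint"
    return None, "organic"


def attribution_summary(installs, clicks, window: timedelta, min_confidence: float) -> dict:
    """Count installs by attribution method for a given window and threshold."""
    counts = {"idfa": 0, "fingerprint": 0, "organic": 0}
    for inst in installs:
        counts[attribute(inst, clicks, window, min_confidence)[1]] += 1
    return counts


# Constructed sample: one airport Wi-Fi address shared by many devices.
T0 = datetime(2019, 3, 1, 12, 0)
AIRPORT_IP = "203.0.113.7"  # documentation range, constructed value
WINDOW_LOOSE = timedelta(hours=24)
WINDOW_TIGHT = timedelta(hours=1)
MIN_CONFIDENCE = 0.8
CLICKS = [
    # Click carrying its IDFA: attributable deterministically.
    Click("c1", T0 - timedelta(minutes=20), "198.51.100.4", "iPhone10", "12.1", idfa="AAAA-1"),
    # Click with the IDFA withheld, from the shared airport IP, three hours earlier.
    Click("c2", T0 - timedelta(hours=3), AIRPORT_IP, "iPhone10", "12.1", idfa=None),
]
INSTALLS = [
    Install("i1", T0, "198.51.100.4", "iPhone10", "12.1", idfa="AAAA-1"),
    # Two unrelated travellers installing from the same airport network.
    Install("i2", T0, AIRPORT_IP, "iPhone10", "12.1", idfa="BBBB-2"),
    Install("i3", T0 + timedelta(minutes=5), AIRPORT_IP, "iPhone10", "12.1", idfa="CCCC-3"),
]

if __name__ == "__main__":
    # Loose window: the bare click c2 takes credit for both organic installs.
    print(attribution_summary(INSTALLS, CLICKS, WINDOW_LOOSE, MIN_CONFIDENCE))
    # Tight window: c2 is too old, so both installs stay organic.
    print(attribution_summary(INSTALLS, CLICKS, WINDOW_TIGHT, MIN_CONFIDENCE))
```

Note that the fingerprint score alone cannot tell the two travellers apart: both installs score a perfect match against the same click, so the conversion window is the only lever that limits how much organic credit a single bare click can capture.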
Best Practices for Using Fingerprint Attribution
We recommend that advertisers completely disable fingerprinting if they are only using in-app advertising. All in-app inventory should provide an IDFA, and therefore there is no need for fingerprinting.
If they are using mobile web advertising as well, we still recommend disabling fingerprinting completely on Android and using it sparingly on iOS. Android uses a referrer string, a sort of temporary device id used to confirm the click, that renders fingerprinting unnecessary. For iOS, where this concept doesn’t exist, protect yourself by using a short window (e.g. 1 hour).
If you do choose to allow fingerprinting, you can perform the following two checks to protect yourself:
Check the number of installs attributed by fingerprint algorithm.
Check the percentage of clicks that pass IDFA.
The good news is these checks rely entirely on data you can easily get from your MMP. The purpose of these checks is to keep an eye on fingerprinting attribution and make sure it is used sparingly. The interpretation of these numbers may depend on your specific circumstances and we offer some rules of thumb here.
1. Check the number of installs attributed by fingerprint algorithm.
If you are using fingerprinting, your overall volume of installs attributed by fingerprint should be very low. If any network has a high percentage of installs coming from fingerprinting, it should be considered suspicious. On Android, we recommend <10% of installs should come from fingerprinting attribution (or <5% if mobile web is disabled). On iOS we recommend a stricter cutoff of <5%.
2. Check the percentage of clicks that pass IDFA.
For mobile in-app advertising, we see no good reason why any upstanding network would not send an advertising identifier. This should be universally available, so if they are choosing to withhold the IDFA then it is likely because they are attempting to conceal fraud.
The mitigating factor here is that fingerprinting is more necessary for mobile web advertising. Therefore, you can consider the percentage of clicks that pass IDFA in the context of the percentage of traffic that comes from mobile web. If you have a large percentage of mobile web traffic, you can allow more fingerprinting, but if it is solely in-app then the fingerprinting percentage should be negligible.
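The two checks above, run over the kind of per-network totals an MMP export provides, as an added example that is not part of the original post. The fingerprint-share cutoffs are the rules of thumb stated above (<5% on iOS, <10% on Android, <5% on Android without mobile web). How much missing-IDFA traffic to tolerate on a channel with mobile web is not quantified in the post, so the example assumes the missing share should not exceed the channel's known mobile web share by more than a small tolerance (2%), and the network figures are constructed sample data.

```python
"""Audit per-network MMP totals for over-reliance on fingerprinting.
Added example; the 2% tolerance and the sample figures are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkStats:
    network: str
    platform: str             # "ios" or "android"
    clicks: int
    clicks_with_id: int       # clicks that carried an IDFA / advertising ID
    installs: int
    fingerprint_installs: int  # installs the MMP attributed by fingerprint
    mobile_web_share: float   # fraction of this channel's traffic bought on mobile web


def fingerprint_install_limit(platform: str, mobile_web_share: float) -> float:
    """Cutoffs from the post: <5% on iOS; <10% on Android, or <5% without mobile web."""
    if platform == "ios":
        return 0.05
    return 0.10 if mobile_web_share > 0 else 0.05


def audit_network(s: NetworkStats, missing_id_tolerance: float = 0.02) -> dict:
    """Apply both checks to one network and return the ratios plus any flags."""
    fp_share = s.fingerprint_installs / s.installs if s.installs else 0.0
    id_share = s.clicks_with_id / s.clicks if s.clicks else 1.0
    missing_share = 1.0 - id_share
    limit = fingerprint_install_limit(s.platform, s.mobile_web_share)
    flags = []
    # Check 1: installs attributed by fingerprint must stay under the cutoff.
    if fp_share >= limit:
        flags.append(f"fingerprint installs {fp_share:.1%} at or above {limit:.0%} cutoff")
    # Check 2: clicks without an ID should be explained by mobile web traffic only
    # (assumed tolerance on top of the known mobile web share).
    if missing_share > s.mobile_web_share + missing_id_tolerance:
        flags.append(f"{missing_share:.1%} of clicks lack an advertising ID "
                     f"vs {s.mobile_web_share:.0%} mobile web traffic")
    return {"network": s.network, "fingerprint_share": round(fp_share, 4),
            "id_share": round(id_share, 4), "flags": flags}


def suspicious_networks(stats) -> list:
    """Names of networks that fail at least one check."""
    return [r["network"] for r in map(audit_network, stats) if r["flags"]]


# Constructed sample export: one row per network and platform.
SAMPLE = [
    NetworkStats("net_a", "ios", 100_000, 99_500, 2_000, 40, 0.0),    # in-app only, clean
    NetworkStats("net_b", "android", 50_000, 20_000, 1_500, 600, 0.0),  # in-app only, withholds IDs
    NetworkStats("net_c", "android", 80_000, 52_000, 3_000, 240, 0.35),  # mobile web explains gaps
    NetworkStats("net_d", "ios", 30_000, 29_000, 1_000, 70, 0.0),      # in-app only, too much fingerprinting
]

if __name__ == "__main__":
    for row in map(audit_network, SAMPLE):
        print(row)
    print("suspicious:", suspicious_networks(SAMPLE))
```

net_c shows why the second check has to be read against the mobile web share: 35% of its clicks lack an ID, which would look alarming on an in-app-only channel but is exactly what its mobile web traffic predicts, and its 8% fingerprint share sits under the Android-with-mobile-web cutoff.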
A major mobile commerce app in Korea used several channels for mobile advertising. They turned to DoubleCheck to evaluate their paid channels for signs of fraud.
While evaluating networks, they were interested to observe the effect of fingerprinting. As an experiment, they stopped sending IDFAs. The results were clear and immediate:
Immediately upon removing the IDFA, installs increased 10x. Additionally, conversion rates (click to install) jumped to over 1%, a relatively large number.
Without IDFAs, the fingerprinting algorithms kicked in to try to match these installs. Many impressions and clicks that had not been attributed when IDFAs were enabled were suddenly getting matched up. Clearly none of these installs should actually have been credited, but the fingerprinting algorithms were very loose at assigning credit. Based on these results, the app took a very strict stance against fingerprinting installs.