IP addresses – internet protocol, for the uninitiated – have been used as a mechanism for location targeting and cross-device measurement almost since the day digital advertising was born.
But it’s always been a dicey proposition from a privacy perspective – and now the writing’s on the wall with Apple’s plans to remove IP addresses from Safari and hide them in Mail by default.
Apple will automatically mask IP addresses in its browser via Intelligent Tracking Prevention, and people who subscribe to Apple’s new iCloud Plus service will also be able to doubly obfuscate their traffic through a feature called Private Relay.
The overall impact of Apple’s moves will likely be minimal at first, because they only apply to Apple’s universe.
But even so, it “definitely signals that IP-based geotargeting may not be available for much longer,” said Nishant Desai, director of technology and partnerships at Xaxis.
IP addresses have already been subjected to regulatory scrutiny.
They’re already considered personally identifiable information in Europe; their status as personal data under the California Consumer Privacy Act is ambiguous at best; much like cookies, IP addresses were never meant to be used as an advertising identifier. It’s difficult to do IP targeting without tripping the creepiness wire – and, on top of that, IP-targeted ads aren’t all that accurate.
Yet, IP addresses have long been co-opted as a proxy for location, an ingredient in cross-device identity graphs, a component of fingerprinting technology and as a pseudonymous identifier for targeting.
Here’s how IP targeting is used today – and what could replace this signal for advertisers in the future.
The DL on IP
To be clear, IP addresses – the numerical labels assigned to internet-connected devices that allow them to identify each other on the web – aren’t going anywhere. They’re a cornerstone of how the internet functions.
Internet service providers allocate IP addresses to their customers, which comes in two forms: static and dynamic.
Static IP addresses are generally used by businesses and stay the same over time, a bit like a phone number or a physical address. Most consumers, however, have dynamic IP addresses that cycle and refresh over time, usually when the router is rebooted.
That’s why B2B marketers often see success with account-based marketing campaigns that target a specific company’s IP address or group of IPs, while campaigns that are IP-targeted at consumers can be hit or miss.
By the same token, corporate VPNs can screw up targeting, because it might appear as if someone’s traffic is coming from New York City, when she’s working out of a home office in suburban Philadelphia.
“IP addresses can be valuable to identify users, but you can’t use it the same way you would a deterministic ID,” Desai said. “If you’re using an IP address in a device graph or to help fingerprint a user, you should know that at some point the ID will likely change or was never accurate to begin with.”
“Naive” use cases
One of the two main ways IP is used for advertising purposes is to approximate the location of a device or group of devices and to target based off that signal.
A company like Neustar that has a large database of IP addresses can help DSPs and other ad serving technology providers do a reverse lookup to figure out the geo associated with an IP so that it can be used to target by city, state or ZIP. These signals can be relayed by a publisher into the bidstream.
But although IP addresses are commonly used as a location-based targeting mechanism, the practice is simplistic, “naive and fraught with problems,” said Bosko Milekic, CTO and co-founder of data connectivity platform Optable.
Beyond the privacy concerns – IP addresses are a standard part of a request in the header along with a user agent string, which means that there’s no method for users to opt in or out – targeting based on IP can be extremely inefficient.
“Say you fly to Denver for 24 hours and your device is registered as having visited the city – for the next three months all you see are real estate ads for obscure Denver neighborhoods,” said Ana Milicevic, principal and co-founder of digital consultancy Sparrow Advisers. “It’s detrimental to the consumer experience, because the ads are so obviously mis-personalized, but it’s also not good from a buyer perspective, because they’re throwing money out the window – the signal that flashes you’re in Denver doesn’t necessarily flash again when you leave.”
Visitors to major metro areas are often tagged for campaigns on arrival because there are more campaigns running that are looking for users.
“And the way recency in interpreted in targeting, if someone displays a signal in a particular area, that person is still tracked as being there for around 30 days,” Milicevic said.
IP & CTV
But in the connected TV (CTV) space, IP targeting can be applied with a greater degree of sophistication, said Optable’s Milekic.
It’s possible, for example, to analyze the IP addresses found in network traffic so as to stitch together an understanding of the consumers and devices in a household over time. This requires detecting when household IPs change, which is nontrivial to do, Milekic said, because the frequency at which IP addresses refresh can vary by region, country and ISP.
“When implemented effectively, though, one IP address can be used to infer possible links between devices in a common household, which in turn can be used to improve the scale and depth of targeting and measurement in CTV,” he said.
The question is whether this type of analysis will remain viable – or even doable – if other browser makers and platforms follow in Apple’s footsteps.
This uncertainty is partially responsible for the shift toward logged-in authentication on streaming services. Even ad-supported services often require a login.
“While the walled gardens will still have their ways, the removal of IP addresses could be considered more of a loss for the open internet, the recipe sites and whatnot,” Milicevic said. “Advertisers and the monetization ecosystem will be affected, but will users care? Probably not.”
The slow-rolling removal of third-party cookies and the renewed focus on IP addresses as a vector for privacy problems are both evidence that the pendulum is swinging away from the widespread sharing of global identifiers that started with the advent of real-time bidding, Milekic said.
“We’re seeing it swing in the other direction now,” he said, “with a greater focus on enabling connectivity to happen more directly and in a way that’s more controlled, sanctioned, configurable – and, where possible, limits the amount of information being exchanged.”
For instance, location APIs developed by the big platform providers, including Google, Facebook and Apple, have begun to crop up as a way to add location awareness to an app. The API triggers a browser or app to ask for permission to access a user’s location.
People can also give their permission to allow specific apps and sites to figure out their location using a combination of cellular data, GPS, Wi-Fi and Bluetooth. Asking for consent means advertisers will have a smaller pool of people whose location they can pinpoint, but it won’t be impossible to do – if you ask.
But asking only really works at the individual level.
Household targeting is a different kettle of fish and will remain a massive challenge from a permissions point of view, particularly in the CTV environment where co-viewing is the norm.
Parents, for example, might not want a company to collect data generated by their children, Desai said, but there’s no easy way to say, “Use this data point in a profile, but don’t use that one.”
In the absence of an effective mechanism for managing permissions at the household level, advertisers, publishers and technology providers will need to be as transparent as possible, Desai said.
“People just want to know what data companies are collecting about them and how it’s being used – whether that’s an IP address or anything else,” he said.