IAB Tech Lab's Jordan Mitchell on DigiTrust, Online Identity and Solutions to the 'Cookie Crumble'

Jordan Mitchell is Senior Vice President at IAB Tech Lab (Tech Lab), and was formally co-founder and CEO of DigiTrust, a neutral, non-profit consumer ID service, which was acquired by IAB Tech Lab in April 2018.

We spoke to Jordan, to find out the background, the problems Digitrust is aiming to solve, and how Nordic publishers can get involved:

What problem is Tech Lab trying to solve with its DigiTrust standard ID, and why is this so important?

The purpose of a standardized ID is to dramatically reduce the number of third-party requests and cookies that are placed on the web pages that we frequent as consumers. Everyone wins as a result: we dramatically improve web page performance for consumers, reduce data leakage and improve monetization for publishers, improve audience scale for advertisers, and improve consumer trust for our industry by being better stewards of consumer privacy.

Publishers and marketers use many different companies today to deliver to consumers personalized digital content and advertising over the web, across many different devices.

None of this can happen without the ‘HTTP cookie', which web standards bodies invented over 25 years ago for the basic ability to distinguish one consumer from another. As per HTTP cookie standards, every different online company must create their own proprietary, cookie-based user token to recognize a consumer device, which none of their partners are able to read.

That means in order to work together in real-time, each company must maintain elaborate systems and processes to synchronize the different tokens used by each of their partners, for each consumer, on each web browser in every connected device.

The conventional process to update those systems and synchronize tokens with each other is called “pixel syncing” (or “cookie syncing”), and this process — because it’s so widely deployed across so many companies — can result in more than 100 third-party requests on a given web page. This slows down the web experience publishers offer their consumer audiences and is costly for third-party companies to maintain.

The DigiTrust service creates a pseudonymous user token and stores it within a conventional cookie that may be read and propagated by DigiTrust members. With a standardized ID token provided to and used by all parties, pixel syncs are rendered obsolete. Hundreds of billions of unnecessary daily third-party pixel sync requests can be removed from web pages.

What is the rate of adoption of your solution?

We have nearly 6000 publisher websites that have deployed so far, who are already seeing up to 31% improvement to revenue. DigiTrust is being used by all of the major SSPs, and also supported by many of the leading DSPs too. As cookies continue to be challenged, the platforms appreciate the simplicity of a common identifier that improves their match rates (and revenue) and will reduce their operating costs. 

But we can still do better: there are a number of companies who are still focused on proliferating their own proprietary cookie-based ID. But our point of view is that the consumer device identifier needs to be a common utility coupled to each consumer’s privacy preferences. This standardized identifier layer forms the important bridge between first parties and the broader third-party ecosystem. So rather than developing as a proprietary, competitive advantage for third-parties, the standardized ID needs to be a web standard and not really owned by everyone – if anything, it’s owned by the consumer!

Is online identity a ‘one ring to rule them all’ problem, or can multiple offerings co-exist in future? What are the potential downsides/upsides, if that does happen? 

Online identifiers and third-party tracking (for any purpose) is being threatened by all the browser/operating system platforms, so it’s important that we work together as an industry to promote responsible consumer privacy and data practices. It remains to be seen whether those responsible practices will be limited to one “blessed” identifier or multiple, but in no way do we see the status quo of hundreds of fragmented identifiers and rampant “tracking” practices surviving.

Indeed, conversations with the browser/OS platforms imply that all third parties either win or lose together – that’s the potential impact. The upside is only possible if we as an industry come together in support of responsible, accountable consumer privacy practices tied to a standardized, privacy-safe identifier.

The challenges around cookies right now are pretty well documented. Could you explain how your solution is different - i.e. is it also cookie-driven, and if so, is that a sustainable, long-term solution? 

Everything we do in this sector comes back to three types of pseudonymous consumer identifiers: cookie-based (set by each company), provided by the device itself (like a mobile device ID), or inferred (aka “fingerprinting”). Those are the only three ways in which industry third-parties can do anything around personalisation, measurement, attribution or analytics. That extends even to our privacy practices, like recognising an opt out or respecting a GDPR-related consumer privacy setting. Everything comes back to one of those three identifiers – and all three of them are at risk. We think that browsers and OS platforms will continue the path they’re already on - deprecating functionality around 3rd party cookies and fingerprinting in favour of consumer privacy, regulation and mitigation of liability. And then they’ll move onto the device ID.

There are different “identity consortium” approaches in the market, all of whom (including DigiTrust) will be affected the deprecation of third-party cookies. However, most of them are tied to commercial endeavours and proprietary tech. DigiTrust is the only neutral, non-profit, standards-based approach, and only Tech Lab has the weight of the global ecosystem behind it, including 41 of the 47 global IAB organizations. Armed with supportive industry members and progressive consumer privacy and industry accountability proposals, we have the unique ability to collaborate with the browser/OS platforms on technical standards that move beyond the cookie.

We’re trying to eliminate the browser tech / ad tech arms race and solve the identifier issues for our industry at large while also advancing consumer privacy protection.  This is why IAB Tech Lab continues to push for adoption of DigiTrust – because we all need to come together around one solution that’s aligned with consumer privacy. And the more cooperation there is around one solution, the more appetite the browsers have to work with us. And once we solve this for the web, then we have a proven model we can use at the device level.

Is a move to fewer identifiers a positive for privacy?

Fewer identifiers does improve consumer privacy, and more importantly, it makes true industry accountability easier to achieve.

Currently, there are 100s of third-party cookies and requests being served on any given website, with thousands of proprietary data stores, where personal data is stored. It’s hard for consumers to get their heads around that. No doubt it’s hard for regulators too.

For improved consumer privacy and trust, we need to work towards a system with fewer cookies, which are very closely aligned with privacy settings. We need to put the consumer in charge of their privacy preferences, not the browser. Consumer choice is paramount. We must work together with the browser/OS platforms and the privacy community to make consumer choices durable, so they can propagate from party to party, and are respected uniformly by everyone in the digital media ecosystem.

In addition, we’re suggesting we establish technical mechanisms for enhanced accountability.  More information on our proposals, can be found here.

What does a publisher need to do today in order to activate with your ID solution?

We have a dedicated publisher area on the DigiTrust site that provides all of the information. Please contact DigiTrust@iabtechlab.com for more.

It’s free for publishers to use, they simply deploy Javascript on their pages to make the ID available to the platforms they work with. There’s a short agreement on site they need to sign off on. They test the Javascript, deploy it and then just really get behind the effort and tell platforms to deploy and use it everywhere they currently use IDs effectively.