Mar 22, 2021 6 min read

Will Sign in with Apple destroy universal identifiers?

Sign in with Apple is a single sign-on service offered natively on all Apple devices that gives users the option to register with apps using a randomly generated and unique email address.

A single sign-on service (SSO) allows users to authenticate with multiple platforms or services using a single set of credentials. Popular examples of SSOs include Facebook Login or Google Sign-In.

Unlike other SSO solutions that reveal a user's email address, Sign in with Apple provides an option to "hide" a user's personal email address from app developers. Hiding a personal email address is the killer privacy feature of Sign in with Apple.

Unfortunately, this killer feature may also kill personalized advertising on Apple devices and the web.

What is Sign in with Apple?

In September of 2019, Apple announced that they would require Sign in with Apple if an app offers a third-party SSO service such as Facebook Login or Google Sign-In. This new requirement immediately gave Sign in with Apple a sizeable footprint on iOS apps that would eventually equal all other third-party login services.

When a user chooses to Sign in with Apple, an app presents them with two choices:

  1. Share My Email
  2. Hide My Email

The second option should send shivers down the spines of advertisers hoping to track users with universal identifiers powered by hashed email addresses.

If a user chooses the "Hide My Email" option, Apple will generate a unique random email address. Apple will then share this pseudonymous email address with an app rather than the user's actual personal email address. The email will follow a standard format:

<unique-alphanumeric-string>@privaterelay.appleid.com

So when registering, a developer will receive an email like:

[email protected]

If the same user signs in with Apple on another app and chooses to hide their email, Apple will generate a different unique random email address. Apple will forward all emails sent to these generated email addresses to the user without revealing their personal email address.

Sign in with Apple Kills Universal Identifiers

In the wake of Chrome deprecating third-party cookies and Apple making the iOS IDFA opt-in, advertisers and ad tech platforms have scrambled for solutions to track users without the identifiers they know and love.

The Trade Desk and LiveRamp universal identifier solutions based on hashed email addresses have gained the most traction, but hiding a user's personal email address creates a thorny problem for any universal identifier based on email addresses.

The Trade Desk / PreBid Unified ID 2.0 and LiveRamp Authenticated Traffic Solution / IdentityLink rely on receiving a persistent email address as the identifier used to track users across the web and apps. If a user shares a one-time email address with a publisher, there is no common identifier to link audiences across publishers and platforms, since no two emails from the same user will ever match.

To make matters worse, Sign in with Apple can work on other platforms or the web via Sign in with Apple JS. This JavaScript API provided by Apple allows web developers to integrate Sign in with Apple into their website. The one prerequisite is that the developer must have an accompanying app approved on the App Store.

So if anybody thinks this is just an iOS problem, think again. Apple wants to make this product ubiquitous across all platforms.

Apple vs. Advertising

Apple made a prescient and calculated business decision by introducing Sign in with Apple. A common criticism of the new Apple policy to require user opt-in to collect an IDFA is that Apple wants to curtail advertising on the platform in general. Introducing Sign in with Apple follows that same pattern of decision making.

Apple does not take a revenue share from developers displaying in-app advertisements, but Apple does take a 30% revenue share on any subscriptions or in-app purchases. It benefits Apple to disincentivize publishers from focusing on advertising as their primary business model. Compelling developers to shift focus to digital products and subscriptions grows Apple revenue.

Essentially killing IDFA and obfuscating user email addresses hamstrings the main value proposition of digital advertising — precise user-level targeting.

Without a persistent identifier, advertisers cannot retarget users, layer on 1st and 3rd party data, apply a frequency cap, or track conversions.

Additionally, without these distinct advantages of personalized digital advertising:

  1. Spend will shift to walled gardens and other platforms that can support personalized advertising
  2. CPMs on iOS will decrease as advertisers need to spread their message more broadly
  3. Users will see much less relevant ads

Apple has positioned its business in a more competitively advantageous position under the guise of user privacy. Similar to the recent decision by Google to lob a grenade on universal identifiers, these moves by Apple simultaneously increase their dominance as a company and engender trust from users and politicians.

We may not know whether these privacy-focused features introduced by Apple were motivated by profit or nobility, but they are a win-win for the tech giant any way you look at it.

Sign in with Apple Alternatives

Sign in with Apple is not the only service looking to shield user email addresses from publishers and advertisers. More generic solutions exist that do not require a developer to integrate a third-party service.

Some of these solutions, similar to Sign in with Apple, render any universal identifier based on hashed emails useless.

Services like Firefox Relay, SimpleLogin, and Burner Mail create an email alias per service that the user can provide during registration instead of a personal email. Emails sent to the email aliases will forward to the user's personal email without revealing that address to any third party.

These services exist solely to preserve the privacy of their users' identity without considering the impact they may have on digital advertising powering the open web.

I had a chance to chat with Keith Petri, CEO of lockrMail, and he believes there is room for harmony between user control, privacy, and personalized advertising:

"The forced registration of users on sites is actually the impetus for machine-generated email solutions to take off - consumers want to control what hits their inbox. We are the only solution that provides this benefit for consumers and doesn't break the business model of the open and free internet."

Keith's company provides the same privacy benefits as other email alias services, but not in a way that breaks personalized advertising. lockrMail creates a single public-facing email alias for users rather than an email alias per service.

Since there is a one-to-one relationship between a user and email address, publishers can still use the lockrMail email alias with hashed email universal identifier solutions.

"The value exchange of the Internet was originally negotiated without consumers at the table. The death of the cookie presents an opportunity to redefine the Internet’s value exchange and incorporate consumer choice & consent. lockrMail is at the table to represent the best interests of the consumer in this renegotiation."

Unfortunately for the digital advertising industry, Keith's competitors do not share the same concerns around the advertising business models supporting publishers. While lockrMail strategically aligns itself with publishers, other email alias services pose a significant threat to personalized advertising in a post-cookie and IDFA world.

If user adoption of email-per-platform services continues to grow, then the value proposition of universal identifier solutions will proportionally disintegrate.
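The matching argument from the two sections above, as an added example that is not code from any of the products named: it compares a persistent email, per-app Hide My Email addresses, and a single alias shared with every publisher. The trim, lowercase and SHA-256 scheme, the publisher names and every address are assumptions constructed for illustration; real identifier products define their own normalization.

```python
import hashlib
from collections import defaultdict

APPLE_RELAY_DOMAIN = "privaterelay.appleid.com"  # relay domain quoted in the article


def hashed_email_id(email: str) -> str:
    """Assumed scheme: trim, lowercase, SHA-256 hex digest of the address."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def is_apple_relay(email: str) -> bool:
    """True when the address sits on Apple's private relay domain."""
    return email.strip().lower().rpartition("@")[2] == APPLE_RELAY_DOMAIN


def linked_users(registrations):
    """Users whose hashed ID shows up at two or more publishers."""
    publishers_by_id = defaultdict(set)
    owner_by_id = {}
    for publisher, user, email in registrations:
        ident = hashed_email_id(email)
        publishers_by_id[ident].add(publisher)
        owner_by_id[ident] = user  # ground-truth label, kept only to report results
    return {owner_by_id[i] for i, pubs in publishers_by_id.items() if len(pubs) > 1}


def relay_share(registrations):
    """Fraction of registrations that arrived with a relay address."""
    return sum(is_apple_relay(e) for _, _, e in registrations) / len(registrations)


# Constructed sample data: (publisher, ground-truth user, email the publisher received).
# Publishers never see the middle column; it exists so the output is readable.
REGISTRATIONS = [
    ("news-app", "alice", "Alice@example.com"),       # persistent personal email
    ("game-app", "alice", "alice@example.com "),      # same email, different casing/spacing
    ("news-app", "bob", "k7q2m9x4td@privaterelay.appleid.com"),  # Hide My Email, app 1
    ("game-app", "bob", "z3h8w1r6pn@privaterelay.appleid.com"),  # Hide My Email, app 2
    ("news-app", "carol", "carol.alias@alias-provider.example"),  # one alias for all sites
    ("game-app", "carol", "carol.alias@alias-provider.example"),
]

if __name__ == "__main__":
    print("linkable across publishers:", sorted(linked_users(REGISTRATIONS)))
    print("share of relay registrations:", round(relay_share(REGISTRATIONS), 2))
```

Only the users with one stable address produce a hash that two publishers can join on; the per-app relay addresses hash to unrelated values.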

Sign in with Apple will destroy universal identifiers

Each user that chooses to Sign in with Apple or use a similar service that hides their email address creates one less individual that advertisers can track across apps and websites.

Publishers and platforms can choose not to offer Sign in with Apple, but they would have to remove any option in their iOS apps to sign in with another third-party service like Facebook or Google. To take it a step further, these companies would probably want to block emails from any email alias services.

In addition to advertising concerns, Sign in with Apple can cause account management issues. The team behind AnyList decided to remove Sign in with Apple, and consequently all SSO options. In a blog post describing the reasoning, AnyList Co-Founder Jeff Hunter cited customer service, usability, and security issues.

Obfuscated emails add complexity to any digital business, and developers may increasingly choose to ban them. But at what cost to their reputation and user base? Will users demand the privacy protections offered by services that can hide their personal information and rebuke companies that actively prevent their use?

Maybe publishers can explain the value exchange of advertising and how it powers the creation of free content. The explanation is simple, right?

Publishers merely have to explain to non-technical individuals how email addresses are the new universal identifier of choice to power personalized advertising in the wake of the deprecation of the third-party cookie and mobile advertising identifiers...ok now I'm even starting to bore myself.

The fact of the matter is that Apple is priming users to believe in one simple mantra — "Tracking bad. Privacy good."

Apple is riding the wave of privacy all the way to the bank, and users are lining up with their surfboards. If Sign in with Apple gains enough traction, then universal identifier solutions like The Trade Desk Unified ID 2.0 and LiveRamp IDL are dead in the water.

Ad Tech Explained
Let's face it, ad tech can be confusing. I created this site to break down complex digital advertising topics, specifications, and news to make it all easier to understand.