
Apple's iCloud Private Relay being abused in $65M ad fraud


Apple's iCloud Private Relay is said to be causing problems for online advertisers, with an actively exploited weakness in how its traffic is trusted potentially costing U.S. firms over $65 million in 2022.

Apple positions iCloud Private Relay as a way to protect users' privacy on the Internet, using a two-hop relay infrastructure to hide the user's real IP address from tracking. However, that same system may be a headache for some online advertisers, who may have lost money to fraud that borrows its good reputation.

The Ad Fraud and Compliance research team at Pixalate claims there is an exploitable weakness relating to the IP addresses used by iCloud Private Relay. Dubbed "iP64," the scheme is believed to let ad fraudsters take advantage of the ad industry's trust in iCloud Private Relay traffic, along with other structural factors, to get away with ad fraud.

An unexpected problem for advertisers

Ad fraud covers the underhanded ways of serving ads, such as displaying them in non-compliant placements to rack up impressions, or faking impressions or clicks outright. By doing so, the fraudsters earn revenue for "displaying" ads that were never legitimately shown.

According to Pixalate, Apple's assertion that iCloud Private Relay traffic is safe from fraud is one thing fraudsters count on. Because Apple states that "Websites that use IP addresses to enforce fraud prevention and anti-abuse measures can trust that connections through Private Relay have been validated at the account and device level by Apple," advertisers add the published iCPR IP addresses to their "allow lists."

Secondly, programmatic advertising uses a complex supply chain where bids pass through multiple "hops." With so many intermediaries involved, most companies in the ad supply chain never see the device's connection directly and cannot verify the "declared" IP address in a bid request, so they work on trust.

Fraudsters then send ad requests from data centers while inserting an Apple-published iCPR IP address into the request as the declared device address. The result is that ad-serving firms see the iCPR IP address and "blindly trust the request," says Pixalate.

The level of fraud could be high: Pixalate believes that while 21% of Safari traffic claims to come through iCPR, more than 90% of that claimed iCPR traffic appears to be spoofed.

Growth rate of iP64 instances against growth of Safari traffic through iCPR [Pixalate]

In examples offered by Pixalate, end user IP addresses were declared to be iCPR addresses but actually originated from T-Mobile's network or from Amazon AWS data centers. In other cases, purported iCPR traffic carried a Firefox user agent, which should not occur in normal use since iCPR only relays Safari browsing.
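The two tells above, a declared iCPR address that the serving edge actually received from some other network, and an iCPR claim paired with a non-Safari user agent, are straightforward to check at any hop that terminates the client's connection. The following is an added example, not Pixalate's or Apple's code: the egress prefixes are documentation ranges standing in for Apple's published iCPR list, the request records are constructed, and the "observed" address is assumed to be the TCP peer seen by the edge that accepted the connection (downstream hops that only see the bid request cannot corroborate anything, which is the supply-chain gap the page describes).

```python
"""Corroborate declared iCloud Private Relay (iCPR) addresses in ad requests.

Added example. Assumptions: ICPR_RANGES are documentation prefixes standing in
for Apple's published egress list; all requests and user agents are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for Apple's published iCPR egress prefixes.
ICPR_RANGES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:1::/48")]


def in_icpr(ip: str) -> bool:
    """True if ip falls inside one of the iCPR egress prefixes."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ICPR_RANGES)


def looks_like_safari(ua: str) -> bool:
    """Every WebKit browser on iOS carries 'Safari/'; genuine Safari also
    carries 'Version/' and none of the third-party browser markers."""
    if "Safari/" not in ua or "Version/" not in ua:
        return False
    return not any(m in ua for m in ("CriOS", "FxiOS", "EdgiOS", "Chrome/", "Firefox/"))


@dataclass
class AdRequest:
    request_id: str
    declared_ip: str            # device IP as carried in the bid request
    observed_ip: Optional[str]  # TCP peer address; None at hops that never saw the socket
    user_agent: str


def naive_allowlisted(req: AdRequest) -> bool:
    """The weak policy: waive IP-based fraud checks because the declared IP is in Apple's list."""
    return in_icpr(req.declared_ip)


def classify(req: AdRequest) -> str:
    """Label a request by how well its iCPR claim is corroborated."""
    if not in_icpr(req.declared_ip):
        return "not-icpr"
    if req.observed_ip is None:
        return "icpr-unverifiable"      # downstream hop: cannot corroborate the claim
    if not in_icpr(req.observed_ip):
        return "icpr-spoofed"           # claim came in from a non-iCPR network
    if not looks_like_safari(req.user_agent):
        return "icpr-ua-mismatch"       # iCPR only relays Safari browsing
    return "icpr-verified"


def allow_icpr_bypass(req: AdRequest) -> bool:
    """Hardened policy: only corroborated iCPR traffic skips IP-based fraud checks."""
    return classify(req) == "icpr-verified"


def spoof_rate(reqs: List[AdRequest]) -> float:
    """Share of claimed-iCPR requests that fail corroboration (unverifiable ones excluded)."""
    claimed = [r for r in reqs if in_icpr(r.declared_ip)]
    bad = [r for r in claimed if classify(r) in ("icpr-spoofed", "icpr-ua-mismatch")]
    return len(bad) / len(claimed) if claimed else 0.0


# Constructed sample traffic: 198.51.100.0/24 plays iCPR, 203.0.113.0/24 a data
# center, 192.0.2.0/24 a mobile carrier.
SAFARI_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_1 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1")
FIREFOX_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0"

SAMPLE = [
    AdRequest("r1", "198.51.100.17", "198.51.100.17", SAFARI_UA),   # genuine relay user
    AdRequest("r2", "198.51.100.23", "203.0.113.9", SAFARI_UA),     # declared iCPR, sent from a data center
    AdRequest("r3", "198.51.100.40", "198.51.100.40", FIREFOX_UA),  # iCPR address with a Firefox UA
    AdRequest("r4", "192.0.2.5", "192.0.2.5", SAFARI_UA),           # ordinary carrier traffic
    AdRequest("r5", "198.51.100.8", None, SAFARI_UA),               # seen only by a downstream hop
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.request_id, classify(r), "naive-allow" if naive_allowlisted(r) else "",
              "hardened-allow" if allow_icpr_bypass(r) else "")
    print("spoof rate among claimed iCPR:", spoof_rate(SAMPLE))
```

The key design point is the "icpr-unverifiable" outcome: a hop that never terminated the connection has nothing to compare the declared address against, so the hardened policy refuses to grant the bypass there rather than inheriting trust from a field anyone upstream could have written. Only the edge that accepted the TCP connection can turn the claim into "icpr-verified".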

On how the ad industry can mitigate such fraud, the researchers believe ad tech firms should gain a better understanding of their supply chain, analyze where traffic actually originates, and work with ad sellers to reduce misrepresented traffic.

Fix could have collateral damage

However, a near-term proposal involves adding the iCPR IP addresses to "block lists" instead, explicitly refusing to trust traffic that claims to come from iCPR.

"While this approach may result in blocking real iCPR users - true adoption numbers appear to be low enough that, in the near term, most companies would not see any material impact (other than IVT reductions)," Pixalate offers.