<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=134132097137679&amp;ev=PageView&amp;noscript=1">

Pixalate Ad Fraud Study August 2022: 90% of purported iCloud Private Relay Traffic May Be Invalid (IVT)

Amit Shetty
Aug 25, 2022 8:06:02 AM

This blog was co-authored by Ian Trider, VP of RTB Platform at Basis Technologies.

Apple’s iCloud Private Relay has been a topic of interest - and contention - for the advertising industry over the last year. Pixalate conducted a study covering over 70 Billion transactions analyzed by Pixalate over a 3-month period, and provides insights into the apparent impact of iCloud Private Relay so far.

Key Takeaways :

  1. According to Pixalate’s analysis, iCloud Private Relay traffic appears to be associated with around 21% of the traffic purported to come from Apple Devices on both mobile and desktop Safari.
  2. However, there appear to be discrepancies in most of the traffic that are not in line with Apple’s description of the expected behavior. Almost all of such traffic appears to be invalid (IVT).
  3. Only around 1%-2% of traffic from purported Apple devices was detected as originating from an iCloud Private Relay IP and exhibiting the expected behavior of devices behind iCloud Private Relay, hinting at the actual adoption rate of the service.
  4. The cases where an iCloud Private Relay IP address is referenced is increasing. This number has doubled over the past 6 months (from about 10% to now about 20%). Most of this increase is due to the seemingly spoofed traffic, while the percentage of detected iCloud Relay traffic has remained relatively constant.
  5. There appears to be some amount of traffic (<1%) that is coming from non-Apple devices but is nonetheless claiming to be iCloud Private Relay.
  6. Overall, it appears that fraudsters might already be trying to take advantage of the concept of iCloud Private Relay. They may be trying to make their traffic look more legitimate in the hope that AdTech firms may just be adding these IP ranges to allow-lists and blindly letting them through. While Pixalate is able to detect this form of  IVT and protect our clients, the number of such attempts seem to be growing over the last 6 months. This seems to indicate that fraudsters may be having some level of success with this form of spoofing.

What is the iCloud Private Relay? 

iCloud Private Relay (iPR) is a service from Apple intended to allow iPhone, iPad and Mac users to connect to the internet in a secure and private manner. This is one of Apple’s recent privacy initiatives. It was announced in 2021, is currently in beta, and is expected to be expanded this year via iOS 16.  More information is available at this white paper from Apple and also from this excellent presentation by Will Law from Akamai for deeper technical details.

Why does it matter for advertising?

Apple’s iCloud Private Relay announcement has been met with some consternation in the media / advertising industry. In some ways it is considered the 4th wave of privacy technology solutions from Apple (Removal of 3rd party cookies on Safari, App Tracking Transparency/ATT updates & limiting of the IDFA, email obfuscation using “hide my email,” and now, hiding IP addresses). 

The concerns around iCloud Private Relay are driven by the fear of losing accurate user IP Address information, which could have impacts in the following areas.

  • Fingerprinting
  • Location based advertising 
  • Frequency capping
  • Measurement
  • Ad Fraud detection

Methodology of this study

This study covered relevant traffic analyzed by Pixalate over a  3-month period (5/15 - 8/15) for the topline numbers. We checked over 70 Billion transactions to conduct this research. In addition, we gathered some key metrics over a longer (6-month) period in order to gather a time chart to view the trends over time. We only covered US traffic at this time because iCloud Private Relay is in limited beta.

Apple publishes all the IP Address Ranges associated with iCloud Private Relay (i.e, any “egress IP” seen on an iCloud Private Relay connection will be included in the list).  Pixalate uses this published information to identify traffic that appears to be related to iCloud Private Relay.

We looked at overall Mobile and Desktop traffic, before zeroing in on the most relevant (per Apple’s beta description) device types & traffic - Safari on iOS & macOS. This allows readers to evaluate the data in either context.

Definitions used in the charts below:

  • Declared : impressions where the original ad request (in the bidstream) claims to have come from an iCloud Private Relay source
  • Detected : impressions where Pixalate detected (post delivery) the source to be an iCloud Private Relay source.

Analysis:

  • Overall numbers

These are the percentages of iCloud Private Relay traffic compared to ALL mobile and desktop traffic (not just iOS/MacOS) seen by Pixalate in the 3-month snapshot analysis. This is intended to give an understanding of the scale of iCloud Private Relay traffic.

image

  • Apple device numbers

This is the Breakdown of iCloud Private Relay related traffic across Mobile and Desktop Safari traffic (which are the 2 areas where iCloud Private Relay traffic is expected to be present). 

image (1)
  • Traffic Trends: 

This section presents the trendlines for iCloud Private Relay traffic on Mobile and Desktop Safari, across a 6-month period. 

  • Mobile iOS (Safari)

  • Desktop Mac OS Safari

Ad Tech Implications: 

The high percentage of ad requests claiming to be coming from iCloud Private Relay on Safari traffic suggests that all the ad tech platforms (DSPs, Exchanges, SSPs) may need to pay heightened attention to purported iCloud Private Relay traffic. In particular, they may need to think about implications to targeting, frequency capping, geotargeting, pre-bid fraud filtering (by IP), etc. Based on our research, it appears that iCloud Private Relay does not have immunity to fraud. 

Blindly adding these IP addresses to allow-lists may let in large amounts of IVT, as we see above. This IVT could come from bad actors falsely claiming an iCloud Private Relay IP in bid requests. In addition, traffic originating from published iCloud Private Relay IPs cannot be assumed to be per se fraud free. 

Pixalate is working on a follow up investigation to dive deeper into the sources of IVT related to this traffic. 

If you have any questions or feedback regarding this report, please contact us at info@pixalate.com.

Search Blog

Follow Pixalate

Subscribe to our blog

*By entering your email address and clicking Subscribe, you are agreeing to our Terms of Use and Privacy Policy.

Subscribe to our blog

*By entering your email address and clicking Subscribe, you are agreeing to our Terms of Use and Privacy Policy.