In 2022, Google began reducing the information available in User-Agent strings across its Chromium browsers. The replacement is a set of HTTP request header fields called Client Hints. Through this process, a server can request, and if approved by the client, receive information that would previously have been freely available in the User-Agent string. This change is likely to have an impact on publishers across the open web that may use User-Agent information today.

To explain what this change means, how it will impact the AdTech industry, and what you can do to prepare, we spoke with Nate West, our Director of Product.

What is the difference between User-Agents and Client Hints?

A User-Agent (UA) is a string, or line of text, that identifies information about a web server’s browser and operating system. For example, it can indicate if a device is on Safari on a Mac or Chrome on Windows.

Here is an example UA string from a Mac laptop running Chrome:

To limit the passive fingerprinting of users, Google is reducing components of the UA strings in their Chromium browsers and introducing Client Hints. When there is a trusted relationship between first-party domain owners and third-party servers, Client Hints can be used to share the same data.

This transition began in early 2022 with bigger expected changes beginning in February 2023. You can see in the above example, Chrome/109.0.0.0, where browser version information is already no longer available from the UA string on this desktop Chrome browser.

How can you use User-Agent device attributes today?

UA string information can be used for a variety of reasons. It is a component in web servers that has been available for decades. In the AdTech space, it can be used in various ad targeting use cases. It can be used by publishers to better understand their audience. The shift to limit access and information shared is to prevent nefarious usage of the data.

What are the benefits of Client Hints?

By using Client Hints, a domain owner, or publisher, can manage access to data activity that occurs on their web properties. Having that control may be advantageous. The format of the information shared is also cleaner than parsing a string from User-Agents. Although, given that Client Hints are not the norm across all browsers, a long-term solution may be needed to manage UA strings and Client Hints.

An advantage of capturing and sharing Client Hint information is to be prepared and understand if there is any impact to your systems and processes. This will help with the currently planned transition by Google, but also should the full UA string become further restricted.

Who will be impacted by this change?

Publishers across the open web should lean in to understand this change and any potential impact to them. The programmatic ecosystem supporting real-time bidding (RTB) needs to continue pushing for adoption of OpenRTB 2.6, which supports the passing of client hint information in place of data from UA strings.

What is Google’s timeline for implementing Client Hints?

Source: Google

Do businesses have to implement Client Hints? What happens if they don’t?

Not capturing and sharing with trusted partners can impact capabilities in place today. Given Chromium browsers account for a sizable portion of web traffic, the impact will vary for each publisher and tech company in the ecosystem. I would assess how UA strings are in use today, where you may have security concerns or not, and look to get more information on how to maintain data sharing with trusted partners.

We can help you adopt Client Hints

Reach out to our Customer Success team at tapadcustomersuccess@experian.com to explore the best options to handle the User-Agent changes and implement Client Hints. As leaders in the AdTech space, we’re here to help you successfully make this transition. Together we can review the options available to put you and your team on the best path forward.

About our expert

Nate West, Director of Product

Nate West joined Experian in 2022 as the Director of Product for our identity graph. Nate focuses on making sure our partners maintain and grow identity resolution solutions today in an ever-changing future state. He has over a decade of experience working for media organizations and AdTech platforms.
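
The request-and-approve flow described in the interview above, as an added example that is not part of the original post or Experian's code: a first-party server asks for hints with `Accept-CH`, delegates them to one third-party origin with `Permissions-Policy`, then reads the hints and falls back to the reduced UA string when none arrive. The partner origin and all sample header values are constructed assumptions.

```javascript
// Added example: hint header names are standard; partner origin and samples are constructed.
const PARTNER = "https://partner.example"; // hypothetical trusted third party

// Response headers a publisher sends to request high-entropy hints and to
// delegate them to one named third-party origin.
function hintRequestHeaders() {
  const hints = ["Sec-CH-UA-Full-Version-List", "Sec-CH-UA-Platform-Version"];
  const policy = hints
    .map((h) => `${h.toLowerCase().replace("sec-", "")}=(self "${PARTNER}")`)
    .join(", ");
  return { "Accept-CH": hints.join(", "), "Permissions-Policy": policy };
}

// Parse a brand list such as: "Chromium";v="109", "Not_A Brand";v="99"
function parseBrandList(value) {
  const brands = [];
  const re = /"((?:[^"\\]|\\.)*)"\s*;\s*v="([^"]*)"/g;
  for (const m of (value || "").matchAll(re)) {
    // Chromium adds a changing placeholder brand; skip it (heuristic match).
    if (!/not.*brand/i.test(m[1])) brands.push({ brand: m[1], version: m[2] });
  }
  return brands;
}

// Prefer hints; fall back to the reduced UA string when none were sent.
// Every value here is client-supplied, so treat it as untrusted input.
function describeClient(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const list = parseBrandList(h["sec-ch-ua-full-version-list"] || h["sec-ch-ua"]);
  if (list.length > 0) {
    const pick = list.find((b) => b.brand !== "Chromium") || list[0];
    return { source: "client-hints", browser: pick.brand, version: pick.version,
      platform: (h["sec-ch-ua-platform"] || "").replace(/"/g, "") || null,
      mobile: h["sec-ch-ua-mobile"] === "?1" };
  }
  const m = /Chrome\/([\d.]+)/.exec(h["user-agent"] || "");
  return { source: "user-agent", browser: m ? "Chrome" : null,
    version: m ? m[1] : null, platform: null, mobile: null };
}

// Constructed sample requests (not captured traffic).
const REDUCED_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) " +
  "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36";
const WITH_HINTS = {
  "User-Agent": REDUCED_UA,
  "Sec-CH-UA-Full-Version-List": '"Not_A Brand";v="99.0.0.0", ' +
    '"Google Chrome";v="109.0.5414.87", "Chromium";v="109.0.5414.87"',
  "Sec-CH-UA-Platform": '"macOS"', "Sec-CH-UA-Mobile": "?0",
};
console.log(describeClient(WITH_HINTS), describeClient({ "User-Agent": REDUCED_UA }));
```

Logging the `source` field per request shows how much traffic already depends on hints and how much still resolves only from the reduced UA string.
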

Up next in our Ask the Expert series, Ben Rothke, Senior Information Security Manager, reviews two certifications that should be part of your information security strategy: Service Organization Control (SOC) 2 Type 2 and International Organization for Standardization (ISO) 27001. Tapad, a part of Experian, is 27001 and SOC 2 Type 2 compliant.

Two information security certifications you can trust

Seals from Good Housekeeping and Underwriters Laboratories give consumers confidence that they can trust the product that they’re buying. For IT solutions or service providers, what, or who can you turn to for that seal of approval? There are many equivalent third-party attestations you can use. But which should you trust?

- The International Organization for Standardization (ISO) 27001
- The American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC)

International Organization for Standardization (ISO)

27001 is an international standard for information security from the ISO. ISO 27001 is globally acknowledged and sets requirements for controls, maintenance, and certification of an information security management system (ISMS). This international standard provides organizations with a framework to identify, manage and reduce risks related to the security of information.

System and Organization Controls (SOC)

The SOC, as defined by the AICPA, is a set of audit reports. SOC reports, like 27001 certificates, are used by service organizations to give their customers the confidence they have adequate information security controls in place to protect the data that they handle.

SOC 2 is an assessment of controls at a service organization regarding security, availability, processing integrity, confidentiality, and privacy. The purpose of the report is to provide extensive information and assurance to a broad range of users about the controls at a service organization that are relevant to the security, availability, and processing integrity of the systems that process user data, as well as the confidentiality and privacy of the information processed by these systems.

Why ISO 27001 and SOC 2 are important

The value of these third-party attestations is two-fold:

- Organizations can show they have passed an independent external audit
- Third-party attestations save organizations the time of having to do their own audits

In addition to 27001 and SOC 2 Type 2 compliance, we are also certified with ISO 27017 and 27018, which are add-ons to 27001 that are specific to cloud computing. We take the security and privacy of our customers’ data as seriously as they do.

Every cloud service provider (CSP) has a responsibility matrix that details what security and privacy tasks they are responsible for and which ones the customer is responsible for. Any cloud customer that needs to be made aware of what their security tasks are is putting themselves at risk.

So, when you want to engage a CSP, ask them for their attestations. They worked hard for them and will be proud to share their compliance.

We’re powered by decades of setting standards in marketing services

At Experian, we’re a privacy-first business. We’re highly focused on respecting people, their data, and their privacy. We continue to show our dedication to information security by completing these security audits every year.

The constant changes to data compliance regulations can be challenging to navigate, but you don’t have to do it alone. Contact us today. We will be your guide so you can ethically and confidently reach your customers.

About our expert

Ben Rothke, Senior Information Security Manager

Ben Rothke, CISSP, CISA, is a Senior Information Security Manager at Tapad, a part of Experian. He has over 25 years of industry experience in information systems security and privacy. His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, cryptography, and security policy development. Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill), and writes security and privacy book reviews for the RSA Conference Blog and Security Management magazine.

We’re excited to introduce our new Q&A series, Ask the Expert! Ask the Expert will feature a series of conversations with product experts. We’ll spotlight and dive into the areas you care most about: identity resolution, targeting, attribution, and more.

Our first segment features a conversation on Hashed Email. Jeff Tognetti, the Product Development Team Lead at DealerX, joins us to chat with Experian’s Chief Revenue Officer, Chris Feo. Chris and Jeff review how to future-proof your identity strategy by exploring Hashed Email use cases and technical details, and offer an expert point of view on the cookieless future. Let’s review a few highlights from their conversation.

DealerX’s use case

When DealerX first started working with us, we focused on digital identity. DealerX wanted to understand the browsing habits of their first-party shoppers that relate to their clients:

- What they’re doing
- How they’re interacting with client sites and products
- Apply those learnings to target them across the web
- Eliminate ad fraud and targeting waste

Our partnership gave DealerX the ability to take an anonymous consumer from anywhere across their portfolio of customers and understand who they are, while in an anonymous state. Then, they could activate on any channel where that consumer may be in the market for a product. This allowed DealerX to resolve who these people are as they browse the web, leading to reduced ad spend and targeting waste. This was the original and primary use case for DealerX when partnering with us.

So, when did Hashed Email come into the mix for DealerX? Before we dive into the specifics, let’s take a step back and understand Hashed Email.

What is Hashed Email?

Hashed Email is a privacy-safe identifier that can further enrich the connection between the online (digital) and offline (real world) ecosystems. When paired with the Tapad Graph with access to Tapad’s universe of email data, it can provide maximum coverage for targeting and measurement when combined with IDs such as cookies, mobile ad IDs (MAIDs), connected TV (CTV) IDs, and IP addresses.

Email hashing uses a method of coding to transform an email address into a jumble of numbers and letters so that it’s fully pseudonymized and privacy safe. Hashed emails can then be used as a digital identifier when a user is logged in to that email and trace their activity – without linking back to the user’s real email address. This allows marketers to collect data on their users and understand their behavior without knowing their email address – a win for both consumer privacy and marketer insight.

DealerX & Hashed Email

DealerX was one of our first customers to onboard Hashed Email to the Tapad Graph. Adding Hashed Email gave them a privacy-compliant way to work with identity and resolve what a user did on their site. This allowed them to gain insight into where an ad and impression was served; even the day and time these actions occurred.

Now, we’re not the only data partner that DealerX works with. Many companies offer the notion of converting email to a digital ID in a privacy-safe way. How does DealerX evaluate the right data partner?

Evaluating the right data partner

When we say, ‘data partner,’ we’re referring to the data, the service, and the support. The most important characteristics to consider when choosing a data partner, according to DealerX, include:

- Technical prowess
- Efficiency
- Agility
- Scalability

Why did DealerX choose to partner with us? Our services met the characteristics they were looking for in a data partner. We grew the product by iterating on features that worked best for Jeff and his team. The rollout was organized, efficient, and lacked bureaucracy, which can slow down an implementation timeline.

While we started our relationship with DealerX as a vendor, now we're partners. How did we transition from vendor to partner?

Transitioning from vendor to partner

The key to a great partnership is trust. It’s tough to navigate an ecosystem with numerous companies that claim to have the same products and services. The relationship will start off as vendor-client, and both teams will get to know each other’s strengths and weaknesses. As the vendor makes your work seamless and offers an efficient implementation process, the relationship turns into a partnership.

There’s more!

This is just a taste of Chris and Jeff’s conversation. Visit the Ask the Expert content hub to watch a recording of the conversation.

Stay tuned for future segments in our Ask the Expert series. We’re just getting started!

About DealerX

In just a few short years, DealerX has grown to serve 1,000’s of Tier 3 dealerships across all brands, enterprise partners and OEMs. Their keen approach to data, analytics, machine learning and programmatic initiatives has led DealerX to quickly become the most savvy player in the automotive space. DealerX has helped automotive retailers save 10’s of millions of dollars by avoiding fraud and eliminating wasteful ad spends, while dramatically reducing “cost per sale.” In doing so, their partners significantly outperform those leveraging generic “one size fits all” competitive offerings. To learn more, visit their website at Dealerx.com.