The Tyranny of the First-Party

“The greatest trick the devil ever pulled was convincing the world he didn’t exist.”

— Roger “Verbal” Kint, “The Usual Suspects”

Over the last 9 months, I’ve attended hundreds of hours of W3C and related meetings on topics of web advertising, privacy, browser technology, and many other topics. From those discussions, I’ve come away with a new understanding of how and why the digital world is changing, as well as some big questions. User privacy is the definitive driver of these discussions, at every level.

One of my biggest takeaways from these discussions is a strongly held belief that permeates much of browser vendors’ decision-making: “first parties” are good and “third parties” are bad. This leads to one of the biggest trends in privacy today, the elimination of cross-site tracking. But why?

The thought process progresses this way:

Users are harmed by their data being misused -> User privacy needs to be increased -> Data sharing across companies reduces user privacy -> Cross-site tracking in browsers needs to be shut down

That’s a reasonable flow for someone to follow, but when you start to unpack it, it’s clear that the pathway has been laid out by people with a vested interest in the outcome.

First, what are the harms that come from users’ data being misused? Significant research and press have been dedicated to this topic over the years.

A summary of some of the biggest issues — certainly not exhaustive:

• Apps and sites revealing sensitive information to others (health, finance, sexual orientation, etc.)
• Advertisers targeting campaigns based on that sensitive information
• People being radicalized by filter bubbles
• Algorithms spreading misinformation and hate
• Government agencies getting access to private information

Those are unequivocally major problems, and issues that we should all want to shut down. And who are the companies that are most responsible for these issues? Tech platforms like Google, Facebook, and Apple.

And what about digital advertising and adtech? Certainly, this industry isn’t the most savory. And some adtech firms do bad things. But when you really dig into the issues, most of the user issues that have materialized in the real world are caused by the platforms, and few will be stopped by the elimination of cross-site tracking.

Speaking at an industry event in 2019, a Mozilla engineer gave examples of these societal harms. Four of the five examples given were perpetrated by platforms. Cross-site/app tracking is an irrelevant factor in these issues. Dig into more research and more articles and you’ll find it over and over again — the harms to users from their data being misused come from platforms, not from cross-site tracking issues.

All of the browsers are pushing heavily towards privacy, but Apple’s Safari browser started the trend in 2005 and has become more and more aggressive in recent years. So why is it, when the world’s largest company decided “user privacy” was a really important topic, they decided that cross-site/app tracking was the demon to attack?

Apple’s Strategy

Currently, Apple is the world’s largest company, the developer of the world’s #2 web browser (Safari), and the owner of the largest app ecosystem (the App Store). Apple has been trying to diversify its business model for quite a while. Nearly all of Apple’s revenue and profit comes from the sale of hardware. The company has aspired to grow its services business model for many years and has generally been successful but it’s still a small portion of the total.

This desire to grow the business has lead to a number of nefarious decisions about how Apple can extract its pound of flesh from other companies in the space. But Apple’s biggest success has been with digital subscriptions and products in the App Store, commonly known as in-app purchases (IAP). On nearly all purchases in any app on iOS, Apple collects 30% of the revenue (now dropped to 15% for small developers).

As an enormous company, Apple is under enormous pressure to keep growing at a fast rate. So it needs to find huge areas of growth to keep its shareholders happy. Growing the App Store is one of those strategies. And two of the best ways to grow revenues from the App Store are:

1. Get more developers to make more apps
2. Push more developers to use IAP to monetize their apps

Not surprisingly at all, these goals map perfectly to Apple’s privacy initiatives:

1. Shut off all cross-site tracking, which hurts advertising revenue significantly, and drive web developers to new ecosystems, like the App Store
2. Shut off all cross-app tracking in the App Store ecosystem to damage advertising as a means of monetization and push more apps to use IAP

And the recent antitrust attention on Google’s search monopoly has surfaced the fees that Google pays to Apple to be the default search engine in Safari. This revenue stream, probably the largest single component of Apple’s “services” business is now at risk. As Apple may need to replace this revenue, it’s very likely that Apple’s focus on “privacy”, particularly on the open web, will be stepped up in the coming months. And then of course, Apple is building its own ad network, with much laxer rules on how it can access user data.

In my opinion, it’s pretty clear why Apple is so focused on cross-site tracking. It’s an evil-sounding technology that fits neatly into the bucket of “privacy”, that if they shut down, can help grow their services business.

Apple’s approach to privacy is about growing their business. It’s not about protecting users at all. This doesn’t (necessarily) make Apple evil, it just makes them an enormous company with very aggressive growth targets.

Back to First- and Third-Parties

So now maybe it’s more clear why Safari (and other browsers) is so focused on first- and third-parties. Google and Microsoft have also picked up on this thread. These giant companies know that they have to solve user privacy issues, but they want to do so in a way that helps their core businesses grow even faster.

With the first-/third-party delineation, they have found an amazing pivot point. As fully-integrated first parties (they own all of their technology), they don’t need any third-parties to power their business. But nearly every other company does need third parties. But by focusing on the “information sharing across companies is bad” adage, they can draw a clear delineation that is privacy-focused that simultaneously helps their businesses.

This focus on 1st vs 3rd parties allows these enormous companies to point regulators and consumers in a direction that is directed away from themselves, and in ways that benefits them. It allows them to convince the world that they aren’t part of the problem.

P.S. The original quote that was popularized by “The Usual Suspects” (one of the best movies of all time — watch it if you haven’t already!) is actually a corruption of a quote from the French philosopher Charles Baudelaire. In my opinion, it’s even more fitting here.

“La plus belle des ruses du diable est de vous persuader qu’il n’existe pas.”

“The devil’s finest trick is to persuade you that he does not exist.”