Your attribution may be more wrong than right

The flip side of fingerprint attribution

Grant Simmons
6 min readJul 24, 2019

Today’s marketer is data-driven. With significant ad spend dollars on the line, accuracy in the attribution data that links advertisements to in-app conversions is vital. That data drives cost-per-install (CPI) and/or cost-per-action (CPA) bounties paid to ad platforms, performance assessments on campaigns, and channels, as well as optimization decisions to promote future growth.

But there’s a longstanding attribution hurdle compromising the accuracy of that attribution data.

The fingerprint attribution hurdle

To understand this attribution hurdle, let’s look at the two primary environments in which most advertisements are served to mobile users.

In-app ads are served to users inside of an app on their device. The ad-serving SDK in the app where the ad is served has access to the mobile advertising device ID of the user’s device (with certain exceptions like Apple’s Limit Ad Tracking). When a click is recorded, the device ID is passed to the measurement partner tracking the click. Since a mobile advertising device ID is globally unique, it is used to deterministically (precisely) match the click and subsequent conversion.

Mobile web ads are served on web pages that a user accesses through their mobile web browser (like Chrome or Safari). In most cases, the publisher serving the ad does not have access to capture the mobile device ID. Instead, the Internet Protocol (IP) address and the user agent (UA) of the mobile device are captured from header data by the measurement provider tracking the click. These two data points are combined to create a non-unique “fingerprint” which helps narrow the field of possible matches on downstream conversions by devices with the same fingerprint. Since users can have similar devices and be connected to the internet over common IP addresses, fingerprinting offers only a probabilistic method for attribution, which degrades in accuracy over a short time.

The attribution hurdle

Fingerprinting accuracy:

As shown below, fingerprint attribution is 81% accurate over 7 days. However, most fingerprint attributions occur within the first 10 minutes between click and conversion (54%) and are 98% accurate (ie, it garners the same result as a deterministic match).

As the time between click and conversion increases, fingerprint attribution becomes increasingly inaccurate. After three hours, accuracy drops by 85%. At the 24-hour mark, it drops to 50%; and beyond that, fingerprint attribution is more likely wrong than right.

The fingerprint problem: Accuracy decreases rapidly over time

Further complications on iOS

By comparison to the wide range of distinct Android devices, the world of iPhones is far less unique, with a small subset of device types and OS versions accounting for the majority of iPhone users. When combined with common IP addresses in densely populated areas, it becomes harder to distinguish one iPhone user from another. As such, the potential for inaccuracy grows in fingerprint attribution that relies on these two data points.

Further complicating attribution is the Limit Ad Tracking privacy function on iPhones that blocks the IDFA (the iOS mobile advertising device ID) from access. The typical percentage of users opted in to Limit Ad Tracking hovers around 24%, but for some verticals and specific niche apps, it can jump to as high as 70% or more. This means that for certain app marketers, even for in-app campaigns, the device ID is unavailable. Marketers are forced to rely on fingerprinting for iOS campaigns, and fraudsters have swooped in to take advantage of this.

An easy target?

In looking more closely at Android and iOS traffic, there’s a disconnect between the number of installs and clicks for iOS devices.

In 2018 across all of the ad traffic measured by Kochava, iOS made up 27% of installs, while Android came in at 73%. This would lead you to expect that Android would have greater click traffic by volume than iOS. However, when it came to total click traffic, that pattern was reversed: 66% of total click traffic was iOS and only 33% Android. Further, 74% of the iOS click traffic had no device ID and was thus only available for fingerprint attribution. If the average percentage of users with Limit Ad Tracking is 24%, why are nearly three-quarters of the iOS click traffic missing device IDs?

Instances have been observed where publishers purposely strip the IDFA from a click. This opens the click record up to more eligible matches than if it had a device ID and could only be matched to a conversion by one device.

According to our research, more than 80% of clicks on iOS traffic are fraudulent:

The numbers also point to a preponderance of fraudulent click flooding on iOS, as bad actors seek to flood the ecosystem with clicks that have highly common IP addresses and iPhone user agents.

Since iOS only identifies the type of device and the OS version for its user agents, iPhone UAs are remarkably non-unique and publicly available.

Further, wireless carrier IPs (Verizon, AT&T, Sprint, etc.) are also non-unique and publicly available. A fraudulent publisher needs only to pair up these data points and pump out a massive volume of fake clicks to steal organic conversions or those that were actually driven by other partners.

Kochava can help marketers overcome the hurdles

What can you do as a marketer? For iOS traffic, keep a close eye on Click Flooding in the Kochava Fraud Console. Since iOS makes up the majority of mobile traffic (mostly fingerprint attempts) but has fewer installs, a large number of iOS publishers get flagged for click flooding, ad stacking, and other views which point to unreasonable click-to-install ratios (clear indications of fraud). Get protection at the flip of a switch with the Global Fraud Blacklist and set frequency caps through Kochava Traffic Verifier.

For all traffic: As we discussed earlier, fingerprinting is accurate within a narrow timeframe. With configurable attribution by Kochava, marketers can tighten lookback windows to as little as 10 minutes for nearly 98% accuracy. Pushing the lookback window out to three hours will encompass more conversion volume and still hold the accuracy line at nearly 85%. Between three and 24 hours, accuracy drops by over 50%.

For this reason, Kochava recommends a fingerprint lookback window of three hours for a more conservative approach, and not beyond 24 hours for marketers who want to widen the conversion window for consideration. The point is, you as the marketer can configure the lookback window that best fits your unique thresholds.

Again, the accuracy of fingerprint attribution decreases rapidly over time

IdentityLink Bridge: A light at the end of the tunnel

In Q1 of 2019, Kochava announced the release of IdentityLink Bridge as a solution to bring deterministic attribution to mobile web traffic. IdentityLink Bridge links first-party Kochava cookies to device IDs within a user’s mobile web browser. This makes the device ID available to Kochava for attribution, even when a click originates from mobile web and the device ID isn’t sent by the publisher. As a result, Kochava can match mobile web clicks to conversions via the deterministic device ID rather than relying on fingerprinting.

Through IdentityLink Bridge, marketers see improved conversion performance and more precise attribution on paid and non-paid campaigns across all mobile web channels.

The Takeaway

Fingerprint attribution is unavoidable in certain circumstances, such as on iOS when Limit Ad Tracking blocks access to a device ID. Nonetheless, marketers can tighten lookback windows and get tough on fraud to maintain meaningful accuracy in attribution outcomes even when using fingerprint attribution. Further, the use of IdentityLink Bridge from Kochava provides marketers with more accurate deterministic attribution for mobile web.

If you have not yet opted into IdentityLink Bridge, contact your Client Success Manager today and learn how you can bring deterministic attribution to your mobile web campaigns.

Contact our Client Success Team for more information, or Contact Us.



Grant Simmons

Former Head of Retail Analytics at Oracle Data Cloud. Currently Head of Client Analytics at Kochava. Your data speaks volumes if you know how to listen.