
Apparently, there is an army of bots pretending to be Apple users surfing the web and looking at ads. According to new research, this ad fraud scheme is weaponizing Apple’s privacy feature called Private Relay, and the researchers’ tests found it is costing advertisers tens of millions of dollars in the process.
Apple, for its part, has promised that the tool has “built-in fraud detection” and that advertising platforms can trust it, but the researchers say the fraud has only gotten worse in the months since they first reported it to the company.
Apple’s Private Relay tool is available to users who subscribe to iCloud+, providing them with a dummy IP address to help stop companies from tracking them. The iPhone maker said that apps, websites, and ad tech companies could trust that these IP addresses represent real people. The company says Private Relay has “built-in fraud protection,” and it’s “designed to ensure only valid Apple devices and accounts in good standing are allowed to use the service.” Apple goes even further, proclaiming that “Websites that use IP addresses to enforce fraud prevention and anti-abuse measures can trust that connections through Private Relay have been validated at the account and device level by Apple.”
That’s not even remotely true, according to the study. Pixalate, the ad tech firm that authored the study, says the problem will cost US advertisers an estimated $65 million in 2022 alone. The study finds that 90% of web traffic that looks like it’s coming from Private Relay is actually fraudulent, which could mean there are well over 100 million robots cruising around the web, seeing a lot of ads.
Pixalate used several techniques to identify the fraud, including analyzing where the traffic originated. Private Relay is only available with the Safari browser, yet the researchers observed iCloud Private Relay (iCPR) IP addresses attached to Firefox, or to non-Apple devices that cannot run Safari, which should be impossible. Pixalate also saw the IP addresses originating from data centers, which ad fraudsters often route their traffic through to hide their activity.
Pixalate also detected iCPR addresses involved in what’s known as a “bot ring,” where clusters of users exclusively visit a few websites or apps and don’t go anywhere else, which is a red flag of inauthentic behavior.
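The two paragraphs above describe three checks a publisher or ad platform can run on its own request logs: whether an address that claims to be a Private Relay egress is paired with a non-Safari browser or a non-Apple device, whether it originates from a hosting network, and whether it behaves like a “bot ring” member that hammers only a couple of domains. The script below is an added example written for this article, not Pixalate’s or Apple’s code. The iCPR ranges, the log lines, the `net_type` enrichment column and the bot-ring thresholds are all constructed for the example; a real deployment would load Apple’s currently published egress-IP list and its own IP-enrichment data.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder for Apple's published Private Relay egress ranges
# (invented for this example; a real check loads Apple's current egress-IP list).
ICPR_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Thresholds for the "bot ring" heuristic: many requests, almost no variety of domains.
# Chosen for the example, not taken from the study.
BOT_RING_MIN_REQUESTS = 6
BOT_RING_MAX_DOMAINS = 2

IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1")
MAC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/16.0 Safari/605.1.15")
WIN_FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0"

# Constructed ad-request log: tab-separated "timestamp ip domain net_type user_agent".
# net_type is assumed to come from an upstream IP-enrichment step (residential vs hosting).
LOG_LINES = [
    f"2022-10-01T12:00:01Z\t203.0.113.10\tnews.example\tresidential\t{IPHONE_UA}",
    f"2022-10-01T12:00:02Z\t203.0.113.10\tweather.example\tresidential\t{IPHONE_UA}",
    f"2022-10-01T12:00:03Z\t203.0.113.10\tshop.example\tresidential\t{IPHONE_UA}",
    f"2022-10-01T12:00:04Z\t203.0.113.44\tnews.example\tresidential\t{WIN_FIREFOX_UA}",
    f"2022-10-01T12:00:05Z\t192.0.2.5\tnews.example\thosting\t{WIN_FIREFOX_UA}",
]
# Eight requests from one "Private Relay" IP in a hosting network, bouncing between two sites.
for i in range(8):
    domain = "news.example" if i % 2 == 0 else "sports.example"
    LOG_LINES.append(f"2022-10-01T12:01:{i:02d}Z\t198.51.100.7\t{domain}\thosting\t{MAC_UA}")


def is_icpr(ip: str) -> bool:
    """True if the address falls inside a range that presents itself as Private Relay."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ICPR_RANGES)


def is_apple_platform(ua: str) -> bool:
    return any(tok in ua for tok in ("iPhone", "iPad", "Macintosh"))


def is_safari(ua: str) -> bool:
    # Chrome and Firefox on iOS/macOS also advertise "Safari/", so exclude their markers.
    return "Safari/" in ua and not any(tok in ua for tok in ("Chrome/", "CriOS/", "FxiOS/", "Firefox/"))


def parse(line: str) -> dict:
    ts, ip, domain, net_type, ua = line.split("\t", 4)
    return {"ts": ts, "ip": ip, "domain": domain, "net_type": net_type, "ua": ua}


def analyze(lines) -> dict:
    """Return {ip: [flags]} for iCPR-looking addresses that fail one of the three checks."""
    flags = defaultdict(set)
    requests = defaultdict(int)
    domains = defaultdict(set)
    for rec in map(parse, lines):
        ip = rec["ip"]
        if not is_icpr(ip):
            continue  # only traffic claiming to be Private Relay is examined here
        requests[ip] += 1
        domains[ip].add(rec["domain"])
        if not is_safari(rec["ua"]):
            flags[ip].add("non_safari_ua")
        if not is_apple_platform(rec["ua"]):
            flags[ip].add("non_apple_platform")
        if rec["net_type"] == "hosting":
            flags[ip].add("datacenter_origin")
    # Bot-ring heuristic: lots of requests confined to a tiny set of domains.
    for ip, n in requests.items():
        if n >= BOT_RING_MIN_REQUESTS and len(domains[ip]) <= BOT_RING_MAX_DOMAINS:
            flags[ip].add("bot_ring")
    return {ip: sorted(f) for ip, f in flags.items()}


def suspicious_share(lines) -> float:
    """Fraction of Private-Relay-looking requests that come from a flagged IP."""
    flagged = analyze(lines)
    icpr_ips = [parse(line)["ip"] for line in lines if is_icpr(parse(line)["ip"])]
    hits = sum(1 for ip in icpr_ips if ip in flagged)
    return hits / len(icpr_ips) if icpr_ips else 0.0


if __name__ == "__main__":
    for ip, f in analyze(LOG_LINES).items():
        print(ip, ", ".join(f))
    print(f"suspicious share of iCPR-looking traffic: {suspicious_share(LOG_LINES):.0%}")
```

The script deliberately ignores addresses outside the claimed iCPR ranges (the 192.0.2.5 Firefox request is left alone), because the point of the study is that Private Relay traffic is being waved through on trust; the same checks applied to all traffic would be ordinary bot filtering. In the constructed log, the Windows Firefox request from an “iCPR” address and the eight-request hosting-network cluster are flagged, while the genuine-looking iPhone session is not.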
The problem doesn’t affect Apple users; rather, ad fraudsters are pretending to be among them. According to Pixalate, fraudsters are taking advantage of the complexity of ad tech, slipping bad traffic right under publishers’ and tech companies’ noses.
“Apple says you can trust that connections through Private Relay are secure and free of fraud, so scammers are just presenting their traffic as coming from Apple,” said Amit Shetty, vice president of product at Pixalate. “It seems like they’re just hoping people are going to put the traffic on ‘allow lists’ because it’s considered to be safe.”
While the ad fraud is widespread, the study found that the bots tend to cluster around groups of domains, and nine websites that display ads are affected in particular — including the websites for E! Online, ESPN, Major League Baseball, NBC News, and Weather.com.
Pixalate first reported on this problem in August, but the firm says the amount of fraud is accelerating. It is advising ad tech companies and websites to consider blocking Private Relay traffic altogether until there’s a better solution.
“The programmatic advertising system is so complex that nobody really understands it,” said Bob Hoffman, a former ad agency executive and author of the best-selling book ADSCAM. (Hoffman was not involved with Pixalate’s study.) “At least 15% of all the money just disappears and nobody knows where it goes.”
Apple did not respond to Gizmodo’s requests for comment.