Blog

Link Tracking Protection in iOS 17 & macOS Sonoma: Important changes for marketers

Nicole Merlin

By Nicole Merlin

·

Updated Jan 31, 2024

Published Jun 30, 2023

Link Tracking Protection in iOS 17 & macOS Sonoma

Update: Marketo has responded to the changes here

At this year’s WWDC, Apple announced the upcoming release iOS 17 and iPadOS 17, both scheduled for release in September, along with macOS Sonoma, scheduled for sometime in the fall.

These updates will bring a range of security and privacy updates, many of which have significant implications for marketers.

This is the big change for marketers, as Apple has committed to reducing the number of tracking parameters that can be used in URLs across Mail, Messages and Safari.

From Apple’s press release:

“Some websites add extra information to their URLs in order to track users across other websites. Now this information will be removed from the links users share in Messages and Mail, and the links will still work as expected. This information will also be removed from links in Safari Private Browsing.”

In short, Apple plans to remove what they call “known trackers” from links when they are clicked on or shared.

They’ll do this by stripping away certain URL tracking parameters, while leaving the remainder of the URL intact, as shown in this video from Apple.

Which tracking parameters are affected?

Jeff Johnson reported in a recent blog post that Apple will be using a static list of trackers, rumoured to be taken from this list of “Tracking query parameters” from PrivacyTests.org.

ParameterPrivacyTests.org Description
__hsfpHubSpot tracking parameter
__hsscHubSpot tracking parameter
__hstcHubSpot tracking parameter
__sDrip.com email address tracking parameter
_hsencHubSpot tracking parameter
_openstatYandex tracking parameter
dclidDoubleClick Click ID (Google)
fbclidFacebook Click Identifier
gclidGoogle Click Identifier
hsCtaTrackingHubSpot tracking parameter
mc_eidMailchimp Email ID (email recipient’s address)
mkt_tokAdobe Marketo tracking parameter
ml_subscriberMailerLite email tracking
ml_subscriber_hashMailerLite email tracking
msclkidMicrosoft Click ID
oly_anon_idOmeda marketing ‘anonymous’ customer id
oly_enc_idOmeda marketing ‘known’ customer id
rb_clickidUnknown high-entropy tracking parameter
s_cidAdobe SiteCatalyst tracking parameter
vero_convVero tracking parameter
vero_idVero tracking parameter
wickedidWicked Reports e-commerce tracking
yclidYandex Click ID

Our internal tests so far also confirm that it’s only parameters on this list (and their values) that are being targeted by these changes. Any other custom parameters (such a customer_id=xyz or utm_campaign=xyz) do not appear to be affected at all.

These results also stack up with research shared by Steve Atkins from Word to the Wise, and Peter Jakuš from Bloomreach Engagement.

What is removed and where

URLs with parameters

Steve Atkins shared his research on clicking links in the Mail app, where the actual href of each link contained the parameters, e.g:

<a href="https://www.example.com?customer_id=abc&mkt_tok=abc">Link</a>

His tests showed that the parameters in the PrivacyTests.org table (shown above) were all removed, whereas any parameters not on that list remained. The resulting URL after clicking our example in Mail would be this URL opening in Safari:

https://www.example.com?customer_id=abc

URLs that point to a redirection server

Peter Jakuš also shared his research, which involved clicking links from Mail and Messages and opening them in Safari and Safari Private Browsing on iOS 17.

His links were all using a redirection server, meaning the href of each link in the email was something like this, which is set up to redirect to the URL above once opened in a browser.

<a href="https://click.track.example.com/8743b52063cd65d1633f5c74f5">Link</a>

After clicking this link in Mail, it would resolve to the full URL in Safari normal browsing mode, with all parameters intact:

https://www.example.com?customer_id=abc&mkt_tok=abc

However, if the redirect link was opened in Safari Private Browsing mode, it would resolve to a URL with any parameters in the PrivacyTests.org table (shown above) stripped away:

https://www.example.com?customer_id=abc

We ran some of our own internal tests which corroborate both Steve and Peter’s research. Below is a breakdown of the behaviour across all the affected apps and types of links.

Action taken from Mail or MessagesLinks that point to a full URL with parametersLinks that point to a redirection server URL
Click link → Open in Safari❌ Affected parameters are removed✅ Resolves to full URL with parameters intact
Click link → Open in Safari Private Browsing❌ Affected parameters are removed❌ Resolves to full URL with affected parameters removed
Copy link → Paste (anywhere except Safari in Private Browsing mode)❌ Affected parameters are removed✅ Full redirection server URL is pasted
Copy link → Paste in Safari Private Browsing❌ Affected parameters are removed❌ Resolves to full URL with affected parameters removed
Click “Share…” menu → Share to destination of choice❌ Affected parameters are removed✅ Full redirection server URL is shared

Peter Jakuš’s research also indicates that Apple is not ‘pre-visiting’ the links before stripping the parameters, further confirming that no visits with the parameters will register on the server at all.

Removal of affected parameters when browsing the web in Safari

ActionLinks that point to a full URL with parametersLinks that point to a redirection server URL
Click link✅ Parameters remain intact✅ Resolves to full URL with parameters intact
Tap and hold link → select “Copy Link” → paste into destination of choice✅ Parameters remain intact✅ Full redirection server URL is pasted
Tap and hold link → select “Share…” → share to destination of choice❌ Affected parameters are removed✅ Full redirection server URL is shared

Removal of affected parameters when browsing the web in Safari Private Browsing Mode

ActionLinks that point to a full URL with parametersLinks that point to a redirection server URL
Click link❌ Affected parameters are removed❌ Affected parameters are removed
Tap and hold link → select “Copy Link” → paste into destination of choice❌ Affected parameters are removed✅ Full redirection server URL is pasted
Tap and hold link → select “Share…” → share to destination of choice❌ Affected parameters are removed removed ✅ Full redirection server URL is shared

Impact on Marketers

How might these changes impact Marketers and specifically Marketing Operations professionals?

Well, Marketo users reading this may have noticed mkt_tok in the table above.

As Adobe defines, mkt_tok is “the parameter used by Marketo Landing Pages and Munchkin to ensure proper tracking of person activities (like when a person unsubscribes from an email).” Simply, this parameter is vital in tracking the subsequent web session activities for the lead.

Apple’s release means when a recipient opens an email on their Apple device using Apple Mail — the mkt_tok will be stripped.

In other words, tracking that relates to person activities post link-click will be impacted.

According to our tests, it also breaks key system functionality in Marketo, where that functionality relies on the use of mkt_tok. For example, in our tests following the “View as webpage” link, the mkt_tok in the URL is removed, which means the link cannot resolve properly, resulting in the view online failure page.

This is something that Marketo will no doubt be looking to address as quickly as possible.

These changes are part of Apple’s commitment to new privacy features

These changes come as part of Apple’s growing commitment to blocking the use of technologies that track individual user behaviour, as per their Tracking Prevention Policy.

Their policy acknowledges downstream effects of these changes:

There are practices on the web that we do not intend to disrupt, but which may be inadvertently affected because they rely on techniques that can also be used for tracking. We consider this to be unintended impact.

The policy also makes clear that they are aiming to drive adoption of alternative methods for tracking, such as Private Click Measurement or PCM, a technology that has been a part of iOS and iPadOS designed to enable more anonymous click attribution.

What’s next?

Some of the details may change before the final versions are released, but we can be certain from Apple’s press releases and policy details, that they are committed to making these changes in one form or another.

While the finer details may change, it’s clear that these behaviours will be implemented in all of the upcoming releases, so we will be keeping a keen eye on the situation as it develops.


Share this article

Nicole Merlin

Author

Nicole Merlin

Head of Email Strategy and Development, Knak

Why marketing teams love Knak

  • 95%faster speed to market

  • 22 minutesto create an email*

  • 10K+marketers using Knak

* On average, for enterprise customers

Built by marketers, designed for everyone

Discover the future of no-code email and landing page creation.

See it in action