This topic is very interesting and yet at the same time – at least to me – difficult to grasp. I’m hoping in my discussing this here, I’ll actually understand it better. Let’s get to the topic at hand. There is something in the domain space called the PSL (Public Suffix List). So the first step is understanding what the PSL is and does.



What is the Public Suffix List (PSL)?

The PSL is a community maintained text file that was first created to reduce super cookies in multi-level domain names. Huh? Let’s look at robertjacobi.com as an example of a fully qualified domain name (FQDN):

  • .COM is the top level domain (TLD)
  • ROBERTJACOBI is the domain name but more importantly in this example is also the second-level domain

Now what happens if we use robertjacobi.co.uk as our FQDN:

  • .UK is the top level domain (TLD)
  • .CO is the second-level domain
  • ROBERTJACOBI is the domain name of record

Cookies were initially created to support second-level domains. That means that I could share cookie information with any subdomains of robertjacobi.com, e.g. shop.robertjacobi.com or development.robertjacobi.com. Do you see the problem? Everything is a subdomain within the .co.uk domain name, so theoretically at one time cookies could be shared across microsoft.co.uk and amazon.co.uk.

The actual list in PSL is an open standard, available to review, and is part of a GitHub repository where requests can be made. I highly recommend going through the standard and list to see what’s happening behind the scenes to actually secure a level of privacy. It is not an official authority but it is utilized by all browser manufacturers.

The PSL is the least awful and only resource publicly available that provides this level of detail. It serves as a rainbow bridge between the complexity of ICANN and real world developers who have no place within nor tolerance for ICANN.

Jothan Frakes, PSL Maintainer, CEO Private Label Registrar

What did Apple and Facebook do?

Starting late March, the maintainers of the PSL started receiving a large number of requests and they determined that Facebook had started the stampede. In Facebook’s Business Help Center, How Apple’s iOS 14 Release May Affect Your Ads and Reporting:

Specifically, Apple will begin to require that apps in the App Store that engage in what Apple defines as “tracking” to show a prompt to iOS 14 users, in accordance with their AppTrackingTransparency framework. Apple’s policy will prohibit certain data collection and sharing unless people opt into tracking on iOS 14 devices via the prompt. As more people opt out of tracking on iOS 14 devices, ads personalization and performance reporting will be limited for both app and web conversion events.

In response to these changes, we will also start processing pixel conversion events from iOS 14 devices using Aggregated Event Measurement. This will support your efforts to preserve user privacy and help you run effective campaigns.

Aggregated Event Measurement (AEM) sounds a lot like FLoC (CASH) to me. The specific tool that Facebook uses is its magical Facebook pixel (which Apple’s upcoming privacy features will limit if not neuter).

Facebook has provided some suggestions with regards to enabling tracking via AEM (which I am guessing might support FLoC/CASH as well but don’t hold me to all the technology on this issue). Here is the key “fix”:

You may need to verify your website’s domain to help avoid any future disruption of your website campaigns. Domain verification must be done for the effective top level domain plus one (eTLD+1). For example, for www.books.jasper.co.uk, books.jasper.co.uk and jasper.co.uk the eTLD+1 domain is jasper.co.uk.

Additionally, we will support domains included in the Public Suffix List. This would enable businesses to verify their eTLD+1 domains if the hosting domain (eTLD) is registered in the Public Suffix List. For example, if ‘myplatform.com’ is a registered domain to the Public Suffix List, then an advertiser ‘jasper’ with the subdomain ‘jasper.myplatform.com’ would be able to verify ‘jasper.myplatform.com.’

Domain verification should be prioritized for domains with pixels used by multiple businesses or personal ad accounts. This will enable you to configure pixel conversion events when Aggregated Event Measurement becomes available.

Our current efforts are designed to support clients with preexisting Public Suffix List domain registrations or eTLDs. This support is in line with Apple’s recent Private Click Measurement update. There are other technical implications if a domain is registered as a Public Suffix that a business should consider (for example, the domain that is registered on the Public Suffix List cannot have its own cookies) and as such, we do not recommend that clients register their domains on the Public Suffix List specifically for Facebook event configuration.

The folks at PSL have been deluged because of this, and I’d love to know the list of PSLs being submitted to skirt privacy – you know – just to avoid those domains. The volunteers have put a hold on new submissions because there can actually be adverse effects for “good” domains. It’s complicated and a slight mess. So what previously took 15 minutes in a single completed request with no interaction required from the requesting parties, is now taking at least 45 minutes or more per request and multiple interactions.
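To make the cookie problem from the first section and the eTLD+1 rule in the Facebook text concrete, here is an added example (not code from this post, Facebook, or the PSL project) that applies PSL-style matching to a handful of rules. The rule set is a constructed excerpt, and `myplatform.com` is the hypothetical platform domain from the quoted text, not a real PSL entry.

```python
# Constructed excerpt of PSL-style rules, not the real list. "myplatform.com"
# is the hypothetical private entry from the Facebook text quoted above.
RULES = {"com", "uk", "co.uk", "*.ck", "!www.ck", "myplatform.com"}


def public_suffix(host, rules=RULES):
    """Return the public suffix (eTLD) of host using PSL matching."""
    labels = host.lower().rstrip(".").split(".")
    best = 1  # implicit "*" rule: an unlisted TLD is itself a public suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        wildcard = ".".join(["*"] + labels[i + 1:])
        if "!" + candidate in rules:
            # An exception rule wins; the suffix is the rule minus its
            # leftmost label.
            return ".".join(labels[i + 1:])
        if candidate in rules or wildcard in rules:
            best = max(best, len(labels) - i)  # longest match prevails
    return ".".join(labels[-best:])


def registrable_domain(host, rules=RULES):
    """Return eTLD+1, or None when host is itself a public suffix."""
    host = host.lower().rstrip(".")
    suffix = public_suffix(host, rules)
    if host == suffix:
        return None
    owner_label = host[: -len(suffix) - 1].split(".")[-1]
    return owner_label + "." + suffix


def cookie_domain_allowed(request_host, domain_attr, rules=RULES):
    """Simplified browser check of a Set-Cookie Domain attribute."""
    domain = domain_attr.lower().lstrip(".")
    host = request_host.lower()
    if public_suffix(domain, rules) == domain:
        return False  # would be a super cookie shared by unrelated sites
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for h in ("www.books.jasper.co.uk", "jasper.myplatform.com", "myplatform.com"):
        print(h, "->", registrable_domain(h))
    print(cookie_domain_allowed("microsoft.co.uk", "co.uk"))
```

Once `myplatform.com` is treated as a public suffix, each customer subdomain becomes its own eTLD+1, and the platform's own host can no longer set a cookie scoped to `myplatform.com`, which is the trade-off the Facebook text warns about.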

The Effect on Websites

This whole situation affects a number of constituencies:

  1. Advertisers:

    Facebook and their ilk are destined to lose revenue as people opt-out of invasive and anti-privacy tracking methods. I don’t think most people are going to cry about Facebook losing money in this anti-privacy scheme. Shame on them for exploiting this in the first place.
  2. Sites relying on advertising:

    There certainly are media sites that will lose meaningful traffic data, but there is more than one way to be successful with advertising that doesn’t rely on intrusions provided by Facebook. The other sites are the ones who are trying to validate campaigns which send users to their sites. Think a site that sells hammers. It will be a bit more difficult to pipe and filter all that data, but you know what, before the advent of all this hyper tracking, business did quite well. They will adapt their spending and hopefully even lean into the fact that they are not tracking everything I do.
  3. End users

    Winner winner chicken dinner. End users are the biggest beneficiaries of enhanced privacy measures. Good for Apple leading the charge, boo AEM and FLoC/CASH for trying to game the system.

There are legitimate use cases for being on the PSL with regards to managing sessions and all sorts of user experience issues. Your site may be affected if there are dependencies which all of this may break. This is actually very complicated depending on your infrastructure. We also have to deal with submission and implementation lag. If you have a legit reason for submitting to the PSL, then you have to worry about the time to get on the list, and then about when the actual browsers will add the list to their instances.

Phew! It’s a lot of work. I’m sure there will be updates to clarify the tech and/or positions of all those involved.
