As you may have read today, Kontagent is no longer a partner in Facebook’s Mobile Measurement Program (MMP). I’d like to take this opportunity to offer some clarity on the situation. We have held a longstanding relationship with Facebook. As a social and mobile analytics provider, we work with Facebook data to provide our many customers with important information like virality and app install tracking. We will continue to provide our customers with this information; however, we will not be accessing Facebook data to attribute app installs moving forward.
UPDATE: Of our 22,000 customers, only 15 were affected by this development. So it’s an isolated portion of our business.
As background, Facebook has been auditing all of its mobile measurement partners. We received the results of the audit last week and were notified yesterday that we’re no longer a part of their Mobile Measurement Program, which shares information we use to attribute app installs generated by its Mobile App Install Ads product*. The rest of our relationship with Facebook remains intact, but we are no longer participating in this narrow, but important area. More specifically, we will continue working with Facebook as a market-leading provider of analytics for their social and mobile app developers as well as for attribution on the web.
Addressing our participation in the Mobile Measurement Program, I’d like to mention that no data leakage, user privacy or security integrity failures occurred. Data security and privacy are primary concerns at our company and are also a growing and important global issue. We’ve been in the business of data for 7 years and have never had a privacy and data security issue. We take this issue very seriously and I can strongly state privacy was not the concern as communicated to us by our representatives at Facebook (and their auditing firm).
We ran into issues with Facebook’s policy due to the length of time we stored MMP data and the ultimate location where that data was stored. The details on that follow.
The Nuts and Bolts
So how did we not comply with Facebook’s policy? In an effort to be fully transparent, I’ll get into the specific details. This is a lengthy explanation, but we think it’s important to convey all of the details about the situation and the steps that we take every day to protect end user data.
1. We stored data beyond the length required by Facebook’s policy (with a caveat)
Facebook’s auditor determined that we stored MMP data for more than the time period allowed by Facebook’s policy. Our intention was to go above and beyond what was asked to protect this data, but we dropped the ball on an important data storage timeline requirement.
In the interest of privacy and security, we encrypted all of the data we collected via MMP. This was not required by Facebook, but we did this because it has significant end-user privacy benefits. Specifically, no raw ad campaign information is ever stored unencrypted. This means that if our systems were hacked or our customers downloaded this data, as we permit since it’s their data, they would receive encrypted, useless data without the keys.
If you’re familiar with how encryption works, then you know that it involves keys that allow us to encrypt and decrypt data. We used a unique encryption key for each day of data, which demonstrates our serious commitment to privacy and security. Additionally, these keys were stored on separate hardware from the MMP data. Our method for “deleting” this data was to destroy the unique daily keys according to the timing requirement outlined in Facebook’s policy. The underlying unencrypted data was never stored, and the daily encryption keys were deleted promptly.
To be very clear, retaining the data even without the keys does represent a risk because hackers could try to break in and attempt to decrypt it. Storing the encrypted data beyond the required timeframe was an error on our part and could have been easily resolved had we been given the opportunity to remedy the situation.
2. The partitioning of Facebook’s MMP data
The policy states that data collected via MMP is to be stored separately from all other data collected. As noted above, we stored our encryption keys separately, but not the encrypted data. As a result, we did not comply with the MMP.
We understand there may also be a concern that by commingling the data, it is easier to use MMP data for purposes other than attribution. Kontagent absolutely DID NOT use it for any purpose other than attribution.
3. Our TOS needed an update
Facebook requested that we notify our customers who utilized this information of Facebook’s requirement that they notify their own end users that this information was being collected. This could have been accomplished through a simple change to our Terms of Service (and was actually changed yesterday morning).
Update: During Facebook’s audit we learned that the issue was not a failure to communicate with our clients, but that we did not display the program’s disclosure requirement in a prominent location in our marketing materials.
In short, Kontagent created an encryption policy that we designed to completely protect user privacy while addressing Facebook’s policy in one elegant solution. In hindsight, while our intentions were good, we overthought the solution when a more basic approach would have better met Facebook’s requirements.
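The per-day key scheme and the retention finding described above, as an added sketch (not Kontagent's code): it contrasts key-only "deletion" with a purge that also removes expired ciphertext, and reports what an auditor would still find on disk. `DailyStore`, its method names and `RETENTION_DAYS` are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a real AEAD cipher.

```python
import hashlib, hmac, secrets
from datetime import timedelta

RETENTION_DAYS = 30  # constructed placeholder; the post does not state the policy's period

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream: a stdlib-only stand-in for an
    # AEAD such as AES-GCM. Illustration only; it has no integrity protection.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class DailyStore:
    def __init__(self):
        self.keys = {}   # day -> key (kept on separate hardware in the post's design)
        self.blobs = {}  # day -> [(nonce, ciphertext)]

    def put(self, day, plaintext):
        key = self.keys.setdefault(day, secrets.token_bytes(32))  # one key per day
        nonce = secrets.token_bytes(16)
        self.blobs.setdefault(day, []).append((nonce, _xor_stream(key, nonce, plaintext)))

    def get(self, day):
        key = self.keys[day]  # raises KeyError once the day's key is destroyed
        return [_xor_stream(key, n, ct) for n, ct in self.blobs[day]]

    def _expired(self, table, today):
        cutoff = today - timedelta(days=RETENTION_DAYS)
        return sorted(d for d in table if d < cutoff)

    def shred_keys(self, today):
        # Key-only "deletion": the approach the post describes.
        for day in self._expired(self.keys, today):
            del self.keys[day]

    def purge(self, today):
        # Retention-compliant deletion: destroy the key and remove the ciphertext.
        self.shred_keys(today)
        for day in self._expired(self.blobs, today):
            del self.blobs[day]

    def overdue(self, today):
        # Days whose ciphertext is still held past the window: the audit finding.
        return self._expired(self.blobs, today)
```

After `shred_keys`, `get` fails for expired days but `overdue` still lists them; only `purge` empties that list.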
I completely respect the audits that Facebook conducts to ensure their partners are properly compliant. We will address each of the issues noted in Facebook’s audit despite not being a member of the MMP. You’ll be the first to know if, at some point in the future, we have the chance to participate in the MMP, although there is no clear timeline or expectation of that at the moment.**
Facebook has built a tremendous platform in mobile, and in a breathtakingly short period of time, has become a dominant player in the mobile performance ad space. User acquisition is but one component of the Kontagent+PlayHaven combination, but it’s important that we are able to help our customers measure users from every relevant channel and we will continue to do so. In the meantime we will be working hard to continue to grow the relationship with Facebook and hopefully expand it in other ways as we look to integrating more social capabilities into our platform – a common request from our customers.
Thanks for the time,
*Updated to reflect the official Facebook product name.
**Updated to provide more clarity on the lack of a timeline for reconsideration for the MMP.