In a November 19, 2020 letter to various non-profit groups, Apple reaffirmed its commitment to the App Tracking Transparency (ATT) permission feature first announced in June 2020: “We developed ATT for a single reason: because we share your concerns about users being tracked without their consent and the bundling and reselling of data by advertising networks and data brokers.” Slated for release in 2021, the ATT feature requires permission before certain data is accessed by advertisers, namely the identifier for advertisers (IDFA). Using the ATT feature, consumers will allow or reject tracking on an app-by-app basis.
The IDFA groups different users by similar search or browsing activity in an effort to limit advertisers from reverse engineering personally identifiable information. As described by Apple: “We create segments, which are groups of people who share similar characteristics, and use these groups for delivering targeted ads. Information about you may be used to determine which segments you’re assigned to, and thus, which ads you receive. To protect your privacy, targeted ads are delivered only if more than 5,000 people meet the targeting criteria.”
While touting its alleged “privacy forward” ATT feature, Apple threw down yet another privacy gauntlet against Facebook: “Facebook executives have made clear their intent is to collect as much data as possible across both first and third party products to develop and monetize detailed profiles of their users, and this disregard for user privacy continues to expand to include more of their products.” Letter, dated November 19, 2020.
in a November 20, 2020 statement sent to Business Insider, Facebook counterpunched: “The truth is Apple has expanded its business into advertising and through its upcoming iOS 14 changes is trying to move the free internet into paid apps and services where they profit. . . They claim it’s about privacy, but it’s about profit. . . This is all part of a transformation of Apple’s business away from innovative hardware products to data-driven software and media.”
In other words, Facebook suggested that Apple plans on using its dominant market position to prioritize its own data collection efforts while making it difficult for competitors to use the same data. Two months earlier, Facebook informed its business partners that it would “not collect the identifier for advertisers (IDFA) on our own apps on iOS 14 devices. . . . We may revisit this decision as Apple offers more guidance.”
Surprisingly, Facebook may actually have a point or two regarding Apple’s aspirations. On November 16, 2020, a group led by privacy activist Max Schrems filed complaints in Germany and Spain over Apple’s online tracking tool claiming a breach of the EU’s e-Privacy Directive.
Apple defines the IDFA as “an alphanumeric string unique to each device, that you [the third party app developer] only use for advertising. Specific uses are for frequency capping, attribution, conversion events, estimating the number of unique users, advertising fraud detection, and debugging”. [This IDFA] is “is very similar to a cookie: Apple and third parties (e.g. applications providers) can access this piece of information stored on the users’ device to track their behaviour, elaborate consumption preferences and provide relevant advertising. . . In practice, the IDFA is like a “digital license plate”. Every action of the user can be linked to the “license plate” and used to build a rich profile about the user. Such profile can later be used to target personalised advertisements, in-app purchases, promotions etc. When compared to traditional internet tracking IDs, the IDFA is simply a “tracking ID in a mobile phone” instead of a tracking ID in a browser cookie.
According to Reuters, Apple immediately disputed these claims, stating they were “factually inaccurate”. Apple curiously also said to Reuters that it “does not access or use the IDFA on a user’s device for any purpose”. Such a statement is curious only because on its face it means nothing when one considers the fact Apple allows “segmented” use and access to this “license plate” data. By creating an “identifier for advertisers” form of digital “license plate”, Apple most certainly uses the IDFA by proxy every time one of its ad partners uses it.
Moreover, days before its public Facebook spat, Apple was called out by a cybersecurity expert for perceived privacy shortcomings in Gatekeeper – the Apple system used for managing third-party application security. Pointing to flaws in how Gatekeeper relays and stores unencrypted information, Jeffrey Paul concluded: “Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. . . . This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns.”
According to a November 15, 2020 editorial in Apple Insider, these perceived risks were illusory. According to the editorial, “there’s not really much utility in knowing just what app is being launched, realistically speaking.” And to boot, “ISPs could have that data if they wanted to without the limited info that Apple’s Gatekeeper may provide.”
By claiming others could gather even more data and that the data in question does not have “much utility”, the editorial did not provide any real refutation of Jeffrey Paul’s basic concerns. Instead, the writer for Apple Insider hopes for the best: “There’s not even the prospect of Apple pulling a Google and using this data, as Apple has been a voracious defender of user privacy for many years, and it is unlikely to make such a move.” In other words, just trust Apple to do the right thing.
The very next day Apple actually did do the right thing and stopped collecting IP addresses related to Gatekeeper’s developer checks – likely in difference to Jeffrey Paul’s research. The Apple Support Update released on November 16, 2020 states: “To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs. In addition, over the the [sic] next year we will introduce several changes to our security checks: A new encrypted protocol for Developer ID certificate revocation checks; Strong protections against server failure; [and] A new preference for users to opt out of these security protections.” These new safeguards address the exact issues raised by Jeffrey Paul in his blog.
Apple’s aspirations regarding consumer data control will likely cause it to continue butting heads with social media platforms guarding their data oligarchies and privacy advocates protecting consumers. As the world’s largest market cap company, however, Apple may be uniquely positioned to take on such challenges. Unfortunately, governmental intervention may be the only viable check on Apple should the company ever fully stray from its prior data privacy commitments. Given the current dysfunctional political environment, Apple likely has a long runway should regulators ever come knocking.