Apple’s beefing up of iOS privacy protections has affected small data brokers, but apps can still collect group-centric data and identify users via device fingerprinting, according to an Oxford study.
In addition, the researchers claim that Apple itself engages in and permits some forms of tracking designed to tighten its control over the iOS market.
A paper titled “Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels,” to be published in June at the ACM Conference on Fairness, Accountability, and Transparency 2022, by Oxford academics Konrad Kollnig, Max Van Kleek, Reuben Binns and Nigel Shadbolt and independent US researcher Anastasia Shuba, describes what they found after analyzing 1,759 iOS apps from the UK App Store before and after the launch of iOS 14.
“While Apple’s changes make it harder to track individual users, they motivate a countermove and strengthen the existing market power of gatekeeper companies with access to vast repositories of first-party data,” their paper reads.
Apple’s iOS 14, originally released on September 16, 2020, introduced two privacy initiatives that had a significant impact on iOS app developers: the App Tracking Transparency (ATT) framework, an API that defines how system permission alert requests and app tracking authorization alert messages are presented to the app user; and app privacy labels (what the researchers call privacy nutrition labels), which disclose data-handling practices.
Google and Facebook complained bitterly about iOS 14 and warned of reduced advertising revenue. Coincidentally, both were later accused of conspiring to circumvent previous Apple privacy protections implemented in its Safari browser.
A common problem
While information gathering firms engaged in invasive data collection now face higher barriers thanks to Apple’s privacy measures for iOS 14, the researchers note that on average, the number of tracking libraries in apps has remained more or less the same.
“Many apps still collect device information that can be used to track users at a group level (cohort tracking) or to probabilistically identify individuals (fingerprinting),” they explain.
“We find real-world evidence that apps are computing and agreeing on a fingerprint-derived identifier through the use of server-side code, violating Apple’s policies and exposing the limits of what ATT can do against tracking on iOS.”
They say this is of particular concern given that they specifically refused to opt in to tracking in this study, and apps that ignore such consent violate both EU and UK data protection law.
The scientists also note that “Apple itself engages in some forms of tracking and exempts invasive data practices such as first-party tracking and credit scoring from its new rules, and that the new privacy nutrition labels were often inaccurate.”
This, they say, violates customer expectations and the company’s marketing claims – recall Apple’s 2019 billboard ad campaign, “What happens on your iPhone, stays on your iPhone.” Chinese users will find that the terms and conditions do not apply in their region.
The researchers looked at the number of tracking libraries in iOS apps before and after ATT was implemented and found that the numbers remained roughly the same – the median number of tracking libraries included in an app was 3 in both cases; the mean before was 3.7, while the mean after was 3.6.
The most common libraries also reflect this: Apple’s SKAdNetwork library (in 78.4 percent of the apps before and 81.8 percent after); Google Firebase Analytics Library (64.3% of apps before ATT and 67.0% after) and Google Crashlytics (43.6% before, 44.4% after).
Apple’s SKAdNetwork, when integrated into an app, sends information to Apple about the ads that the app user has clicked on. The scientists say Apple could theoretically use this data to create user profiles for its own advertising system. When they questioned Apple about this, citing their right to information under Article 13 of the GDPR, they said the company “has not disputed the fact that this data could be used for advertising, but has assured us that all ads are only targeted to segments of users (of at least 5,000 people with similar interests).”
All in all, they say that Apple’s privacy measures have had a seemingly negligible impact on integrating tracking libraries into existing apps.
Check the data
The experts found that the average number of tracking domains contacted by apps before a user consent interaction occurred increased slightly from 4.0 to 4.7 after the introduction of ATT. The most contacted domains were associated with Google Analytics services. For example, firebaseinstallations.googleapis.com was contacted by 4.1 percent of apps before ATT and 47.4 percent after.
“Overall, data exchange with tracker companies before any user interaction remains common, even after the introduction of the ATT,” say the researchers. “This may breach applicable data protection laws in the EU and UK which require prior consent.”
Apple’s ATT has clearly had a positive impact on sharing of the Identifier for Advertisers (IDFA). About 26 percent of apps shared it before ATT and none were found to do so after.
However, Apple’s privacy efforts have led to attempts to circumvent its rules. The researchers found nine apps capable of generating, via server-side code, a common user identifier that can be used for cross-app tracking.
“These 9 apps used an ‘AAID’ (possibly derived from the term Android Advertising Identifier) implemented and generated by Umeng, a subsidiary of Chinese tech company Alibaba,” the researchers explain. They add that deriving data from a device to form an identifier and sharing the identifier across devices is against Apple’s rules.
According to the paper, this was reported to Apple on November 17, 2021, and the company promised to investigate. When the researchers conducted a follow-up on February 1, some apps were still getting the identifier from a Umeng endpoint. Others now contact another Umeng endpoint using custom encryption for both requests and responses.
Considering that the encrypted data is still roughly the same size and the request/response MIME types haven’t changed, the experts conclude that the identifier is still in use, “but is now hidden from the public by the use of encryption”.
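The size-and-MIME-type comparison behind that conclusion can be sketched as follows. This is an added example, not code from the paper or from the article; the flow-record layout, the thresholds, the JSON field names and both captured bodies are constructed for illustration.

```python
import hashlib

# Printable ASCII plus tab/LF/CR. Raw ciphertext scores about 0.38, JSON about 1.0.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def printable_ratio(body: bytes) -> float:
    return sum(b in PRINTABLE for b in body) / len(body) if body else 1.0

def similar_size(a: bytes, b: bytes, tolerance: float = 0.3) -> bool:
    # "Roughly the same size": allow for an IV, padding or an auth tag.
    return abs(len(a) - len(b)) <= tolerance * max(len(a), len(b), 1)

def same_exchange_now_opaque(before: dict, after: dict) -> bool:
    """True when MIME types match, sizes are close and only the newer capture is unreadable."""
    for side in ("req", "resp"):
        old, new = before[side + "_body"], after[side + "_body"]
        if before[side + "_mime"] != after[side + "_mime"]:
            return False
        if not similar_size(old, new):
            return False
        # Assumed thresholds. A base64-wrapped ciphertext must be decoded first.
        if printable_ratio(old) < 0.95 or printable_ratio(new) > 0.7:
            return False
    return True

def fake_ciphertext(n: int, seed: bytes) -> bytes:
    # Deterministic stand-in for encrypted bytes (SHA-256 in counter mode).
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + bytes([i])).digest()
        i += 1
    return out[:n]

# Constructed captures of one app's identifier request, earlier and later.
BEFORE = {
    "req_mime": "application/json", "resp_mime": "application/json",
    "req_body": b'{"model":"iPhone12,1","os":"14.8","locale":"en_GB",'
                b'"tz":"Europe/London","disk_total":"63989493760"}',
    "resp_body": b'{"aaid":"CONSTRUCTED-0000-0000-0000-000000000000","status":"ok"}',
}
AFTER = dict(BEFORE,
             req_body=fake_ciphertext(len(BEFORE["req_body"]) + 16, b"req"),
             resp_body=fake_ciphertext(len(BEFORE["resp_body"]) + 16, b"resp"))
UNRELATED = dict(AFTER, resp_mime="image/png")

if __name__ == "__main__":
    print(same_exchange_now_opaque(BEFORE, AFTER))      # same exchange, now encrypted
    print(same_exchange_now_opaque(BEFORE, UNRELATED))  # MIME type changed
    print(same_exchange_now_opaque(BEFORE, BEFORE))     # still readable
```

A match is circumstantial evidence only: it shows the exchange kept its shape, not what the encrypted body contains.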
The Register asked Apple if it considers these allegations a violation of App Store policies and intends to take action. The company, which strives to respect The Register’s privacy at all times, has not responded.
The researchers conclude that big companies are still tracking iOS users behind the scenes, and they express concern that a private company, Apple, has transformed privacy over the years through regulatory intervention.
They also point out that Apple’s definition of tracking exempts its own advertising technology and makes other exceptions for fraud detection, fraud prevention, and credit reporting, which secure the operations of tracking companies and potentially violate consumer privacy expectations.
Finally, they argue that Apple’s double standard gives it a competitive advantage: access to data. Apple’s data caps, they claim, have enabled Apple to track while helping major competitors like Alphabet/Google and Meta/Facebook cement their market dominance.
“We conclude that Apple’s new changes have traded more privacy for more concentration of data collection at fewer technology companies,” they argue. “Stricter privacy rules may encourage even less transparency in app tracking by moving the tracking code to the servers of dominant tracking companies.” ®