Last year, Apple enacted App Tracking Transparency, a mandatory policy that forbids app makers from tracking user activity across other apps without first receiving those users’ explicit permission. Privacy advocates praised the initiative, and Facebook warned it would spell certain doom for companies that rely on targeted advertising. However, research published last week suggests that ATT, as it’s usually abbreviated, doesn’t always curb the surreptitious collection of personal data or the fingerprinting of users.
At the heart of ATT is the requirement that users must click an “allow” button that appears when an app is installed. It asks: “Allow [app] to track your activity across other companies’ apps and websites?” Without that consent, the app can’t access the so-called IDFA (Identifier for Advertisers), a unique identifier iOS or iPadOS assigns so they can track users across other installed apps. At the same time, Apple also started requiring app makers to provide “privacy nutrition labels” that declared the types of user and device data they collect and how that data is used.
Loopholes, bypasses, and outright violations
Last week’s research paper said that while ATT in many ways works as intended, loopholes in the framework also provided the opportunity for companies, particularly large ones like Google and Facebook, to work around the protections and stockpile even more data. The paper also warned that despite Apple’s promise for more transparency, ATT might give many users a false sense of security.
“Overall, our observations suggest that, while Apple’s changes make tracking individual users more difficult, they motivate a counter-movement, and reinforce existing market power of gatekeeper companies with access to large troves of first-party data,” the researchers wrote. “Making the privacy properties of apps transparent through large-scale analysis remains a difficult target for independent researchers, and a key obstacle to meaningful, accountable and verifiable privacy protections.”
The researchers also identified nine iOS apps that used server-side code to generate a mutual user identifier that a subsidiary of the Chinese tech company Alibaba can use for cross-app tracking. “The sharing of device information for purposes of fingerprinting would be in violation of Apple’s policies, which do not allow developers to ‘derive data from a device for the purpose of uniquely identifying it,’” the researchers wrote.
The researchers also said that Apple isn’t required to follow the policy in many cases, making it possible for Apple to further add to the stockpile of data it collects. They also noted that Apple also exempts tracking for purposes of “obtaining information on a consumer’s creditworthiness for the specific purpose of making a credit determination.”
Representatives from Apple and Alibaba didn’t immediately respond to emails seeking comment.
Based on a comparison of 1,685 apps published before and after ATT went into effect, the number of tracking libraries they used remained roughly the same. The most widely used libraries—including Apple’s SKAdNetwork, Google Firebase Analytics, and Google Crashlytics—didn’t change. Almost a quarter of the studied apps claimed that they didn’t collect any user data, but the majority of them—80 percent—contained at least one tracker library.
On average, the research found, apps that claimed they didn’t collect user data nonetheless contained 1.8 tracking libraries and contacted 2.5 tracking companies. Of apps that used SKAdNetwork, Google Firebase Analytics, and Google Crashlytics, more than half failed to disclose having access to user data. The Facebook SDK fared slightly better with about a 47 percent failure rate.
Enabling the data hoarders
Not only do the discrepancies underscore the limitations of ATT, but they also reinforce the power of what the researchers called “gatekeepers” and the opacity of data collection in general. The researchers wrote:
Our findings suggest that tracking companies, especially larger ones with access to large troves of first party, still track users behind the scenes. They can do this through a range of methods, including using IP addresses to link installation-specific IDs across apps and through the sign-in functionality provided by individual apps (e.g. Google or Facebook sign-in, or email address). Especially in combination with further user and device characteristics, which our data confirmed are still widely collected by tracking companies, it would be possible to analyse user behaviour across apps and websites (i.e. fingerprinting and cohort tracking). A direct result of the ATT could therefore be that existing power imbalances in the digital tracking ecosystem get reinforced.
We even found a real-world example of Umeng, a subsidiary of the Chinese tech company Alibaba, using their server-side code to provide apps with a fingerprinting-derived cross-app identifier… The use of fingerprinting is in violation of Apple’s policies, and raises questions around to what extent the company is able to enforce its policies. ATT might ultimately encourage a shift of tracking technologies behind the scenes, so that they are outside of Apple’s reach. In other words, Apple’s new rules might lead to even less transparency around tracking than we currently have, including for academic researchers.
Despite its flaws, ATT remains useful. I can’t think of any real benefits from allowing one app to track my usage of all other apps installed on my phone over months or years. The easiest way to enforce ATT is to access iOS settings > Privacy > Tracking and turn off “Allow Apps to Request to track.” People who want additional iOS privacy should uninstall any apps that are no longer needed or consider buying an app such as the Guardian Firewall. Ultimately, though, tracking and device fingerprinting are likely here to stay in some form, even in Apple’s walled garden.