An interesting new study of 1,759 iOS apps before and after Apple implemented a major privacy feature last year which required developers to ask permission to track app users — aka App Tracking Transparency (ATT) — has found the measure has made tracking more difficult by preventing the collection of the Identifier for Advertisers (IDFA), which can be used for cross-app user tracking.
However, the researchers found little change to tracking libraries baked into apps and also saw many apps still collecting tracking data despite the user having asked the apps not to be tracked.
Additionally, they found evidence of app makers engaging in privacy-hostile fingerprinting of users, through the use of server-side code, in a bid to circumvent Apple’s ATT — suggesting Cupertino’s move may be motivating a counter movement by developers to deploy other means to keep tracking iOS users.
“We even found a real-world example of Umeng, a subsidiary of the Chinese tech company Alibaba, using their server-side code to provide apps with a fingerprinting-derived cross-app identifier,” they write. “The use of fingerprinting is in violation of Apple’s policies, and raises questions around to what extent the company is able to enforce its policies. ATT might ultimately encourage a shift of tracking technologies behind the scenes, so that they are outside of Apple’s reach. In other words, Apple’s new rules might lead to even less transparency around tracking than we currently have, including for academic researchers.”
The research paper, which is entitled “Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels”, is the work of four academics affiliated with the University of Oxford and a fifth independent U.S.-based researcher. It’s worth noting that it’s been published as a pre-print — meaning it has not yet been peer reviewed.
Another component of the study looked at the “privacy nutrition labels” Apple introduced to iOS at the end of 2020 — with the researchers concluding that these labels are often inaccurate.
Apple’s system, which aims to provide iOS users with an at-a-glance overview of how much data they’re giving up to use an app, requires app developers to self-declare how they process user data. And here the researchers found “notable discrepancies” between apps’ disclosed and actual data practices — which they suggest may be creating a false sense of security for consumers and misleading them over how much privacy they’re giving up to use an app.
“Our findings suggest that tracking companies, especially larger ones with access to large troves of first party, still track users behind the scenes,” they write in a section discussing how continued, consentless tracking may be reinforcing both the power of gatekeepers and the opacity of the mobile data ecosystem. “They can do this through a range of methods, including using IP addresses to link installation-specific IDs across apps and through the sign-in functionality provided by individual apps (e.g. Google or Facebook sign-in, or email address).
“Especially in combination with further user and device characteristics, which our data confirmed are still widely collected by tracking companies, it would be possible to analyse user behaviour across apps and websites (i.e. fingerprinting and cohort tracking). A direct result of the ATT could therefore be that existing power imbalances in the digital tracking ecosystem get reinforced.”
The paper may add fuel to arguments that try to pitch competition law against privacy rights as the paper’s authors suggests their findings back the view that Apple and other large companies have been able to increase their market power as a result of implementing measures like ATT which give users more agency over their privacy.
Apple was contacted for comment on the research paper but at the time of writing the company had not responded.
While a separate plan by Google to deprecate support for tracking cookies in its Chrome browser — and switch to alternative ad targeting technologies (which the tech giant has also said it will bring to Android devices) — has similarly been targeted for antitrust complaints in recent months.
As it stands, neither move by the pair of mobile gatekeepers, Apple’s ATT or Google’s self-styled “Privacy Sandbox”, has been outright blocked by competition regulators, although Google’s Sandbox plan remains under close monitoring in Europe following a U.K. antitrust intervention which led the company to offer a series of commitments over how it will develop the tech stack. The interventions have also very likely contributed to delaying Google’s original timeline.
The EU is also conducting a formal antitrust investigation of Google’s adtech, which includes probing the Sandbox plan — although, at the time it announced the investigation, it stressed that any decision would need to consider user privacy too, writing that it would “take into account the need to protect user privacy, in accordance with EU laws in this respect, such as the General Data Protection Regulation”, and emphasizing that: “Competition law and data protection laws must work hand in hand to ensure that display advertising markets operate on a level playing field in which all market participants protect user privacy in the same manner.”
Joint working by the U.K.’s competition (CMA) and privacy regulators (ICO) has also been the approach undertaken throughout the CMA’s Privacy Sandbox procedure. And in an opinion last year, the outgoing U.K. information commissioner told the adtech industry it needed to move away from tracking and profiling-based ad targeting — urging the development of alternative ad targeting technologies that don’t require processing people’s data.
In discussion in their research paper, the researchers go on to speculate that reduced access to permanent user identifiers as a result of Apple’s ATT could — over time — “substantially improve” app privacy, pointing exactly to these wider shifts underway to recast ad-targeting technologies (such as Google’s Sandbox) which claim to be better for privacy, although as the researchers also note those claims need to be interrogated — as having the potential to flip economic calculations away from privacy-hostile techniques like fingerprinting.
However they predict that this migration away from tracking is further concentrating the market power of platform gatekeepers.
“While in the short run, some companies might try to replace the IDFA with statistical identifiers, the reduced access to non-probabilistic cross-app identifiers might make it very hard for data brokers and other smaller tracker companies to compete. Techniques like fingerprinting and cohort tracking may end up not being competitive enough compared to more privacy-preserving, on-device solutions,” they suggest. “We are already seeing a shift of the advertising industry towards the adoption of such solutions, driven by decisions of platform gatekeepers (e.g. Google’s FloC / Topics API and Android Privacy Sandbox, Apple’s ATT and Privacy Nutrition Labels), though more discussion is needed if these new technologies protect privacy meaningfully.
“The net result, however, of this shift towards more privacy preserving methods is likely going to be more concentration with the existing platform gatekeepers, as the early reports on the tripled marketing share of Apple, the planned overhaul of advertising technologies by Facebook/Meta and others, and the shifting spending patterns of advertisers suggest. At the end of the day, advertising to iOS users — being some of the wealthiest individuals — will be an opportunity that many advertisers cannot miss out on, and so they will rely on the advertising technologies of the larger tech companies to continue targeting the right audiences with their ads.”
The paper also calls out the failure of European regulators and policymakers to crack down on tracking by enforcing privacy laws such as the General Data Protection Regulation (GDPR), writing that: “[I]t is worrying that a few changes by a private company (Apple) seem to have changed data protection in apps more than many years of high-level discussion and efforts by regulators, policymakers and others. This highlights the relative power of these gatekeeper companies, and the failure of regulators thus far to enforce the GDPR adequately. An effective approach to increase compliance with data protection law and privacy protections in practice might be more targeted regulation of the gatekeepers of the app ecosystem; so far, there exists no targeted regulation in the US, UK and EU.”
Targeted regulation is coming down the pipe for internet gatekeepers, though. Albeit at a pace that’s orders of magnitude slower than the ads which get auctioned off and microtargeted at eyeballs every millisecond of every day.
The European Union reached political agreement on its flagship ex ante competition reform for gatekeepers, aka the Digital Markets Act, just last month — and lawmakers said then that they expect the regime to come into force in October. (Although it’s unlikely to really kick in until 2023 at the earliest and there’s already debate over whether the Commission has adequate resources to enforce against some of the world’s most valuable companies with their expanding armies of in-house lawyers.)
The U.K., meanwhile, has its own bespoke version of this sort of Big Tech competition reform. Its “pro-competition” regime was trailed back in 2020 but is still pending legislation to empower the Digital Markets Unit. And recent reports in the U.K. press have suggested the Digital Competition Bill won’t now be presented to parliament until next year — which would mean further delay.
Germany is ahead of the curve here, having passed a competition reform at the start of last year. It has also — earlier this year — identified Google as subject to this special abuse control regime. Although the country’s FCO still needs to complete the work of investigating the various Google products that are causing it competition concern. But it’s possible that we’ll see some gatekeeper targeted enforcements by the FCO this year.