Max Schrems is back... and he's challenging Apple's 'secret iPhone advertising tracking cookies' in Europe

US giant breaks privacy law by generating per-user 'digital license plate' without permission – claim


Privacy activist Max Schrems is back, and this time he has filed complaints against Apple for privacy violations over a cookie it places in iPhones for some advertisers.

His digital rights group Noyb has targeted the tech giant in Germany and Spain, claiming Cupertino's “Identifier for Advertisers” (IDFA) tracking ID, which is automatically generated on every iPhone during setup, allows Apple, app makers and ad networks to follow an individual user's activities and use that data to show them ads targeted at their interests.

Here's Noyb's gist of its own complaint:

Each iPhone runs on Apple’s iOS operating system. By default, iOS automatically generates a unique “IDFA” (short for Identifier for Advertisers) for each iPhone. Just like a license plate this unique string of numbers and characters allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”).

Apple’s operating system creates the IDFA without user’s knowledge or consent. After its creation, Apple and third parties (e.g. applications providers and advertisers) can access the IDFA to track users’ behaviour, elaborate consumption preferences and provide personalised advertising.

Schrems has a track record of winning against tech giants, most famously forcing the collapse not once, but twice, of the transatlantic Privacy Shield data-sharing agreement between the European Union and the United States by focusing on Facebook’s data policies.

In this particular case, Noyb argues Apple's IDFA effectively acts like a cookie, and so requires a user’s consent under European law – and yet the tech giant creates the ID code in secret. As such, the team reckons Apple breaks the EU’s 2002 e-Privacy Directive aka “Cookie Law” and Article 5(3) which it says “requires informed and unambiguous consent from users to store their data.”

The complaint [PDF] states that “in practice, the IDFA is like a ‘digital license plate.’ Every action of the user can be linked to the ‘license plate’ and used to build a rich profile about the user. Such profile can later be used to target personalised advertisements, in-app purchases, promotions etc. When compared to traditional internet tracking IDs, the IDFA is simply a ‘tracking ID in a mobile phone’ instead of a tracking ID in a browser cookie.”

In recent years, Apple has made big play out of its approach to privacy, pointing out repeatedly that, unlike, say, Facebook and Google, it does not seek to gather as much information on users as possible so it can then sell access to advertisers. But, according to Noyb, Apple is effectively doing exactly that by tracking users across applications using the IDFA, and even connecting the ID with online and mobile behavior.

Data breach

“EU law protects our devices from external tracking. Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used,” said Noyb’s privacy lawyer Stefano Rossetti. “While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws.”

The complaint provides an exchange between Noyb and Apple back in February in which the privacy group asked for information about IDFA, and Apple claimed that consent is not required from users for its installation because it is randomly generated and not associated with Apple’s own ID system, Apple ID.

But Noyb took issue with that characterization, noting that the IDFA will be shared with several apps, and with Facebook, and so became linked to private information. “I believe this pseudoanonymous identifier is private data under GDPR precisely because it can be tied to me personally,” Noyb quoted a complainant, whose name is redacted, in the case as saying.

Privacy policy on a tablet

Apple: Yeah, about those ground-breaking privacy features in iOS 14 – don't expect them until next year

READ MORE

Apple replied to that response by stating it was “not in a position to comment on how a third party may handle such matters,” and then followed its usual rule book: it went silent and failed to respond to all subsequent communication.

Four months later, in June, Apple announced it was going to cut off guaranteed third-party access to IDFA. The announcement sparked horror in the online advertising industry, and Facebook even publicly griped about it. One week later, Apple announced it was delaying the changes, which would require permission from users before their devices would use the IDFA system.

'Factually inaccurate'

Apple responded briefly to the complaint on Monday, saying the claims were "factually inaccurate and we look forward to making that clear to privacy regulators should they examine the complaint."

Apple has good reason to be worried, however. Since Noyb claims the code breaks the e-Privacy Directive, rather than, say, GDPR, European governments can directly fine the iPhone maker if they finds it has broken the law.

Even if/when Apple does implement the changes it highlighted in August, it is still insufficient, Noyb argues in its complaint. “These changes seem to restrict the use of the IDFA for third parties (but not for Apple itself),” it said. “However, the initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law.” It argues that the IDFA shouldn’t be restricted but permanently deleted.

The advertising industry has also recognized the threat posed by the complaint, and has started arguing that folks should be given an opt-out option to being tracked, and that such code should not be removed.

COO of adtech company TrafficGuard, Luke Taylor, noted: "As an advertising industry, we’ve done a very poor job of communicating to the end user as to why we’re tracking them, and why this is beneficial... Few consumers understand how any of this works, and with lack of understanding it’s simple to just say no and block it. Importantly though, they should have the option to be able to opt-out.

"Many people think of ‘advertisers’ as big headless corporations and digital advertising as this sinister dark art. But it is an ecosystem and businesses of all sizes depend on online advertising to reach consumers." ®


Biting the hand that feeds IT © 1998–2020