Google has shared details of upcoming changes to Android including the ability to blank a device's advertising ID, and a new safety section for apps in the Play store.
The advertising ID is an identifier unique to an Android device which is supplied by Google Play Services. Since every app on that device can retrieve the same ID, it can be used for profiling the user of the device. Users can set an option to "Limit ad tracking", and the API that supplies the advertising ID also indicates whether the user has opted out, but respecting this option is on a trust basis.
Privacy advocate Max Schrems filed a legal complaint against Google last year, arguing that the advertising ID is personal data and that the option to reset it, which automatically creates a replacement ID, was "like cancelling a contract only under the condition that you sign a new one."
Why supply the advertising ID at all if the user wishes to limit ad tracking? Google has accepted this idea, and director of product management Krish Vitaldevara posted that "when users opt out of interest-based advertising or ads personalization, their advertising ID will be removed and replaced with a string of zeros."
Developers were informed of the upcoming change last month. The change will be implemented by an update to Google Play Services on the device, and will affect Android 12 devices from late this year, and "all apps running on devices that support Google Play" in early 2022.
There is also a new feature whereby when a user deletes their advertising ID, developers will receive a notification "so they can promptly erase advertising IDs that are not in use."
Are there other ways of uniquely identifying a device? There are, including the hardware IMEI, the serial number, the Wi-Fi or Bluetooth MAC address, and the Android ID. Vitaldevara said that Google is "prohibiting linking persistent device identifiers to personal and sensitive user data or resettable device identifiers."
Once again it is a matter of trusting the vendor, though Android permissions play a role here too. Apps that ask for permissions that appear to have nothing to do with their functionality should give users pause for thought. Note Android 12, currently in beta, has fixed a long-standing complaint, that apps scanning nearby Bluetooth devices need location permissions. This is not the case in Android 12.
- Mozilla ups its VPN game – and the price – with split tunneling for Android, iOS
- Google to bake COVID-19 vaccine passport support into Android with Passes API update
- Android devs prepare to hand over app-signing keys to Google from August
- Samsung commits to 5 years of Android updates... for its enterprise smartphone users at least
That said, Google is also introducing a new device identifier, called the app set ID, which will be the same for all apps on a device that are published by the same developer. This is intended for "analytics or fraud prevention." Vitaldevara said that "you cannot use app set ID for ads personalization or ads measurement." Developers can only use the advertising ID for this, and further, apps "primarily directed to children" are not allowed to collect the advertising ID.
While these changes will no doubt be welcomed by those who care about their privacy, note that the advertising ID will be present by default, unlike Apple's changes in iOS 14.5 which require developers to ask users to opt into tracking across apps and websites. Figures collected by analytics company Flurry show an opt-in rate of just 13 per cent across apps, gradually increasing as more users respond to prompts. The opt out is likely to have much less impact.
Doubts remain, both over how effective these new privacy controls will be at curbing ad tracking on Android, and whether Google's changes will also happen to give the company a further advantage over its competitors. In its latest financial statements for calendar Q2, Google's parent company Alphabet reported quarterly revenue from advertising of $50.44bn from $61.8bn total revenue. ®