Apple iOS privacy clampdown 'did little' to reduce tracking

Apple's ramp up in iOS privacy measures has affected small data brokers, yet apps can still collect group-oriented data and identify users via device fingerprinting, according to a study out of Oxford.

What's more, the researchers claim, Apple itself engages in and allows some forms of tracking, which serve to strengthen its control over the iOS market.

In a paper titled, "Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels," due to be published in June for the ACM Conference on Fairness, Accountability, and Transparency 2022, Oxford academics Konrad Kollnig, Max Van Kleek, Reuben Binns, and Nigel Shadbolt, with independent US-based researcher Anastasia Shuba, describe what they found after analyzing 1,759 iOS apps from the UK App Store, both before and after the introduction of iOS 14.

"While Apple’s changes make tracking individual users more difficult, they motivate a counter-movement, and reinforce existing market power of gatekeeper companies with access to large troves of first-party data," they state in their paper.

Apple's iOS 14, initially released on September 16, 2020, introduced two privacy initiatives that had a significant impact on iOS app developers: the App Tracking Transparency framework, an API that defines how system-permission alert requests and app-tracking authorization alerts are presented to the app user; and app privacy labels (which the researchers refer to as Privacy Nutrition Labels) that disclose data handling practices.

Google and Facebook complained bitterly about iOS 14 and warned about reduced ad revenue. Both, coincidentally, would later be accused of colluding to bypass prior Apple privacy measures implemented in its Safari browser.

A common problem

Kollnig's team found that other ad companies have behaved similarly, by sharing a fingerprint-based tracking identifier, and that Apple itself tracks users and exempts certain data gathering from its privacy rules.

While information gathering firms that engaged in invasive data collection now face higher barriers, thanks to Apple's iOS 14 privacy measures, the researchers observe that the number of tracking libraries within apps, on average, has remained more or less the same.

"Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting)," they explain.

"We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple’s policies and exposing the limits of what ATT can do against tracking on iOS."

They say this is particularly concerning because they explicitly refused to opt-in to tracking in this study and apps ignoring such consent violate both EU and UK data protection law.

The academics also observe, "Apple itself engages in some forms of tracking and exempts invasive data practices like first-party tracking and credit scoring from its new rules, and that the new Privacy Nutrition Labels were often inaccurate."

This, they say, violates customer expectations and company marketing claims – recall Apple's 2019 billboard ad campaign, "What happens on your iPhone, stays on your iPhone." Chinese users will find terms and conditions don't apply in their locality.

The researchers looked at the number of tracking libraries in iOS apps, both before and after the implementation of ATT, and found the numbers remained about the same – the median number of tracking libraries included in an app was 3.0 in both cases; the mean before was 3.7 while the mean after was 3.6.

• Man arrested, accused of trying to track woman using Apple Watch attached to car
• Apple delivers desktop, mobile OS updates, patches dozens of security holes
• How legacy IPv6 addresses can spoil your network privacy
• Airtag clones can sidestep Apple anti-stalker tech

The most common libraries also remind the same: Apple's SKAdNetwork library (in 78.4 percent of apps before, and 81.8 per cent after); Google Firebase Analytics library (64.3 percent of apps from before ATT, and 67.0 percent after), and Google Crashlytics (43.6 percent before, 44.4 percent after).

Apple's SKAdNetwork, when integrated into an app, sends information about the ads the app user has clicked on to Apple. The academics say Apple could, in theory, use this data to build user profiles for its own ad system. When they asked Apple about this, citing their right to be informed under GDPR Article 13, they say the company "did not deny the fact that this data might be used for advertising, but assured us that any targeted ads would only be served to segments of users (of at least 5,000 individuals with similar interests)."

All told, they say Apple's privacy measures seem to have had negligible impact on the integration of tracking libraries within existing apps.

Check the data

The boffins found that the average number of tracking domains contacted by apps prior to any user consent interaction increased a bit after the introduction of ATT, from 4.0 to 4.7. The most commonly seen domains were associated with Google Analytics services. For example, firebaseinstallations.googleapis.com got called by 4.1 percent of apps prior to ATT and 47.4 percent after.

"Overall, data sharing with tracker companies before any user interaction remains common, even after the introduction of the ATT," the researchers say. "This is in potential violation with applicable data protection laws in the EU and UK, which require prior consent."

Apple's ATT has had a clear beneficial effect with regard to the Identifier for Advertisers (IDFA). Some 26 percent of apps shared it before ATT and none were found doing so afterwards.

Apple's privacy efforts, however, have led to attempts to skirt its rules. The boffins found nine apps capable of generating a mutual user identifier that can be used for a cross-app tracking via server-side code.

"These 9 apps used an 'AAID' (potentially leaning on the term Android Advertising Identifier) implemented and generated by Umeng, a subsidiary of the Chinese tech company Alibaba," the researchers explain. They add that deriving data from a device to form an identifier and sharing the identifier across devices violates Apple's rules.

According to the paper, this was reported to Apple on November 17th, 2021, and the company promised to investigate. When the researchers conducted a followup check on February 1, some apps still received the identifier from a Umeng endpoint. Others now contact a different Umeng endpoint using custom encryption for both requests and responses.

Noting that the encrypted data is still roughly the same size and the request/response mimetypes haven't changed, the boffins conclude the identifier is still being used, "but has now been hidden away from the public through the use of encryption."

The Register asked Apple whether it considers these allegations to be a violation of App Store Guidelines and whether it intends to take any action. The company, ever keen to respect The Register's privacy, has not responded.

The researchers conclude that large companies still track iOS users behind the scenes and they express concern that a private company, Apple, has changed privacy more than years of regulatory involvement.

They further note that Apple’s definition of tracking exempts its own advertising technology and makes other exceptions for fraud detection, fraud prevention, and credit reporting that provide cover for tracking companies to operate and potentially violate consumer privacy expectations.

Finally, they argue that Apple's double standards give it a competitive advantage: access to data. Apple's data limitations, they contend, have empowered Apple to track while helping large rivals like Alphabet/Google and Meta/Facebook to consolidate their market dominance.

"We conclude that the new changes by Apple have traded more privacy for more concentration of data collection with fewer tech companies," they argue. "Stricter privacy rules may encourage even less transparency around app tracking, by shifting tracking code onto the servers of dominant tracking companies." ®