Apple iOS privacy clampdown 'did little' to reduce tracking

Double-standard rules have strengthened iGiant's gatekeeper power


Apple's ramp-up in iOS privacy measures has affected small data brokers, yet apps can still collect group-oriented data and identify users via device fingerprinting, according to a study out of Oxford.

What's more, the researchers claim, Apple itself engages in and allows some forms of tracking, which serve to strengthen its control over the iOS market.

In a paper titled, "Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels," due to be published in June for the ACM Conference on Fairness, Accountability, and Transparency 2022, Oxford academics Konrad Kollnig, Max Van Kleek, Reuben Binns, and Nigel Shadbolt, with independent US-based researcher Anastasia Shuba, describe what they found after analyzing 1,759 iOS apps from the UK App Store, both before and after the introduction of iOS 14.

"While Apple’s changes make tracking individual users more difficult, they motivate a counter-movement, and reinforce existing market power of gatekeeper companies with access to large troves of first-party data," they state in their paper.

Apple's iOS 14, initially released on September 16, 2020, introduced two privacy initiatives that had a significant impact on iOS app developers: the App Tracking Transparency framework, an API that defines how system-permission alert requests and app-tracking authorization alerts are presented to the app user; and app privacy labels (which the researchers refer to as Privacy Nutrition Labels) that disclose data handling practices.

Google and Facebook complained bitterly about iOS 14 and warned about reduced ad revenue. Both, coincidentally, would later be accused of colluding to bypass prior Apple privacy measures implemented in its Safari browser.

A common problem

Kollnig's team found that other ad companies have behaved similarly, by sharing a fingerprint-based tracking identifier, and that Apple itself tracks users and exempts certain data gathering from its privacy rules.

While information gathering firms that engaged in invasive data collection now face higher barriers, thanks to Apple's iOS 14 privacy measures, the researchers observe that the number of tracking libraries within apps, on average, has remained more or less the same.

"Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting)," they explain.

"We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple’s policies and exposing the limits of what ATT can do against tracking on iOS."

They say this is particularly concerning because they explicitly refused to opt-in to tracking in this study and apps ignoring such consent violate both EU and UK data protection law.

The academics also observe, "Apple itself engages in some forms of tracking and exempts invasive data practices like first-party tracking and credit scoring from its new rules, and that the new Privacy Nutrition Labels were often inaccurate."

This, they say, violates customer expectations and company marketing claims – recall Apple's 2019 billboard ad campaign, "What happens on your iPhone, stays on your iPhone." Chinese users will find terms and conditions don't apply in their locality.

The researchers looked at the number of tracking libraries in iOS apps, both before and after the implementation of ATT, and found the numbers remained about the same – the median number of tracking libraries included in an app was 3.0 in both cases; the mean before was 3.7 while the mean after was 3.6.

The most common libraries also remained the same: Apple's SKAdNetwork library (in 78.4 percent of apps before, and 81.8 percent after); Google Firebase Analytics library (64.3 percent of apps from before ATT, and 67.0 percent after); and Google Crashlytics (43.6 percent before, 44.4 percent after).

Apple's SKAdNetwork, when integrated into an app, sends information about the ads the app user has clicked on to Apple. The academics say Apple could, in theory, use this data to build user profiles for its own ad system. When they asked Apple about this, citing their right to be informed under GDPR Article 13, they say the company "did not deny the fact that this data might be used for advertising, but assured us that any targeted ads would only be served to segments of users (of at least 5,000 individuals with similar interests)."

All told, they say Apple's privacy measures seem to have had negligible impact on the integration of tracking libraries within existing apps.

Check the data

The boffins found that the average number of tracking domains contacted by apps prior to any user consent interaction increased a bit after the introduction of ATT, from 4.0 to 4.7. The most commonly seen domains were associated with Google Analytics services. For example, firebaseinstallations.googleapis.com got called by 4.1 percent of apps prior to ATT and 47.4 percent after.

"Overall, data sharing with tracker companies before any user interaction remains common, even after the introduction of the ATT," the researchers say. "This is in potential violation with applicable data protection laws in the EU and UK, which require prior consent."
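
For readers who want to run the same kind of check on their own app's traffic, here is an added example (not code from the paper or from The Register) that counts tracker hosts contacted before any consent interaction. The flow records, consent timestamps and every host other than firebaseinstallations.googleapis.com are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed tracker list; only the first host is named in the article.
TRACKER_HOSTS = {
    "firebaseinstallations.googleapis.com",
    "tracker.example",
    "ads.example",
}

# Constructed capture: (app, seconds since launch, host contacted).
FLOWS = [
    ("app.alpha", 0.4, "firebaseinstallations.googleapis.com"),
    ("app.alpha", 0.9, "cdn.alpha.example"),
    ("app.alpha", 1.2, "metrics.tracker.example"),
    ("app.alpha", 6.0, "ads.example"),
    ("app.beta", 0.3, "api.beta.example"),
    ("app.beta", 2.5, "firebaseinstallations.googleapis.com"),
    ("app.gamma", 0.2, "nottracker.example"),
]

# Constructed: time of the first consent-prompt interaction per app.
# None means no prompt was ever answered during the capture.
CONSENT_AT = {"app.alpha": 5.0, "app.beta": 2.0, "app.gamma": None}


def is_tracker(host, trackers=TRACKER_HOSTS):
    """Match the host or any parent domain, on label boundaries only."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in trackers for i in range(len(labels)))


def pre_consent_trackers(flows, consent_at):
    """Return {app: tracker hosts contacted before any consent interaction}."""
    hits = defaultdict(set)
    for app, t, host in flows:
        cutoff = consent_at.get(app)
        # With no answered prompt, every contact counts as pre-consent.
        before = cutoff is None or t < cutoff
        if before and is_tracker(host):
            hits[app].add(host.lower())
    return {app: hits.get(app, set()) for app in consent_at}


def summarize(flows, consent_at):
    """Per-app findings plus the mean number of pre-consent tracker hosts."""
    per_app = pre_consent_trackers(flows, consent_at)
    return per_app, mean(len(h) for h in per_app.values())
```

Any non-empty set for an app is a contact that happened before the user could have agreed to anything, which is the condition the researchers flag.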

Apple's ATT has had a clear beneficial effect with regard to the Identifier for Advertisers (IDFA). Some 26 percent of apps shared it before ATT and none were found doing so afterwards.

Apple's privacy efforts, however, have led to attempts to skirt its rules. The boffins found nine apps capable of generating a mutual user identifier that can be used for cross-app tracking via server-side code.

"These 9 apps used an 'AAID' (potentially leaning on the term Android Advertising Identifier) implemented and generated by Umeng, a subsidiary of the Chinese tech company Alibaba," the researchers explain. They add that deriving data from a device to form an identifier and sharing the identifier across devices violates Apple's rules.

According to the paper, this was reported to Apple on November 17th, 2021, and the company promised to investigate. When the researchers conducted a followup check on February 1, some apps still received the identifier from a Umeng endpoint. Others now contact a different Umeng endpoint using custom encryption for both requests and responses.

Noting that the encrypted data is still roughly the same size and the request/response mimetypes haven't changed, the boffins conclude the identifier is still being used, "but has now been hidden away from the public through the use of encryption."

The Register asked Apple whether it considers these allegations to be a violation of App Store Guidelines and whether it intends to take any action. The company, ever keen to respect The Register's privacy, has not responded.

The researchers conclude that large companies still track iOS users behind the scenes and they express concern that a private company, Apple, has changed privacy more than years of regulatory involvement.

They further note that Apple’s definition of tracking exempts its own advertising technology and makes other exceptions for fraud detection, fraud prevention, and credit reporting that provide cover for tracking companies to operate and potentially violate consumer privacy expectations.

Finally, they argue that Apple's double standards give it a competitive advantage: access to data. Apple's data limitations, they contend, have empowered Apple to track while helping large rivals like Alphabet/Google and Meta/Facebook to consolidate their market dominance.

"We conclude that the new changes by Apple have traded more privacy for more concentration of data collection with fewer tech companies," they argue. "Stricter privacy rules may encourage even less transparency around app tracking, by shifting tracking code onto the servers of dominant tracking companies." ®
