
Apple iOS privacy clampdown 'did little' to reduce tracking

Double-standard rules have strengthened iGiant's gatekeeper power


Apple's ramp up in iOS privacy measures has affected small data brokers, yet apps can still collect group-oriented data and identify users via device fingerprinting, according to a study out of Oxford.

What's more, the researchers claim, Apple itself engages in and allows some forms of tracking, which serve to strengthen its control over the iOS market.

In a paper titled, "Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels," due to be published in June for the ACM Conference on Fairness, Accountability, and Transparency 2022, Oxford academics Konrad Kollnig, Max Van Kleek, Reuben Binns, and Nigel Shadbolt, with independent US-based researcher Anastasia Shuba, describe what they found after analyzing 1,759 iOS apps from the UK App Store, both before and after the introduction of iOS 14.

"While Apple’s changes make tracking individual users more difficult, they motivate a counter-movement, and reinforce existing market power of gatekeeper companies with access to large troves of first-party data," they state in their paper.

Apple's iOS 14, initially released on September 16, 2020, introduced two privacy initiatives that had a significant impact on iOS app developers: the App Tracking Transparency framework, an API that defines how system-permission alert requests and app-tracking authorization alerts are presented to the app user; and app privacy labels (which the researchers refer to as Privacy Nutrition Labels) that disclose data handling practices.

Google and Facebook complained bitterly about iOS 14 and warned about reduced ad revenue. Both, coincidentally, would later be accused of colluding to bypass prior Apple privacy measures implemented in its Safari browser.

A common problem

Kollnig's team found that other ad companies have behaved similarly, by sharing a fingerprint-based tracking identifier, and that Apple itself tracks users and exempts certain data gathering from its privacy rules.

While information gathering firms that engaged in invasive data collection now face higher barriers, thanks to Apple's iOS 14 privacy measures, the researchers observe that the number of tracking libraries within apps, on average, has remained more or less the same.

"Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting)," they explain.

"We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple’s policies and exposing the limits of what ATT can do against tracking on iOS."

They say this is particularly concerning because they explicitly refused to opt-in to tracking in this study and apps ignoring such consent violate both EU and UK data protection law.

The academics also observe, "Apple itself engages in some forms of tracking and exempts invasive data practices like first-party tracking and credit scoring from its new rules, and that the new Privacy Nutrition Labels were often inaccurate."

This, they say, violates customer expectations and company marketing claims – recall Apple's 2019 billboard ad campaign, "What happens on your iPhone, stays on your iPhone." Chinese users will find terms and conditions don't apply in their locality.

The researchers looked at the number of tracking libraries in iOS apps, both before and after the implementation of ATT, and found the numbers remained about the same – the median number of tracking libraries included in an app was 3.0 in both cases; the mean before was 3.7 while the mean after was 3.6.

The most common libraries also remained the same: Apple's SKAdNetwork library (in 78.4 percent of apps before, and 81.8 percent after); Google Firebase Analytics library (64.3 percent of apps before ATT, and 67.0 percent after); and Google Crashlytics (43.6 percent before, 44.4 percent after).

Apple's SKAdNetwork, when integrated into an app, sends information about the ads the app user has clicked on to Apple. The academics say Apple could, in theory, use this data to build user profiles for its own ad system. When they asked Apple about this, citing their right to be informed under GDPR Article 13, they say the company "did not deny the fact that this data might be used for advertising, but assured us that any targeted ads would only be served to segments of users (of at least 5,000 individuals with similar interests)."

All told, they say Apple's privacy measures seem to have had negligible impact on the integration of tracking libraries within existing apps.

Check the data

The boffins found that the average number of tracking domains contacted by apps prior to any user consent interaction increased a bit after the introduction of ATT, from 4.0 to 4.7. The most commonly seen domains were associated with Google Analytics services. For example, firebaseinstallations.googleapis.com got called by 4.1 percent of apps prior to ATT and 47.4 percent after.

"Overall, data sharing with tracker companies before any user interaction remains common, even after the introduction of the ATT," the researchers say. "This is in potential violation with applicable data protection laws in the EU and UK, which require prior consent."
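The measurement described above, contacting tracker domains before any consent interaction, can be reproduced on a network capture. The following is an added example, not code from the Oxford paper: the log format, app names and the tracker list (apart from firebaseinstallations.googleapis.com, which the article names) are constructed for illustration.

```python
"""Flag tracker domains an app contacts before its ATT consent prompt.
Added example, not the paper's tooling. Log format, app names and most
tracker entries are constructed; a real analysis would use a curated
tracker blocklist and a capture from an instrumented device."""
from collections import defaultdict
from statistics import mean

# Constructed tracker list; only the first entry is named in the article.
TRACKER_DOMAINS = {
    "firebaseinstallations.googleapis.com",
    "tracker.example-ads.test",  # constructed placeholder
}

# Constructed capture: "<seconds since launch> <app> <event> <detail>".
# 'dns' = hostname the app resolved; 'consent' = the ATT prompt appeared,
# i.e. the first moment a user could have opted in to tracking.
SAMPLE_LOG = """\
0.4 app.alpha dns firebaseinstallations.googleapis.com
0.9 app.alpha dns cdn.example.test
2.1 app.alpha consent att_prompt
3.0 app.alpha dns tracker.example-ads.test
0.2 app.beta consent att_prompt
1.5 app.beta dns firebaseinstallations.googleapis.com
0.3 app.gamma dns tracker.example-ads.test
"""


def trackers_before_consent(log: str) -> dict[str, set[str]]:
    """Map each app to the tracker domains it contacted before its first
    consent prompt; an app that never shows the prompt is counted in full."""
    first_consent: dict[str, float] = {}
    contacts: dict[str, list[tuple[float, str]]] = defaultdict(list)
    for line in log.splitlines():
        ts, app, event, detail = line.split()
        t = float(ts)
        if event == "consent":
            first_consent[app] = min(t, first_consent.get(app, t))
        elif event == "dns":
            contacts[app].append((t, detail))
    result: dict[str, set[str]] = {}
    for app, hits in contacts.items():
        cutoff = first_consent.get(app, float("inf"))
        result[app] = {d for t, d in hits
                       if t < cutoff and d in TRACKER_DOMAINS}
    return result


def mean_trackers_before_consent(log: str) -> float:
    """Per-app average of pre-consent tracker domains, the figure the
    paper reports rising from 4.0 to 4.7 (here computed on the sample)."""
    return mean(len(v) for v in trackers_before_consent(log).values())
```

On the constructed sample, app.alpha's Firebase call lands before the prompt, app.beta's lands after it, and app.gamma never prompts at all, which is exactly the pattern the researchers flag as a likely consent violation.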

Apple's ATT has had a clear beneficial effect with regard to the Identifier for Advertisers (IDFA). Some 26 percent of apps shared it before ATT and none were found doing so afterwards.

Apple's privacy efforts, however, have led to attempts to skirt its rules. The boffins found nine apps capable of generating a mutual user identifier that can be used for cross-app tracking via server-side code.

"These 9 apps used an 'AAID' (potentially leaning on the term Android Advertising Identifier) implemented and generated by Umeng, a subsidiary of the Chinese tech company Alibaba," the researchers explain. They add that deriving data from a device to form an identifier and sharing the identifier across devices violates Apple's rules.

According to the paper, this was reported to Apple on November 17th, 2021, and the company promised to investigate. When the researchers conducted a follow-up check on February 1, some apps still received the identifier from a Umeng endpoint. Others now contact a different Umeng endpoint using custom encryption for both requests and responses.

Noting that the encrypted data is still roughly the same size and the request/response mimetypes haven't changed, the boffins conclude the identifier is still being used, "but has now been hidden away from the public through the use of encryption."

The Register asked Apple whether it considers these allegations to be a violation of App Store Guidelines and whether it intends to take any action. The company, ever keen to respect The Register's privacy, has not responded.

The researchers conclude that large companies still track iOS users behind the scenes, and they express concern that a single private company, Apple, has changed the privacy landscape more than years of regulatory involvement.

They further note that Apple’s definition of tracking exempts its own advertising technology and makes other exceptions for fraud detection, fraud prevention, and credit reporting that provide cover for tracking companies to operate and potentially violate consumer privacy expectations.

Finally, they argue that Apple's double standards give it a competitive advantage: access to data. Apple's data limitations, they contend, have empowered Apple to track while helping large rivals like Alphabet/Google and Meta/Facebook to consolidate their market dominance.

"We conclude that the new changes by Apple have traded more privacy for more concentration of data collection with fewer tech companies," they argue. "Stricter privacy rules may encourage even less transparency around app tracking, by shifting tracking code onto the servers of dominant tracking companies." ®
