Personal Tech

Apple iOS privacy clampdown 'did little' to reduce tracking

Double-standard rules have strengthened iGiant's gatekeeper power

Apple's ramp up in iOS privacy measures has affected small data brokers, yet apps can still collect group-oriented data and identify users via device fingerprinting, according to a study out of Oxford.

What's more, the researchers claim, Apple itself engages in and allows some forms of tracking, which serve to strengthen its control over the iOS market.

In a paper titled, "Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels," due to be published in June for the ACM Conference on Fairness, Accountability, and Transparency 2022, Oxford academics Konrad Kollnig, Max Van Kleek, Reuben Binns, and Nigel Shadbolt, with independent US-based researcher Anastasia Shuba, describe what they found after analyzing 1,759 iOS apps from the UK App Store, both before and after the introduction of iOS 14.

"While Apple’s changes make tracking individual users more difficult, they motivate a counter-movement, and reinforce existing market power of gatekeeper companies with access to large troves of first-party data," they state in their paper.

Apple's iOS 14, initially released on September 16, 2020, introduced two privacy initiatives that had a significant impact on iOS app developers: the App Tracking Transparency framework, an API that defines how system-permission alert requests and app-tracking authorization alerts are presented to the app user; and app privacy labels (which the researchers refer to as Privacy Nutrition Labels) that disclose data handling practices.

Google and Facebook complained bitterly about iOS 14 and warned about reduced ad revenue. Both, coincidentally, would later be accused of colluding to bypass prior Apple privacy measures implemented in its Safari browser.

A common problem

Kollnig's team found that other ad companies have behaved similarly, by sharing a fingerprint-based tracking identifier, and that Apple itself tracks users and exempts certain data gathering from its privacy rules.

While information gathering firms that engaged in invasive data collection now face higher barriers, thanks to Apple's iOS 14 privacy measures, the researchers observe that the number of tracking libraries within apps, on average, has remained more or less the same.

"Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting)," they explain.

"We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple’s policies and exposing the limits of what ATT can do against tracking on iOS."

They say this is particularly concerning because they explicitly refused to opt-in to tracking in this study and apps ignoring such consent violate both EU and UK data protection law.

The academics also observe, "Apple itself engages in some forms of tracking and exempts invasive data practices like first-party tracking and credit scoring from its new rules, and that the new Privacy Nutrition Labels were often inaccurate."

This, they say, violates customer expectations and company marketing claims – recall Apple's 2019 billboard ad campaign, "What happens on your iPhone, stays on your iPhone." Chinese users will find terms and conditions don't apply in their locality.

The researchers looked at the number of tracking libraries in iOS apps, both before and after the implementation of ATT, and found the numbers remained about the same – the median number of tracking libraries included in an app was 3.0 in both cases; the mean before was 3.7 while the mean after was 3.6.

The most common libraries also remind the same: Apple's SKAdNetwork library (in 78.4 percent of apps before, and 81.8 per cent after); Google Firebase Analytics library (64.3 percent of apps from before ATT, and 67.0 percent after), and Google Crashlytics (43.6 percent before, 44.4 percent after).

Apple's SKAdNetwork, when integrated into an app, sends information about the ads the app user has clicked on to Apple. The academics say Apple could, in theory, use this data to build user profiles for its own ad system. When they asked Apple about this, citing their right to be informed under GDPR Article 13, they say the company "did not deny the fact that this data might be used for advertising, but assured us that any targeted ads would only be served to segments of users (of at least 5,000 individuals with similar interests)."

All told, they say Apple's privacy measures seem to have had negligible impact on the integration of tracking libraries within existing apps.

Check the data

The boffins found that the average number of tracking domains contacted by apps prior to any user consent interaction increased a bit after the introduction of ATT, from 4.0 to 4.7. The most commonly seen domains were associated with Google Analytics services. For example, firebaseinstallations.googleapis.com got called by 4.1 percent of apps prior to ATT and 47.4 percent after.

"Overall, data sharing with tracker companies before any user interaction remains common, even after the introduction of the ATT," the researchers say. "This is in potential violation with applicable data protection laws in the EU and UK, which require prior consent."

Apple's ATT has had a clear beneficial effect with regard to the Identifier for Advertisers (IDFA). Some 26 percent of apps shared it before ATT and none were found doing so afterwards.

Apple's privacy efforts, however, have led to attempts to skirt its rules. The boffins found nine apps capable of generating a mutual user identifier that can be used for a cross-app tracking via server-side code.

"These 9 apps used an 'AAID' (potentially leaning on the term Android Advertising Identifier) implemented and generated by Umeng, a subsidiary of the Chinese tech company Alibaba," the researchers explain. They add that deriving data from a device to form an identifier and sharing the identifier across devices violates Apple's rules.

According to the paper, this was reported to Apple on November 17th, 2021, and the company promised to investigate. When the researchers conducted a followup check on February 1, some apps still received the identifier from a Umeng endpoint. Others now contact a different Umeng endpoint using custom encryption for both requests and responses.

Noting that the encrypted data is still roughly the same size and the request/response mimetypes haven't changed, the boffins conclude the identifier is still being used, "but has now been hidden away from the public through the use of encryption."

The Register asked Apple whether it considers these allegations to be a violation of App Store Guidelines and whether it intends to take any action. The company, ever keen to respect The Register's privacy, has not responded.

The researchers conclude that large companies still track iOS users behind the scenes and they express concern that a private company, Apple, has changed privacy more than years of regulatory involvement.

They further note that Apple’s definition of tracking exempts its own advertising technology and makes other exceptions for fraud detection, fraud prevention, and credit reporting that provide cover for tracking companies to operate and potentially violate consumer privacy expectations.

Finally, they argue that Apple's double standards give it a competitive advantage: access to data. Apple's data limitations, they contend, have empowered Apple to track while helping large rivals like Alphabet/Google and Meta/Facebook to consolidate their market dominance.

"We conclude that the new changes by Apple have traded more privacy for more concentration of data collection with fewer tech companies," they argue. "Stricter privacy rules may encourage even less transparency around app tracking, by shifting tracking code onto the servers of dominant tracking companies." ®

Send us news

Pentagon whistleblower Ellsberg given months to live

The man leaking vital data before it was fashionable

Critical infrastructure gear is full of flaws, but hey, at least it's certified

Security researchers find bugs, big and small, in every industrial box probed

Privacy fail: Pictures cropped, redacted by Google Pixel phones can be recovered

aCropalypse Now, starring any 2018-or-later device

Journalist hurt by exploding USB bomb drive

Now that's a flash bang

Cop warrant orders Ring to cough up footage from inside this guy's home

Don't say you weren't warned

Google taps Fastly to make cookie-free adtech FLEDGE fly

Online ad colossus hopes it can still make money when users want privacy

BBC to staff: Uninstall TikTok from our corporate kit unless you can 'justify' having it

Those with 'sensitive' work-related information told to contact Beeb's security team

Secret Service, ICE break the law over and over with fake cell tower spying

Investigations 'at risk' from sloppy surveillance uncovered by audit probe

German Digital Affairs Committee hearing heaps scorn on Chat Control

Proposal to break encryption to scan messages for abuse material challenged as illegal and unworkable

UK govt adds £4B to value of delayed tech procurement

Hardware, software, kitchen sink: it's all in there

Indian state turns off internet for 27 million, for four days, to stymie one man

Digital rights org criticizes use of fill-in-the-blank template used to quell separatist protests

UK spy agency: Don't feed LLMs with sensitive corporate data

Oh gosh. Looks like that bot just spilled that you plan to fire 20k staffers in Q4