Two years ago, Apple warned that it intended to stop allowing developers to access iPhone users' unique device identifiers.
Now, the company has given developers a firm deadline: May 1. As of that date, the App Store “will no longer accept new apps or app updates that access UDIDs,” Apple announced in a notice to developers. The company is advising developers to replace unique device identifiers -- 40-character alphanumeric strings -- with the “advertising identifiers” rolled out in iOS6.
Advertising identifiers differ in at least one critical way from unique device identifiers: Consumers can delete and reset ad identifiers.
Even before Apple's announcement about the new ad identifiers, some mobile companies rolled out their own opt-out tools. But using them wasn't nearly as easy as hitting a reset button. The tools required users to enter their devices' unique identifiers to an ad network's site. The network then kept records of which devices opted out of online behavioral advertising, and didn't serve targeted ads to those devices.
It seems likely that Apple's decision to limit access to unique device identifiers was driven by criticism the company faced for enabling developers -- as well as mobile ad networks -- to track users without first notifying them, let alone allowing them to opt out. Two years ago, researchers at the Technical University of Vienna reported that more than half of the 1,400 iPhone apps they studied collected users' device IDs. Dozens of those apps accessed the phone's location, while a handful gleaned information about the users' contacts. Another, slightly earlier study by a Bucknell University official found that 68% of the most popular iPhone apps transmitted the devices' unique identifiers to outside servers owned by either the developer or an advertiser.
Those reports sparked a slew of bad press for Apple. They also resulted in a class-action lawsuit against Apple. That case is still pending in federal court in the Northern District of California.
Despite Apple's new policies, any ad networks determined to continue tracking users can probably find a way to do so. If those companies can't use unique device identifiers, they might be able to track users via MAC addresses, device fingerprints, or other methods that are hard for users to control. Of course, circumventing devices' privacy settings is a dubious practice at best, and illegal at worst. Still, it's worth noting that the potential for bad publicity, and even lawsuits, didn't stop companies from evading privacy settings in the past.