Commentary

Study: Gaps In Apple's Rules Enable Privacy-Hobbling Workarounds

The following was previously published in an earlier edition of Mobile Insider.

It's been about a year since Apple rolled out new mobile settings that prohibit apps from tracking iPhone users without their explicit consent.

Specifically, Apple prohibited developers from accessing devices' Identifier for Advertisers -- an alphanumeric string that can be used to track people from app to app.

While the company's move appears to have curtailed cross-app tracking, the new settings are hardly foolproof. On the contrary, some app developers deploy a workaround that allows them to continue tracking mobile users from app to app. That's according to a recent paper by University of Oxford researchers.

The workaround relies on device fingerprinting -- or collecting data about users based on the unique characteristics of their devices, such as operating systems, fonts installed, even battery life. Apple prohibits companies from using fingerprinting techniques to circumvent users' privacy preferences, but has apparently been unable to enforce that restriction.

“We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple’s policies,” researchers write in “Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels.”

The researchers, who examined more than 1,700 apps for the report, say they discovered that Alibaba subsidiary Umeng provided several apps with a “fingerprinting-derived cross-app identifier.”

Additionally, some developers can also gather enough data about users' identities -- such as their email addresses or Facebook log-ins -- to track them across apps.

“Our findings suggest that tracking companies, especially larger ones with access to large troves of first party [data], still track users behind the scenes,” the paper states. “They can do this through a range of methods, including using IP addresses to link installation-specific IDs across apps and through the sign-in functionality provided by individual apps (e.g. Google or Facebook sign-in, or email address).”

The paper also notes that Apple itself collects iPhone users' unique device identifiers, serial numbers and other data -- which the company can use “to enrich its own advertising services.”

Apple's privacy policy allows it to draw on users' App Store searchers, their activity in Apple News and Stocks, downloads and other data to classify users into marketing categories, and then serve people in those categories with targeted ads -- provided the category has at least 5,000 people. Apple doesn't consider that type of information gathering and ad-serving to be “tracking,” because the data comes from its own apps and services.

Apple's concept of tracking notwithstanding, the researchers say Apple's practices “might be unexpected for some users,” given the company's privacy-touting ads.

“Apple’s privacy changes have led to positive improvements for user privacy,” the paper concludes. “However, we also found various aspects that might go against users’ legitimate privacy expectations, e.g. that the new opt-in tracking prompts would stop all tracking ... or that Apple would be subject to the same restrictions to data access and privacy rules as other companies."

Next story loading loading..