Apple came under considerable flack last September after announcing that it was delaying protections against one of the ad industry’s ways to track internet users.
Ultimately Apple’s latest privacy step won’t make much difference: there’s already a new way for advertisers to track us, and there’s little Apple can do about it: device fingerprinting.
Apple’s three-stage approach to limiting tracking
Apple initially recognized that advertisers wanted to perform tracking (including things like Apple Search Ads), but wanted to ensure user privacy was protected. The first step it took was to develop something known as IDFA: IDentifier For Advertisers. This is a unique identifier for each device, randomly assigned by
Apple. Advertisers are allowed to use this for tracking, because Apple knows that there is no way to use it to identify a named individual.
Stage 2 was to put Users in control by going to Settings > Privacy > Tracking and set a toggle allowing or denying permission for tracking. That was no threat to advertisers, because only someone who strongly objected to tracking was going to enable these measures.
The update will add a new prompt screen to the App Store with information about app privacy, tracking data, and linked data:
Stage 3 is the change which upset Facebook, and which Apple has now agreed to delay until the iOS 14.5 release. With this change, iOS 14 will force apps to show a popup that asks your permission to be tracked. If you say no, the app doesn’t get to use your IDFA.
Named the App Tracking Transparency policy (ATT), Apple has confirmed that users will be asked permission before apps can use their unique Identifier for Advertisers (IDFA) for third party ad tracking. On the app side, developers will be required to ask permission to use certain information from other apps and websites for advertising purposes to comply with ATT.
Advertisers were already concerned about this, because many users will likely assume ‘tracking’ means that
they can be personally identified (which in this case it does not) so most people will say no.
The ad industry’s next step: device fingerprinting
Advertisers started with cookies; Apple and others let us block them. Apple then offered advertisers IDFA, but the delayed change in iOS 14 means that most users will deny access to that.
But as much as Facebook may be making a fuss about this, the ad industry already has another way to identify devices: device fingerprinting.
Whenever you visit a website, your browser passes data intended to ensure that the site displays correctly on your device. A website needs to display itself very differently on an iMac and an iPhone, for example.
As the ecosystem has matured, and websites have become more sophisticated, the amount of data your browser hands passes have grown. Here are some examples of the data which your browser sends to a
- Browser name and version (eg . Safari 13.1.1/605.1.15)
- Device operating system and version (eg. macOS 10.15.5)
- Fonts installed
- Device vendor (eg. Apple)
- Browser plugins installed
- Screen resolution
- Screen color depth
- Audio formats supported
- Video formats supported
- Media devices attached (for input and output, eg. webcams)
- Keyboard layout
- Preferred content language
- How your device renders a particular image on the webpage
Note that this isn’t a comprehensive list, rather just examples. When a website analyses all of the data available to it, the ability to uniquely identify a user is robust.
The aim of device fingerprinting is to try to identify each unique device, assigning to it a device fingerprint. This can then be used to track you in exactly the same way as IDFA.
Apple’s delayed change will largely render IDFA useless for advertisers, as so many people will deny
permission. But the ad industry will simply switch to device fingerprinting and carry on as usual.
Apple could fight this too, by allowing you to spoof some of the info just as you can for MAC addresses when connecting to a public WiFi hotspot. But much of the info can’t be spoofed, or web pages will stop rendering properly.
In conclusion, Apple’s delayed implementation of its IDFA popups will have but one effect: it will give advertisers more time to switch to device fingerprinting.