In Europe, cross-app, cross-browser & cross-device tracking is on very thin ice legally under the GDPR, so I'm not surprised Apple finally curbs the use of "sticky" identifiers on their devices. Honestly, it's a bit shameful that a device that is marketed as the gold standard in privacy would even support such an identifier in the first place, it has literally no purpose beyond mining peoples' data.
Now that the third-party tracking ecosystem is slowly drying out I'm curious what advertisers will come up with to circumvent these new measures. Anyone here that works in the industry and wants to share some plans?
Having been on both sides of the table, I would slightly disagree here. Fraud prevention for example will get an order of magnitude harder, plus this move will further skew the playing field towards FAANG who have the resources to puzzle the scraps back together for decent conversion tracking with the help of logins, IPs, SDKs with First Party IDs and a massive dose of machine learning.
Apple's privacy changes might seem like a good idea from the outside, but essentially or paradoxically leads to higher entry barriers for new competitors and cement the role the actual players have.
However, we do not have experience with so-called "big tech." It is relatively new, iPhone came to light in 2007. So I regard Apple's measurements as another experiment, and we will see how things further evolve.
I wonder if it would be profitable for Visa/Mastercard/Discover/AmEx to sell a verification service where people can authenticate with a $0.01 authorization or approval amount. Obviously, it wouldn't work with gift cards or other accounts not tied to a real person.
> FAANG who have the resources to puzzle the scraps back together for decent conversion tracking with the help of logins, IPs, SDKs with First Party IDs
Those are not exempt from the GDPR either. Granted, at the moment there’s very little enforcement around these (especially IP addresses despite their huge tracking potential) but once enforcement is stepped up there shouldn’t be any difference whether it’s a FAANG or a small company doing it).
- fingerprinting (especially if you don't own any premium inventory, as premium publishers generally dislike 3p targeting).
- contextual (target the content, make decisions based on _what I'm reading_ now, not who _I am_--less dubious ethically)
My favourite one: behavioural rebranded as contextual (I know some companies selling "contextual targeting", where some of the properties clearly define the user, these are mostly ML-based solutions, relying on mobile hardware)
Behavioural cross-platform targeting will exist but in a less deterministic form.
source: I used to work in AdTech and started a bunch of privacy-related initiatives.
I think it started as a compromise measure to hamper down on collection of other more persistent device identifiers (through AppStore regulation) so in a way it was a step in the right direction when introduced.
The purpose of IDFA was to provide an identifier that wasn't hardwired to the device - apps were going to absurd lengths to get the UDID, and IDFA gave them something ostensibly sufficient that users could in theory reset at will.
I give good odds ad frameworks will again start trying to circumvent the platform security to get a UDID or equivalent.
if i remember correctly they (apple) still dont block access to the devices name (e.g "Johns iPad Pro"), so thats also one easy way to fingerprint* even without idfa
* to say nothing about the fact that apps can easily get my first name without me knowing it being super creepy
Now that the third-party tracking ecosystem is slowly drying out I'm curious what advertisers will come up with to circumvent these new measures.
Probably fingerprinting – not to mention the fact that ad-people are lobbying both legislators (including the EU) and standards bodies (like W3C)... and in the latter case they're also directly contributing to the standards.
Things have changed really dramatically in in the last 13 years or so. When iPhone first launched, developers could (and did) just grab the UDID of the device and use that.
Apple has been restricting things almost from day one, and creating the IDFA in the first place was part of that, but this seems like the biggest step forward by far.
> it has literally no purpose beyond mining peoples' data
Its main purpose is targeted ads while repurposing or reselling peoples’ data is a nefarious secondary use.
Multi-sided markets are important revenue models that are tailored to user preferences and behavior. We are trying to strike a balance; we don’t need to demonize all advertising centric business models to win the argument for better privacy options.
I think both Apple and Mozilla are more aligned with my personal preferences but their positions are also perfectly aligned with their core business models.
> shameful that a device that is marketed as the gold standard in privacy
It's being marketed this way, that's it. It doesn't mean Apple care about privacy, and they prove every once in a while that they don't respect anyone's privacy at all. They spy on their users as much as anyone else (and overall, they have access to much more information than everybody else except Google).
All they want to do is prevent third-party tracking on their devices, so they have a monopoly on their users' data.
But they do collect those data and they share them with third party “partners”. Don't trust me, just look at their privacy policy, it's explicitly written there: https://www.apple.com/legal/privacy/en-ww/
Please familiarise yourself with Apple's history in consumer privacy and what they've done so far, including inadvertently forcing others to follow (looking at you Google).
They only share data with partners at the direction of users and only to provide specific services, and use for marketing is banned. That privacy policy?
> They spy on their users as much as anyone else (and overall, they have access to much more information than everybody else except Google).
This is easily disproven by making a GDPR access request to see what various companies have retained on you, or if you’re extra paranoid inspecting what the device is sending back over the network.
You can't say things like that, can you imagine how Apple device owners (which are plenty here) would feel about their purchases? I've seen the argument of 'using Apple if you are privacy conscious and rest is subpar' here a thousand times as a main justification for the higher price.
Say what you want about Apple but they are by far the most privacy focused big company. Their income is from selling physical devices. Typical megacorps in 2020 are leveraging economies of scale to sell their users' attention. Apple has a unique value add in that when their users benefit they benefit.
Apple revenue for the last year was $275 billion. So you've listed 3.5%, 7%, and probably-rounds-to-0% of their revenue, which doesn't seem like it actually counters the original point.
Not hard to be the most privacy focused big company when the competition Google , Facebook or Amazon...
I don't understand why we should always have good guys and bad guys and we can't accept that none of those company respect us.
Nothing will change if we relay Apple's propaganda about privacy. People will think that the solution is already there and it's Apple. And it's not. Apple has catastrophic Privacy, just a bit less catastrophic than Google but that's it.
They don't even encrypt your cloud, how's that remotely close to "privacy focused company"
“Catastrophic privacy” is quite a huge claim - do you have any actual examples? My perspective is that iphone privacy protections have actually gotten better and more sophisticated over time, and I’m much more comfortable having older non-techie relatives on iOS for that reason. When it comes to providing them tech support ios has always been less finicky than android.
Agreed, we should be careful not to champion them as the saviours of consumer privacy just because they have lately been marketing themselves as an improvement over Google and Microsoft.
It's odd though, they have these contradictory actions. For the iPhone, they are pushing for privacy, but on MacOS, we are now dealing with things like excessive telemetry to the point of phoning a authorization server for running local binaries. Not to mention the new firewall issues, where Apple utilities are able to bypass local firewall rules.
Surely you know this ‘telemetry’ statement isn’t really true. They use badly designed open protocol to do certificate revocation. It’s not like they designed this as a way to collect user data.
That's a very good point. Their primary revenue stream is from hardware or sources that aren't based on collecting user data.
I also think this is why Apple and Microsoft have bright futures but companies like Amazon, Google, and Facebook will only see more legal hurdles from here on out.
Apple gets on the order of $12 billion a year from Google to make Google Search the default search engine in iOS. All that money comes from ads. They care about privacy until it hits their pocketbook.
If I’m looking at HomeKit for example, this is not true.
Also people would want google anyway. After all it’s still the most useful search engine for almost everyone. Apple is primarily still a device maker for people who want stuff to justwerk and people who have no interest in tech.
I treat Apple being privacy-focused the same way I treat a politician that has a platform that I like: alignment of interests at the present moment. It doesn't mean that we want the same thing for the same reasons.
IMO Pine64 is more privacy respecting than Apple. I don't have to send them an email address to install software and I don't have to send them my drivers license to be allowed to compile it.
Apple had its own advertising platform called iAd that was abandonded a few years ago. Cynical me thinks that them disabling the IDFA could be a ploy for them to corner the adtech market for themselves.
As a reminder (from first hand experience with mobile development for major companies), the iOS versions of those apps do the same. Even more so, all of those tracking SDKs are targeting iOS first, Android second.
Please don't feel safe on iOS just because Apple marketing is blasting misleading claims at you.
You can see a list of apps that share you activity with facebook here (even if you didn't install any facebook app on your phone or didn't use facebook login feature) :
Wow. I had no idea this existed. In my case, over 600 apps and services that I had no idea were connecting to Facebook. Is there no way to turn this off?
I don't want to minimize Apple's efforts on privacy, but this is only happening because the Overton window on privacy is finally shifting. Let's not pretend that Apple 'cares' all of a sudden. They only 'care' because it's a convenient position for them to take. Their business model isn't directly tied to the collection of data, which allows them to differentiate themselves from Google and make surgical changes like this. I propose we ask Apple to go further:
If Apple really cared, they'd make IDFA opt-in only. Why are we now applauding the option to disable a feature that the EU deemed illegal from the start? [1]
If Apple really cared, they'd remove Google as the default search engine and forgo the $8-12 billion they make from Google. Then, allow a fair bid for privacy focused search engines (or make their own). [2]
If Apple really cared, they'd stop tracking you in Apple Services like Apple TV+ and stop sharing your data with third parties. [3]
Apple can make an anti-tracking computer but nothing they do can make an anti-tracking phone. It is a "cell" phone. The very nature of cell phones means the basestations have to decide where you are and which cell takes your connections. With precise clocks and multi-lateration the position of your handset is known to about 50m. All US telco keep this location data (which is constantly updated) for 2 to 5 years. And they sell it too.
No, there is no privacy oriented, no anti-tracking, cell phone. None of them are capable of this. And no amount of "privacy" functions in the user computer will make up for the intrinsic nature of cell phones. Because cell phones are so incredibly useful people bend over backwards mentally to try to ignore this. They get angry when it's pointed out because it's "irrelevant". But it isn't. This is real tracking of you. Far worse than any "internet" tracking.
Your carrier has that correlation. They route all your packets. It doesn't matter if it is Comcast at home or Verizon/Att on the go. They know where you live and work and track you 24/7. Facebook is simply going to make a deal to have a unique ID added to URL metadata and then tracking is even more trivial. We need legislation to guarantee true net neutrality. Just like the electric company doesn't track/sell what I use my electricity on, the ISP shouldn't
track/sell what I use my data.
Although for what its worth, I wonder if it's possible for a cell to throw telcos off by broadcasting at higher power and connecting randomly between more and less distant antennas.
This is probably one of the dumber ideas I've come up with given that I have no idea how the different protocols for handshakes between cells and towers work. Looking to be educated on it here in the comments.
Sounds like a great way to get your IMEI blacklisted by the carrier (and drop/miss calls a lot), and would not really stop them from triangulating your position (because you still have to be physically in range of all the towers, and would still be a determinable distance from them, being that distance is calculated using timing).
Cellular modem firmwares are also generally pretty closely guarded and not flashable.
The client handset's location is not determined by the power. It's determined by timing. Higher power would only give more basestations ability to receive your signal and add greater resolution to their position solution.
You can't make any internet-connected computer any more anonymous than a cell-connected computer. Your internet connection is as traceable and mostly using the same methods as your computer minus triangulation if you turn off wifi. Your provider knows the service address and pretty much everything else.
I still want a phone with an open software ecosystem, so I'm excited that the Pinephone and Librem 5 exist. But I'm glad that Apple has been able to at least make privacy a selling point of their products. That's the way it should be.
My impression was that IDFA was a concession provided by Apple a while ago when they restricted APIs to the stable device identifiers. The IDFA was an identifier that advertisers could use and could be controlled by the user, which was seen as a privacy improvement on advertisers just using the device serial number.
I could be very much wrong, but this was my understanding.
That is correct. The IDFA is a compromise to get rid of older, more invasive tracking methods that ad networks used. Apple blocked access to the more sensitive data, and instead provided the IDFA which allows users to opt out, and limits the ability to combine data from different sources.
Making the IDFA opt in is now a second, stronger step towards user privacy.
I think removing the IDFA is great but .... most people probably login via the same IDs, either the same email address or facebook login, google login, github login, etc...
Once you've done that your app activity will be exchanged behind the scenes associating your data with your email or account so I'm not sure how many people this is going to really help.
IIRC Apple was trying to fix this hole too by having login via Apple give each app a different user IDs. Unfortunately that's not useful for the majority of people who need to be able to use non Apple devices.
Apple doesn’t need to fix this for users who aren’t using Apple devices. However:
The privacy feature of “Sign In With Apple” uses an email address for each service that you can use to access your accounts from other non-Apple devices, as long as the site implements a Reset Password process that accepts account email addresses (which virtually all do). The private email addresses are under Settings > iCloud > Apps Using Apple ID for apps where you hide your email.
Readit News
Now that the third-party tracking ecosystem is slowly drying out I'm curious what advertisers will come up with to circumvent these new measures. Anyone here that works in the industry and wants to share some plans?
First Ad Fraud != Fraud. It is low grade hacking.
Second. Trading the privacy of every iPhone user so that advertisers can prop up a sketchy/ poor industry is a terrible trade.
They’re not supposed to do that. Their dogmatic refusal to see the writing on the wall is ridiculous.
Apple's privacy changes might seem like a good idea from the outside, but essentially or paradoxically leads to higher entry barriers for new competitors and cement the role the actual players have.
However, we do not have experience with so-called "big tech." It is relatively new, iPhone came to light in 2007. So I regard Apple's measurements as another experiment, and we will see how things further evolve.
Also: boohoo
Those are not exempt from the GDPR either. Granted, at the moment there’s very little enforcement around these (especially IP addresses despite their huge tracking potential) but once enforcement is stepped up there shouldn’t be any difference whether it’s a FAANG or a small company doing it).
Dead Comment
- contextual (target the content, make decisions based on _what I'm reading_ now, not who _I am_--less dubious ethically)
My favourite one: behavioural rebranded as contextual (I know some companies selling "contextual targeting", where some of the properties clearly define the user, these are mostly ML-based solutions, relying on mobile hardware)
Behavioural cross-platform targeting will exist but in a less deterministic form.
source: I used to work in AdTech and started a bunch of privacy-related initiatives.
I give good odds ad frameworks will again start trying to circumvent the platform security to get a UDID or equivalent.
* to say nothing about the fact that apps can easily get my first name without me knowing it being super creepy
https://www.verizonmedia.com/insights/overcoming-identity-he...
And probably a dozen other ID solutions out there that require you to be logged in and thus have some first party data to match you with.
Honestly I'm not sure what the value proposition is for the user if it's not required to log in, so who knows what the uptake will be.
Of course some smaller one will still try to do it, don't get me wrong.
Apple has been restricting things almost from day one, and creating the IDFA in the first place was part of that, but this seems like the biggest step forward by far.
Its main purpose is targeted ads while repurposing or reselling peoples’ data is a nefarious secondary use.
Multi-sided markets are important revenue models that are tailored to user preferences and behavior. We are trying to strike a balance; we don’t need to demonize all advertising centric business models to win the argument for better privacy options.
I think both Apple and Mozilla are more aligned with my personal preferences but their positions are also perfectly aligned with their core business models.
Exactly and tracking companies such as Adjust or AppsFlyer carry on IFDA-ing/fingerprinting users. GDPR seems to be just a nice-to-have.
It's being marketed this way, that's it. It doesn't mean Apple care about privacy, and they prove every once in a while that they don't respect anyone's privacy at all. They spy on their users as much as anyone else (and overall, they have access to much more information than everybody else except Google).
All they want to do is prevent third-party tracking on their devices, so they have a monopoly on their users' data.
But they do collect those data and they share them with third party “partners”. Don't trust me, just look at their privacy policy, it's explicitly written there: https://www.apple.com/legal/privacy/en-ww/
This is so dishonest.
Please familiarise yourself with Apple's history in consumer privacy and what they've done so far, including inadvertently forcing others to follow (looking at you Google).
https://youtu.be/08IC1AZTxls?t=2941
This is easily disproven by making a GDPR access request to see what various companies have retained on you, or if you’re extra paranoid inspecting what the device is sending back over the network.
Sent from my Thinkpad.
Not entirely true anymore:
1) About $8-12 billion paid by Google to have their search engine default. [1]
2) About $20 billion from their 15-30% cut of third party app developers. Where the App Store is protected from competition. [2]
3) Apple services (like Apple TV+), which collects usage data for itself and third parties. [3]
[1] https://www.macrumors.com/2020/10/25/google-apple-search-def...
[2] https://www.theverge.com/2020/6/15/21292203/apple-app-store-...
[3] https://support.apple.com/en-us/HT208511
The trailing 12 month revenue for Mac, iPhone, iPad and Apple Watch (+ HomePod, AirPods, etc.) was over $220 billion.
And while $20 billion is not nothing, it's actually not that big a deal for Apple, especially when you consider its $2 trillion market cap.
And Mozilla, who wrote this article, also gets the majority of their funding through paid search, mostly from Google.
> Precisely 94% of Mozilla revenues came through royalties received by search engines to be featured on its Mozilla Firefox browser.[0]
[0] https://fourweekmba.com/how-does-mozilla-make-money/
I don't understand why we should always have good guys and bad guys and we can't accept that none of those company respect us.
Nothing will change if we relay Apple's propaganda about privacy. People will think that the solution is already there and it's Apple. And it's not. Apple has catastrophic Privacy, just a bit less catastrophic than Google but that's it.
They don't even encrypt your cloud, how's that remotely close to "privacy focused company"
Sent from my Huawei.
Sent from my Pinephone.
It’s also a good way to combat the push from companies like Google to bring down the prices of devices to allow for better tracking.
I also think this is why Apple and Microsoft have bright futures but companies like Amazon, Google, and Facebook will only see more legal hurdles from here on out.
It's a lot of money, but it's pocket change for Apple in the scheme of things—$220 billion in hardware revenue and a $2 trillion market cap.
Google needs to pay it far more than Apple needs the money. Google knows Apple customers are far more lucrative than Android customers.
Also people would want google anyway. After all it’s still the most useful search engine for almost everyone. Apple is primarily still a device maker for people who want stuff to justwerk and people who have no interest in tech.
You do not need to send Apple your drivers license to compile software for Apple hardware.
Dead Comment
https://9to5google.com/2018/12/31/android-apps-facebook/
Please don't feel safe on iOS just because Apple marketing is blasting misleading claims at you.
https://developer.apple.com/app-store/app-privacy-details/
https://www.facebook.com/off_facebook_activity/activity_list
(click "Manage Your Off-Facebook Activity" on the right if you're on desktop)
If Apple really cared, they'd make IDFA opt-in only. Why are we now applauding the option to disable a feature that the EU deemed illegal from the start? [1]
If Apple really cared, they'd remove Google as the default search engine and forgo the $8-12 billion they make from Google. Then, allow a fair bid for privacy focused search engines (or make their own). [2]
If Apple really cared, they'd stop tracking you in Apple Services like Apple TV+ and stop sharing your data with third parties. [3]
[1] https://www.thehindu.com/sci-tech/technology/what-is-apples-...
[2] https://www.macrumors.com/2020/10/25/google-apple-search-def...
[3] https://support.apple.com/en-us/HT208511
No, there is no privacy oriented, no anti-tracking, cell phone. None of them are capable of this. And no amount of "privacy" functions in the user computer will make up for the intrinsic nature of cell phones. Because cell phones are so incredibly useful people bend over backwards mentally to try to ignore this. They get angry when it's pointed out because it's "irrelevant". But it isn't. This is real tracking of you. Far worse than any "internet" tracking.
This is probably one of the dumber ideas I've come up with given that I have no idea how the different protocols for handshakes between cells and towers work. Looking to be educated on it here in the comments.
Cellular modem firmwares are also generally pretty closely guarded and not flashable.
It would be nice if there were regulations that protected my information from my telco provider.
What I heard was that at some point of time, Apple had an ambition for own advertising business.
I could be very much wrong, but this was my understanding.
Making the IDFA opt in is now a second, stronger step towards user privacy.
It's now just split away from IDFA. Basically Apple is using this to attack competitors while leaving their own tracking on by default.
Yes. Let's not forget about iAd and iBeacon, where Apple was traveling down the same road as FB and Google.
Once you've done that your app activity will be exchanged behind the scenes associating your data with your email or account so I'm not sure how many people this is going to really help.
IIRC Apple was trying to fix this hole too by having login via Apple give each app a different user IDs. Unfortunately that's not useful for the majority of people who need to be able to use non Apple devices.
The privacy feature of “Sign In With Apple” uses an email address for each service that you can use to access your accounts from other non-Apple devices, as long as the site implements a Reset Password process that accepts account email addresses (which virtually all do). The private email addresses are under Settings > iCloud > Apps Using Apple ID for apps where you hide your email.
I can use Apple devices and still have the need to use non-apple devices so Apple's solution isn't helpful.