Researchers Find Shades of Opacity, Plenty of Tracking, After App Tracking Transparency

Dan Goodin, Ars Technica:

Last year, Apple enacted App Tracking Transparency, a mandatory policy that forbids app makers from tracking user activity across other apps without first receiving those users’ explicit permission. Privacy advocates praised the initiative, and Facebook warned it would spell certain doom for companies that rely on targeted advertising. However, research published last week suggests that ATT, as it’s usually abbreviated, doesn’t always curb the surreptitious collection of personal data or the fingerprinting of users.

If anything, Goodin underplays this rather scathing report (PDF), in which researchers describe finding minimal changes in app-based tracking after the implementation of App Tracking Transparency. There are some benefits: for example, more apps chose to ask for certain permissions later rather than upfront, minimizing unnecessary data collection, and there was a significant drop in IDFA use. Some tracking SDKs also saw reduced usage.

But ATT was not as aggressive an anti-tracking measure as Apple may have hoped for or portrayed in its advertising. While IDFA use dropped, other attributes about a user’s phone are collected more often. Plenty of apps and SDKs are still tracking users without their consent or knowledge — most often, sending data to Google and Facebook, but also Unity, Verizon, and Oracle. And nine apps went even further:

In our analysis, we found 9 apps that were able to generate a mutual user identifier that can be used for cross-app tracking, through the use of server-side code. These 9 apps used an “AAID” (potentially leaning on the term Android Advertising Identifier) implemented and generated by Umeng, a subsidiary of the Chinese tech company Alibaba. The flow to obtain an AAID is visualised in Figures 6a and 6b. As expected, the IDFA is only zeros because we used the opt-out provided by iOS 14.8; we observe, however, that the IDFV (ID for Vendors), a non-resettable, app-specific identifier is shared over the Internet, see Figure 6a. The sharing of device information for purposes of fingerprinting would be in violation of Apple’s policies, which do not allow developers to “derive data from a device for the purpose of uniquely identifying it”.

As Apple was preparing to release the iOS 14.5 update that introduced ATT, it told a group of developers — also from China — to cease and desist creating a workaround to allow individual device tracking. The researchers behind this more recent analysis reported this apparent synthetic tracking identifier to Apple and, when they later tried to reproduce it in iOS 14.8, found that the identifier request was now encrypted but was likely similar. When they tried to reproduce it using iOS 15, they were unable to do so.

This is only tangentially related, but Alibaba was the same company that was collecting users’ history from their web browser, even when it was being used in incognito mode.

This observation from the researchers’ report is upsetting:

At the same time, it is worrying that a few changes by a private company (Apple) seem to have changed data protection in apps more than many years of high-level discussion and efforts by regulators, policymakers and others. This highlights the relative power of these gatekeeper companies, and the failure of regulators thus far to enforce the GDPR adequately. An effective approach to increase compliance with data protection law and privacy protections in practice might be more targeted regulation of the gatekeepers of the app ecosystem; so far, there exists no targeted regulation in the US, UK and EU.

Regulators and companies like Apple are still trying to catch up to the underhanded mechanisms involved in the surveillance-powered economy. There is some progress, but it is slow and not nearly enough to undo such a deeply engrained, intrusive, and hostile system. Privacy needs to be treated as a serious public policy issue and the stewards of its enforcement must be adequately resourced. That simply is not happening.