Study by Lockdown Privacy Finds Big-Name Apps Like DoorDash, Peacock TV, and Yelp Ignore Tracking Opt-Outs

Johnny Lin and Sean Halloran:

When it comes to stopping third-party trackers, App Tracking Transparency is a dud. Worse, giving users the option to tap an “Ask App Not To Track” button may even give users a false sense of privacy: users who would have otherwise been more cautious with giving their data to an app might let their guard down, thinking that they’re “safe” from third-party tracking. Furthermore, we found that some apps didn’t even bother to show the ATT dialog, despite contacting numerous third-party trackers.

The core problem is that App Tracking Transparency is entirely based on the honor system, so it suffers the same fatal flaw as Apple’s “Privacy Nutrition Facts”. App developers can choose whether or not to be honest about tracking, and if all their competitors are lying, why would they choose to be honest? Since the App Store has millions of apps, slipping by the rules is not only easy, but as our testing showed, it’s the norm.

Contrast the tantrum thrown by privacy-hostile ad tech companies after App Tracking Transparency was announced against the results of this study: a tiny reduction in the amount of tracking in selected high-profile apps. Lin and Halloran say Peacock TV tried to track 57 times when permission was granted and 15 times when it was not — the biggest drop by percentage I could see — while there was no difference in many apps, and a few apps actually initiated tracking more times when the user declined. Private information was still being sent to third-party trackers even when tracking was denied.

But App Tracking Transparency is being blamed for some loss in tracking fidelity, according to Alex Kantrowitz, writing in his Big Technology newsletter:

“Just completely running blind” is how Aaron Paul, a performance Facebook marketer, described it. Paul said his company, Carousel, moved from spending millions of dollars each day on Facebook to a few hundred thousand dollars. Before the iOS changes, Facebook generated 80% of the traffic Carousel sent to its product pages. Now it accounts for 20%.

Apple’s iOS changes may lead to irreparable harm to Facebook’s ad business. This moment has demonstrated to Paul and his fellow performance buyers that relying on one channel (albeit a very effective one) is risky. So they’re looking to diversify their ad spend. Paul said he’s moved his ad budget elsewhere, including “Snapchat and TikTok, but also silent killers like email.” On Twitter, Facebook marketers discussing Apple’s changes almost unanimously agreed they needed to follow suit.

The disconnect in these findings may be explained by the many apps that are following the rules, particularly those from smaller or independent developers — who cannot afford to incur the wrath of App Review — and from really big developers where it would be obvious if they did not comply. In the middle lies this assortment of apps not quite notable enough to attract attention — at least, until this study came out.

I do not think it is surprising there are bad actors ignoring or abusing this feature. The nature of this feature is such that it is impossible to guarantee that apps will respect users’ privacy and choices. Groups of developers have already tried to create workarounds, though Apple has said that it would block any attempt to use them. What will Apple’s response be to this selection of apps?

Lin and Halloran:

In the Settings app, Apple needs to be extremely clear that iOS currently does not and cannot stop third-party tracking. Before iOS 14.5, every app permission (Camera, Contacts, etc) in the Privacy panel has always been enforced by iOS, ensuring that certain apps can or can’t access certain features. iOS 14.5’s Tracking permission breaks this ten-year-old iOS pattern and misleads users into thinking that it’s enforced like every other permission. In fact, iOS even claims something completely untrue here: that “new app tracking requests are automatically denied.”

A quick correction: the quote at the end refers to the dialog box that asks whether an app is allowed to track. If you have “Allow Apps to Request to Track” switched off, you will never see a tracking prompt, and all will be treated as though you tapped “Ask App Not to Track”. I do not think that it is “untrue”.

That aside, I do think the similarities between other permission prompts and the one for app tracking could be misleading. I do not think this is deliberate. But I can see how many people could view their effects similarly, even though the negative option is to “ask” for the app to comply with the user’s request instead of simply disallowing permission.