Security news that informs and inspires

Apple Details Crackdown Efforts On Invasive Ad Tracking

By

Apple is detailing new tools that it says will curb advertisers’ abilities to track users' behavior while they browse apps and websites on their devices. The new features are part of an overarching crackdown by Apple on tracking mechanisms, which will be enforced in its upcoming release of the iOS 14.5, iPadOS 14.5 and tvOS 14.5 operating system versions.

The two mechanisms described this week aim to give advertisers the flexibility to measure how users interact with their ads, without using invasive tracking tactics. The first feature, called SKAdNetwork, lets advertisers track the number of times an app was installed after users saw ads for it, but does not share any user or device-level data. The second feature, called Private Click Measurement, exists for apps in iOS and iPadOS 14.5, and enables advertisers to analyze the impact of ads that lead users to websites, but minimizes data collection that uses on-device processing.

“After a user clicks on an ad for a product in an app, the web browser itself, using Private Click Measurement can give advertisers information that a user clicked on their ad, and that it led to a certain outcome on their website, such as a visit or a purchase — without giving them information about who specifically clicked on the ad,” Apple said.

The tools are part of Apple's App Tracking Transparency rules, which will be enforced in its upcoming operating system versions and require explicit permissions by users in order for developers to access advertising identifiers. These identifiers, which Apple calls Identifiers For Advertisers (or IDFA), are assigned by iOS to each device and allow developers to track user behavior across websites and apps, in order to target them with ads. Any number of identifiers could also be used for tracking beyond IDFA, such as email addresses or phone numbers, according to Apple.

When a user is browsing websites or opening apps on their phone, in the background advertisers are bidding in an auction to show their ads on that app or website. As part of this bidding process, typically advertising networks gather data from user devices, including the app being used, location and an advertising ID. This information gives potential advertisers a better sense of users' behavior and whether their characteristics align with the advertiser’s target audience.

SKAdNetwork and Private Click Measurement apply to the winner of this auctioning process, whose ad appears in front of the app user. This advertiser then has an option to measure how the ad affects user behavior, in a process called ad attribution. For instance, if the ad is for an app, the advertiser would try to track whether the user installed that app.

“The latest privacy changes are part of an unstoppable trend to increase the protection of user privacy."

Chris Hazelton, director of security solutions at Lookout, said the change gives users more control over how much of their personal information is being shared.

“Now, Apple has created levers for users to more easily pick and choose the developers with which they share personal information,” said Hazelton.

In addition to blocking IDFA access, users will also be able to see which apps have requested permission to track them under their Settings and make changes. Apple warned, if developers are found to be tracking users who opt out of this tracking measure, they will be required to update their practices or may be rejected from the App Store.

For developers, unless they have received permission from the user to enable tracking, the device's advertising identifier value will be all zeros and they will not be able to track them. The app will be sent a signal that shares that the user has asked not to be tracked, according to Apple. App Tracking Transparency has generated pushback from developers who argue that the rules will create obstacles for small businesses by affecting their ability to use their advertising budgets efficiently. One such critic, Facebook, has previously argued that the rules are “about profit, not privacy” and that “it will force businesses to turn to subscriptions and other in-app payments for revenue, meaning Apple will profit and many free services will have to start charging or exit the market.”

Privacy experts hope that Apple’s new measures will lead to a privacy push overall by other mobile device companies. According to a Bloomberg report, Google is weighing the development of its own Android alternative for Apple’s tracking opt-in requirement, for instance. Google, which assigns users its own version of an advertising identifier called Advertising ID, did not respond to a request for comment.

“The latest privacy changes are part of an unstoppable trend to increase the protection of user privacy,” said Lookout’s Hazelton. “The goal is to create a common, easily understandable format for users to see how their personal data is collected and used by developers and their partners. It will make it easier for users to question whether free services from developers are worth the cost in terms of privacy and security of their own data.”

While no official date has been revealed for the release of iOS 14.5, iPadOS 14.5, and tvOS 14.5, Apple said that App Tracking Transparency will roll out in the next few weeks.