This week, Apple released a new whitepaper that describes how apps typically track users and manage their data, outlines the company’s privacy philosophy, and offers more details and clarifications about the upcoming App Tracking Transparency change, which (among other things) will require app developers to get the user’s permission to engage in the common practice of creating an identifier (called IDFA) to track the user and their activities across multiple apps.
The paper says that the change will take effect with the release of an update to iOS and other Apple operating systems in “early spring” (Apple has previously said that this would happen in iOS 14.5, which is now in a late phase of beta testing), but the company has reportedly already begun enforcing some aspects of the new policy on app submissions, suggesting that the full transition is imminent. A recent survey found that only around 38.5 percent of users plan to opt in to tracking.
Most of the paper is dedicated to explaining exactly how apps track users in the first place, using a hypothetical example of a father and daughter traveling to the playground with their personal mobile technology and apps in tow. There are no new revelations in this section for people who are already familiar with how these systems work, but the information is accurate, and most people do not actually know much about how their data is tracked and used, so it may be useful to some.
Apple also uses a section in the paper to describe the app privacy labels, which are like food labels, but instead of describing the nutrients in a meal, they describe the ways an app tracks you or accesses your data. However, it is worth noting that these privacy labels are largely self-reported, and independent observers have found many examples of apps that have inaccurate or incomplete information in these labels.
Trust and antitrust
While the paper is partly aimed at users who want to know more about iOS’ privacy features and how personal data is handled by mobile apps in general, it also repeatedly tries to make the case that the upcoming App Tracking Transparency change will not seriously harm most advertising businesses. “The introduction of previous features, such as Safari Intelligent Tracking Prevention, has shown that advertising can continue to succeed while improving users’ privacy,” the authors claim.
Some companies, such as Facebook, have explored the idea of making an antitrust case against Apple, claiming that Apple holds third-party apps to rules that the smartphone maker’s own apps do not have to follow. However, the paper claims that Apple’s own apps do not present a tracking opt-in prompt because they do not track users across third-party apps for advertising purposes to begin with.
Most of the meaty clarifications are in the paper’s FAQ (frequently asked questions). For example, Apple writes that “app developers can not require you to allow tracking in order to use the full capabilities of the app” – this means that users will not have reduced functionality in apps if they opt out of tracking. There is a critical caveat to Apple’s upcoming change: the policy prevents tracking across multiple third-party apps if a user opts out, but Apple or any other company can still track users across multiple apps if all the relevant apps are run by the same company. The same rule that gives Apple a pass also applies to, say, Google tracking you across Gmail, Google News, Docs and so on. But as soon as Google wants to use a technique that can also see what you are doing in Apple’s or Facebook’s apps, for example, then opt-in is required.
Apple offers a separate “Personalized Ads” switch – completely different from the IDFA-related opt-in message – that lets users decide if they want to be tracked in Apple’s first-party apps.
And related to the recent App Store submission rejections, Apple points out that a developer “is also required to respect your choice beyond the advertising identifier.” This means that once a user has opted out of IDFA tracking, the developer must not track the user through any other method that produces a similar result, such as device fingerprinting. Device fingerprinting was apparently what caused the wave of rejections we reported last week. “If we learn that a developer is tracking users who request not to be tracked, we will require them to update their practices to respect your choice, otherwise their app may be rejected from the App Store,” the paper says.
The FAQ also addresses criticism of the effectiveness of App Store privacy labels, though not very effectively. It confirms that the data is self-reported and says “if we learn that a developer may have provided inaccurate information, we will work with them to ensure the accuracy of the information.”