This week, Apple released a new white paper that describes ways in which apps typically track users and manage their data, outlines corporate privacy philosophy, and offers numerous details and clarifications about the upcoming change in transparency in App Tracking, which (among other things) requires app developers for to get a user’s permission to engage in the common practice of creating an identifier (called IDFA) to track that user and their activities between multiple apps.
The newspaper says the change will take full effect with the release of an update to iOS and other Apple operating systems in the early spring (Apple has previously said this would happen in iOS 14.5, which is now in a late phase of beta testing), but the company has reportedly already begun enforcing some aspects of the new app submission policy, suggesting that the full transition is very imminent. A recent survey showed that only about 38.5 percent of users plan to sign up for tracking.
Most of the paper is dedicated to explaining exactly how apps track users to begin with, using a hypothetical example of a father and daughter traveling to the playground with their personal mobile technology and apps in a row. There are no new revelations in this section for people who are already familiar with how these systems work, but the information is accurate and most people actually do not know much about how their data is tracked and used, so it may be helpful for some.
Apple also uses a section of the paper to describe its app privacy labels, which are similar to food nutrition labels, but instead of describing the nutrients in a meal, they describe the ways an app tracks you or accesses your data. However, it’s not worth it that these apps’ privacy marks are largely self-reported, and independent observers have found many examples of apps that have inaccurate or incomplete information in these labels.
Trust and antitrust
While the paper is partly aimed at users who want to know more about iOS’s privacy features and how personal data is handled by mobile apps in general, it also repeatedly tries to make the case that the upcoming change in transparency in App Tracking will not have a negative impact on most advertising supported companies in a serious way. “The introduction of previous features, such as Safari Intelligent Tracking Prevention, has shown that advertising can continue to succeed while improving users’ privacy protections,” the authors claim.
Some companies, such as Facebook, have explored the idea of suing Apple, claiming that Apple makes third-party apps that follow rules that the smartphone maker’s apps do not have to follow. However, this paper claims that Apple’s own apps do not present an opt-in prompt for tracking because they do not track across third-party apps for advertising purposes to begin with.
Most of the meaty clarifications are found in the paper’s frequently asked questions (frequently asked questions). For example, Apple writes that “app developers can not require you to allow tracking to use the full capabilities of the app” – meaning users will not get reduced functionality in apps if they opt out of tracking. This gets a critical warning about Apple’s upcoming change: the policy prevents tracking across multiple third-party apps if a user chooses, but both Apple and any other company can still track users across multiple apps if all those apps are powered by the same Business. The same thing that gives Apple a pass could also apply to saying that Google tracks you across Gmail, Google News, Docs and so on. But as soon as Google wants to use a technique that, for example, can also see what you are doing in Apple’s or Facebook’s apps, then opt-in is required.
Apple offers a separate switch labeled “Personalized Ads” – quite different from the IDFA-related sign-up prompt – that allows users to decide if they want to be tracked in Apple’s first-party apps.
And in the context of the recent stream of rejection of App Store submissions, Apple clarifies that a developer “is also required to respect your choice in addition to the ad identifier.” This means that once a user has opted out of IDFA tracking, the developer also does not have to track the user through any other method that generates a similar result, e.g. Device fingerprint. The device fingerprint was apparently what caused the wave of rejections we reported last week. “If we discover that a developer is tracking users who ask not to be tracked, we will require them to update their practices to respect your choice, otherwise their app may be rejected from the App Store,” the paper says.
Frequently asked questions also address the criticism of the effectiveness of App Store privacy brands, though not very effective. It confirms that the data is self-reported and says “if we find out that a developer may have provided inaccurate information, we will work with them to ensure the accuracy of the information.”
List image by Samuel Axon