html Does Apple really protect you from advertising surveillance? | Tracking pixels

Does Apple really protect you from advertising surveillance?

With iOS 14.5, tracking on iOS Apps will be severely restricted. Let's return to Apple's actions against advertising surveillance

Published by Pixel de Tracking on April 19, 2021

Privacy, a product argument for Apple

Faced with the surveillance capitalism developed by Google, Apple has an obvious argument, privacy. And he does not deprive himself of it, as evidenced by this advertising campaign :

iPhone

This argument is also found in the words of Tim Cook, during the “Computers, Privacy & Data Protection” conference in January 2021, a truly remarkable speech.

Apple has always been very good at product marketing, but is it just talk? A first response is provided by this page, a more detailed answer is provided here : Apple is indeed taking many initiatives. For example, we can cite:

Privacy is one of Apple's core values:

privacy

But Apple could go much further, and I would be willing to pay so that the following services are end-to-end encrypted : Apple Photos, Calendars, Contacts, iCloud Drive, Notes or Messages on iCloud. After his dispute with the FBI during the San Bernardino terrorist attack, during which he courageously fought against the introduction of backdoors on iOS, Apple had an opportunity to expand the use of end-to-end encryption to all its services. Under pressure from the FBI, he unfortunately did not dare :

Apple dropped plans to let iPhone users fully encrypt backups of their devices in the company's iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.

To the delight of governments, police services and secret services, Apple does not encrypt iCloud end-to-end. And to better sell its products in China, Apple agrees to store iCloud encryption keys of its Chinese users directly on servers located in China. Another compromise with the Chinese regime, Apple censors apps in China.

Now let's look at Apple's initiatives against advertising surveillance. Do they go far enough?

Safari ITP, good protection against tracking

In 2017, Apple integrated the functionality “Intelligent Tracking Prevention” (ITP) in Safari, the goal being to combat multi-site tracking. Since this first release, Apple has evolved ITP, with for example complete blocking of third-party cookies or the limitation of the lifespan of cookies placed via CNAME, which allows it to offer you good protection against tracking by adtech companies.

When we talk about privacy, Apple also has an excellent influence on the web ecosystem.

Apple's actions against multi-site tracking undoubtedly inspire other browsers. In 2018, Firefox announces change to its tracking policy, now wishing to offer protection against tracking by default. In 2019, Firefox takes action with Enhanced Tracking Protection (ETP), the equivalent of ITP, a functionality that it has also since evolved.

As a bonus, if you use an iPhone or iPad and go through another browser, ITP protections also apply ! In fact, Apple locks the options of third-party browsers, which are forced to use WebKit, Safari's rendering engine.

Apple counters Google's influence at W3C

At the W3C, the organization responsible for building and developing web standards, Apple offers alternatives to Google in the field of advertising. If Google made a lot of noise with proposals to replace third-party cookies (“Privacy Sandbox”), in particular the controversial FLoC proposal, Apple offers standards for better respect for privacy:

  • “Private Click Measurement (PCM)” : to correctly attribute conversions to ad campaigns. Google has its own proposal called “Measurement API Conversion”, but this hardly protects privacy because Google allows the advertiser to assign a unique identifier to each click on an advertisement... Apple for its part limits the options to 256 different values, which simply allows you to know which advertising campaign is effective.
  • “Storage Access API” : If Apple prevents third parties from tracking the user without their consent (via restrictions on cookies, local storage, etc.), they can explicitly ask the user for authorization via this API. Certain use cases such as authentication systems can justify this authorization.

Still at the W3C, if Apple is not the only one to defend privacy (Firefox and Brave are also very active), its investment is not too much when it comes to counterbalancing the armies of Chrome developers. These will often compromise user privacy under the guise of adding new features to the web. For example, here is a list of 16 features that Safari does not implement because the security and fingerprint are too big.

Could Safari go further?

Safari could decide to fight more radically against advertising surveillance by integrating by default a tracker and ad blocker such as uBlock Origin. Benefits for the user:

Speaking of CNAME cloaking, the technique is also used by Apple on its website, with the Adobe Analytics tool :

Today, Brave goes much further via its functionality “Shields” : the goal is not to prevent multi-site tracking but to block the execution of trackers. An example to illustrate the difference in approach: tracers using CNAME cloaking are blocked by default.

For its part, Firefox offers fewer protections by default but its extension system is very open (Safari much less, you have to settle for a “Content Blocker” such as Firefox Focus), which allows for example uBlock Origin to be effective against CNAME cloaking.

Note that marketing tools can unfortunately still evade browser protections and other tracker blockers, sometimes even via turnkey solutions.

A consistent policy on the web... with one exception

On the web, Apple therefore has a consistent policy:

  • Safari protects against cross-site tracking.
  • Tracking within the same site is considered legitimate by Apple, it remains possible.
  • More privacy-friendly advertising is encouraged.

If it is always possible to do better, Safari is light years away from Google Chrome regarding the protection of privacy.

Except that when we talk about money, Apple makes a deal with the devil: Google pays Apple $8 billion to $12 billion a year to be the default search engine on Safari.

On Apps, a necessary catch-up

With iOS 14.5, Apple launches the system “App Tracking Transparency” (ATT), tracking becomes opt-in. Here is the definition of “tracking” according to Apple :

Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.

This definition is classic, similar to that of Firefox :

Tracking is the collection of data regarding a particular user's activity across multiple websites or applications (i.e., first parties) that aren't owned by the data collector, and the retention, use, or sharing of data derived from that activity with parties other than the first party on which it was collected.

It is also similar to that of the W3C :

Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties.

Apple is finally consistent with the policy it already applied on the web:

  • ATT protects against cross-App tracking.
  • Tracking within the same App or on several Apps from the same company is considered legitimate by Apple, it remains possible.

On iOS, advertising monitoring has historically been facilitated by Apple, through the provision of a unique advertising identifier called IDFA. This identifier was enabled by default, iOS users could disable it if they wished:

follow-up In Settings > Privacy > Advertising, it was possible to check "Limited advertising tracking" (which I did, as shown in the screenshot), but the option was unchecked by default.

The default option is of utmost importance: few people change privacy settings (according to Adjust, only 20% of users deactivated the identifier).

Apple therefore has a historic responsibility here: the IDFA has made it easy for a multitude of companies to monitor you for years. As a reminder:

Here is the reaction of an advertiser with the announcement of the launch of the IDFA (in 2012 with iOS 6), and the "dark pattern" associated with the “Limited advertising tracking” option:

“It's a really pretty elegant, simple solution,” says Mobile Theory CEO Scott Swanson. "The biggest thing we're excited about is that it's on by default, so we expect most people will leave it on."

This historic responsibility has therefore been worth a GDPR complaint before the CNIL, from Quadrature du Net :

apple-knows

Paradigm change therefore with iOS 14.5, applications will have to ask you for authorization to track you, as shown in the new interface (visible from iOS 14, even if the protection is not yet effective):

request In Settings > Privacy > Tracking, "Allow tracking requests from apps" is checked by default (at worst, Apps will ask you if you want to be tracked), and you can uncheck the option.

For comparison, the Google Android equivalent of IDFA isAndroid Advertising ID. But the protections are almost non-existent:

  • It is impossible to deactivate Android Advertising ID (it was possible to deactivate IDFA from iOS 10).
  • It is only possible to reset it.

The noyb association launched a GDPR complaint against Google for tracking users through an “Android Advertising ID” without a valid legal basis. It can be noted that a GDPR complaint de noyb also exists against Apple for tracking without consent via the IDFA. But with this catch-up, Apple risks much less than Google (noyb also points out that after the update, Apple will still be able to use IDFA without consent, which is false).

Technically, advertisers will no longer have access to the IDFA if you have not explicitly given your permission. But advertisers have other weapons in hand to monitor you (fingerprint, hash of email address...). Will Apple also fight against these techniques? Time will tell, but this seems to be his intention:

caid

The settings of your iOS device to generate the CAID fingerprint.

In the same way as on the web with its “Private Click Measurement (PCM)”, Apple does not leave advertisers in the lurch. The measurement of application downloads following an advertising campaign was carried out via IDFA or via a fingerprint (produced by companies such as Adjust). Apple now makes available to developers the SKAdNetwork API, to carry out the measurement while protecting the privacy of users.

Apple vs. Facebook

ATT's promise is simple :

cook

Thanks Tim Cook.

The importance of this update can be measured by the knee-jerk reaction of Facebook, which saw its surveillance capacity severely reduced on iOS (its SDK is now omnipresent on Apps). Facebook justifies its approach by defending small businesses, which would be dependent on Facebook's targeted advertising to find new customers:

Facebook also bought entire pages of advertising in major American newspapers to denounce Apple's update:

small

Facebook never disappoints :

free

Apple against French advertisers

French advertisers are at the forefront of the fight against Apple, and after a public letter sent to Tim Cook in July (spoiler: he did not respond), they decide to file a complaint with the competition authority last October. The subject of their complaint? The mandatory introduction of ATT solicitation for applications on iOS that would like to track user activity on third-party sites.

First response from the competition authority on March 17 and first snub for the advertising industry, on the privacy aspect:

In the current state of the investigation, the Authority considered that Apple's decision to set up a consent collection system complementary to that put in place by other online advertising players did not appear to be an abusive practice.

The instruction nevertheless continues:

This should in particular make it possible to verify that Apple's implementation of the ATT solicitation cannot be viewed as a form of discrimination or "self preferencing", which could in particular be the case if Apple applied, without justification, more restrictive rules to third-party operators than those it applies to itself for similar operations.

It is a safe bet that advertisers will also be defeated on the anti-competitive aspect because Apple does not favor its own applications: it does not practice tracking (and therefore does not use IDFA). Apple offers targeted advertising on its Apps (Apple News, App Store, Stock Market), using the personal data it collects. Google, Facebook or any other App can do the same on iOS, Apple is not opposed to personalized advertisements.

Another complaint, this time before the CNIL by the France Digitale association. The attack is more subtle, Apple activates personalized advertisements on its own applications by default:

personalize

If you go to Settings > Privacy > Apple Advertising, the personalized ads option is enabled by default.

Clearly, Apple would have to ask for your consent before it can offer personalized advertising, so it does not comply with the GDPR. France Digital indicates that this causes significant harm:

  • To users (it's true, although personalized advertising on Apple News, the App Store and Stock Exchange is very far from the harm of personalized advertising on Google or Facebook apps).
  • To French startups who, I quote, “scrupulously respect the rules set out by the GDPR”. It's daring! The list of companies that are part of the association is not public, but it can be noted that Frichti is one of them, and the app that flouts the GDPR.

The complaint further speaks of distortion of competition by insinuating that Apple would offer personalized advertising with its “affiliated companies”:

digital

Table included in France Digitale's complaint, supposed to show a distortion of competition.

As already seen, personalized tracking and advertising within the same App or several Apps from the same company is considered legitimate by Apple, this practice is not the simple act of Apple but also of Google, Facebook, Twitter, etc. France Digitale therefore speaks of “affiliated companies”, Apple partners who would conspire together to track you down.

Apple's explanations of its advertising program are however very clear, there is no transmission or sharing of personal data with third parties:

Apple does not share or transmit your personally identifiable information to third parties.

Also, Apple does not collect personal data through third parties:

Apple's advertising platform does not track your activities, meaning it does not combine user or device data collected on our apps with user or device data collected from third parties for advertising targeting or measurement purposes, and does not share user or device data with data brokers.

No mention of "affiliated companies" in Apple's Privacy Policy, it looks like an invention of France Digitale.

But why such relentlessness of “French digital entrepreneurs and investors” against Apple? No doubt because adtech weighs very heavily in France, we can see for example the involvement of Criteo (the famous French surveillance marketing giant) from the launch of France Digitale here and there. It must be said that Criteo hardly likes Apple, and that for some time now.

Apple against American advertisers

Among American advertisers, the attacks are more subtle but hardly convincing. You can read Ben Thomson or Eric Benjamin Seufert (at Ben Thomson or on his website). Here are some arguments:

  • By tackling tracking, we would strengthen the “Walled Gardens” (Google, Facebook, etc.). Which Wolfie Christl responds very well in this Twitter thread :

wolfie

  • Regarding the supposed reinforcement at “Walled Gardens”, tackling tracking does not prevent us from attacking the advertising giants. The 2 axes can complement each other: read for example Brave's complaint against RTB ("external" data free-for-all), as well as Brave's complaint against Google ("internal" data-free-for-all). Without talking about privacy, it would be interesting to tackle the abuse of dominant position of advertising giants, Google and Facebook. But advertising lobbyists ignore the option.
  • Apple would not seek to protect your privacy on Apps (via ATT), but rather to control your entire experience. Excluding Facebook would bother Apple because the discovery of new Apps would no longer go through the App Store at all but through personalized advertising on Facebook or Instagram. By tackling tracking, Apple would therefore seek to regain control over the distribution of Apps. But what is the real role of advertising in the distribution of Apps?
  • Similar argument on the web (via ITP), where Apple would rather seek to suffocate advertising resources. Consequently, publishers should focus on subscriptions via Apps, on which Apple earns a commission. But why not offer advertising that respects privacy?
  • Apple would fight against advertising players to push its own advertising business. Hard to believe because Apple's advertising business (App Store, Apple News and Stock Market) is insignificant compared to its other income (products, services). Apple also shut down iAd, its ad-network, in December 2016.

If Apple's desire for control is obvious, and if the App Store monopoly is a huge problem, the arguments of advertising lobbyists lack relevance. Apple has an obvious reason to invest in better privacy protection: the demand for protection is high (and Apple's potential customers are not advertisers, but you and me).

Apple forces transparency among App developers

Since December 2020, Apple has made it mandatory privacy labels on Apps. These labels help highlight the differences between applications. If we compare browsers for example:

chrome

Google Chrome spyware.

duck

DuckDuckGo's browser, respectful of your privacy.

If we now look at the messaging:

messenger

Messenger, Facebook's spyware, even worse than WhatsApp.

signal

Signal, an App that respects privacy.

Of course, these labels have limits:

  • They are based on self-declaration. Will Apple check whether the developer is telling the truth?
  • There is no information about personal data that can leak to third parties. It would be interesting to see who collects your personal data and why.

But they already represent a good step forward, and will perhaps push App developers to limit the use of personal data to that which is strictly necessary.

Could Apple go further on Apps?

With ATT, Apple has reached the level of Safari ITP (protection against tracking). If he wanted to go further, he could decide to block advertisements and 1st-party trackers (analytics, A/B testing, tag managers, etc.). Benefits for the user:

  • Ads would be blocked.
  • 1st-party trackers (analytics, A/B testing, tag managers, etc.) would also be blocked. Today, for example, trackers from Google Analytics, Segment, Mixpanel or Amplitude are not blocked.

But it would alienate certain developers, and this would not be consistent with its current policy on the web via Safari ITP.

Unfortunately, this ad therefore does not apply to 1st-party trackers, your iPhone still communicates with many third parties, including those from Google (even if the identifiers should now be specific to each App, because IDFA is no longer available by default):

billboard

With native support for encrypted DNS via iOS 14, however, it allowed tracker and ad blockers to do their job better (these blockers had to create a local pseudo VPN, which was a disaster for the battery). I use NextDNS for my part, which allows me to block all trackers and other advertisements.

Yes, Apple protects you against advertising surveillance, getting better and better

As we have seen, the protections provided by Apple against advertising surveillance on iOS can be largely improved. But they have the merit of being coherent and of fighting quite effectively against tracking, as the irritation of Facebook and adtech in general proves. An advanced user can go further by going through a tracker and ad blocker such as NextDNS, AdGuard or a Pi-Hole.

Even if it is healthy to criticize such a dominant multinational, and for very valid reasons (closed, locked system, very limited repairability, App Store monopoly, "tax optimization", planned obsolescence, etc.), the "Android by Google" alternative is not credible if you want to protect your privacy.

If you are allergic to Apple but still want to protect your privacy on your smartphone, you will have to go through distributions that have removed the "Google" layer from Android (/e/ for example, based on Lineage OS and microG), but you will need good technical skills.