Mobility

Apple allows app developers to resume tracking with iOS 6

Apple was burnt once by allowing app developers to track users via the UDID. Will they get burnt again by allowing app developers to track using Apple's brand-new IDFA?

Online tracking of mobile devices for whatever reason is a touchy subject -- just ask Apple. A while back, Apple was smack in the middle of the tracking squabble. The panic started when the Wall Street Journal publicized how application developers were able to associate iPhone's Unique Device IDentifier (UDID) -- considered the phone's serial number -- with other personal information (real names, addresses, and phone numbers) stored on the phone.

This paper written earlier by Eric Smith forecasted this inevitability:

"Apple provided this function to allow application developers to uniquely identify the iPhone being used for purposes such as storing application preferences or video game high scores. While the UDID does facilitate the process of collecting and storing certain types of data, it also creates a tempting opportunity for use as a tracking agent or to correlate with other personally-identifiable information in unintended ways."

The author Smith presented the following slide as evidence that an UDID (first red box) can be sent to an app's remote server. The slide also proves that the app is associating the UDID with the phone owner's name, Eric J. Smith (second box).

This means organizations associated with each one of your iPhone apps can retrieve a significant amount of information about you, your online habits, and quite possibly a location profile if the app has permission to use either coarse (cellular) or fine (GPS) location details.

Who is responsible?

I'd like to step back for a second and discuss something that seems to get lost in the battle. There are three parties involved in this conundrum: Apple, app developers/advertisers, and the phone owners.

Let's start with Apple. I pulled the following quote from their privacy policy webpage today:

"We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising."

Most people say that's okay. Apple already has all their personal information.

Next on the list are app developers and the advertising networks they use. Until this past February, privacy policies covering mobile apps were not required. Complete trust in an app developer with no recourse bothered many privacy experts. It appears that someone who could do something was listening.

This press release describes an agreement between the State of California and the six major mobile-app markets: Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research In Motion.

"This agreement strengthens the privacy protections of California consumers and of millions of people around the globe who use mobile apps. By ensuring that mobile apps have privacy policies, we create more transparency and give mobile users more informed control over who accesses their personal information and how it is used."

Good news. Everyone is in agreement; all mobile apps need to have a privacy policy. The policy must be easily accessible, and the app's listing in the store must include the privacy policy or a link to it.

Please note: The agreement does not restrict what information can be collected.

Then there's us, the phone owners. The way it is setting up, the responsibility is going to rest on each of us to read, understand, and agree to the app's privacy policy.

Back to the UDID

While all this was going on, Apple made a command decision. Message to app developers: No more using the UDID or we will remove your app from our store. Peace returned to the digital landscape, at least for a bit...

Apple started strategically leaking that something was in the works to replace the UDID as a marker for app developers. I'm told, it was inevitable. There's just too much money to be made by two of the three involved parties. Jessica Vascellaro, of the Wall Street Journal, was one of the first to catch on, mentioning in her post:

"Apple Inc. is planning to release a new way for mobile app developers to track who uses their software, according to people briefed on Apple's plans, the company's latest attempt to balance developers' appetite for targeting data with consumers' unease over how it is used."

Introducing IDFA

Well, the wait is over. With the release of iOS 6, Apple is back in the tracking game. What Vascellaro alluded to in her post is the IDentifier for Advertisers (IDFA).

To make it more palatable, Apple decided to make IDFAs similar to persistent cookies, thus somewhat controllable by the user -- unlike the UDID. Also, several sources are mentioning (I have not seen proof) the IFDA cannot be traced back to the individual user; it only links online behavior to a device.

How to disable

If targeted ads and giving app developers your personal information does not appeal to you, you can disable the IDFA, as it is enabled by default. The switch is found under Settings>General>About>Advertising.

To limit tracking, turn the switch on.

Some confusion

Why did Apple call the switch Limit Ad Tracking? They had to know it would create confusion. And it wasn't long before rumors were out and about. Some that I've found are:

  • Even with Limit Ad Tracking enabled, identifiers will be sent to advertisers. The information is flagged, but up to the individual organization to respect it.
  • TRUSTe.com pointed out several concerns in this article. For example: This system has some structural similarities to the DNT header feature, but with some important gaps like Exception management and some definitions around what behaviors are expected by third parties once the user has set the flag.

I have not been able to verify (second source) any of the above concerns. I thought it best to mention them and will update the article as information becomes available.

Final thoughts

Like so many other things, the onus is once again squarely on us users. Apple and developers can craft policies that cover their liabilities and more importantly:

"Blank company has the discretion to update this privacy policy at anytime."

About

Information is my field...Writing is my passion...Coupling the two is my mission.

19 comments
22766
22766

Advertisement makes a lot of money. Whether mobile user likes it or not the benefit is to the tracker.

flhtc
flhtc

dump my IPhone a get the closed thing to a "brick" as I can. No data, GPS, web, etc.. Just a phone. They can track me from tower to tower like a monkey swingin' in the trees. :D Heck I'd steampunk it with a rotory dial if I could. LOL

Craig_B
Craig_B

It just seems like we will be caught in this trap of business wants to suck everything of value from the herd ur, um, it's customers and the customers seem to want reasonable privacy when using devices or services. I believe this will go on until Congress makes the Privacy Act of 2013 or whatever. Then business will complain it has too many regulations to follow. If only people, because that's who is doing this would just be reasonable in the first place.

HAL 9000
HAL 9000

It's a Perceived Benefit which is continuing to be pushed in the hope of revenue down the track when the Technology Grows Up. Like the Yellow Pages if you are in first you have the Best Placement and these Adds are cheap to insert and are used by those who want the exposure but don't necessarily expect big returns on advertizing. Or if you like the belief that Facebook is Big so it must be valuable. The Market went crazy over that release and since that time how much money has been lost by those who had to be early owners? If you do not have a solid income stream the business isn't worth anything no matter how many members you actually have and the same applies to Apps and App Adds. You might get millions of people forced to look at them but very few actually buy. As mentioned above I don't know anyone who has parted with their money but maybe that's just because I associate with the wrong crowd. Col ;)

Michael Kassner
Michael Kassner

I agree with you, but fail to see how. I'm hoping you can explain. I have yet to run into anyone that has bought anything from an ad displayed in an app.

Michael Kassner
Michael Kassner

They track every mobile device (smart or not) and for whatever reason retain the information.

Michael Kassner
Michael Kassner

Is the perceived value of ads, whether targeted or not. How many buy something that's advertised in an app they are using?

knj_1
knj_1

I have one. I am so offended by the constant invasion of advertisements everywhere that I started a list. Michael - your friend and his colleagues will never make a dime off of me. They will, however, get the advertiser on to my blacklist. And there's a big difference between these advertisements and the Yellow Pages. The former is push (on to me) and the latter is pull (when I'm interested and looking). I DO get annoyed when I actually want something and the vendor turns out to be on my blacklist...but I persist and won't give them my business!

Michael Kassner
Michael Kassner

I work with William Francis, fellow TR writer and app developer, he mentioned that he gets paid by the click on an add. I wonder if they are just using that as their marker.

vegesm
vegesm

What advertisers really want is exposure not individual downloads or purchase. They think it generates revenue on the long term.

HAL 9000
HAL 9000

Recently here we had a Vintage Airplane disappear in some really nasty country and the only way they found it was to track the Mobile Phone that one of the passengers had. Took 4 days and everyone was dead as the plane was involved in a [b]High Impact[/b] meeting with a hill so at the very least it was quick and most likely they never knew what they hit. The EPerb in the plane was destroyed on Impact but at least 1 mobile was still working so they found the wreck by closing in on the phone. Didn't matter that they flew over the crash site several times they simply didn't see the wreckage through the trees. Col

michaellashinsky
michaellashinsky

Exactly what I have been saying. The whole business model is based on a false premise and will eventually collapse. The website owners and hosts that insist I am stealing by using adblock are actually stealing from their ad clients because no one is buying this crap!

ahmedkabir
ahmedkabir

Yup it is'mnt i agrred SAK ahmedkabir.tumblr.com

Michael Kassner
Michael Kassner

I was thinking that it was fortunate that the phone was on and not in "airplane mode" or shut off.

HAL 9000
HAL 9000

It took them 4 days to locate the downed plane by accessing the Mobile Phone so if that's the best that can be managed it's hardly worth the time and effort involved to use that tracking ability. They where relying on the Phone Polling the nearest Cell Tower to locate it, well I would imagine several Cell Towers and then triangulating it's location. It's not the fastest way to locate something. ;) Col

Michael Kassner
Michael Kassner

All this new technology has great uses. It's the other ones that are scary.

Michael Kassner
Michael Kassner

I never thought about sharing real estate with a less than desirable ad. That would have some impact.

michaellashinsky
michaellashinsky

Common sense agrees with you, but I don't know anyone who buys anything because of the crappy ads on the cell phones or even the slightly less crappy ads in web pages. Seriously, who is buying misspelled Viagra and Cealis from web ads? Who sees that picture of the rotten teeth and clicks the link for tooth whitener? Even if there are legitimate products and services out there, they would be lost in the spam. (The company you keep...) I am an honest guy that fixes computers. If I had an ad for my services right next to an ad for V1agra, would you want to take a chance on me? I wouldn't! I think anyone using this form of advertising is wasting their money.

Michael Kassner
Michael Kassner

They are spending tons of money on this type of advertising year after year. If it wasn't effective, one would think they'd stop.