Apple was burnt once by allowing app developers to track users via the UDID. Will they get burnt again by allowing app developers to track using Apple's brand-new IDFA?
Online tracking of mobile devices for whatever reason is a touchy subject -- just ask Apple. A while back, Apple was smack in the middle of the tracking squabble. The panic started when the Wall Street Journal publicized how application developers were able to associate iPhone's Unique Device IDentifier (UDID) -- considered the phone's serial number -- with other personal information (real names, addresses, and phone numbers) stored on the phone.
This paper written earlier by Eric Smith forecasted this inevitability:
"Apple provided this function to allow application developers to uniquely identify the iPhone being used for purposes such as storing application preferences or video game high scores. While the UDID does facilitate the process of collecting and storing certain types of data, it also creates a tempting opportunity for use as a tracking agent or to correlate with other personally-identifiable information in unintended ways."
The author Smith presented the following slide as evidence that an UDID (first red box) can be sent to an app's remote server. The slide also proves that the app is associating the UDID with the phone owner's name, Eric J. Smith (second box).
This means organizations associated with each one of your iPhone apps can retrieve a significant amount of information about you, your online habits, and quite possibly a location profile if the app has permission to use either coarse (cellular) or fine (GPS) location details.
Who is responsible?
I'd like to step back for a second and discuss something that seems to get lost in the battle. There are three parties involved in this conundrum: Apple, app developers/advertisers, and the phone owners.
"We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising."
Most people say that's okay. Apple already has all their personal information.
Next on the list are app developers and the advertising networks they use. Until this past February, privacy policies covering mobile apps were not required. Complete trust in an app developer with no recourse bothered many privacy experts. It appears that someone who could do something was listening.
This press release describes an agreement between the State of California and the six major mobile-app markets: Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research In Motion.
"This agreement strengthens the privacy protections of California consumers and of millions of people around the globe who use mobile apps. By ensuring that mobile apps have privacy policies, we create more transparency and give mobile users more informed control over who accesses their personal information and how it is used."
Please note: The agreement does not restrict what information can be collected.
Back to the UDID
While all this was going on, Apple made a command decision. Message to app developers: No more using the UDID or we will remove your app from our store. Peace returned to the digital landscape, at least for a bit...
Apple started strategically leaking that something was in the works to replace the UDID as a marker for app developers. I'm told, it was inevitable. There's just too much money to be made by two of the three involved parties. Jessica Vascellaro, of the Wall Street Journal, was one of the first to catch on, mentioning in her post:
"Apple Inc. is planning to release a new way for mobile app developers to track who uses their software, according to people briefed on Apple's plans, the company's latest attempt to balance developers' appetite for targeting data with consumers' unease over how it is used."
Well, the wait is over. With the release of iOS 6, Apple is back in the tracking game. What Vascellaro alluded to in her post is the IDentifier for Advertisers (IDFA).
To make it more palatable, Apple decided to make IDFAs similar to persistent cookies, thus somewhat controllable by the user -- unlike the UDID. Also, several sources are mentioning (I have not seen proof) the IFDA cannot be traced back to the individual user; it only links online behavior to a device.
How to disable
If targeted ads and giving app developers your personal information does not appeal to you, you can disable the IDFA, as it is enabled by default. The switch is found under Settings>General>About>Advertising.
To limit tracking, turn the switch on.
Why did Apple call the switch Limit Ad Tracking? They had to know it would create confusion. And it wasn't long before rumors were out and about. Some that I've found are:
- Even with Limit Ad Tracking enabled, identifiers will be sent to advertisers. The information is flagged, but up to the individual organization to respect it.
- TRUSTe.com pointed out several concerns in this article. For example: This system has some structural similarities to the DNT header feature, but with some important gaps like Exception management and some definitions around what behaviors are expected by third parties once the user has set the flag.
I have not been able to verify (second source) any of the above concerns. I thought it best to mention them and will update the article as information becomes available.
Like so many other things, the onus is once again squarely on us users. Apple and developers can craft policies that cover their liabilities and more importantly: