The end of phone ID tracking?
Apple’s changes to iOS, what they mean for you and why Nathan Taylor thinks Facebook is terrified.
If you’ve been following IT news through the early part of this year, you may have learned that Apple and Facebook have been engaged in quite a stoush. The fight was over a change Apple planned to make in iOS 14 with respect to advertiser ID, a change that would be a positive move for privacy but that Facebook felt was an existential threat to its and many other companies’ business models.
Facebook’s opposition was so vehement that Apple agreed to push back the changes from the September 2020 launch of iOS 14 to a later patch in order to give developers time to adjust. At the time of writing, the patch to implement the change was scheduled for some time in the US Spring (March, April, May), so it may already be out by the time you read this.
On the surface, it seems like a somewhat modest change to the iOS Identifier for Advertisers (IDFA). So why is that such a big deal? Well, to understand that, we should first take a look at what IDFA is and how it works.
So what is IDFA, and how does it work?
IDFA is essentially a permanent tracking cookie, built right into every iPhone, nominally designed so that advertisers can track your advertising preferences and use that to deliver customised ads. We say nominally, because it is also commonly used for things like analytics and custom news feeds (for example, do you like to click on articles about conspiracy theories? IDFA knows.)
With IDFA, every iPhone and iPad has a unique identifier in the form of a random numerical code. The code is theoretically nonidentifying: it’s just a number, and contains no personal information inside it. App developers can make a call to access this code without requiring permission from the user. A company like an ad network or a social network like Facebook, which has hooks into multiple apps, could then use it to track your activity across those apps.
Let’s say, for example, you were given the IDFA code 12345-67890 (they’re actually quite a bit longer than that, with 32 hex digits, but we’ll keep it simple for our example). Your favourite mobile word game, which includes pop-up ads from the Intruders Inc Ad network, can access that IDFA and pass it onto Intruders Inc. The IDFA code wouldn’t provide any information about you... yet.
Later, when you’re playing a Jewels game, which also includes ads supplied by Intruders Inc, your unique IDFA code is grabbed again. Now Intruders Inc knows that phone 12345-67890 played certain games, and at what times. They know what ads 12345-67890 clicked on, and can over time build a fairly complete profile of the owner of phone 12345-67890. Through a process called fingerprinting using this and other persistent identifiers like the phone’s IMEI number or MAC address, they might even be able to personally identify the user or overcome IDFA resets (it’s really not a long leap from the anonymous code to a personal ID, as many researchers have demonstrated).
This is essentially the exact way that much-maligned tracking cookies work, but for apps instead of web sites. Fortunately, there is a way to turn it off. In iOS, go to Settings > Privacy and switch on the ‘Limit Ad Tracking’ option. Once you’ve done this, your phone or tablet will no longer provide an IDFA on request, instead providing a null result.
There’s another option here: Reset Advertising Identifier. This option changes your current IDFA code to a new random number so that historical information gathered on your phone will be null. Of course, if Limit Ad Tracking is on, then you shouldn’t need to do this.
So what’s changing (and why it’s a big deal)
iOS 14 is making one notable change to IDFA – it’s being turned into an app permission. Prior to the update, it was either always on or always off. If it was on (that is, ‘Limit Ad Tracking’ was switched off) then any app could access it at will, no permission required. Once the change is implemented, however, when an app tries to access the phone or tablet’s IDFA number, a big honkin’ permission popup will appear, asking if you would like to allow the app owner permission to track you.
This is a positive move for privacy, making it more transparent to the user which apps are tracking them and how, and giving them the option to opt in or out on an app-by-app basis.
But it may not seem like that big a deal, since users already have the option to universally opt out. So why is Facebook so upset? Simply put, Facebook’s business model relies heavily on the apathy and ignorance of users with respect to privacy. Although you could previously switch off IDFA manually, it required you to understand what was going on and dig through some arcane privacy settings to do so. Only about 20% of iOS users did – the other 80% just left it on.
This change brings tracking front and centre, and Facebook knows very well that, given the explicit choice to be tracked or not tracked, most users will choose not to be. In essence, IDFA tracking becomes opt-in rather than opt-out.
In response, Facebook itself is removing IDFA from its iOS app completely, at least until it knows more, and encouraging its partners to do so in order to ensure that users won’t get the popup and won’t be reminded that Facebook is doing everything it can to monitor their activity online.
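The cross-app linking, the reset option and the per-app permission described above can be modelled in a few lines. This is an added example, not code from Apple or any ad network: the `Device` and `AdNetwork` classes and the app names are constructed for illustration, and the all-zero identifier stands in for the "null result" the article mentions.

```python
# Added illustration: toy model of IDFA handling, not Apple's or any ad network's code.
import uuid
from collections import defaultdict

ZERO_ID = "00000000-0000-0000-0000-000000000000"  # returned when tracking is off

class Device:
    """Constructed stand-in for a phone's advertising-identifier settings."""
    def __init__(self):
        self.idfa = str(uuid.uuid4()).upper()  # random 32-hex-digit identifier
        self.limit_ad_tracking = False         # the old global opt-out switch
        self.per_app_prompt = False            # True once the permission change ships
        self.allowed_apps = set()              # apps the user tapped "Allow" for

    def reset_identifier(self):
        self.idfa = str(uuid.uuid4()).upper()

    def idfa_for(self, app):
        denied = self.per_app_prompt and app not in self.allowed_apps
        if self.limit_ad_tracking or denied:
            return ZERO_ID
        return self.idfa

class AdNetwork:
    """Hypothetical backend of an ad SDK embedded in several apps."""
    def __init__(self):
        self.profiles = defaultdict(list)

    def report(self, device, app, event):
        ident = device.idfa_for(app)
        if ident != ZERO_ID:  # a zeroed ID cannot be joined across apps
            self.profiles[ident].append((app, event))

def simulate():
    phone, net = Device(), AdNetwork()
    net.report(phone, "wordgame", "ad_click")
    net.report(phone, "jewels", "session_start")
    linked = len(net.profiles[phone.idfa])     # both apps land in one profile
    old = phone.idfa
    phone.reset_identifier()                   # 'Reset Advertising Identifier'
    net.report(phone, "jewels", "ad_click")
    split = (len(net.profiles[old]), len(net.profiles[phone.idfa]))
    phone.per_app_prompt = True                # permission popup now applies
    phone.allowed_apps.add("wordgame")
    net.report(phone, "jewels", "ad_click")    # user declined: nothing recorded
    net.report(phone, "wordgame", "ad_click")  # user allowed: recorded
    after_prompt = len(net.profiles[phone.idfa])
    return linked, split, after_prompt
```

The model covers only the advertising identifier itself; it does not represent fingerprinting with other persistent identifiers, which the article notes can re-link a profile after a reset.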
Meanwhile, in the Google-verse...
If you’re feeling cocky as an Android user right now, you shouldn’t. When it comes to tracking and advertising IDs, Google is actually no better than Apple, and at least Apple is improving. A blog called AppCensus (blog.appcensus.io) even found roughly 17,000 Google Play apps that were breaking Google’s apparently unenforced policies regarding the linking of advertising identifiers with other persistent identifiers.
Android has a nearly identical advertiser ID system to IDFA. It’s known as Google Advertising ID (GAID), and it’s attached to every Android-based device that uses Google Play Services. Each user of a shared device has their own ID.
As with Apple, you can find an option to turn it off if you dig deep into your settings (and Android users are even worse on this score, with less than 5% of users applying it, according to US marketing company Singular). On stock Android you need to head to Settings > Google > Ads to find the option to ‘Opt out of Ads Personalisation’, which effectively turns off GAID for that device. You can also reset your current GAID number here.
There’s an important note here: if you clear your phone cache, you will need to re-enable this setting.
As far as we know, Google hasn’t any plans to implement permissions the way that Apple is. A note on the Google website says “Persistent identifiers are still available because there are various supported use cases which aren’t related to advertising. Longer term, we’ll evaluate additional opportunities to provide users with even more informed control over what persistent identifiers are provided to third parties.” Translation: maybe one day, if we’re put under enough pressure.