Apple’s App Tracking Transparency works, but there are loopholes, bypasses, and outright violations

Last year, Apple enacted App Tracking Transparency (ATT), a mandatory policy that forbids app makers from tracking user activity across other apps without first receiving those users’ explicit permission, but there are loopholes, bypasses, and outright violations.

Dan Goodin for Ars Technica:

Privacy advocates praised the initiative, and Facebook warned it would spell certain doom for companies that rely on targeted advertising. However, research published last week suggests that App Tracking Transparency, as it’s usually abbreviated, doesn’t always curb the surreptitious collection of personal data or the fingerprinting of users.

While ATT in many ways works as intended, loopholes in the framework also provided the opportunity for companies, particularly large ones like Google and Facebook, to work around the protections and stockpile even more data. The paper also warned that despite Apple’s promise for more transparency, ATT might give many users a false sense of security.

“Overall, our observations suggest that, while Apple’s changes make tracking individual users more difficult, they motivate a counter-movement, and reinforce existing market power of gatekeeper companies with access to large troves of first-party data,” the researchers wrote. “Making the privacy properties of apps transparent through large-scale analysis remains a difficult target for independent researchers, and a key obstacle to meaningful, accountable and verifiable privacy protections.”

MacDailyNews Note: In their report, the researchers wrote:

Our findings suggest that tracking companies, especially larger ones with access to large troves of first-party data, still track users behind the scenes. They can do this through a range of methods, including using IP addresses to link installation-specific IDs across apps and through the sign-in functionality provided by individual apps (e.g. Google or Facebook sign-in, or email address). Especially in combination with further user and device characteristics, which our data confirmed are still widely collected by tracking companies, it would be possible to analyse user behaviour across apps and websites (i.e. fingerprinting and cohort tracking). A direct result of the ATT could therefore be that existing power imbalances in the digital tracking ecosystem get reinforced.

We even found a real-world example of Umeng, a subsidiary of the Chinese tech company Alibaba, using their server-side code to provide apps with a fingerprinting-derived cross-app identifier… The use of fingerprinting is in violation of Apple’s policies, and raises questions around to what extent the company is able to enforce its policies. ATT might ultimately encourage a shift of tracking technologies behind the scenes, so that they are outside of Apple’s reach. In other words, Apple’s new rules might lead to even less transparency around tracking than we currently have, including for academic researchers.

Users may want to use iCloud Private Relay — part of an iCloud+ subscription — which helps protect your privacy when you browse the web in Safari.
