An interesting new study of 1,759 iOS apps, examined before and after Apple implemented a major privacy feature last year that required developers to ask permission to track app users (known as App Tracking Transparency, or ATT), found that the measure made tracking more difficult by preventing the collection of the Identifier for Advertisers (IDFA), which can be used for cross-app user tracking.
However, the researchers found little change to the tracking libraries built into apps, and also saw that many apps still collect tracking data despite the user asking the apps not to track them.
Additionally, they found evidence of app makers engaging in anti-privacy fingerprinting of users, using server-side code to bypass Apple’s ATT – suggesting Cupertino’s move could motivate a backlash in which developers use other means to continue tracking iOS users.
“We even found a real-world example from Umeng, a subsidiary of Chinese tech company Alibaba, using its server-side code to provide apps with a fingerprint-derived cross-app identifier,” they write. “Using fingerprints is against Apple’s policies and raises questions about the company’s ability to enforce its policies. ATT could eventually encourage a behind-the-scenes shift of tracking technologies, putting them out of Apple’s reach. In other words, Apple’s new rules could result in even less transparency around tracking than we currently have, including for academic researchers.”
The research paper, entitled “Goodbye tracking? Impact of transparency and privacy flags on iOS app tracking”, is the work of four researchers affiliated with the University of Oxford and a fifth independent researcher from the United States. It’s worth noting that it is a preprint – meaning it has not yet been peer-reviewed.
Another part of the study looked at the “privacy nutrition labels” that Apple introduced to iOS at the end of 2020 – with the researchers concluding that these labels are often inaccurate.
Apple’s system, which aims to give iOS users an at-a-glance view of how much data they’re giving up to use an app, requires app developers to declare for themselves how they handle user data. And here the researchers found “notable discrepancies” between the apps’ disclosed and actual data practices – which they say could create a false sense of security in consumers and mislead them about how much privacy they are giving up to use an app.
“Our findings suggest that tracking companies, particularly larger ones with access to large first-party troves, are still tracking users behind the scenes,” they write in a section discussing how continued, consentless tracking both reinforces the power of gatekeepers and increases the opacity of the mobile data ecosystem. “You can do this through a number of methods, including using IP addresses to associate installation-specific IDs across apps and through the sign-in functionality provided by individual apps (e.g. Google or Facebook sign-in or email address).
“Especially in combination with other user and device characteristics, which according to our data are still often collected by tracking companies, it would be possible to analyze user behavior across apps and websites (e.g. fingerprinting and cohort tracking). So a direct consequence of the ATT could be that existing power imbalances in the digital tracking ecosystem will be amplified.”
The paper may fuel arguments trying to pit competition law against privacy rights, as the authors’ findings suggest that Apple and other big companies have been able to increase their market power as a result of measures like ATT that give users more leverage over their privacy.
Apple was contacted for comment on the research paper, but at the time of writing, the company had not responded.
A separate plan by Google to end support for tracking cookies in its Chrome browser and switch to alternative ad targeting technologies (which the tech giant has also said it will bring to Android devices) has also been the target of antitrust complaints in recent months.
As it stands, neither Apple’s ATT nor Google’s self-proclaimed “privacy sandbox”, the measures taken by the two mobile gatekeepers, has been fully blocked by competition authorities, although Google’s sandbox plan remains under close scrutiny in Europe following a UK antitrust intervention that led the company to offer a series of obligations about how it will develop the tech stack. The interventions probably also contributed to a delay in Google’s original schedule.
The EU also has a formal antitrust investigation into Google’s adtech, which includes investigating the Sandbox plan – although at the time the investigation was announced it stressed that any decision would also need to consider user privacy, writing that it would “consider the need to protect user privacy under EU laws in this context, such as the General Data Protection Regulation”, and emphasizing that “competition law and data protection laws must work hand in hand to ensure that there is a level playing field in display advertising markets, where all market participants protect the privacy of users in the same way.”
Joint work between the UK’s competition authority (CMA) and data protection authority (ICO) was also the approach taken throughout the CMA’s privacy sandbox process. And in an opinion last year, the outgoing UK information commissioner told the adtech industry that it needs to move away from tracking and profiling-based ad targeting – and pushed for the development of alternative ad targeting technologies that don’t require processing of people’s data.
In the discussion section of their research paper, the researchers further speculate that reduced access to persistent user IDs as a result of Apple’s ATT could, over time, “substantially improve” app privacy. They point specifically to the broader changes underway to recast ad targeting technologies (like Google’s Sandbox) that claim to be better for privacy, although the researchers also note that these claims need to be challenged, as having the potential to undermine the economic calculus of anti-privacy techniques like fingerprinting.
However, they predict that this migration away from tracking will further concentrate the market power of platform gatekeepers.
“While some companies may seek to replace IDFA with statistical identifiers in the short term, the limited access to non-probabilistic cross-application identifiers could make it very difficult for data brokers and other smaller tracker companies to compete. Techniques like fingerprinting and cohort tracking may not be competitive enough compared to more privacy-friendly on-device solutions,” they suggest. “We are already seeing a shift in the advertising industry towards adopting such solutions, driven by decisions by platform gatekeepers (e.g. Google’s FLoC/Topics API and Android Privacy Sandbox, Apple’s ATT and Privacy Nutrition Labels), although further discussion is needed on whether these new technologies protect privacy in a meaningful way.
“However, the net result of this shift towards more privacy-preserving methods will likely be a greater focus on existing platform gatekeepers, as the early reports of Apple’s tripled marketing share, the planned overhaul of Facebook/Meta’s advertising technologies and others, and the changing spending patterns of advertisers suggest. Ultimately, advertising for iOS users – who are among the wealthiest individuals – will be an opportunity that many advertisers cannot afford to miss, and they will therefore rely on the advertising technologies of the larger tech companies to continue targeting the right audiences with their ads.”
The paper also calls out the failure of European regulators and policymakers to crack down on tracking by enforcing data protection laws such as the General Data Protection Regulation (GDPR), writing: “[I]t is worrying that a few changes by a private company (Apple) appear to have changed privacy in apps more than many years of high-level discussions and efforts by regulators, policymakers, and others. This underscores the relative power of these gatekeeper companies and the failure of regulators to adequately enforce the GDPR to date. An effective approach to improve compliance with data protection law and data protection in practice could be more targeted regulation of app ecosystem gatekeepers; so far there is no specific regulation in the US, UK and EU.”
For Internet gatekeepers, however, targeted regulation is on the way. Albeit at a pace orders of magnitude slower than the ads that are auctioned off and eyeballed every millisecond of every day.
The European Union reached political agreement last month on its flagship ex-ante competition reform for gatekeepers, known as the Digital Markets Act, and lawmakers said at the time they expected the regime to come into effect in October. (Though it’s unlikely to really kick off until 2023 at the earliest, and there’s already debate over whether the Commission has sufficient resources to crack down on some of the world’s most valuable companies with their growing armies of in-house lawyers.)
The UK, meanwhile, has its own bespoke version of this sort of big-tech competition reform. Its “pro-competitive” regime was pursued back in 2020 but is pending legislation to authorize the Digital Markets Department. And recent reports in the British press have suggested that the law on digital competition will not be presented to Parliament until next year – which would mean a further delay.
Germany is ahead of the pack here, having passed competition reform early last year. Earlier this year it also identified Google as subject to this specific abuse control regime, although the country’s FCO has yet to complete its investigative work on various Google products which raise competition concerns. But it is possible that we will see some gatekeeper enforcements by the FCO this year.
Study of Apple’s ATT impact highlights competition concerns – TechCrunch