We are tracked. All day, every day. We are tracked so that data brokers can learn what we are susceptible to and refine how to profit from exploiting what they know about us. The nature of this tracking is about to change. In the coming weeks, Apple is expected to roll out iOS 14.5. One of its key features will require apps to self-disclose their data use practices and ask users for permission before they track them. Users will also be able to access a list of the apps which have requested permission to track in their settings and make changes as they see fit. This is expected to cause significant changes to the massive, largely opaque consumer data industry.

1. Introduction

The number of people with smartphones was predicted to hit 3.5 billion globally by the end of 2020. The average smartphone user has 40 apps installed on their phone. They use 10 per day and 30 per month. In the first quarter of 2020, the Google Play Store and Apple’s App Store had a combined 33.6 billion app downloads. App downloads are expected to exceed 258.2 billion in 2022 and the average user spends 87% of their mobile time in apps. There are also approximately 1.14 billion tablet users worldwide (for detailed statistics see here and here).

Needless to say, Apple is a major player in terms of both apps and hardware sales. According to Wikipedia (here), 1.5 billion Apple products are currently in active use world wide. The Apple App Store offers 1.96 million apps for download. In 2020, Apple’s global revenue was $274.5 billion  and in August of that year, Apple became the world’s first publicly traded American company to be valued over $2 trillion. Around half of the smartphones sold in Canada are iPhones and, in the second quarter of 2020, Apple had 7 of the top 10 best-selling devices (here).

2. Online Tracking

Apple defines tracking (here) as one of two things: (1) the act of linking user or device data collected from an app with user or device data from another company’s app, website or offline properties for targeted advertising or advertising measurement purposes; and, (2) sharing user or device data with a data broker.

Currently, the primary way advertisers and data brokers track users is through built-in device identifiers specifically designed for that purpose. On Apple products, a device’s unique identifier is called the ID for Advertisers (IDFA). It is similar to Google’s GAID (Google Advertising ID) or GPS ADID (Google Play Services ID). These identifiers provide companies and third-parties who buy the data with depersonalized information about user interactions with apps and websites.

Other means of tracking are more subtle. For example, device “fingerprinting” involves collecting and correlating large amounts of seemingly innocuous data to build a user profile which can then be tracked. As explained in detail by technology journalist John Koetsier (here), this method can utilize information like a device’s processor type, software version, time since last update/restart, location/time zone, battery status, and available disk space in order to create a reasonably unique profile that can be used to track a user across the life of the device.

According to a paper released by Apple earlier this year (here), the average app is embedded with six trackers . These are often inserted in the form of pre-made third party code which developers insert when they build their apps. The trackers embedded within the code allow third parties to collect data about users and then link that data across apps. There are hundreds of data brokers and, according to the Apple paper, a single broker alone (Axiom) collected data on 700 million consumers worldwide and had created consumer profiles comprised of up to 5,000 characteristics (p. 2).

The information gathered through online tracking is extremely valuable. It is estimated to fuel a $227 billion dollar per year industry (p 1).  Each and every action taken by a user (clicking a link, playing a game, installing an app, watching a video, pausing rather than scrolling, etc) provides valuable information about which kind of people do what and when. Consumer information is harvested, aggregated, analyzed and then used to refine targeted advertising. By learning how particular users respond to cues and prompts, advertisers can fine-tune the best ways to nudge them into desired behaviours.

3. Apple’s New Initiative

The new privacy features in iOS 14.5 have been highly anticipated since they were first announced (here) in June of last year. The changes fall under the umbrella of what Apple is calling its App Tracking Transparency initiative. The new rules require app developers to seek express permission to track users and disclose privacy information to users.

The current iOS allows users to opt out of sharing their IDFAs by finding and disabling the feature in their device settings (see here for how to do this on an iPhone). In iOS 14.5, tracking will be turned off by default. Every app will have to display a pop-up asking permission to track a user or share their IDFA with third parties. Users will be able to opt-in to tracking should they wish and developers will not be allowed to reduce app functionality if tracking is turned off. The proportion of users who agree to share their IDFAs under the opt-in model is expected to plummet by those in the industry (here).

App developers will also be required to self-disclose their privacy practices and the practices of any third-parties who have code integrated into their apps. This information will be used to provide a summary of these practices on the app’s product page and inform users about how their data is used, including whether it is linked to the user or used for tracking (see here at p. 7 and here).

4. The Targeted Activities

These changes will impact many of the methods currently used to facilitate targeted advertising. Apple’s examples of the activities that consitute “tracking” and are thus governed by the new requirements include:

• displaying targeted advertisements based on user data collected from apps and websites owned by other companies;
• sharing device location data or email lists with a data broker;
• sharing a list of emails, advertising IDs, or other IDs with a third-party advertising network that uses that information to re-target those users in other developers’ apps or to find similar users (useful in a practice known as creating a Lookalike Audience); and,
• placing third-party SDKs (software development kits) into apps to combine the app’s user data with user data from other developers’ apps to target advertising or measure advertising efficiency. For example, using a login SDK that re-purposes the data it collects to enable targeted advertising in other apps would constitute tracking.

According to Forbes, Apple has already started enforcing the new privacy rules and rejecting apps that use “algorithmically converted device and usage data to create a unique identifier in order to track the user” (here). Disallowing these practices is expected to significantly impact the landscape of the online advertising industry, particularly for Google and Facebook although how they will respond remains unclear. According to MightySignal (here), Facebook SDKs are embedded in over 88,000 apps including 101 of the top 200 iOS apps. In the second half of 2020, Facebook took out two full page ads in the The Wall Street Journal, New York Times, and Washington Post protesting the changes. In March of this year, Mark Zuckerberg said he was confident Facebook would be “in a good position” and “may even be in a stronger position” than they were before (here).

5. What’s in it for Apple?

Apple articulates its stance on privacy in stark terms. It’s current privacy landing page (here) features large white text on a black background with the opening declaration: “Privacy is a fundamental human right.” The data collection header reads: “Your data. Your choice.” Apps are touted as: “Designed for your privacy.”

Apple’s strong stance on privacy is obviously designed to maintain the trust and goodwill of their already loyal customer base. The changes implemented by the App Tracking Transparency initiative will assist Apple in maintaining the moral high-ground as everyday consumers become more concerned with digital privacy. There may, however, be other benefits. As Kif Leswing writes for CNBC (here), the changes may make it more difficult for advertisers to prompt app downloads through in-app advertising. This may in turn give Apple more leverage by increasing the power of it’s App Store to highlight and recommend apps in accordance with Apple’s business objectives. Highlighting the apps from which Apple receives a higher cut could obviously be profitable. John Koetsier for Forbes argues (here), that despite the changes, Apple will retain preferential access to its own data, giving Apple Advertising an edge.  

6. Conclusion

Whatever Apple’s motivations, iOS 14.5 brings welcome changes. In many ways, Apple is bigger, more powerful and more influential than many of the countries in the world. Even a nominal recognition of privacy as a human right is meaningful. It is perhaps a modest step towards the recognition of what Marcello Ienca of the Swiss Federal Institute of Technology calls the rights to mental privacy and cognitive liberty. These refer to the  freedom to control one’s own cognitive dimension (including preferences, choices and beliefs) and to be protected from manipulative strategies designed to bypass one’s cognitive defences (here and here).