Does Apple really protect you from advertising surveillance?

With iOS 14.5, tracking on iOS apps will be severely restricted. Let's revisit Apple's actions against advertising surveillance.

Published by Pixel de Tracking on April 19, 2021

Privacy, a selling point for Apple

Faced with the surveillance capitalism developed by Google, Apple has an obvious argument: privacy. And it does not hesitate to use it, as shown by this advertising campaign:

This argument is also found in the words of Tim Cook, during the “Computers, Privacy & Data Protection” conference in January 2021, a truly remarkable speech.

Apple has always been very good at product marketing, but is it just talk? This page provides a first answer, and a more detailed one is provided here: Apple is indeed taking many initiatives. These include, for example:

Privacy is one of Apple's core values:

But Apple could go much further, and I would be willing to pay for the following services to be end-to-end encrypted: Apple Photos, Calendars, Contacts, iCloud Drive, Notes or Messages on iCloud. After its dispute with the FBI over the San Bernardino terrorist attack, during which it courageously fought against the introduction of backdoors on iOS, Apple had an opportunity to expand end-to-end encryption across all its services. Under pressure from the FBI, it unfortunately did not dare:

Apple dropped plans to let iPhone users fully encrypt backups of their devices in the company's iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.

To the delight of governments, police services and secret services, Apple does not encrypt iCloud end-to-end. And to better sell its products in China, Apple agrees to store the iCloud encryption keys of its Chinese users directly on servers located in China. In another compromise with the Chinese regime, Apple censors apps in China.

Now let's look at Apple's initiatives against advertising surveillance. Do they go far enough?

Safari ITP, good protection against tracking

In 2017, Apple integrated “Intelligent Tracking Prevention” (ITP) into Safari, with the goal of combating cross-site tracking. Since that first release, Apple has evolved ITP, for example with complete blocking of third-party cookies and limits on the lifespan of cookies placed via CNAME, allowing it to offer good protection against tracking by adtech companies.

When it comes to privacy, Apple also has an excellent influence on the web ecosystem.

Apple's actions against cross-site tracking have clearly inspired other browsers. In 2018, Firefox announced a change to its tracking policy, with the aim of offering tracking protection by default. In 2019, Firefox followed through with Enhanced Tracking Protection (ETP), the equivalent of ITP, a feature it has also continued to evolve.

As a bonus, if you use an iPhone or iPad and go through another browser, ITP protections also apply! Indeed, Apple locks down the options of third-party browsers, which are forced to use WebKit, Safari's rendering engine.

Apple counters Google's influence at W3C

At the W3C, the organization responsible for building and developing web standards, Apple offers alternatives to Google in the field of advertising. While Google made a lot of noise with proposals to replace third-party cookies (“Privacy Sandbox”), in particular the controversial FLoC proposal, Apple is putting forward standards that better protect privacy:

  • “Private Click Measurement (PCM)”: to correctly attribute conversions to ad campaigns. Google has its own proposal called “Conversion Measurement API”, but this barely protects privacy, because Google lets the advertiser assign a unique identifier to each click on an ad. Apple, for its part, limits the options to 256 different values, which simply lets you tell which advertising campaign is effective.
  • “Storage Access API”: while Apple prevents third parties from tracking the user without their consent (via restrictions on cookies, local storage, etc.), those third parties can explicitly ask the user for authorization via this API. Certain use cases, such as authentication systems, can justify granting it.

Still at the W3C, while Apple is not the only one defending privacy (Firefox and Brave are also very active), its involvement is not unwelcome when it comes to counterbalancing the armies of Chrome developers, who often compromise user privacy under the guise of adding new features to the web. For example, here is a list of 16 features that Safari does not implement because the security and fingerprinting risks are too great.

Could Safari go further?

Safari could decide to fight more radically against advertising surveillance by integrating a tracker and ad blocker such as uBlock Origin by default. Benefits for the user:

Speaking of CNAME cloaking, the technique is also used by Apple on its website, with the Adobe Analytics tool:

Today, Brave goes much further via its “Shields” feature: the goal is not to prevent cross-site tracking but to block trackers from running. An example to illustrate the difference in approach: trackers using CNAME cloaking are blocked by default.

For its part, Firefox offers fewer protections by default, but its extension system is very open (Safari's is much less so: you have to settle for a “Content Blocker” such as Firefox Focus), which allows uBlock Origin, for example, to be effective against CNAME cloaking.
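
The difference between judging a request by its hostname and following its CNAME chain, as described above, shown in an added Python example (not code from the article, Brave or uBlock Origin). All hostnames, the DNS records, the blocklist and the two-label "site" heuristic are constructed assumptions, and no DNS queries are made.

```python
# Added example: uncloaking CNAME-based trackers. All hostnames are constructed
# placeholders under .example; no DNS queries are made.

# Constructed CNAME records (alias -> target), as a resolver would return them.
CNAME_RECORDS = {
    "metrics.shop.example": "shop-example.collect.tracker-vendor.example",
    "shop-example.collect.tracker-vendor.example": "edge7.tracker-cdn.example",
    "static.shop.example": "shop.cdn-provider.example",
    "loop-a.shop.example": "loop-b.shop.example",
    "loop-b.shop.example": "loop-a.shop.example",
}

# Constructed blocklist; a real blocker would load a maintained filter list.
TRACKER_DOMAINS = {"tracker-vendor.example", "ads-vendor.example"}

MAX_CHAIN = 8  # upper bound on CNAME hops followed


def normalize(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def site_of(host):
    """Assumption: the site is the last two labels. Real code needs the Public Suffix List."""
    return ".".join(normalize(host).split(".")[-2:])


def cname_chain(host, records=CNAME_RECORDS):
    """Follow CNAMEs from host; stop at the hop limit or when a name repeats."""
    current = normalize(host)
    seen, chain = {current}, []
    while current in records and len(chain) < MAX_CHAIN:
        current = normalize(records[current])
        if current in seen:  # CNAME loop
            break
        seen.add(current)
        chain.append(current)
    return chain


def listed_domain(name, domains=TRACKER_DOMAINS):
    """Return the blocklist entry that name equals or is a subdomain of, else None."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def classify(request_host, page_host):
    """Compare a name-only decision with one made after following the CNAME chain."""
    chain = cname_chain(request_host)
    hidden = next((d for d in map(listed_domain, chain) if d), None)
    return {
        "same_site_by_name": site_of(request_host) == site_of(page_host),
        "listed_by_name": listed_domain(request_host),
        "chain": chain,
        "cloaked_tracker": hidden,
    }


if __name__ == "__main__":
    for host in ("metrics.shop.example", "static.shop.example", "loop-a.shop.example"):
        print(host, classify(host, "www.shop.example"))
```

A request that is same-site by name, not listed by name, and still has a non-empty `cloaked_tracker` is the case a name-only blocker misses.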

Note that marketing tools can unfortunately still evade browser protections and other tracker blockers, sometimes even via turnkey solutions.

A consistent policy on the web... with one exception

On the web, Apple therefore has a consistent policy:

  • Safari protects against cross-site tracking.
  • Tracking within the same site is considered legitimate by Apple and remains possible.
  • More privacy-friendly advertising is encouraged.

While there is always room for improvement, Safari is light years ahead of Google Chrome when it comes to protecting privacy.

Except that when it comes to money, Apple makes a deal with the devil: Google pays Apple $8 billion to $12 billion a year to be the default search engine on Safari.

On apps, a necessary catch-up

With iOS 14.5, Apple launches the “App Tracking Transparency” (ATT) system: tracking becomes opt-in. Here is the definition of “tracking” according to Apple:

Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.

This definition is classic, similar to that of Firefox:

Tracking is the collection of data regarding a particular user's activity across multiple websites or applications (i.e., first parties) that aren't owned by the data collector, and the retention, use, or sharing of data derived from that activity with parties other than the first party on which it was collected.

It is also similar to that of the W3C:

Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred. A context is a set of resources that are controlled by the same party or jointly controlled by a set of parties.

Apple is finally consistent with the policy it already applied on the web:

  • ATT protects against cross-app tracking.
  • Tracking within the same app, or across several apps from the same company, is considered legitimate by Apple and remains possible.

On iOS, advertising tracking has historically been facilitated by Apple through the provision of a unique advertising identifier called IDFA. This identifier was enabled by default, and iOS users could disable it if they wished:

In Settings > Privacy > Advertising, it was possible to check "Limited advertising tracking" (which I did, as shown in the screenshot), but the option was unchecked by default.

The default option is of utmost importance: few people change privacy settings (according to Adjust, only 20% of users deactivated the identifier).

Apple therefore has a historic responsibility here: the IDFA has made it easy for a multitude of companies to monitor you for years. As a reminder:

Here is an advertiser's reaction to the announcement of the launch of the IDFA (in 2012 with iOS 6), and to the "dark pattern" associated with the “Limited advertising tracking” option:

“It's a really pretty elegant, simple solution,” says Mobile Theory CEO Scott Swanson. "The biggest thing we're excited about is that it's on by default, so we expect most people will leave it on."

This historic responsibility has therefore earned Apple a GDPR complaint before the CNIL, filed by La Quadrature du Net:

A paradigm shift, then, with iOS 14.5: applications will have to ask you for authorization to track you, as shown in the new interface (visible from iOS 14, even if the protection is not yet in effect):

In Settings > Privacy > Tracking, "Allow tracking requests from apps" is checked by default (at worst, apps will ask you if you want to be tracked), and you can uncheck the option.

For comparison, the Google Android equivalent of the IDFA is the Android Advertising ID. But the protections are almost non-existent:

  • It is impossible to deactivate Android Advertising ID (it was possible to deactivate IDFA from iOS 10).
  • It is only possible to reset it.

The noyb association filed a GDPR complaint against Google for tracking users through an “Android Advertising ID” without a valid legal basis. It should be noted that a GDPR complaint from noyb also exists against Apple for tracking without consent via the IDFA. But with this catch-up, Apple risks much less than Google (noyb also claims that after the update, Apple will still be able to use IDFA without consent, which is false).

Technically, advertisers will no longer have access to the IDFA if you have not explicitly given your permission. But advertisers have other weapons at their disposal to monitor you (fingerprinting, hashed email address...). Will Apple also fight against these techniques? Time will tell, but this seems to be its intention:

The settings of your iOS device used to generate the CAID fingerprint.

In the same way as on the web with its “Private Click Measurement (PCM)”, Apple does not leave advertisers in the lurch. The measurement of application downloads following an advertising campaign was carried out via IDFA or via a fingerprint (produced by companies such as Adjust). Apple now provides developers with the SKAdNetwork API to carry out this measurement while protecting users' privacy.

Apple vs. Facebook

ATT's promise is simple:

Thanks, Tim Cook.

The importance of this update can be measured by Facebook's knee-jerk reaction, as it saw its surveillance capacity severely reduced on iOS (its SDK is now omnipresent in apps). Facebook justifies its approach by defending small businesses, which would be dependent on Facebook's targeted advertising to find new customers:

Facebook also bought entire pages of advertising in major American newspapers to denounce Apple's update:

Facebook never disappoints:

Apple against French advertisers

French advertisers are at the forefront of the fight against Apple. After a public letter sent to Tim Cook in July (spoiler: he did not respond), they decided to file a complaint with the competition authority last October. The subject of their complaint? The mandatory ATT prompt for iOS applications that want to track user activity on third-party sites.

First response from the competition authority on March 17, and a first rebuff for the advertising industry on the privacy front:

In the current state of the investigation, the Authority considered that Apple's decision to set up a consent collection system complementary to that put in place by other online advertising players did not appear to be an abusive practice.

The investigation nevertheless continues:

This should in particular make it possible to verify that Apple's implementation of the ATT prompt cannot be regarded as a form of discrimination or "self-preferencing", which could in particular be the case if Apple applied, without justification, more restrictive rules to third-party operators than those it applies to itself for similar operations.

It is a safe bet that advertisers will also be defeated on the anti-competitive front, because Apple does not favor its own applications: it does not practice tracking (and therefore does not use IDFA). Apple offers targeted advertising in its apps (Apple News, App Store, Stocks), using the personal data it collects. Google, Facebook or any other app can do the same on iOS; Apple is not opposed to personalized advertising.

Another complaint has been filed, this time before the CNIL, by the France Digitale association. The attack is more subtle: Apple activates personalized advertisements on its own applications by default:

If you go to Settings > Privacy > Apple Advertising, the personalized ads option is enabled by default.

Clearly, Apple would have to ask for your consent before it can offer personalized advertising, so it does not comply with the GDPR. France Digitale indicates that this causes significant harm:

  • To users (true enough, though personalized advertising on Apple News, the App Store and Stocks is a far cry from the harm of personalized advertising on Google or Facebook apps).
  • To French startups that, I quote, “scrupulously respect the rules set out by the GDPR”. The nerve! The list of companies belonging to the association is not public, but it is worth noting that Frichti is a member, and its app flouts the GDPR.

The complaint further speaks of distortion of competition by insinuating that Apple would offer personalized advertising with its “affiliated companies”:

Table included in France Digitale's complaint, supposed to show a distortion of competition.

As already seen, personalized tracking and advertising within the same app, or several apps from the same company, is considered legitimate by Apple. This practice is not specific to Apple: it is also used by Google, Facebook, Twitter, etc. France Digitale therefore speaks of “affiliated companies”, Apple partners supposedly conspiring together to track you.

Apple's explanations of its advertising program are nonetheless very clear: there is no transmission or sharing of personal data with third parties:

Apple does not share or transmit your personally identifiable information to third parties.

Also, Apple does not collect personal data through third parties:

Apple's advertising platform does not track your activities, meaning it does not combine user or device data collected on our apps with user or device data collected from third parties for advertising targeting or measurement purposes, and does not share user or device data with data brokers.

There is no mention of "affiliated companies" in Apple's Privacy Policy; it looks like an invention of France Digitale.

But why such relentlessness toward Apple from “French digital entrepreneurs and investors”? No doubt because adtech carries a lot of weight in France; consider, for example, the involvement of Criteo (the famous French surveillance marketing giant) from the launch of France Digitale here and there. It must be said that Criteo is no fan of Apple, and has not been for quite some time now.

Apple against American advertisers

Among American advertisers, the attacks are more subtle but hardly convincing. You can read Ben Thompson or Eric Benjamin Seufert (at Ben Thompson or on his website). Here are some arguments:

  • By tackling tracking, we would strengthen the “Walled Gardens” (Google, Facebook, etc.). Wolfie Christl responds very well to this in this Twitter thread:

  • As for the supposed strengthening of “Walled Gardens”, tackling tracking does not preclude going after the advertising giants. The two approaches can complement each other: read for example Brave's complaint against RTB ("external" data free-for-all), as well as Brave's complaint against Google ("internal" data free-for-all). Even setting privacy aside, it would be useful to tackle abuses of dominant position by advertising giants such as Google and Facebook. But advertising lobbyists ignore that option.
  • Apple would not be seeking to protect your privacy in apps (via ATT), but rather to control your entire experience. Now, Facebook would bother Apple because the discovery of new apps would no longer go through the App Store at all, but through personalized advertising on Facebook or Instagram. By tackling tracking, Apple would therefore be seeking to regain control over app distribution. But what is advertising's real share of app distribution?
  • A similar argument is made about the web (via ITP), where Apple would instead be seeking to choke off advertising revenue. As a result, publishers would have to fall back on subscriptions via apps, on which Apple takes a commission. But why not offer advertising that respects privacy?
  • Apple would fight against advertising players to push its own advertising business. Hard to believe, because Apple's advertising business (App Store, Apple News and Stocks) is negligible compared to its other revenue (products, services). Apple also shut down iAd, its ad network, in December 2016.

While Apple's desire for control is obvious, and while the App Store monopoly is a huge problem, the advertising lobbyists' arguments miss the point. Apple has an obvious reason to invest in better privacy protection: the demand for protection is high (and Apple's potential customers are not advertisers, but you and me).

Apple forces transparency among app developers

Since December 2020, Apple has made privacy labels mandatory for apps. These labels help highlight the differences between applications. If we compare browsers for example:

Google Chrome, the spyware.

DuckDuckGo's browser, which respects your privacy.

If we now look at messaging apps:

Messenger, Facebook's spyware, even worse than WhatsApp.

Signal, an app that respects privacy.

Of course, these labels have limits:

  • They are based on self-declaration. Will Apple check whether the developer is telling the truth?
  • There is no information about personal data that can leak to third parties. It would be interesting to see who collects your personal data and why.

But they already represent a good step forward, and will perhaps push app developers to limit the use of personal data to what is strictly necessary.

Could Apple go further on apps?

With ATT, Apple has reached the level of Safari ITP (protection against tracking). If it wanted to go further, it could decide to block advertisements and first-party trackers (analytics, A/B testing, tag managers, etc.). Benefits for the user:

  • Ads would be blocked.
  • 1st-party trackers (analytics, A/B testing, tag managers, etc.) would also be blocked. Today, for example, trackers from Google Analytics, Segment, Mixpanel or Amplitude are not blocked.

But it would alienate certain developers, and this would not be consistent with its current policy on the web via Safari ITP.

Unfortunately, this protection therefore does not apply to first-party trackers: your iPhone still communicates with many third parties, including Google's (even if identifiers should now be specific to each app, since the IDFA is no longer available by default):

With native support for encrypted DNS in iOS 14, however, Apple allowed tracker and ad blockers to do their job better (these blockers previously had to create a local pseudo-VPN, which was a disaster for the battery). I use NextDNS myself, which allows me to block all trackers and other ads.

Yes, Apple protects you against advertising surveillance, and it keeps getting better

As we have seen, the protections provided by Apple against advertising surveillance on iOS could be greatly improved. But they have the merit of being coherent and of fighting quite effectively against tracking, as the irritation of Facebook and adtech in general proves. An advanced user can go further by using a tracker and ad blocker such as NextDNS, AdGuard or a Pi-Hole.

Even if it is healthy to criticize such a dominant multinational, and for very valid reasons (closed, locked system, very limited repairability, App Store monopoly, "tax optimization", planned obsolescence, etc.), the "Android by Google" alternative is not credible if you want to protect your privacy.

If you are allergic to Apple but still want to protect your privacy on your smartphone, you will have to go through distributions that have removed the "Google" layer from Android (/e/ for example, based on LineageOS and microG), but you will need good technical skills.