Ad companies still thinking about 'fingerprinting' to work around Apple's privacy rules
As Apple's App Tracking Transparency feature nears in iOS 14, some ad firms may be resorting to "server-to-server fingerprinting" to get around the privacy restrictions.
Users will be asked whether they want to allow ad tracking or not
App Tracking Transparency (ATT) is about to launch in Apple's updated iOS 14.5, and when it does, users will be prompted to say whether they want an app to be able to track them for advertisers. However, some advertisers are reportedly resorting to a workaround that, while limited, still gets them some targeting information.
According to digital marketing and advertising site Digiday, server-to-server fingerprinting is not new, but it is being deployed more in an attempt to circumvent Apple's privacy rules. When an app accesses a website or other internet resource, that site has legitimate reasons to interrogate the app to see what device, operating system. or IP address is being used.
It means the internet resource can then provide content that is correctly formatted for the user to read, and this is not blocked by Apple's SDK. What this server-to-server fingerprinting does is take that information and use it outside of the app.
"From the perspective of the SDK it's indistinguishable between legitimate uses of data like IP address to make the apps work and fingerprinting," Rob Webster, chief strategy officer at media consultancy Canton, told Digiday. "There's no way for Apple to see into the app via the SDK that this type of fingerprinting is happening."
Having got legitimate information about a device and OS, the server sends that to another server which is collating this data. Apple can see exactly what data is being exchanged between the app and a company's related server, but it cannot see when that server does anything else with the data.
What may prevent this limited tracking becoming routine, though, is not a technology feature but a business one. According to Digiday, one head of data partnerships at a global media agency said you can tell when a company is selling you this kind of tracking.
"Vendors won't talk about this as fingerprinting, but you can pick apart what they mean by the language they use," they said. "Sometimes the vendor might say they have a series of HTTP information about a person's device -- that HTTP mention is the red flag that what that company is doing is server-side fingerprinting."
Similarly, an unnamed publishing executive said that once you realize that a company is actually selling, you stop dealing with them.
"I spoke to someone recently in the identity space and they were pitching me the application of probabilistic matching across non-opted-in Apple uses like it was the way of the future," said the executive. "At that moment I stopped the pitch there and said 'no thanks.'"
No publisher or marketing person is going to admit to using practices Apple wants to stop, but according to the publishing executive, that's the point.
"We have a list of everyone we're working with that Apple checks should anything go down," he or she explained. "It's effectively the names of the companies we're willing to take a bullet for and I hope it isn't very long."
Alongside the on-device privacy feature in iOS 14.5, Apple is seemingly policing the misuse of ad tracking data. Most recently, it reminded all developers to prepare for App Tracking Transparency -- and warned at least two Chinese app companies to cease trying to bypass the feature.
Separately, the advertising industry publication Adweek has repeated reports that a significant proportion of advertisers are considering moving their ad spend to Android because of ATT.
Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.
Users will be asked whether they want to allow ad tracking or not
App Tracking Transparency (ATT) is about to launch in Apple's updated iOS 14.5, and when it does, users will be prompted to say whether they want an app to be able to track them for advertisers. However, some advertisers are reportedly resorting to a workaround that, while limited, still gets them some targeting information.
According to digital marketing and advertising site Digiday, server-to-server fingerprinting is not new, but it is being deployed more in an attempt to circumvent Apple's privacy rules. When an app accesses a website or other internet resource, that site has legitimate reasons to interrogate the app to see what device, operating system. or IP address is being used.
It means the internet resource can then provide content that is correctly formatted for the user to read, and this is not blocked by Apple's SDK. What this server-to-server fingerprinting does is take that information and use it outside of the app.
"From the perspective of the SDK it's indistinguishable between legitimate uses of data like IP address to make the apps work and fingerprinting," Rob Webster, chief strategy officer at media consultancy Canton, told Digiday. "There's no way for Apple to see into the app via the SDK that this type of fingerprinting is happening."
Having got legitimate information about a device and OS, the server sends that to another server which is collating this data. Apple can see exactly what data is being exchanged between the app and a company's related server, but it cannot see when that server does anything else with the data.
What may prevent this limited tracking becoming routine, though, is not a technology feature but a business one. According to Digiday, one head of data partnerships at a global media agency said you can tell when a company is selling you this kind of tracking.
"Vendors won't talk about this as fingerprinting, but you can pick apart what they mean by the language they use," they said. "Sometimes the vendor might say they have a series of HTTP information about a person's device -- that HTTP mention is the red flag that what that company is doing is server-side fingerprinting."
Similarly, an unnamed publishing executive said that once you realize that a company is actually selling, you stop dealing with them.
"I spoke to someone recently in the identity space and they were pitching me the application of probabilistic matching across non-opted-in Apple uses like it was the way of the future," said the executive. "At that moment I stopped the pitch there and said 'no thanks.'"
No publisher or marketing person is going to admit to using practices Apple wants to stop, but according to the publishing executive, that's the point.
"We have a list of everyone we're working with that Apple checks should anything go down," he or she explained. "It's effectively the names of the companies we're willing to take a bullet for and I hope it isn't very long."
Alongside the on-device privacy feature in iOS 14.5, Apple is seemingly policing the misuse of ad tracking data. Most recently, it reminded all developers to prepare for App Tracking Transparency -- and warned at least two Chinese app companies to cease trying to bypass the feature.
Separately, the advertising industry publication Adweek has repeated reports that a significant proportion of advertisers are considering moving their ad spend to Android because of ATT.
Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.
Comments
There’s a whole slew of apps I stopped using after they started asking for the phone number.
When my financial institution asks for it, that’s OK, but not some sort of social media app.
They might want to because the source of the data originated from an app on an Apple device, that is trying to circumvent a user's do not track request.
Trying to plug one hole after another is a never ending battle; this is better solved by contract law and massive punitive fees as well as AppStore bans.