"We care about our customers."
(Tongue in cheek and fingers crossed behind back)
Apple's ramp up in iOS privacy measures has affected small data brokers, yet apps can still collect group-oriented data and identify users via device fingerprinting, according to a study out of Oxford. What's more, the researchers claim, Apple itself engages in and allows some forms of tracking, which serve to strengthen its …
If the users voluntarily submit data sufficient to track them across apps, like an email address, once the app sends it to e.g. Facebook's servers there isn't anything Apple can do to limit what Facebook does with it. Sure, it is possible to use a different email address for different services, but very few people choose to do so so it is an even better identifier since it will follow you to new phones, your PC, etc.
Nevermind apps for stuff like banking/finance or dating where providing personally identifying information is sort of required for the app to function at all.
Apparently these researchers thought Apple could wave a magic wand and fix all privacy problems? All they could do is stop providing apps the means to track, which they were doing in the form of IDFA.
Now maybe Apple could provide apps the option of getting some sort of special privacy designation in the App Store if they committed to not sharing any personally identifying information with anyone else (which would probably require not using Google's libraries) but neither they nor the end user would have any way of knowing whether they comply.
Apple provided Hide My Email functionality for exactly this reason. No more mucking about managing email aliases; just click the option to generate a new hidden email alias when registering on a website. Because it’s so easy, I imagine a lot of people are using this, myself included.
Hide My Email only works for a new app/website. If you already have say a Facebook account or Reg login, unless you start from scratch as a new user you can't use it.
I agree it is a nice thing, but most of us already have so many accounts using our real unhidden email address it is closing the barn door when the horse is already in the next county.
Why would Hide My Email not work with El Reg's profile edit option?
Safari on your iPhone, iPad, iPod touch and Mac when filling in a web form or creating an account for an app or website that does not support Sign in with Apple
Frankly I am really surprised that there are any IT professionals left using the same email address for different personal-use registrations. Even my resolutely non-technical friends have mostly now understood the advantage in appending ".companyname" to the email address they hand out for any registration and are using it for all new registrations.
My current battle is to get them all to use password managers for every website so they no longer need to choose or remember passwords.
Using the "same" email address modified in a way that results in it being delivered to a single email address are well known by those using them to track personal behavior. You won't fool them using a '+' address or equivalent.
The problem is not with voluntary data submission. If I choose to activate 2FA then I provide my phone number, that's my choice.
The problem is with all the tracking that done without consent. The fact that ad agencies are basically finding out who you are as soon as you connect, and they're following you all the way whether you like it or not.
I use Firefox with NoScript and uBlock Origin, or Brave. I like to think that I'm rather invisible to ad companies, until I actually make a purchase somewhere. I like to think that, but I'm not sure.
I would like to be sure.
If you read the article this has nothing to do with voluntary user supplied data like an email address. It is to do with device fingerprinting and tracking using hidden identifiers without user consent.
If you want to have a problem with the article or research go for the classification of Crashlytics as a tracking library. Obviously I haven't read the code so it might be doing some behind the scenes tracking for Google but for the app dev it is reporting on crashes and errors and is not a tracking or advertising library. I doubt the usefulness of a tracking library that only tracks users for whom your app is crashing.
Similarly Firebase Analytics is not necessarily a tracking library but it can be used for that depending on how you implement it. Merely detecting the existance of one of these libraries and declaring the app tracks its users is poor science imo.
@iron I agree it is poor science, some of their conclusions about the effect of ATT on tracking rely on assumptions (Crashlytics and Firebase Analytics).
Though not all their conclusions rely on assumptions. Their conclusion that ATT is beneficial in regard to IDFA is supported by their tests 26% of apps using it before ATT, none of those apps using it after.
One set of figures in their study are interesting though, “firebaseinstallations.googleapis.com got called by 4.1 percent of apps prior to ATT and 47.4 percent after.”. Though not a conclusion it could suggest that because IDFA can’t be used it is being replaced with Firebase Analytics to do tracking.
Finally with Apple’s stance on privacy, it does seem a little hypocritical of them to exempt their advertising technology. Surely Apple should abide by the same privacy rules they apply to others.
The article first mentions "cohort tracking", which no one cares about.
The only claim about individual tracking was nine apps that create an "AAID" in an unspecified way suggested to be fingerprinting. Without knowing what those apps we can't tell what information they might have on individuals to be able to do so.
It isn't clear to me what avenues there are for this, especially on iPhone where there are many millions of each model. Bit easier on the Android side if you buy a phone that sold less than a million, then you install an SD card which further reduces you, then you use a different browser which could put in a class of a few hundred. Wouldn't take much more (installed browser extensions perhaps) to perhaps uniquely identify such a person. But someone with a Galaxy S22 where they will sell 10 or 20 million of them who uses the system default browser and doesn't tweak much? Good luck fingerprinting their device!
Maybe if we could access the paper we could tell what ways they think we are being fingerprinted, but I'm still gonna bet those nine apps got hold of your email address or some other voluntarily submitted bit of personal data and hashed that into an "AAID", unless they found some backdoor way to access something they shouldn't be able to like a list of all the apps installed on the phone.
If they want to uniquely identify someone using their IP address is still the best way. Most IPs rarely change even if they aren't static, so if you are using it from home wifi they can know it is you. Or one of a few in your household if you have multiple people with the same phone. That's not device fingerprinting though, and doesn't require the app to do anything - the server can do that by itself. Only way around that is a VPN. Now if Apple made use of a VPN to hide your location the default someday that would REALLY upset the data collection cartel!
So...was it a throw-away email address?
So........is it IDEA.....or AES......or blowfish.......or some other type of encryption?
The snoops here who are worrying about email addresses are COMPLETELY MISSING THE POINT!!