back to article Apple iOS privacy clampdown 'did little' to reduce tracking

Apple's ramp up in iOS privacy measures has affected small data brokers, yet apps can still collect group-oriented data and identify users via device fingerprinting, according to a study out of Oxford. What's more, the researchers claim, Apple itself engages in and allows some forms of tracking, which serve to strengthen its …

  1. Anonymous Coward
    Anonymous Coward

    "We care about our customers."

    (Tongue in cheek and fingers crossed behind back)

  2. DS999 Silver badge

    How is Apple supposed to prevent use of email addresses to identify people?

    If the users voluntarily submit data sufficient to track them across apps, like an email address, once the app sends it to e.g. Facebook's servers there isn't anything Apple can do to limit what Facebook does with it. Sure, it is possible to use a different email address for different services, but very few people choose to do so so it is an even better identifier since it will follow you to new phones, your PC, etc.

    Nevermind apps for stuff like banking/finance or dating where providing personally identifying information is sort of required for the app to function at all.

    Apparently these researchers thought Apple could wave a magic wand and fix all privacy problems? All they could do is stop providing apps the means to track, which they were doing in the form of IDFA.

    Now maybe Apple could provide apps the option of getting some sort of special privacy designation in the App Store if they committed to not sharing any personally identifying information with anyone else (which would probably require not using Google's libraries) but neither they nor the end user would have any way of knowing whether they comply.

    1. Tessier-Ashpool

      Re: How is Apple supposed to prevent use of email addresses to identify people?

      Apple provided Hide My Email functionality for exactly this reason. No more mucking about managing email aliases; just click the option to generate a new hidden email alias when registering on a website. Because it’s so easy, I imagine a lot of people are using this, myself included.

      1. DS999 Silver badge

        Re: How is Apple supposed to prevent use of email addresses to identify people?

        Hide My Email only works for a new app/website. If you already have say a Facebook account or Reg login, unless you start from scratch as a new user you can't use it.

        I agree it is a nice thing, but most of us already have so many accounts using our real unhidden email address it is closing the barn door when the horse is already in the next county.

        1. Tessier-Ashpool

          Re: How is Apple supposed to prevent use of email addresses to identify people?

          I changed my longstanding Register email address to use a Hide My Email address a few months ago. It’s not difficult.

          1. sreynolds

            Re: How is Apple supposed to prevent use of email addresses to identify people?

            Did you create a new account? Did you get a new device? Did you even bother to clear all cookies?

            So now there are two email addresses associated with you, the individual.

            1. Dan 55 Silver badge

              Re: How is Apple supposed to prevent use of email addresses to identify people?

              Why would Hide My Email not work with El Reg's profile edit option?

              Safari on your iPhone, iPad, iPod touch and Mac when filling in a web form or creating an account for an app or website that does not support Sign in with Apple

        2. Graham Cobb Silver badge

          Re: How is Apple supposed to prevent use of email addresses to identify people?

          Frankly I am really surprised that there are any IT professionals left using the same email address for different personal-use registrations. Even my resolutely non-technical friends have mostly now understood the advantage in appending ".companyname" to the email address they hand out for any registration and are using it for all new registrations.

          My current battle is to get them all to use password managers for every website so they no longer need to choose or remember passwords.

          1. DS999 Silver badge

            Re: How is Apple supposed to prevent use of email addresses to identify people?

            Using the "same" email address modified in a way that results in it being delivered to a single email address are well known by those using them to track personal behavior. You won't fool them using a '+' address or equivalent.

    2. Pascal Monett Silver badge

      Re: How is Apple supposed to prevent use of email addresses to identify people?

      The problem is not with voluntary data submission. If I choose to activate 2FA then I provide my phone number, that's my choice.

      The problem is with all the tracking that done without consent. The fact that ad agencies are basically finding out who you are as soon as you connect, and they're following you all the way whether you like it or not.

      I use Firefox with NoScript and uBlock Origin, or Brave. I like to think that I'm rather invisible to ad companies, until I actually make a purchase somewhere. I like to think that, but I'm not sure.

      I would like to be sure.

      1. stylistics

        Re: How is Apple supposed to prevent use of email addresses to identify people?

        The problem lies not just in tracking domains you might incidentally connect to, but the extent to which your browser's capabilities are exposed to the website you are actually trying to connect to.

    3. iron

      Re: How is Apple supposed to prevent use of email addresses to identify people?

      If you read the article this has nothing to do with voluntary user supplied data like an email address. It is to do with device fingerprinting and tracking using hidden identifiers without user consent.

      If you want to have a problem with the article or research go for the classification of Crashlytics as a tracking library. Obviously I haven't read the code so it might be doing some behind the scenes tracking for Google but for the app dev it is reporting on crashes and errors and is not a tracking or advertising library. I doubt the usefulness of a tracking library that only tracks users for whom your app is crashing.

      Similarly Firebase Analytics is not necessarily a tracking library but it can be used for that depending on how you implement it. Merely detecting the existance of one of these libraries and declaring the app tracks its users is poor science imo.

      1. Falmari Silver badge

        Re: How is Apple supposed to prevent use of email addresses to identify people?

        @iron I agree it is poor science, some of their conclusions about the effect of ATT on tracking rely on assumptions (Crashlytics and Firebase Analytics).

        Though not all their conclusions rely on assumptions. Their conclusion that ATT is beneficial in regard to IDFA is supported by their tests 26% of apps using it before ATT, none of those apps using it after.

        One set of figures in their study are interesting though, “firebaseinstallations.googleapis.com got called by 4.1 percent of apps prior to ATT and 47.4 percent after.”. Though not a conclusion it could suggest that because IDFA can’t be used it is being replaced with Firebase Analytics to do tracking.

        Finally with Apple’s stance on privacy, it does seem a little hypocritical of them to exempt their advertising technology. Surely Apple should abide by the same privacy rules they apply to others.

      2. DS999 Silver badge

        Re: How is Apple supposed to prevent use of email addresses to identify people?

        The article first mentions "cohort tracking", which no one cares about.

        The only claim about individual tracking was nine apps that create an "AAID" in an unspecified way suggested to be fingerprinting. Without knowing what those apps we can't tell what information they might have on individuals to be able to do so.

        It isn't clear to me what avenues there are for this, especially on iPhone where there are many millions of each model. Bit easier on the Android side if you buy a phone that sold less than a million, then you install an SD card which further reduces you, then you use a different browser which could put in a class of a few hundred. Wouldn't take much more (installed browser extensions perhaps) to perhaps uniquely identify such a person. But someone with a Galaxy S22 where they will sell 10 or 20 million of them who uses the system default browser and doesn't tweak much? Good luck fingerprinting their device!

        Maybe if we could access the paper we could tell what ways they think we are being fingerprinted, but I'm still gonna bet those nine apps got hold of your email address or some other voluntarily submitted bit of personal data and hashed that into an "AAID", unless they found some backdoor way to access something they shouldn't be able to like a list of all the apps installed on the phone.

        If they want to uniquely identify someone using their IP address is still the best way. Most IPs rarely change even if they aren't static, so if you are using it from home wifi they can know it is you. Or one of a few in your household if you have multiple people with the same phone. That's not device fingerprinting though, and doesn't require the app to do anything - the server can do that by itself. Only way around that is a VPN. Now if Apple made use of a VPN to hide your location the default someday that would REALLY upset the data collection cartel!

  3. Anonymous Coward
    Anonymous Coward

    You get tracked, and you get tracked

    And you get tracked!

  4. Anonymous Coward
    Anonymous Coward

    There's email addresses......and then there's actual messages.......

    *

    nxgRlmjIlCx4Lj3iSicD0BQauvVHgcmmv1VbKnWGt8Z0YsUH0KqPrd8r1qcx9HSTnS3c7g1FiXBG

    V1uh/0LdqFRDKZP8B7BiJgYsYJFOi+YDiqdbHirFI4pqU0UZ1bujXGwbZHCz3CXjJwql2jGu6sCE

    1TfCYIK2Nk2AZgI937KEUzv15IAUuWR/n2oqKxTDKa7MM8Qoy7SYYbvbZkfGhCEqjoZ/4ifB4+n/

    X1VAHvAAbtkZ3mOplzGr+myyMnxbC4XqhdCUjFaR2KBN5uDZ1NsAde9Rekkd4Csr9qAYVjNahxGX

    +94AjA4sJHBNG6ymp3MVhbuWHb2QTGwU0LR2D7A4Ywc5B8z0CjSu4JUnEKvZVpEpC9GNCNa3/OIh

    H2O+r/2H3imyLtiCFsGykNski048bBcrFTs+8KUY3OHMhEwRnp9t+PZrxct6SRZyQ02QzTI6c0qc

    dqJYnRPlp2kOz34T0jdEM5x+wU1zYEwhe0OXT0IU4iwuBAqSU5mMp5AbLmTxoiI47kQgGD1PljRG

    +cPd

    *

    So...was it a throw-away email address?

    *

    So........is it IDEA.....or AES......or blowfish.......or some other type of encryption?

    *

    The snoops here who are worrying about email addresses are COMPLETELY MISSING THE POINT!!

  5. Ashto5

    Tracking

    Let us be honest Google etc tracking us has already happened.

    Your data is out there, you cannot get it back.

    The only true way to enforce privacy is to actually make tracking you a crime.

    And like that is ever going to happen.

  6. Shepard

    Well at least...

    Apple tried to do something to reduce tracking. Google on the other hand...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like