Privacy-focused search engine DuckDuckGo called out rival Google for “spying” on users after the search giant updated its flagship app to spell out the exact kinds of information it collects for personalization and marketing purposes.
“After months of stalling, Google finally revealed how much personal data they collect in Chrome and the Google app. No wonder they wanted to hide it,” the company said in a tweet. “Spying on users has nothing to do with building a great web browser or search engine.”
The “privacy nutrition labels” are part of a new policy that went into effect on December 8, 2020, mandating app developers to disclose their data collection practices and help users understand how their personal information is put to use.
The insinuation from DuckDuckGo comes as Google has been steadily adding app privacy labels to its iOS apps over the course of the last several weeks in accordance with Apple’s App Store rules, but not before a three-month-long delay that caused most of its apps to go without being updated, lending credence to theories that the company had halted iOS app updates as a consequence of Apple’s enforcement.
The “privacy label” changes are part of a series of privacy protections that Apple has been incorporating into its products and services in recent years, while simultaneously positioning itself as a more private and secure alternative to other platforms like Facebook and Google.
Starting with iOS 14, first- and third-party apps will not only have to tell users what information they amass but also get their permission to do it. The privacy labels aim to condense an app’s data collection practices in an easy-to-understand and user-friendly format without going into great detail about what that data is being used for.
As Vox pointed out last month, the idea is to “strike a balance between giving the general user enough information to understand what an app is doing with their data, but not so much that the labels become as dense and complex as the privacy policies they’re supposed to summarize.”
For its part, Apple updated its privacy website last week with a new “Labels” section that highlights the privacy labels for all of Apple’s apps together in one place, making it easier for users to learn about how Apple apps handle their personal data.
App Tracking Transparency Explained
An even bigger deal is an upcoming privacy update to iOS 14.5, which will also require apps to ask for users’ consent before tracking them across other apps and websites using the device’s advertising identifier (also called IDFA) as part of a new framework dubbed App Tracking Transparency (ATT).
The IDFA (or Identifier for Advertisers) — created by Apple in 2012 — has been traditionally used by companies and marketers to keep tabs on individuals between different apps in order to serve tailored ads and monitor how their ad campaigns performed.
For example, imagine scrolling through your Instagram feed, and you see an ad for a smartphone. You don’t tap the ad, but instead, you go on Google, search for the same smartphone you saw on Instagram, and buy them.
Once this purchase is made, the retailer records the IDFA of the user who bought the phone and shared it with Facebook, which can then determine whether the ID corresponds to the user who saw an ad for the smartphone.
An analysis of app data collection practices by cloud storage company pCloud released earlier this month found that 52% of apps share user data with third-parties, with 80% of apps using the collected data to “market their own products in the app” and deliver ads on other platforms.
|Click to see full version|
With the new changes, it’s no longer possible for apps and third-party partners to accurately measure the effectiveness of their ads without asking explicit permissions from users to opt-in to being tracked using the identifier as they hop from one app to the other, a move that has riled up Facebook and others that sell mobile ads who heavily rely on this identifier to help target ads to users.
Put differently, while companies can still track users through their own services on a first-party basis, they cannot share that information with third-parties without users’ permission.
In what could be a sign of things to come, an analysis by mobile advertising firm AppsFlyer found that after several third-party developers integrated Apple’s ATT into their apps, 99% of users chose not to allow tracking.
“Technology does not need vast troves of personal data, stitched together across dozens of websites and apps, in order to succeed. Advertising existed and thrived for decades without it,” Apple CEO Tim Cook explained the change in a January 28 speech at the Computers, Privacy and Data Protection (CPDP) conference. “If a business is built on misleading users, on data exploitation, on choices that are no choices at all, then it does not deserve our praise. It deserves reform.”
The development comes as tech giants including Apple, Google, Amazon, and Facebook have come under heightened regulatory and privacy scrutiny in the U.S. and Europe for having amassed immense market power and for their collection of personal information, leading to the formation of new data protection laws aimed at safeguarding user privacy.
On Wednesday, France’s competition regulator rejected calls from advertising companies and publishers to block ATT on antitrust grounds, stating that the privacy initiative “does not appear to reflect an abuse of a dominant position on the part of Apple,” but added it would continue to investigate the changes to ensure that “Apple has not applied less restrictive rules” for its own apps, signaling how measures designed to protect user privacy can be at odds with regulating online competition.
It’s worth noting that Google has separately announced plans to stop supporting third-party cookies in its Chrome browser by early 2022 while emphasizing that it would not build alternate identifiers or tools to track users across the web.
Advertisers Test New Tool to Circumvent ATT
But that hasn’t stopped advertisers from trying workarounds to sidestep iOS privacy protections, setting them once again on a collision course with Apple.
According to the Financial Times, the Chinese Advertising Association (CAA) has developed an identifier called the China Anonymization ID (or CAID) that’s aimed at bypassing the new Apple privacy rules and allow companies to continue tracking users without having to rely on IDFA.
“CAID has the characteristics of anonymity and decentralization, does not collect private data, only transmits the encrypted result, and the encrypted result is irreversible, which can effectively protect the privacy and data security of the end user; the decentralized design allows developers to be more flexible Access to meet business needs,” a Guangzhou-based ad-tech firm called TrackingIO explained in a now-removed write-up.
“Because CAID does not depend on Apple IDFA and can generate device identification ID independently of IDFA, it can be used as an alternative to device identification in iOS 14 and a supplementary solution when IDFA is not available,” it added.
While CAID is yet to be formally implemented, the tool is said to be presently under testing by some of China’s largest technology companies, including ByteDance and Tencent, with “several foreign advertising companies have already applied on behalf of their Chinese divisions,” per the report.
It remains to be seen if Apple will green-light this proposal from the CAA, which is said to be “currently actively communicating” with the Cupertino-based company, with the report claiming that “Apple is aware of the tool and seems to have so far turned a blind eye to its use.”
“The App Store terms and guidelines apply equally to all developers around the world, including Apple,” the iPhone maker told FT. “We believe strongly that users should be asked for their permission before being tracked. Apps that are found to disregard the user’s choice will be rejected.”
Following reports that companies are readying workarounds to skirt Apple’s upcoming limits on ad tracking, the company is said to have sent cease and desist emails to two Chinese app developers who are testing CAID, a new anonymized identifier that’s designed to track users even without access to IDFA, according to the Financial Times.
“We found that your app collects user and device information to create a unique identifier for the user’s device,” the email from Apple read, warning the developer to update the app to comply with App Store rules within 14 days or risk its removal from the App Store.
Besides CAID, other proposed solutions rely on a process called fingerprinting, which leverages device-specific information such as the IMEI number or a combination of the user’s IP address and the type of browser and phone to create a unique identifier.
With apps devices numerous ways to slip through Apple’s new requirements, it remains to be seen how the tech giant will enforce its anti-tracking policies once it goes into effect later this spring.