
Does Apple care about your privacy?

I’ve been an Apple user since 2005 or so. Well, unless you consider my Apple IIc, in which case I guess I was a customer since 1987. I managed to negotiate with my parents to bundle two birthdays (my 12th and my Bar Mitzvah, that’s a big one) to get one of those. It was a turning point in my life… But I digress.


I really admire Apple’s push for security without compromising convenience, with Touch ID and Face ID making things safer. Apple’s touting their efforts to reduce web tracking, and Tim Cook publicly stated that “We at Apple believe that privacy is a fundamental human right”.

But when it comes to their own backyard, does Apple even meet the requirements of the GDPR (the European privacy directive)? I don’t think so.

There’s one nifty little setting on your iPhone. It’s right there at the bottom of your Settings > Privacy page, inside the Advertising section. You can turn on Limit Ad Tracking. But it’s OFF BY DEFAULT.

If you want to skip reading because it’s boring, do yourself a favour, go and check this setting on your phone. I highly recommend you turn Limit Ad Tracking on.

Update: if you have a Mac, there’s a similar setting you should set as well (again, right at the bottom of the list…)

If you’re a European citizen, it should have been turned on for you by default. But for some reason Apple manages to get away with it. I’m not sure how. Let me explain…

What’s Ad Tracking?

So before we start our dive, what does this thing even do?

Apple creates a unique identifier on your phone, and shares this with apps that run on your phone. Technically, I guess apps are supposed to ask for your permission to use it. Practically I’m not familiar with a single app that does.

Apps can then send the identifier further. For example, to Facebook. This is part of the custom audiences feature Facebook provides.

Now if you have a Facebook app (and I imagine also Whatsapp, Messenger, Instagram), Facebook can effectively link this Apple Ad tracking ID to your email address. To you.

When apps further share this with Facebook, Facebook also knows which other apps you use. Those apps can target advertising to you, or build lookalike audiences to target other people similar to you on Facebook.

So what?

If this sounds confusing, I guess it is. There are several layers of abstraction and obfuscation at play here. Apple “just” shares a random ID. Facebook and other apps “just” match this ID to you. Apps “just” pass this ID along to Facebook… But the end result is those IDs form a web of connections that eventually get linked to you. It’s therefore your private information.
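To make the linking concrete, here is an added example (not part of the original post, and not Apple's or Facebook's code) of the join that a "random" ID makes possible once a single app knows who you are. The app names, email, and IDs are constructed; the all-zero value is what iOS reports to apps when Limit Ad Tracking is on.

```python
from collections import defaultdict

# Value iOS reports to apps instead of the real ID when Limit Ad Tracking is on.
ZERO_ID = "00000000-0000-0000-0000-000000000000"

# Constructed events as an ad platform might receive them:
# (reporting app, advertising ID, email if that app knows it). All values are made up.
ID_A = "6f1c2d3e-0000-4000-8000-00000000000a"
ID_A_RESET = "0d9e8f7a-0000-4000-8000-00000000000c"  # same device after "Reset Advertising Identifier"
ID_B = "9b22aa10-0000-4000-8000-00000000000b"
EVENTS = [
    ("social_app", ID_A, "alice@example.com"),  # the one app where the user is logged in
    ("fitness_app", ID_A, None),                # given no personal details at all
    ("dating_app", ID_A, None),
    ("news_app", ID_B, None),                   # another device, never logged in anywhere
    ("fitness_app", ZERO_ID, None),             # a device with Limit Ad Tracking on
    ("dating_app", ZERO_ID, None),              # a different device, also opted out
]


def link_profiles(events):
    """Join events on the advertising ID: {ad_id: (email or None, sorted app list)}."""
    apps = defaultdict(set)
    email_for = {}
    for app, ad_id, email in events:
        if ad_id == ZERO_ID:
            continue  # identical on every opted-out device, so it singles out nobody
        apps[ad_id].add(app)
        if email:
            email_for[ad_id] = email
    return {ad_id: (email_for.get(ad_id), sorted(names)) for ad_id, names in apps.items()}


if __name__ == "__main__":
    for ad_id, (email, names) in link_profiles(EVENTS).items():
        print(ad_id, email or "(unidentified)", names)
    # After a reset, the new ID starts out unlinked...
    after_reset = [("fitness_app", ID_A_RESET, None)]
    print(link_profiles(after_reset))
    # ...until an app where the user is logged in reports the new ID as well.
    after_reset.append(("social_app", ID_A_RESET, "alice@example.com"))
    print(link_profiles(after_reset))
```

The two apps that were given no personal details end up under alice@example.com purely through the shared ID, while the opted-out devices contribute nothing that can be joined.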

It appears that every company passes the buck to the next one here. I didn’t trawl through Apple’s and Facebook’s privacy policies, but I’m pretty sure somewhere in there they say something to this effect (paraphrased, this is not an exact quote):

App developers must use the <Facebook identifier | Apple advertising ID> lawfully and in accordance with privacy regulations.

And in turn, companies pretend that they don’t do anything wrong, or that it’s just an ID and it has nothing to do with your personal information.

Apple’s response

I contacted Apple’s privacy team to ask about this. I was surprised that they can turn this tracking on by default, without asking for explicit consent under the GDPR. This is what they said (emphasis mine):

We would like to reiterate that the advertising identifier we have perviously [sic] referred to is not associated with your Apple ID. It is randomly generated on your device. Information collected in association with an advertising identifier is not personally identifiable and thus consent does not arise under the GDPR.

Apple does not sell or otherwise transmit any personally identifiable information to third parties.

So essentially, Apple thinks that this setting and this advertising ID is not personal information, and therefore they do not need to ask for consent for generating it and sharing it with apps.

What’s personal information then?

According to the GDPR, personal information is (again, emphasis mine):

… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

I am not a lawyer, but this sounds pretty clear to me.

Apple generates a unique advertising ID and shares it with apps without my explicit and informed consent. Those apps are then able to link it to my identity, and even share it further with other apps (e.g. via Facebook). If this unique advertising ID is not personal information covered by the GDPR, I really don’t know what is.

As a point of comparison: an IP address is considered personal data, even though it allows less accurate linking with a person (because it can be shared by many people over time and people move between IPs).

Fundamental switch

So if privacy is a fundamental human right, and there’s literally one switch standing between privacy respecting and privacy invading, why isn’t this switch ON by default?

As a side note, I think this Limit Ad Tracking switch is deliberately misleading. It should be called Ad Tracking and be set to OFF by default. In its current state, there’s a double negative to reason about: the Limit is OFF by default, which means Advertising is ON.

If you look at most settings on the iPhone, they are phrased positively. For example: Settings > General > Keyboard > Auto Correction (On/Off), Settings > Control Centre > Access Within Apps (On/Off), Settings > Display & Brightness > Bold Text (On/Off), and even Settings > Privacy > Location Services (On/Off) … But somehow this setting is called Limit Ad Tracking. Is it a coincidence? I don’t think so. Apple is very deliberate about making things clear. In this case, they want to make it confusing.

In addition, there’s another confusing option just below it: Reset Advertising Identifier... What is it? And if I already Limited Ad Tracking, then do I need to also reset this identifier? Why is it still showing? Perhaps I’m over-analysing this one though, to be fair.

What can we do about it?

The easiest thing is to make sure our Limit Ad Tracking is turned on. It takes literally 10 seconds and can have a real impact on your privacy.

But of course, the bigger question is: how does Apple manage to get away with it? And can we do something to force them to respect the GDPR and our privacy? I suppose complaining to the data protection controllers in your country might help. I imagine it’s a long process with a low likelihood of doing much. I’d be very curious to hear from lawyers who understand the GDPR better, or from privacy advocates, what the best course of action is here. Fighting Apple isn’t going to be easy.

Bonus: How did I bump into this?

A lot of this stuff probably happens without your knowledge. Apps tracking you and linking your Apple ID to your identity, or passing over your data to other apps. There’s usually very little you can do to even know that this happens.

In my particular case, I discovered it via the Off-Facebook Activity list (if you have a Facebook account, I recommend checking it). It lists all apps and websites that use this tracking ID or the Facebook pixel to build custom audiences.

I was surprised to discover a number of apps I had installed that I never gave this kind of permission to. Some of those apps I only gave a unique, random email that was not shared with Facebook or any other apps, or didn’t give any personal details at all… The only way those apps could have shared my data with Facebook was via Apple’s advertising ID. That’s the only way they could link to my identity.
