
    Can Facebook/Google Still Track You Even if You Turn on App Tracking Transparency (ATT)?

    by iSecurityGuru

    Saturday, December 4, 2021, 5:00 PM

This article was written for Peak Prosperity by Terence Kam, founder and cybersecurity consultant at iSecurityGuru.com. You can follow his company on LinkedIn or subscribe to his writings on Medium, where he writes on a wider variety of topics.

Facebook app tracking

Starting with iOS/iPadOS 14.5, Apple has made it much harder for apps to track you across other companies' apps and websites through its “App Tracking Transparency” (ATT) feature: an app must now ask your permission before it can track you, and you can refuse. The job of this feature is to protect your privacy. Facebook is reported to have lost about $10 billion in advertising revenue because of ATT.

According to Apple, this is how the ATT works:





The big question is, even if you answer “Ask App Not to Track” when the ATT prompt appears, do apps still have other means to track you? In short, the answer is “Yes”!

First, you must understand what happens when you allow an app to track you at this ATT prompt:

App Tracking Transparency (ATT) prompt

Every device is assigned an Identifier for Advertisers (IDFA). The IDFA is a random value (a UUID) uniquely assigned to each iOS/iPadOS device. The IDFA by itself does not reveal any information about you. If you allow an app to track you, you are basically allowing it to read your device's IDFA. If you refuse, the app is handed an IDFA of all zeros (00000000-0000-0000-0000-000000000000) instead, which is useless for tracking because every opted-out device reports the same value.

The problem arises when you reveal personal information (e.g. your name, phone number, email) to apps that have access to your IDFA. When that happens, an app can associate your device's IDFA with the personal information you revealed. Usually, the app sends your IDFA, along with that personal information, to third-party advertising companies. For example, when you sign in with Apple, you can potentially reveal your first and last name:

Different apps collect all sorts of information about you (e.g. your usage data, your browsing history), some of which is harmless on its own. But if all the information collected by different apps is tagged with the same IDFA, it can be combined to build a comprehensive profile of you. For example, say you run a video app that has access to your IDFA. Even if you never reveal your personal information to that app, your video browsing history in it is associated with your IDFA. The app then submits your video browsing history and your IDFA to a third-party advertising company. The video app itself cannot link that history to you (it never collected your personal information). However, the advertising company already holds your personal information (e.g. name, email, phone number) tagged with the same IDFA from another app, so it can link your name to your video browsing history.

In other words, the IDFA is the common key that joins all the disparate and dispersed information collected about you. When you ask an app not to track you at the ATT prompt, it can no longer obtain your IDFA, and without the IDFA third-party advertising companies cannot join that information to you.

The next question is, who are these third-party advertising companies? The biggest are Facebook and Google. Some apps even send information about you to multiple third-party advertising companies! This is how, with the IDFA, Facebook and Google can know what you are up to across many different apps by different companies. Since Facebook and Google have already collected a lot of personal information about you, if you run any of their apps and give them access to your IDFA, they can link that IDFA to everything collected about you through other apps and build an even more comprehensive profile.

Without IDFA, what can Facebook/Google do?

Without access to the IDFA, third-party advertising companies need to collect other information from your device that, in combination, can identify it. What sort of information can they collect without asking your permission? Examples include:

  • Cellular Carrier Name (e.g. AT&T, Optus, Vodafone, Telstra)
  • Locale information
  • Device screen resolution
  • Device model
  • iOS/iPadOS version
  • Language
  • Language keyboard
  • Country
  • Device name (the name you set under Settings > General > About)
  • Date and time your device was last started (its boot time)
  • IP address

The problem with all this information, from the tracker's point of view, is that no single item uniquely identifies your device, and some items change (your iOS version changes when you update, the carrier name changes when you switch telecommunications provider, the boot time changes whenever you restart). But combined, these items form a device fingerprint that identifies your device more or less uniquely, and a tracker that tolerates one or two changed items can even follow the fingerprint across an iOS update or a reboot. Granted, a fingerprint is not as reliable as the IDFA, but for the purpose of tracking it is the best alternative trackers have. Apple's developer policy forbids deriving data from a device in order to uniquely identify it, but that rule is enforced by policy and App Store review, not by the operating system.
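To make the two mechanisms above concrete, here is an added example in Python, written for this page; it is not Apple's, Facebook's or any advertising SDK's code. It plays the role of an advertising company's back end: it joins records reported by different apps on their IDFA, discards the all-zero IDFA that a device reports after “Ask App Not to Track”, and falls back to a fingerprint built from the attributes listed above, tolerating one changed attribute such as an iOS update. The record layout, field names, attribute values and the IDFA are all constructed for the example.

```python
"""Added example, not code from the article or from any vendor: how an
advertising back end can join what different apps report about one device,
first by IDFA and then, when ATT denies the IDFA, by a device fingerprint
built from the attributes listed above. Every record and value is constructed."""
import hashlib
from collections import defaultdict

# What iOS returns to an app once the user picks "Ask App Not to Track".
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"

# The attributes from the article's list; none of them needs ATT permission.
# (Key names are assumptions made for this example.)
FINGERPRINT_FIELDS = ("carrier", "locale", "screen", "model", "os_version",
                      "language", "keyboard", "country", "device_name",
                      "boot_time", "ip")

# Two constructed devices. Device A's owner refused tracking, device B's allowed it.
DEVICE_A = dict(carrier="Telstra", locale="en_AU", screen="1170x2532",
                model="iPhone13,2", os_version="15.0", language="en",
                keyboard="en_AU", country="AU", device_name="iPhone",
                boot_time="2021-11-30T08:12:00", ip="203.0.113.7")
DEVICE_B = dict(carrier="AT&T", locale="en_US", screen="1284x2778",
                model="iPhone13,4", os_version="15.1", language="en",
                keyboard="en_US", country="US", device_name="Work phone",
                boot_time="2021-12-01T19:40:00", ip="198.51.100.23")
IDFA_B = "6D92078A-8246-4BA4-AE5B-76104861E7DC"  # constructed, not a real device

# What four apps (two per device) report to the same advertising company.
RECORDS = [
    {"app": "video", "idfa": ZERO_IDFA, **DEVICE_A,
     "video_history": ["cooking", "guitar"]},
    # Same device a week later, after an iOS update, now signed in by name.
    {"app": "shop", "idfa": ZERO_IDFA, **{**DEVICE_A, "os_version": "15.1"},
     "name": "Alice", "email": "alice@example.com"},
    {"app": "news", "idfa": IDFA_B, **DEVICE_B, "name": "Bob"},
    {"app": "fitness", "idfa": IDFA_B, **DEVICE_B, "steps_per_day": 8000},
]

NON_PROFILE_KEYS = {"app", "idfa"}


def link_by_idfa(records):
    """Join records on the IDFA. The all-zero IDFA is skipped rather than
    used as a key, otherwise every opted-out device would merge into one
    meaningless profile."""
    profiles = defaultdict(dict)
    for rec in records:
        idfa = rec.get("idfa")
        if not idfa or idfa == ZERO_IDFA:
            continue
        profiles[idfa].update({k: v for k, v in rec.items() if k not in NON_PROFILE_KEYS})
    return dict(profiles)


def fingerprint(attrs):
    """Hash the attributes into one short identifier (the normalisation is an
    assumption of this example; real SDKs differ)."""
    canon = "|".join(f"{k}={attrs.get(k, '')}".lower() for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def differing_fields(a, b):
    """How many fingerprint attributes differ between two attribute sets."""
    return sum(1 for k in FINGERPRINT_FIELDS if a.get(k) != b.get(k))


def link_by_fingerprint(records, tolerate=1):
    """Fallback join when there is no IDFA: a record is attached to an
    existing profile when at most `tolerate` attributes differ, so an iOS
    update or a reboot (one changed field) does not break the link."""
    profiles = []  # list of [attrs, data] pairs
    for rec in records:
        attrs = {k: rec[k] for k in FINGERPRINT_FIELDS if k in rec}
        data = {k: v for k, v in rec.items()
                if k not in FINGERPRINT_FIELDS and k not in NON_PROFILE_KEYS}
        for p_attrs, p_data in profiles:
            if differing_fields(attrs, p_attrs) <= tolerate:
                p_attrs.update(attrs)   # keep the newest values (e.g. new OS version)
                p_data.update(data)
                break
        else:
            profiles.append([attrs, data])
    return {fingerprint(a): d for a, d in profiles}


if __name__ == "__main__":
    print("by IDFA:", link_by_idfa(RECORDS))
    print("by fingerprint, tolerate=1:", link_by_fingerprint(RECORDS, tolerate=1))
    print("by fingerprint, tolerate=0:", link_by_fingerprint(RECORDS, tolerate=0))
```

With `tolerate=1` device A's two records (differing only in iOS version) collapse into one profile that carries both Alice's name and her video history, even though both apps received the all-zero IDFA; with `tolerate=0` the iOS update breaks the link. That gap between the two runs is exactly what the article means by a fingerprint being "not as foolproof as IDFA".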

Can you stop this alternative tracking method?

Unfortunately not, unless you are willing to install another third-party app that filters your device's traffic (more on that below).

All this information about your device serves a purpose, and apps can have legitimate reasons for accessing some of it. For example, an app needs to know which country you are in and which language you use so it can serve you country- or language-specific content, and it needs your device's screen resolution to display graphics properly.

Therefore, when you ask an app not to track you at the ATT prompt, you are relying on an honour system. Apple can withhold your IDFA from the app, but it cannot stop the app from reading this other, individually innocuous information about your device. Once an app has collected it, it is up to the app (and whichever advertising SDKs it bundles) to honour your request not to track you.

How can you stop Google/Facebook from tracking you?

The only way to stop Google, Facebook and other third-party advertisers from tracking you this way is to cut off apps' ability to 'phone home' to third-party advertisers and trackers. This requires blocking your device's Internet connections to known advertiser and tracker hosts.

There is an app to do that: Disconnect.me. It works by installing itself as a VPN on your device, and that VPN filters out connections to the advertisers and trackers on its blocklist. Bear in mind what such a filter can and cannot do: it blocks connections only to hosts on its list, and it cannot block an app's traffic to its own servers (the Facebook app talking to Facebook) without breaking the app.


Comments

  • Sat, Dec 04, 2021 - 10:03pm
    #1 saskier (Member, joined Jun 09 2012, 3 posts)

    disconnect.me

    VPNs abound.  disconnect.me has apps (some free) plus apparently a VPN service.  The company is incorporated in Delaware (no taxes) and resides in Frisco (Silicon Valley).  They are funded by venture capitalists (FirstMark Capital LLC/Crunchbase Venture Program) whose modus operandi is to go public at some point to make $millions.  So it goes.

    From my BRIEF research they don't look so bad on paper while private, my concern would be when they go public or get bought out by someone not so privacy centric.  It's a little concerning their main page shows plugs by NON-PRIVACY centric companies/organizations:

    Microsoft, Mozilla, NSA, CISA, et. al.

    While I have nothing to hide (other than my privacy), these plugs don't give me warm fuzzies.

  • Sun, Dec 05, 2021 - 6:20am
    Terminator (Member, joined Feb 06 2011, 140 posts)

    Exactly my feeling. Protecting yourself by installing another "free" app might be an easy short cut (as easy as searching with Google 😉 ), but will compromise you possibly in the future.

    It might however be the best you can do at the moment, based on an expert opinion.

    Btw I've been running pi-hole (on a raspberry pi) for some time, this blocks all unwanted traffic by blocking them from coming in/exiting your home network (router). It did basically shut down all free news websites after a while as you have to allow the adware to be active before you can enter most sites or view content (video is the worst). It's ominous practice nowadays at most websites so I had to stop using it to maintain a functional internet for the family.

    I liked it, because it was community-built software on an easy-to-build platform and it even had a community maintaining the black/white lists with snooper IPs.

    The relevance to IDFA is that it would help stop your IDFA's being connected with your browsing behaviour while at home.

  • Sun, Dec 05, 2021 - 8:19am
    Phred (Bronze Member, joined Dec 16 2020, 136 posts)

    The pi-hole acts as your primary domain name server (DNS) on ethernet and returns "not found" for domains on the blacklist. This blocks embedded trackers for Facebook, Google, Microsoft, etc. as well as requests for advertising from servers on the blacklist (currently 174 thousand on mine).  Bandwidth and page load times are typically reduced 2x.  Individual sites like Facebook can be whitelisted or temporarily enabled through the web interface.  You can set it up on an RPI2B for about US$50.

    But it only works with Linux and Windows where you can set the primary DNS server.  Android and Chromebook have ways to bypass that, and Wifi generally uses the DNS provided by your ISP (who also tracks you). Google is working on HTML language extensions that get rid of domain name translations entirely.

    My pihole also is my "cloud" for documents that I want to view and modify on any of my PCs. The /share partition mounts as a network drive.

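The filtering that Disconnect.me performs on the device (end of the article) and the Pi-hole DNS sinkhole described in the comment above make the same decision for every name an app tries to resolve: is it a known tracker or not? The Python below is an added example written for this page, not Pi-hole's or Disconnect's code. It parses a constructed blocklist in the hosts-file format Pi-hole ingests, applies an allowlist so one site can be re-enabled, catches subdomains of a listed name, answers 0.0.0.0 for blocked names (Pi-hole's default "null" blocking mode; answering "not found", i.e. NXDOMAIN, is the other common mode) and tallies a few constructed dnsmasq-style query log lines per client. The upstream answers are a constructed table using documentation addresses.

```python
"""Added example, not Pi-hole's or Disconnect's code: the decision a DNS
sinkhole (or a filtering VPN) makes for each queried name, plus a tally of
constructed query-log lines. Blocklist, allowlist, upstream answers and log
lines are all constructed for this example."""
import re
from collections import Counter

# Constructed blocklist in the "hosts" format Pi-hole ingests (bare names work too).
BLOCKLIST_HOSTS = """\
# tracker hosts, constructed for the example
0.0.0.0 graph.facebook.com
0.0.0.0 app-measurement.com
0.0.0.0 googleadservices.com
tracker.example-analytics.net
"""

# The user re-enabled the Facebook app through the web interface.
ALLOWLIST = {"graph.facebook.com"}

# Stand-in for the upstream resolver (documentation addresses, constructed).
UPSTREAM = {
    "www.example.com": "203.0.113.10",
    "graph.facebook.com": "203.0.113.44",
    "app-measurement.com": "203.0.113.45",
}

BLOCK_ANSWER = "0.0.0.0"  # Pi-hole's default "null" answer; NXDOMAIN is the other common mode


def parse_hosts_blocklist(text):
    """Read 'IP name' or bare 'name' lines, skipping comments and blanks."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name = parts[1] if len(parts) > 1 else parts[0]
        blocked.add(name.lower().rstrip("."))
    return blocked


def is_blocked(name, blocked, allowlist=frozenset()):
    """Walk from the full name up through its parents (stopping before the
    bare TLD) so that sdk.tracker.example-analytics.net is caught by the
    tracker.example-analytics.net entry. The allowlist wins at any level."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in allowlist:
            return False
        if candidate in blocked:
            return True
    return False


def resolve(name, blocked, allowlist=frozenset()):
    """What the sinkhole answers: BLOCK_ANSWER for a blocked name, otherwise
    the upstream record (None when upstream has none)."""
    if is_blocked(name, blocked, allowlist):
        return BLOCK_ANSWER
    return UPSTREAM.get(name.lower().rstrip("."))


# Constructed dnsmasq-style query log lines, in the shape Pi-hole's log shows them.
LOG_LINES = """\
Dec  5 08:19:01 dnsmasq[512]: query[A] graph.facebook.com from 192.168.1.20
Dec  5 08:19:01 dnsmasq[512]: query[A] sdk.tracker.example-analytics.net from 192.168.1.20
Dec  5 08:19:02 dnsmasq[512]: query[AAAA] app-measurement.com from 192.168.1.31
Dec  5 08:19:03 dnsmasq[512]: query[A] www.example.com from 192.168.1.31
""".splitlines()

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def classify_log(lines, blocked, allowlist=frozenset()):
    """Count blocked and allowed queries per client: a quick inventory of
    which devices on the LAN are talking to trackers."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = "blocked" if is_blocked(m.group("name"), blocked, allowlist) else "allowed"
        counts[(m.group("client"), verdict)] += 1
    return counts


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(BLOCKLIST_HOSTS)
    for q in ("graph.facebook.com", "sdk.tracker.example-analytics.net", "www.example.com"):
        print(q, "->", resolve(q, blocked, ALLOWLIST))
    print(classify_log(LOG_LINES, blocked, ALLOWLIST))
```

The sinkhole only sees queries that actually reach it. An app that resolves names itself over DNS over HTTPS to another resolver, or that connects to hard-coded IP addresses, bypasses this decision entirely; a router rule that blocks outbound DNS to other resolvers catches plain DNS and DNS over TLS (port 853) but not DNS over HTTPS, which shares port 443 with ordinary web traffic. That is the gap a VPN-based filter that sees the packets themselves is meant to close.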

  • Sun, Dec 05, 2021 - 3:20pm
    #4 Shplad (Member, joined Mar 21 2020, 38 posts)

    I'm feeling too lazy to do a thorough search right now, but at least in 2018, you could specify a plain-old DNS server and not be forced to use DoH (DNS over HTTP/S)

    https://www.howtogeek.com/204672/how-to-change-the-dns-server-on-a-chromebook/

    And Android is often pretty hackable (in the original sense of the word, not the "I'm in a dark basement wearing a hoodie" sense). So I'd think there are options there.

    My fear is that corporate America will find some way to prevent or workaround all ad blocking through similar (DNS cache poisoning) techniques.

    Another option is to have ad blocking at the router. FreshTomato open source firmware has this feature, and it's mostly as simple as just turning it on. FreshTomato runs on a lot of inexpensive consumer-level routers, such as Netgear, Asus, D-Link, Linksys etcetera.

    And of course, you can set your router to use OpenDNS as your DNS server and let them block the annoying stuff for you. Again, of course, this assumes that you're not bypassing standard DNS by having the client device configured for DoH or similar.


  • Sun, Dec 05, 2021 - 10:23pm
    #5 Stph (Bronze Member, joined Jul 01 2021, 233 posts)

    The best defence is block ALL ads, all the time.

    It needs to be appreciated that tracking is not, fundamentally, about advertising revenue.  It is, in fact, about putting you in a Skinner box, categorizing you, conditioning you, manipulating you.  This sort of "advertising" is completely incompatible with liberty, on a fundamental level, and makes any sort of free choice, or democratic governance, fundamentally impossible.

    Do not trade your liberty -- and your children's liberty -- for trinkets.  STOP USING ANDROID. Stop using Google.  Stop using Microsoft.  Look for a way to stop using any and all tech which is experimenting on you and yours.  These companies and people are your blood enemies, even if you have not noticed them stabbing you yet.  Don't be naive, and don't sell your privacy and autonomy for convenience nor trinkets.   Certainly, START using 100% ad blocking 100% of the time.  Use VPNs if possible, but -- most of all -- start blocking all ads all the time.  If you can't see the ad, you can't react to it.  If you can't see the ad, they can't catalog whether you slowed down for a microsecond in reaction to an image or a sound.  Garbage in, garbage out.  Give them garbage, if possible, but most of all, give them n-o-t-h-i-n-g  to work with.

  • Sun, Dec 05, 2021 - 11:28pm
    #6 FooBarr (Bronze Member, joined Oct 21 2010, 137 posts)

    Currently exploring un-googled phones, and am replacing Windows OS with Linux...looks promising, but much more to learn.

    I quit my job last summer and decided to go back to school, so my work cell phone got shipped back and I didn't have a personal one at the time.  (Turned out my company was a WEF corporate-sponsor, freakin losers).   It was quite liberating not having a cell phone for 3 months, but I eventually broke down and got a Rob Braxman de-googled phone, here: https://brax.me/prod/host.php?f=_store&h=rob&p=&version= .  3rd-party review video here: https://www.youtube.com/watch?v=UHblNY6TSdk

    It is a Motorola running LineageOS with mostly F-Droid apps.  Typically my phone is usually in airplane mode with location off, and I only check messages periodically through the day.  I don't do social media, and only occasionally check the web, with the browser being DuckDuckGo with TOR and Orbot VPN.

    I am very pleased so far and my learning curve has advanced enough that I'm also playing with Linux OSs on a PinePhone.  It has six physical on/off switches for its various emitters under the back cover.  On the PinePhone I've played with Manjaro, Postmarket, and Ubuntu OSs.  These OSs seem more at the J-V level, but I sense there will be much improvement coming soon.  PinePhone skinny here: https://en.wikipedia.org/wiki/PinePhone

    I'm also playing with Linux on some older laptops laying around.  Having good luck with Zorin OS.  Also playing with Linux on Raspberry Pi 4, and am currently replacing my big-tech streaming devices with multiple RP4s.

    To me it's important to figure this out now, in order to avoid being culled into transmoronism in the coming years.  You snooze you looze.  Happy Hunger Games and let the odds be in my favor....


  • Mon, Dec 06, 2021 - 2:25am
    #7 saskier (Member, joined Jun 09 2012, 3 posts)

    get a vpn and mess with 'em

    Pinephone seems cool, wish I had first hand experiences with them.  So far they do not support Wifi calling (obviously totally tracked), but makes a phone more useful when you do not have a cell signal, but DO have Wifi.

    No idea which is the "best" VPN, and that may very well depend upon where you live?  Seems like it's a good idea to get one, and then mess with them.  If you work for a medium-large company or edu, you are surfing through a proxy, frequently behind a VPN of some kind.

    I track all sockets when browsing (and disallow js until I deem it's needed...which is frequently).  So, mess with 'em:  change your language/location (you speak or read French/German/Spanish--good time to brush up on your language skills)?  OK, then stick with English, change your location to Canada/US, Mex, Aus.  Ensure your VPN is giving you a new IP address every few days/week.  This is easy, just pick a different VPN server every now and then (they always give you different server locations).  Use different computers/phones/pads.  Clear your cookies & history frequently.  Use browser plugins sparingly (yet, you probably should use a few).  Change your browser plugins every now and then.

    I'd love to provide more suggestions, but they are a PITA for people who just want their shit (laptop/phone/pad) to work.  Most just don't have the time nor patience nor at times background to make their websites and/or small networks safer and less prone to tracking.

    This is where software developers need to devote their talents (even part-time).  Defaults that use google are evil.  Recall, Youtube == google.  Almost every freaking website I visit uses some google remote socket call (amongst others).  It's up to 95+% now based on my laborious browsing.  Remember, the cloud just means your stuff is on SOMEONE else's computer.  Great for testing and such, but for security?  Just think about that for a moment.

    From the original post (tweak these for some semblance of anonymity).

    • Cellular Carrier Name (e.g. AT&T, Optus, Vodafone, Telstra)
    • Locale information
    • Device screen resolution
    • Device model
    • iOS/iPadOS version
    • Language
    • Language keyboard
    • Country
    • Device name (more information about how to change or set it can be found here)
    • Date & time in which your device was first switched on
    • IP address

    May the force be with you.

  • Mon, Dec 06, 2021 - 5:34pm
    #8 ezlxq1949 (Bronze Member, joined Apr 29 2009, 125 posts)

    Oh dear, getting left behind. . .

    My iGadgets are getting old and can't run many recent apps, including Disconnect.me

    I can't afford to purchase new iGadgets, which is good from the point of view of not adding to the growing mountain of e-waste, but not good if I want to keep current in the arms race between users and snoopers.

    Up until recently I made almost no use of my phone, cellular. I detest the thing. Sadly, the blasted check-in regime could have forced me to take it out of the drawer (which no doubt was one of its purposes) had Canberra not implemented a scheme where people lacking portable phones are issued with a check-in card which the store scans. No need for a phone at all. No tracking of that nature at all. Within the ACT I don't need to carry one anywhere.

    I have a largely unused Faraday bag, so when I travel outside the ACT and must take the ball-and-chain, oops, phone, with me, I will bring the Faraday bag too. That may help just a little. I amuse myself wondering what the surveillance squad will do with my popping in and out of existence. I am presuming that even when a modern phone is switched off, it still responds to signals from the cell tower.


  • Tue, Dec 07, 2021 - 11:38am
    #9 davefairtex (Member, joined Sep 03 2008, 3102 posts)

    wow

    Who knew there was this much experience hiding at PP?  Very cool stuff.


  • Thu, Dec 09, 2021 - 5:20am
    White-Light-2 (Member, joined Jun 14 2021, 23 posts)

    Many reviews of disconnect.me give this product low ratings to useless.

    I am using search engines that stop a lot of ads etc. e.g. Brave or at times Opera until something is better and easier to use.


  • Thu, Dec 09, 2021 - 12:35pm
    #11 hmcgov (Member, joined Aug 25 2010, 9 posts)

    Why This is Super Important

    Nice article, certainly hits on some tricky topics that need to be mastered. The scary part is what happens to your data, not just now but in the future (computers never forget and AI is getting better every year).

    Check out Michal Kosinski's work at Stanford. With 500 likes, they can predict your personality better than your spouse. Liking cat photos doesn't seem like much, but when they have other people submit to deep psychological assessments... and those other people are also liking similar cat photos... then bingo we have a match and that deep psychological profile is accurately correlated to you just from liking cat photos.


  • Fri, Dec 10, 2021 - 9:38pm
    #12 MGRS (Silver Member, joined Feb 28 2013, 143 posts)

    advertorial?

    Good article, learned some cool stuff.  It did a good job of defining the problem.

    Proposing a product solution, disconnect.me, without any nuanced discussion of its pros and cons is kind of jarring though, and doesn't build any credibility.  I don't know if it's the intent, but it reads like an advertorial.

    In the author's defense, the link doesn't appear to be any sort of affiliate link.


  • Sat, Dec 11, 2021 - 12:18pm
    #13 Curt504 (Member, joined Mar 22 2020, 34 posts)

    Everyone should have a choice of opting out or in, but my choice is to stay opted in.

    As a past software engineer (presently self employed as a real estate investor for passive income) my personal belief is we are trackable no matter what we do if we turn on any device that connects to the internet.  Not conspiracy belief just feeling that it's so much work to be invisible and errors occur thus wasting most of the prior effort.

    PLUS we run our whole business on google/gmail/google docs, the whole tool set.  The only thing I pay is $1.99/mo for more google drive storage.   All your and my clicking is paying for my businesses IT infrastructure and I'm SOOOO glad for all those clicks and tracking cookies.

    If no one looks at ads, eventually what we use for free will need a monthly fee.  Which I agree with, but in the mean time we get tremendous value for almost free.  Including ads for stuff that I just bought.  LOL,,,, geez, that's a wasted tracking cookie!

    Best to all.  Glad you are taking charge of all your interactions with the world.  I agree its important to know how all this glues together.  Curt


  • Mon, Dec 13, 2021 - 4:21pm
    iSecurityGuru (Member, joined Mar 21 2020, 16 posts)

    My apologies.

    The last part on Disconnect.me was a last-minute add-on to the article. I thought it wasn't good to end an article without a solution. So, I added that in at the last minute and so it appeared jarring.


  • Thu, Dec 16, 2021 - 1:26pm
    #15 Mark_BC (Silver Member, joined Apr 30 2010, 665 posts)

    I was just talking with my mom about her friend's cataract surgery. Speaking in person. Within a half hour Youtube is suggesting videos for cataract surgery. My Android phone is listening to me.

