This article was written for Peak Prosperity by Terence Kam, founder and cybersecurity consultant at iSecurityGuru.com. You can follow his company on LinkedIn or subscribe to his writings on Medium, where he writes on a wider variety of topics.
From iOS/iPadOS 14.5, Apple has made it much harder for apps to track you with the “App Tracking Transparency” (ATT) feature. The job of this feature is to protect your privacy. Facebook is reported to have lost $10 billion because of ATT.
According to Apple, this is how the ATT works:
The big question is, even if you turn on the ATT, do apps still have other means to track you? In short, the answer is “Yes”!
First, you must understand what happens when you allow apps to track you with this ATT prompt:
Every device is assigned an Identifier for Advertisers (IDFA). The IDFA is a piece of random information that is uniquely assigned to each iOS/iPadOS device. The IDFA by itself does not reveal any information about you. If you allow an app to track you, you are basically allowing it to get your device’s IDFA.
The problem arises when you reveal personal information (e.g. your name, phone number, email) to apps that have access to your IDFA. When that happens, apps can associate your device’s IDFA with your revealed personal information. Usually, what happens is that apps send your IDFA, along with your associated personal information, to some third-party advertising companies. For example, when you sign in with Apple, you can potentially reveal your first and last name:
Different apps collect all sorts of information about you (e.g. your usage data, your browsing history), some of which is not even private. But if all this collected information from different apps is associated with the same IDFA, it can then be used to build a comprehensive profile about you.
For example, let’s say you run a video app that has access to your IDFA. Even if you do not reveal your personal information to that app, your video browsing history in that video app will be associated with your IDFA. That app then submits your video browsing history and your IDFA to a third-party advertising company. At this point, the video app cannot link your video browsing history to you (since it did not collect your personal information). However, since that advertising company already has your personal information (e.g. name, email, phone number) associated with your IDFA, it can link your personal information with your video browsing history.
In other words, the IDFA is the common link between all the disparate and dispersed collected information about you. So, when you ask an app not to track you in the ATT prompt, it can no longer obtain your IDFA. Without the IDFA, third-party advertising companies cannot link all this disparate and dispersed collected information to you.
The next question is: who are the third-party advertising companies? The biggest ones are Facebook and Google. Some apps even send information about you to multiple third-party advertising companies! This is how, with the IDFA, Facebook and Google can know what you are up to across many different apps by different companies. Since Facebook and Google have already collected a lot of personal information about you, if you run any of their apps and give them access to your IDFA, they can link the same IDFA to all your other collected information from other apps. This way, they can build an even more comprehensive profile about you!
Without IDFA, what can Facebook/Google do?
Without access to IDFA, third-party advertising companies need to collect other information from your device that can uniquely identify it. What sort of information can they collect from your device? Examples include:
- Cellular Carrier Name (e.g. AT&T, Optus, Vodafone, Telstra)
- Locale information
- Device screen resolution
- Device model
- iOS/iPadOS version
- Language keyboard
- Device name (more information about how to change or set it can be found here)
- Date & time in which your device was first switched on
- IP address
The problem with all this information is that no single item alone can uniquely identify your device. Also, some of it can change (e.g. your iOS version changes when you update it, your carrier name when you change your telecommunication provider, and the switch-on time when you restart your device). But combined, these items can more or less uniquely identify your device. Granted, the combination is still not as foolproof as the IDFA, but for the purpose of tracking, it is the best alternative for trackers.
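The effect described above can be measured. The following is an added example, not code from the article: it uses a constructed population of eight hypothetical devices (all values are made up) to show that each attribute alone singles out no device, that the combination singles out every device, and that one OS update makes a fingerprint collide with another device's.

```python
import math
from collections import Counter

# Constructed sample population: hypothetical devices, not data from the article.
FIELDS = ("carrier", "locale", "screen", "model", "os", "keyboard")
DEVICES = [
    ("Telstra",  "en_AU", "1170x2532", "iPhone13,2", "14.5", "en"),
    ("Telstra",  "en_AU", "1170x2532", "iPhone13,2", "14.6", "en"),
    ("Optus",    "en_AU", "1170x2532", "iPhone13,2", "14.5", "en"),
    ("Optus",    "en_AU", "828x1792",  "iPhone12,1", "14.6", "zh"),
    ("Vodafone", "en_GB", "828x1792",  "iPhone12,1", "14.5", "en"),
    ("Vodafone", "en_GB", "1170x2532", "iPhone13,2", "14.6", "zh"),
    ("Telstra",  "en_GB", "828x1792",  "iPhone12,1", "14.6", "en"),
    ("Vodafone", "en_AU", "828x1792",  "iPhone12,1", "14.5", "zh"),
]

def project(device, fields):
    """Keep only the named attributes of one device."""
    return tuple(device[FIELDS.index(f)] for f in fields)

def unique_fraction(devices, fields):
    """Share of devices whose chosen attributes match no other device."""
    counts = Counter(project(d, fields) for d in devices)
    alone = sum(1 for d in devices if counts[project(d, fields)] == 1)
    return alone / len(devices)

def surprisal_bits(devices, fields, device):
    """Identifying information, in bits, the chosen attributes reveal about a device."""
    counts = Counter(project(d, fields) for d in devices)
    return math.log2(len(devices) / counts[project(device, fields)])

def with_change(devices, index, field, value):
    """Copy of the population after one device changes one attribute."""
    changed = list(devices[index])
    changed[FIELDS.index(field)] = value
    return devices[:index] + [tuple(changed)] + devices[index + 1:]

if __name__ == "__main__":
    for f in FIELDS:
        print(f"{f:9s} alone: {unique_fraction(DEVICES, (f,)):.2f} unique")
    print(f"combined       : {unique_fraction(DEVICES, FIELDS):.2f} unique")
    # Screen and model are perfectly correlated here, so the pair adds nothing.
    print(surprisal_bits(DEVICES, ("screen", "model"), DEVICES[0]), "bits")
    # The first device updates iOS and now looks exactly like the second one.
    updated = with_change(DEVICES, 0, "os", "14.6")
    print(f"after OS update: {unique_fraction(updated, FIELDS):.2f} unique")
```

Correlated attributes such as screen resolution and device model contribute no extra identifying bits, which is why trackers favour values that vary independently, such as device name or switch-on time.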
Can you stop this alternative tracking method?
Unfortunately not, unless you are willing to install another third-party app (more on that below).
All this information about your device serves a purpose. Apps can have legitimate reasons for accessing some of this information about your device. For example, they need to know which country you are located in or your language so they can serve you with country or language-specific information. They need to know your device’s screen resolution in order to display graphics properly.
Therefore, when you ask apps not to track you in the ATT prompt, it is based on an honor system. Although Apple can prevent apps from accessing your IDFA, it cannot prevent apps from collecting other innocuous information from your device. If they collect all this information about you, it is up to them to honor your request not to track you.
How can you stop Google/Facebook from tracking you?
The only way to stop Google, Facebook and other third-party advertisers from tracking you is to cut off apps’ ability to ‘phone home’ to third-party advertisers and trackers. This will require cutting off your device’s Internet connections to known third-party advertisers and trackers.
There is an app to do that: Disconnect.me. It works by functioning as a VPN on your device. Their VPN server filters out all Internet connections to advertisers and trackers.
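The filtering decision such a service has to make can be sketched as follows. This is an added example, not Disconnect.me's code: the blocklist entries and hostnames are constructed, and the matching rule (block a listed domain and all of its subdomains, on label boundaries only) is an assumption about how a domain filter would reasonably behave.

```python
# Constructed blocklist; a real one would hold many advertiser/tracker domains.
BLOCKLIST = {"ads.example", "tracker.test"}

def normalise(hostname):
    """Lower-case the name and drop surrounding whitespace and the trailing root dot."""
    return hostname.strip().rstrip(".").lower()

def is_blocked(hostname, blocklist=BLOCKLIST):
    """True if hostname is a listed domain or a subdomain of one."""
    labels = normalise(hostname).split(".")
    # Check every parent suffix on a label boundary: a.b.c -> a.b.c, b.c, c.
    # Plain substring or endswith() matching would wrongly block
    # "nottracker.test" because it ends with "tracker.test".
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def filter_connections(hostnames, blocklist=BLOCKLIST):
    """Split outbound connection attempts into (allowed, dropped)."""
    allowed, dropped = [], []
    for host in hostnames:
        (dropped if is_blocked(host, blocklist) else allowed).append(host)
    return allowed, dropped

# Constructed connection attempts from a hypothetical video app.
SAMPLE = [
    "api.videoapp.example",     # the app's own backend
    "sdk.ads.example",          # subdomain of a listed advertiser
    "TRACKER.test.",            # listed tracker, odd case and trailing dot
    "nottracker.test",          # only looks similar to a listed domain
    "ads.example.cdn.example",  # listed name used as a prefix, not a parent
]

if __name__ == "__main__":
    allowed, dropped = filter_connections(SAMPLE)
    print("allowed:", allowed)
    print("dropped:", dropped)
```

A filter of this kind only sees destination hostnames, so it stops data sent to listed third parties but not data an app sends to its own backend.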