Sun. Oct 2nd, 2022

In 2021, Apple introduced a new privacy policy on its devices regarding the collection and tracking of data on the iPhone, iPad and Apple TV, both when cross-referencing information between apps and during the use of browsers. When versions 14.5 of iOS, iPadOS and tvOS were released, all applications that use the feature were required to request user authorization to maintain access. Apple bet, rightly, that the majority of the public would block the tracking if given the option, to the complete terror of giants like Google and Meta (with the latter having turned to FUD), who rely on that data to make money. But a year after the feature debuted, a study found that companies had learned to get around the problem.
iPhone XR (Credit: Ronaldo Gogoni/Meio Bit)

The research (caution, PDF), published on arXiv, the open access repository at Cornell University, was conducted by independent US professionals and researchers at the Department of Computer Science of the University of Oxford, UK. The group analyzed the behavior of 1,759 applications and how they handled the collection, tracking and cross-referencing of data between applications, comparing before and after the iOS, iPadOS and tvOS 14.5 update.

Apple's privacy policy, officially called App Tracking Transparency, requires apps that track user activity in other software, or on a website while using the browser on iPhone, iPad and/or Apple TV, to display a notification at the time of their first run after installation (or on the first run after the OS upgrade to the versions mentioned above), asking whether the user allows the collection or wants to block it.

If the owner of the device chooses the second option, the app is permanently prevented from tracking and collecting such data, which allows analyzing individual behavior and providing the user with personalized products, services and promotions, and which, at the same time, accounts for a large part of the revenue of big companies like Meta and Google. In fact, the blow suffered by Facebook cost Mark Zuckerberg's company hundreds of billions of dollars.

Of course, companies and developers affected by Apple's new policy wouldn't stay quiet for long. Meta, for example, has implemented a new tool called Aggregated Event Measurement, through which advertisers can access broad-scope metrics, where each domain (site) and app is related to up to 8 conversion points. It is a visualization of data on the behavior of a general public, broad and generic, since it would not be possible to collect personalized and individual information.

Or so it was thought.
The research conducted by the Oxford academics revealed that, among the applications analyzed, there was no significant difference between the data collected before and after Apple's implementation of the new rules. Basically, stakeholders learned to circumvent the rules, finding semantic flaws in the rules stipulated by Cupertino that allow them to continue operating normally, collecting and cross-referencing information between apps. All this without breaking the rules: methods that are not explicitly prohibited by Apple's privacy guidelines are technically allowed to be used, no problem.
Data collection and tracking before and after iOS 14.5, listing the top 15 libraries and top 15 most accessed domains (Credit: Reproduction/arXiv/Cornell University)

That's not to say App Tracking Transparency doesn't work. It's excellent at what it sets out to do, and there is no trick on Apple's part: if the user determines that an app, browser or game shouldn't track data between apps, it is prevented from doing so.

The problem is that this only concerns the parameters defined by the privacy policy. Small and medium-sized developers lack the resources that the tech giants have to devote money and manpower to finding loopholes in Apple's supposedly armored system, and to taking advantage of flaws in the rules to implement new ways to access the user's information, collect it and continue cross-referencing it. Basically, such apps enter through the back door of the iPhone, which is unlocked.

The study shows the results of tracking data across the top 15 libraries and the top 15 most accessed domains, and the usual suspects like Facebook/Meta, Google/Alphabet Inc., Microsoft and Oracle either continue to collect data in the same way they did before iOS 14.5, or intensified their efforts (note the play.googleapis.com domain) and started tracking even more information.

Methods used include identifying the user through logins with specific accounts, such as Google and Facebook, or tracking the use of a particular IP address and connecting it to an individual. In one specific case, researchers found that Umeng, a subsidiary of Alibaba Group, provided identifiers for apps in order to track users, which is a blatant violation of Apple's terms, but in this case Apple has its reasons for pretending it didn't see anything. Contacted by Ars Technica, Apple and Alibaba did not comment.
Of course, privacy matters, but it only works if everyone follows the rules of the game (Credit: Reproduction/Apple)

personalized results, to data security, those who choose to block the activity do so in the belief that Apple has developed a really useful tool to protect their privacy. What Apple does not comment on, however, is that developers have found ways to get around the feature and that, at least for now, the company is not interested in closing such loopholes, giving a false sense of security to owners of iGadgets, who believe they are protecting their habits and data when they are not.

References

KOLLNIG, K., SHUBA, A., KLEEK, MV et al. Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels. arXiv (Cornell University), 13 pages, April 7, 2022. Available at https://doi.org/10.48550/arXiv.2204.03556.

Source: Ars Technica