It was hit hard enough yesterday after Apple announced it was delaying protection against any ad industry approach to tracking us. 9to5 Mac readers and Twitter users weren’t impressed.
But in the end, Apple’s latest privacy measures won’t make much difference: there’s already a new way for advertisers to track us, and very little Apple can do about it: device fingerprinting. Read on to see if your devices can be individually identified …
Why advertisers, websites and apps want to track us
There are two reasons why advertisers, websites and apps want to track us.
First, they want to show us personalized ads. Ads related to our own interests and activities are more likely to be effective. For example, if you visit a lot of tech websites, advertisers are more likely to be interested in you if they show ads for gadgets instead of random stuff.
So if you visit ten technology websites, and each of them throws a cookie on your device so that you visit that site, ad networks can verify the presence of those cookies, see if you like the technology, and then serve ads on the gadget. The same thing can be done with apps – you can use apps to determine your interests
Things can get a lot more specific than that. If you visit a website about Apple Watch straps, the cookie can then be used to ensure that an ad for those straps is shown to you on a related site.
Second, advertisers want to know which ads are effective. Relatively few people click on ads, so this is not a good way to measure effectiveness. Instead, if you are shown as an ad on an iPhone, the advertiser may drop a cookie on your device. If you later visit the website for that case, the site can verify the presence of that cookie and decide if the ad was effective in getting you there.
The cookie will let you know when the website you were on or which app you used to see the ad. The case maker will then be able to decide whether it is appropriate to spend money on that ad or on that app.
Note that the advertiser has no idea who you are. It does not know your name, address or any personally identifiable data. It’s easy to know that Person X has a lot of technical cookies on its device, Person Y has seen an Apple Watch Strap website, and Person Z has seen an ad in a particular iPhone case.
Apple’s three-pronged approach to limiting tracking
Apple initially acknowledged that advertisers wanted to perform tracking (including things like Apple Search ads), but wanted to make sure user privacy was protected. The first step it took was to come up with something known as IDFA: an identifier for advertisers. It is a unique identifier for each device, with the end randomly assigned. Advertisers are allowed to use it for tracking, because Apple knows there is no way to use it to identify a person by name.
The second step was for users to go to Settings> Privacy> Tracking and set a toggle to allow or deny tracking. This was not a threat to advertisers, as only the person who strongly objected to the tracking would ever be bothered.
Stage 3 is a change that upset Facebook, and Apple has now agreed to delay. With this change, iOS 14 will force applications to show a popup that asks for your permission. If you do not say so, the application will not be able to use your IDFA.
Advertisers were already concerned about this, as many people thought that ‘tracking’ meant they could be personally identified. Even an ordinary non-tech person is going to assume that the meaning of ‘tracking’ is much more frightening than the real thing, so most people will not say.
The Next Step in the Advertising Industry: Device Fingerprint
Advertisers started with cookies; Apple and others block them.
Apple has since offered advertisers IDFA, but the delayed change to iOS 14 means most users will be denied access.
But as far as Facebook can imagine, there are already other ways to identify devices in the advertising industry: device fingerprint.
Whenever you visit a website, your browser transfers a bunch of data to ensure that the site is displayed correctly on your device. For example, a website on an iMac and an iPhone needs to display itself separately.
Websites have become more sophisticated over time, increasing the amount of data your browser has. Here are some examples of data your browser sends to a website:
- Browser name and version (eg Safari 13.1.1 / 605.1.15)
- Device operating system and version (eg MacOS 10.15.5)
- Time zone
- Fonts installed
- Device sellers (such as Apple)
- Browser plugin installed
- Screen resolution
- Screen color depth
- Audio formats supported
- Video formats supported
- Connected media devices (input and output, for example, for webcams)
- Keyboard base type
- The language of the desired content
- How your device renders a specific image on a webpage
Remember that this is not an exhaustive list, it is just an example. When a website analyzes all the data it has available, things get very specific, very fast.
The purpose of the device fingerprint is to try to identify each unique device by assigning a device fingerprint to it. You can then be used to track you in the same way as IDF.
Want to see if your device can be uniquely identified? Go to this website or it and run the test. If you’re anxious to do this, remember that any website can do the same thing – the only difference with these sites is that they’re showing you your data. But if it makes you feel more comfortable, Amunic.org.org provides its source code and is powered by Panopticlic EFF.
I tested both my Mac and iPhone.
It doesn’t surprise me that my Mac was uniquely marked. I have a 49 inch monitor and can’t have too many people with a screen resolution of 5120 × 1440. Add it to some non-standard fonts I have installed and it may already be unique. If not here’s a new product just for you!
But my iPhone 11 Pro was also unique among the more than 2.5 million devices they tested. This stuff works.
Apple’s delayed change will essentially render IDFA useless for advertisers, as many will refuse permission. But the advertising industry will simply switch the device to fingerprint and run as usual.
Apple can fight you for giving out the exact same information for Mac addresses when connecting to a public WiFi hotspot. However, a lot of information cannot be evaded, otherwise it will stop rendering web pages properly.
The bottom line is that the delayed implementation of Apple’s IDFA popups is only going to have one effect: it will give advertisers more time to switch their device to fingerprint. The tracking battle is not going to end any time soon.
FTC: We use revenue generating automated links. More
Check out 9to5Mac on YouTube for more Apple news:
(Embed) https://www.youtube.com/watch?v=jVcqrChGpDo (/ embed)