Is apple reaction tracking effective? Most popular IOS apps are still sending user information to third parties

0
102

Focus
Apple launched the so-called att reaction tracking function in April this year, but some applications still send data to third parties without user consent.
2 using IP address, storage service, volume, battery power and other data, advertisers can identify a specific iPhone and understand what other applications users use.
The survey found that even if users refuse to accept tracking, most applications will continue to communicate with third-party data companies called “trackers” behind the scenes.
Unless apple takes action, iPhone users’ privacy remains in the hands of application developers and data companies.
Tencent technology news on September 24, Apple users can now click a button on the iPhone, which says “ask the app not to track”. But behind the scenes, many popular applications continue to pry into people’s privacy.
Suppose the user opens the app subway surfers, which is listed as one of the “must play” games in the Apple App store. It will ask you whether you agree to accept “tracking”, which is a question that has popped up on the iPhone since April and part of Apple’s fight against privacy violations. If users refuse, they can theoretically prevent applications such as subway Parkour and Facebook from tracking what they do on other applications and websites.
The iPhone began displaying the pop-up window in April as part of Apple’s fight against privacy violations
But the results of a joint survey by privacy software developer lockdown and the Washington Post show that many strange things happen when users refuse to accept tracking. Subway Parkour began to send 29 very specific data points about users’ iPhones to external advertising company chartboost, including Internet address, free storage space, current volume level and even battery power. These are very unique data that advertisers can use to identify specific iPhones, which may let them know what other applications users use, or how to target specific people.
In other words, it avoids requests from users who want to be alone. Users can’t even stop it, and privacy is getting worse.
Apple’s latest “anti app tracking” feature app tracking transparency (ATT) stipulates that apps are not allowed to track people who clearly say they don’t want to be tracked. So why did this happen? Privacy advocates believe that this data collection is likely to be tracking, using a different name: fingerprint identification.
The survey shows that the tracking protection of iPhone is far less comprehensive than implied by Apple’s advertising. At least three very popular iPhone games share a lot of identification information with advertising companies, even after users ask not to be tracked.
“Apple believes that tracking should be transparent to users and under their control. If we find that developers do not respect users’ choices, we will work with them to solve this problem, otherwise they will be removed from the app store,” said Fred Sainz, an apple spokesman
When providing apple with the above findings, apple said it was contacting relevant companies to understand what information they were collecting and how they shared it. But after a few weeks, things didn’t seem to change.
Recent Apple ads, such as this billboard in Berlin, boast that the iPhone prevents unwanted tracking
User refused to track personal information is still sent
Apple’s so-called response tracking initiative has prompted large application developers such as Facebook and Zynga to complain that this may endanger their profits, but this does not mean that they can prevent all tracking.
In order to find out what happens when users click “ask applications not to track”, lockdown said that it tested ten popular applications on the iPhone running IOS 14.8, tested them again on the latest IOS 15, and analyzed what personal information they sent.
As part of the improvements brought by IOS 14.5, these applications can no longer access some valuable data, including the unique IDFA (identifier for advertisers, that is, the advertising identifier used to track users) owned by each iPhone. But in addition to this number, there are other information that can identify the user’s mobile phone.
Lockdown found that most applications continue to communicate behind the scenes with third-party data companies called “trackers” by privacy advocates. Most of them we haven’t even heard of, but they can receive a lot of information from the iPhone, potentially revealing how users use applications and location data. Their use of data may be benign, such as helping applications find vulnerabilities and track their design effects. They may also provide user information to advertisers and data brokers.
In the applications surveyed by lockdown, clicking the don’t track button had no impact on the total number of third-party trackers contacted by the applications, while the number of attempts by these applications to send data to these companies decreased by only 13%.
Johnny Lin, co-founder of lockdown and former apple icloud engineer, said: “in terms of blocking third-party trackers, Apple’s response tracking function is more like a mute. Worse, allowing users to choose to click the ‘ask apps not to track’ button may even give users a false sense of privacy and security.”
Lockdown co-founder Johnny Lin investigated what happens when he clicks “ask apps not to track” on 10 popular apps

More worrying to consumers, lockdown said that the three apps it investigated, subway parkour, streamer life! And run rich 3D, seem to be collecting data, which can be used for more intrusive tracking called “digital fingerprint identification”.
Fingerprint identification is performed when the application obtains seemingly harmless technical information from the user’s iPhone, such as volume, battery power and IP address. Combining these details, we can outline the basic outline of the user’s mobile phone, just like everyone’s fingerprint.
On the same test phone, all three games tested by lockdown sent almost identical device specific data point arrays to the advertising network chartboost. This advertising network is the intermediary between game publishers and advertisers. The three games also sent to an advertising company called vungle to test the “super special” features of the iPhone. This may allow application developers and advertisers to connect these data points and track them without user consent.
Neither lockdown nor other privacy experts consulted are sure what happened to the data sent by these applications, or whether the data is used to track people’s advertisements. Only the application developer can explain how this data is used.
Few application developers give a clear answer. Sybo, the developer of subway parkour, wrote in an email: “in order to make the game run normally, some data will be transmitted to advertising network companies. As a company, we will not track users for advertising purposes without users’ consent.” however, The company did not specify why it needed to send so much personal information to advertising companies to function properly.
The developers of run rich 3D did not respond to requests for comment. The developer of anchor life said it met Apple’s privacy rules. Chartboost, an advertising company owned by Zynga, declined to answer questions, but the company said: “we are committed to protecting the privacy of end users and providing our publishers with the best possible experience to support their sources of advertising revenue.”
Vungle, an advertising company, said the data points it received could not be used to “identify users or other applications they might use”. The company also said that they “can ensure that we display ads compatible with the right device and the right language in the right country and applications.” but it did not explain how data such as battery power helped it do so. Apple said that fingerprinting the iPhone has long been a violation of its regulations.
The customer tried the iPhone 12 pro at the apple store in San Francisco
The definition of “tracking” is vague, which is more difficult to prohibit
When there is little agreement on the meaning of “tracking”, it is difficult to prohibit such tracking.
Many iPhone users may think that this means that an app gets your data in some way, possibly including your location. Privacy advocates argue that tracking can occur as long as applications or websites share your personal information with third parties without your express consent. This is another company that may leak or abuse your data.
Apple’s definition of tracking is narrower: connect the information about you collected on a company’s application or website with the information collected by different companies. Tracking is only used for advertising orientation, advertising measurement or selling to data brokers. It excludes the sharing of data for other purposes, such as analysis and combating fraud.
Many people in the application industry are promoting their own definition of tracking and see how much they can change the definition provided by apple. This is because Apple’s tracking protection is bad news for applications that rely on advertising. Advertisers are reluctant to pay if there is no evidence that advertisers’ advertisements encourage people to download another application or buy it.
Before Apple changed its privacy settings, it was relatively easy to match customers with the ads they clicked on. However, IOS 14.5 brought a huge problem: IDFA, the technology that the industry used to rely on tracking, suddenly disappeared. Many people in the advertising industry use different terms, such as “probability matching”, which is a way to locate advertisements using personal information collected from the iPhone without determining the user’s identity.
This practice has led to the differentiation of the application industry. Alex Austin, CEO of app data company branch, said: “we are constantly under pressure from customers who want to match the probability of users who choose to quit. We believe that Apple will eventually take action on this matter to crack down on companies trying to avoid risks.”
Some data companies hardly hide what they are doing. Lockdown found that the settings established by appsflyer and kochava data companies can make their customers ignore people’s tracking preferences.
Screenshot of appsflyer disclaimer taken by Lockdown
Kochava, a developer of advertising performance software, launched a product called “appletracker 4.6.1”. Lockdown found that kochava allows its customers to simply switch to override the user’s tracking request. Kochava said that this function is designed to allow companies to track customers through their own applications and websites, which does not violate Apple’s narrow anti tracking definition. But there is little to stop developers from using kochava to track applications developed by different companies, which is an absolute violation of Apple’s rules.

Lockdown discovery data company appsflyer uses a similar approach. Johnny Lin, co-founder of lockdown and former apple icloud engineer, said that this is a privacy cheating mode. All you have to do is “click a button”.
Who is responsible for the use of this technology? Both companies have warnings on their websites telling application developers not to abuse their ability to deal with people who choose not to be tracked. But technically, they did not stop this behavior.
“These guidelines were written by apple and we want apple to implement them. Kochava’s default behavior is in line with Apple’s policy,” kochava said. “App developers have complete control of the situation,” appsflyer said
Kayan drans, senior director of global product marketing for Apple’s iPhone, stressed that privacy is the key selling point at the iPhone 13 virtual conference
Will Apple launch a new solution?
Protecting privacy has triggered an arms race. Many advocates say apple has played an important role in cracking down on tracking. Bennett Cyphers, a technical expert at the digital rights advocacy group EFF, said: “Apple has changed from ‘tracking is allowed by default’ to ‘tracking is allowed only when users choose to accept’, which is a very affordable thing.”
But if you’re a privacy conscious iPhone user, the rise of fingerprint recognition is bad news. Ashkan Soltani, former chief technical expert of the Federal Trade Commission (FTC), said: “In the past, consumers had some control over their data. For example, they could at least reset IDFA and know that they might decouple their previous activities from any new actions they were doing. Through fingerprint identification, you don’t know whether a company is really chasing your activities. If this happens, they don’t have a simple way to stop it.”
The open question is what Apple will do about it. Many app developers and data companies hide behind apple, saying that if they do something wrong, Apple will stop them in the review before allowing them to enter the app store. In April this year, apple seemed to set an example in the application with a data company called adjust, prompting the latter to stop collecting money But industry executives say Apple’s law enforcement has failed since then, and data companies are watching to what extent they can promote it.
Eric seufert, founder of Heracles, a consulting firm, said: “Apple has not taken any measures to stop this trend, so every company has begun to do so.” Apple said that it is the responsibility of the application itself to comply with its rules, but for policy considerations related to reaction tracking and fingerprint identification, Apple has rejected tens of thousands of applications.
Without a thorough audit, it is difficult for even apple to know exactly what happens when the data leaves the application and flows to a third party. Some application and data companies also take technical measures to hide the code, making the investigation more difficult. Applications do have to state in their privacy policy that they send data to a third party, but usually do not specify the sending Apple earlier this year began requiring apps to publish privacy “nutrition labels” on its app store, but this does not include the name of the company receiving the data.
The new app privacy reporting function in IOS 15 allows people to see which domain names their apps contact, but users can’t choose to exit the connection alone. If you want to block trackers, software such as lockdown, jumbo privacy or privacy pro of disconnect will try to cut off contact with tracking companies.
Apple may also come up with new technical solutions to make it more difficult for applications to fingerprint on their devices. As part of icloud + subscription, Apple’s new private relay service may pave the way for this. It hides the IP address of network trackers in Safari browser, which is usually the key to application fingerprint identification.
Unless apple takes action, iPhone users’ privacy is in the hands of application developers and data companies. Considering their history, it is even more disturbing to entrust our personal information to them! (reviewed by Tencent technology / Jinlu)