• United States



Contributing writer

With iOS 6, Apple tracking is back

Oct 16, 20126 mins
AppleIFAMobile Security

New IFA tracking in iPhone 5 and other devices running iOS 6 doesn't identify you personally, but privacy advocates say it still has risk

While you are getting to know your new iPhone5, iPad or iPod Touch, it will be getting to know you too — very well.

Apple’s iOS6 will track pretty much every detail of your online activities — what websites you visit, where you go to eat, what apps you download, where you shop and what you look to buy, what movies or TV shows you stream, what kind of social and professional networking you do, where you’re going when you ask for directions, and more.

That is not a bad thing, according to those in the marketing world. All that information that Apple’s updated mobile operating system is collecting is just being used to give you the kind of information you might want anyway. Wouldn’t you rather get ads for things you’ve already expressed an interest in, that fit your lifestyle?

Besides, tracking is not new. And the new tracking technology Apple is using, called IFA or IDFA (Identifier for Advertisers) doesn’t identify you personally. It just provides data that advertisers can use to send relevant ads to the right devices.

There is general agreement that IFA is an improvement over the previous system of Unique Device Identifiers (UDID). They were, “the unique, permanent, non-deletable serial number that previously identified every Apple device,” Jim Edwards wrote last week at Business Insider.

Since UDIDs were attached to the hardware, and couldn’t be changed or reset, a breach could be a big problem. That is what came to light last month when BlueToad, a Florida-based technology provider for digital publishers, acknowledged it had been the victim of a hack that left more than a million Apple UDIDs exposed.

“The UDID was quickly abused by app developers as well as others to tie a person to a device for tracking and also to scavenge personal information (like contacts). It was a mess for iPhone owners and Apple alike,” wrote Sean Kalinich at Decrypted Tech.

Apple’s response was to ban app developers from using UDID last March. So, for a few months, the tracking of iPhone users was all but disabled — until the rollout of iOS6 last month. And the chances for abuse appear to be lower.

“Unlike UDIDs, IFA is located in a device’s settings rather than in the hardware,” Business Insider‘s Laura Stampler wrote this week. “An IFA is a random, non-permanent, and anonymous number (meaning users aren’t personally identified) that can be reset or even turned off — although its default is to be on. It’s kind of like a cookie.”

[See also: Anonymous had bad month, but no less ‘reliable’]

However, privacy advocates say IFA is still not without risk because the information being collected could be misused and abused. After all, it is not entirely clear yet what information is being collected and distributed. “We still don’t know a lot about what advertisers can see and do with the new Identifier for Advertisers,” Stampler wrote.

Kalinich wrote that while the IFA is less intrusive than UDID in one way — because it is less likely to be tied to a person — it is more intrusive in another because it “tracks your habits further than was possible with the UDID.”

“IFA can track you all the way through to purchase or app download, giving advertisers more ammunition to fine tune their ads and targeting algorithms,” he wrote. “This last item is where the most likely exploit would be, if you can track a purchase with IFA then there is a chance you can tie that purchase to a person although what information you can gather after that is questionable.”

Advertisers note that the customer has control of tracking – that it is possible to limit IFA. Those on the privacy side agree, but note that the default setting for IFA allows tracking, and that it is a bit tricky to disable it. They also note that Apple does not promote IFA on its launch page about “What’s New” with iOS 6.

While a user might expert to find IFA controls in the “Privacy” settings, it is instead under “General,” then “About,” and then “Advertising,” where it is titled “Limit Ad Tracking,” and must be turned “On” instead of “Off,” which might confuse some users.

Mobile Theory CEO Scott Swanson told Edwards: “The biggest thing we’re excited about is that it’s on by default, so we expect most people will leave it on.”

Rebecca Herold, CEO of The Privacy Professor, said Apple should be more transparent and aggressive about letting users know what their options are. “A key privacy concept is notice to the individual of the types of information that are collected, why that information is necessary, and the purposes for which it is used.”

Herold said “opt-in” is the requirement in most other countries, as opposed to the “opt-out” provided in iOS6.

And even if users do turn off tracking, Kalinich and others find it hard to believe it will be entirely off. “Our guess based on what we have seen is that [IFA] are not completely off. It is possible that your search and browsing habits are still tracked, but that that IFA no longer tracks the purchase or download like it did before,” he wrote. “We are sure that there are people out there working on ways to exploit IFA and get more than it was intended to offer … after all the mobile market is now a major space for advertising.”

Those who advocate for the collection of information note that it is one of the reasons so many apps are “free.” The slogan is, “If you’re not paying for the product, you are the product,” Kalinich said.

But Rebecca Herold does not find that argument persuasive. “Just because people choose to share their personal information online does not mean that anyone else should be able to usurp their ability to make a choice,” she said. “Choice by the individual to share online is completely different than choice by others to post an individual’s personal data online.

“If app developers are collecting personal information from the app users, and they are not charging them to use the apps, at the very least they should describe to the app users what data they are collecting, why, how they are using it, and with whom they are sharing it,” she said.

“In the long run, nothing is ever ‘free’ if you are paying with your personal data,” Herodl said.