Apple’s long-awaited privacy update for iOS is out, and it’s a solid step in the right direction. With the launch of iOS 14.5, hundreds of millions of iPhone users will now interact with Apple’s new AppTrackingTransparency feature. Allowing users to choose what third-party tracking they will or will not tolerate, and forcing apps to request those permissions, gives users more knowledge of what apps are doing, helps protect users from abuse, and allows them to make the best decisions for themselves.
In short, AppTrackingTransparency (or ATT) means that apps are now required to ask you permission if they want to track you and your activity across other apps. The kind of consent interface that ATT offers is not new, and it’s similar for other permissions that mobile users will be accustomed to (e.g., when an app requests access to your microphone, camera, or location). It’s normal for apps to be required to request the user’s permission for access to specific device functions or data, and third-party tracking should be no different. You can mark your ATT preferences app by app, or set it overall for all apps.
Much of ATT revolves around your iPhone’s IDFA, or “ID for advertisers.” This 16-byte string of numbers and letters is like a license plate for your iPhone. (Google has the same kind of identifier for Android, called the Android Ad ID; these identifiers are referred to collectively as “ad IDs”). Previously, you could opt out of IDFA’s always-on surveillance deep in the settings of your iPhone; now, ATT means that IDFA settings are more visible, opt-in, and per app.
The main feature of ATT is the technical control on IDFA, but the framework will regulate other kinds of tracking, too: if an app does not have your permission to “track” you, it is also not allowed to use identifiers like your phone number, for example, to do so. Presumably, this policy-level feature will depend on Apple’s app store review process to be effective.
Ad IDs are often compared to cookies, their tracker-enabling partner on the Web. But there’s a key difference: cookies were designed for, and continue to support, a wide range of user-friendly features. Cookies are the reason you don’t have to log in every time you visit a website, and why your shopping cart doesn’t empty if you leave a website in the middle of a visit.
Ad IDs, on the other hand, were designed for one purpose and one purpose only: to let third parties track you. Ad IDs were created so that advertisers could access global, persistent identifiers for users without using the IMEI number or MAC address baked into phone hardware, with absolutely no pretense of user-friendliness or “shopping cart” use-case. Simply put: this feature on your phone has never worked in your favor. That’s why we applaud Apple’s efforts to give users more visible and granular choices to turn it off, and in particular ATT’s new requirement that app developers must ask for explicit permission to engage in this kind of tracking.
ATT is only a first step, and it has its weaknesses. It doesn’t do anything about “first-party” tracking, or an app tracking your behavior on that app itself. ATT might also be prone to “notification fatigue” if users become so accustomed to seeing it that they just click through it without considering the choice.
And, just like any other tracker-blocking initiative, ATT may set off a new round in the cat-and-mouse game between trackers and those who wish to limit them: if advertisers and data brokers see the writing on the wall that IDFA and other individual identifiers are no longer useful for tracking iPhone users, they may go back to the drawing board and find sneakier, harder-to-block tracking methods. ATT is unlikely to wipe out nonconsensual tracking in one fell swoop. But moving from a world in which tracking-by-default was sanctioned and enabled by Apple, to one where trackers must actively defy the tech giant, is a big step forward.
Apple is already pushing against the tide by proposing even this modest reform. Its decision to give users a choice to not be tracked has triggered a wave of melodramatic indignation from the tracking industry. In unraveling a tracking knot of its own creation, Apple has picked a fight with some of the most powerful companies and governments in the world.
Looking ahead, the mobile operating system market is essentially a duopoly, and Google controls the larger part of the -opoly. While Apple pushes through new privacy measures like ATT, Google has left its own Ad ID alone. Of the two, Apple is undoubtedly doing more to rein in the privacy abuses of advertising technology. Nearly every criticism that can be made about the state of privacy on iOS goes double for Android. Your move, Google.
This essay first appeared at the Electronic Frontier Foundation and is reprinted under a Creative Commons license.