Apple came under considerable flak yesterday after announcing that it was delaying protections against one of the ad industry’s ways to track us. 9to5Mac readers and Twitter users were not impressed.

But ultimately Apple’s latest privacy step won’t make much difference: there’s already a new way for advertisers to track us, device fingerprinting, and there’s little Apple can do about it. Read on to find out how to test whether your devices can be uniquely identified …

Why advertisers, websites and apps want to track us

There are two reasons advertisers, websites, and apps want to track us.

First, they want to show us personalized ads. Ads which relate to our own interests and activities are more likely to be effective. If you visit a lot of tech websites, for example, then advertisers have a higher chance of catching your interest if they show you ads for gadgets rather than random stuff.

So if you visit ten tech websites, and they each drop a cookie on your device to say that you’ve visited that site, ad networks can check for the presence of those cookies, see that you like tech, and then serve gadget ads. The same thing can be done in apps – using the apps you use to determine your interests.

Things can get much more specific than that. If you visit a website about Apple Watch straps, then the cookie can be used to ensure that, later, on an unrelated site, you are shown an ad for those straps.

Second, advertisers want to know which ads are effective. Relatively few people click on ads, so that’s not a good way to measure effectiveness. Instead, if you have been shown an ad for, say, an iPhone case, the advertiser may drop a cookie on your device. If you later visit the website for that case, the site can check for the presence of that cookie and conclude that the ad was effective in bringing you there.

The cookie will also identify which website you were on or which app you were using when you saw the ad. The case maker will then be able to conclude that it’s worth spending money on that ad on that site or in that app.

Note that the advertiser has no idea who you are. It doesn’t know your name, address or any personally identifiable data. It can simply know that person X has a lot of tech cookies on their device, person Y visited an Apple Watch strap website and person Z has seen an ad for a particular iPhone case.

Apple’s three-stage approach to limiting tracking

Apple initially recognized that advertisers wanted to perform tracking (including things like Apple Search Ads), but wanted to ensure user privacy was protected. The first step it took was to come up with something known as IDFA: IDentifier For Advertisers. This is a unique identifier for each device, randomly assigned by Apple. Advertisers are allowed to use this for tracking, because Apple knows that there is no way to use it to identify a named individual.

Stage 2 was to let users go into Settings > Privacy > Tracking and set a toggle allowing or denying permission for tracking. That was no threat to advertisers, because only someone who strongly objected to tracking was ever going to bother.

Stage 3 is the change which upset Facebook, and which Apple has now agreed to delay. With this change, iOS 14 will force apps to show a popup that asks your permission to be tracked. If you say no, the app doesn’t get to use your IDFA.

Advertisers were already concerned about that, because many people think ‘tracking’ means that they can be personally identified. A typical non-tech person is also going to imagine that ‘tracking’ means something much scarier than it really does, so most people will say no.

The ad industry’s next step: device fingerprinting

Advertisers started with cookies; Apple and others let us block them.

Apple then offered advertisers IDFA, but the delayed change in iOS 14 means that most users will deny access to that.

But as much as Facebook may be making a fuss about this, the ad industry already has another way to identify devices: device fingerprinting.

Whenever you visit a website, your browser hands over a bunch of data intended to ensure that the site displays correctly on your device. A website needs to display itself very differently on an iMac and an iPhone, for example.

As time has gone on, and websites have become more sophisticated, the amount of data your browser hands over has grown. Here are some examples of the data which your browser sends to a website:

  • Browser name and version (eg. Safari 13.1.1/605.1.15)
  • Device operating system and version (eg. macOS 10.15.5)
  • Timezone
  • Fonts installed
  • Device vendor (eg. Apple)
  • Browser plugins installed
  • Screen resolution
  • Screen color depth
  • Audio formats supported
  • Video formats supported
  • Media devices attached (for input and output, eg. webcams)
  • Keyboard layout
  • Preferred content language
  • How your device renders a particular image on the webpage

Note that this isn’t a comprehensive list; these are just examples. When a website analyses all of the data available to it, things get very specific, very fast.

The aim of device fingerprinting is to try to identify each unique device, assigning to it a device fingerprint. This can then be used to track you in exactly the same way as IDFA.
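To make the "very specific, very fast" point concrete, the following added example (not part of the original article) counts how many devices in a small population still match as each attribute is combined, and expresses that as bits of identifying information. The population, its attribute values and the function names are constructed for illustration, not measurements.

```javascript
const ATTRS = ["os", "timezone", "screen", "fonts"];
// Constructed population (illustrative values, not measurements).
const ROWS = [
  ["macOS 10.15.5", "Europe/London", "5120x1440", "custom-A"], // device under test
  ["macOS 10.15.5", "Europe/London", "5120x1440", "default"],
  ["macOS 10.15.5", "Europe/London", "2560x1440", "default"],
  ["macOS 10.15.5", "Europe/London", "1440x900", "default"],
  ["macOS 10.15.5", "America/New_York", "2560x1440", "default"],
  ["macOS 10.15.5", "America/New_York", "1440x900", "default"],
  ["macOS 10.15.5", "America/New_York", "1440x900", "custom-B"],
  ["macOS 10.15.5", "America/New_York", "1680x1050", "default"],
  ["Windows 10", "Europe/London", "1920x1080", "default"],
  ["Windows 10", "Europe/London", "1920x1080", "default"],
  ["Windows 10", "America/New_York", "1920x1080", "default"],
  ["Windows 10", "America/New_York", "1366x768", "default"],
  ["iOS 13.5", "Europe/London", "375x812", "default"],
  ["iOS 13.5", "Europe/London", "375x812", "default"],
  ["iOS 13.5", "America/New_York", "375x812", "default"],
  ["iOS 13.5", "America/New_York", "414x896", "default"],
];
const population = ROWS.map(r => Object.fromEntries(ATTRS.map((a, i) => [a, r[i]])));

// Number of records sharing the device's value on every attribute in `attrs`.
function anonymitySet(pop, device, attrs) {
  return pop.filter(p => attrs.every(a => p[a] === device[a])).length;
}

// Identifying information in bits: -log2(share of the population still matching).
function surprisalBits(pop, device, attrs) {
  return -Math.log2(anonymitySet(pop, device, attrs) / pop.length);
}

// Add one attribute at a time and record how fast the matching set shrinks.
function narrowing(pop, device, attrs) {
  return attrs.map((a, i) => {
    const used = attrs.slice(0, i + 1);
    return { added: a, matches: anonymitySet(pop, device, used), bits: surprisalBits(pop, device, used) };
  });
}

// Report the shrinking anonymity set for the first (wide-monitor) record.
const device = population[0];
for (const step of narrowing(population, device, ATTRS)) {
  console.log(`${step.added.padEnd(9)} matches=${step.matches} bits=${step.bits.toFixed(1)}`);
}
```

The two identical iOS/London records remain indistinguishable on these four attributes, which illustrates why uniform values, rather than unusual ones, are what limit a fingerprint.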

Want to see if your device can be uniquely identified? Go to this website or this one and run the test. If you’re worried about doing this, bear in mind that any website can do the same thing – the only difference with these sites is they are showing you your data. But if it makes you feel more comfortable, makes its source code available, and Panopticlick is run by the EFF.

I tested both my Mac and my iPhone.

That my Mac was uniquely identified didn’t surprise me. I have a 49-inch monitor, and there can’t be too many people with a screen resolution of 5120×1440. Add that together with some of the non-standard fonts I have installed and that may already be unique. If not, a few more pieces of data would do it.

But my iPhone 11 Pro was also unique among the more than 2.5 million devices they have tested. This stuff works.

Apple’s delayed change will largely render IDFA useless for advertisers, as so many people will deny permission. But the ad industry will simply switch to device fingerprinting and carry on as usual.

Apple could fight this too, by allowing you to spoof some of the info just as you can for MAC addresses when connecting to a public WiFi hotspot. But a lot of the info can’t be spoofed, else it will stop web pages rendering properly.

The bottom line is that Apple’s delayed implementation of its IDFA popups is only really going to have one effect: it will give advertisers more time to switch to device fingerprinting. The tracking battle isn’t ending anytime soon.

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
