It’s been almost a year since Apple launched the App Tracking Transparency feature with iOS 14.5, where apps should now ask users if they want to be tracked.
However, according to a recent paper by Oxford University researchers, some app developers are implementing a workaround that allows them to identify and continue tracking users even if they don’t want to. The research analyzed 1,759 iOS apps from the UK App Store before and after ATT was released for iOS users.
Apple’s ATT prevents the collection of the Identifier for Advertisers (IDFA), an identifier used to facilitate cross-app user tracking. However, per the study, many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting).
“We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple’s policies,” researchers says.
The study found 9 apps that were able to generate a mutual user identifier that can be used for cross-app tracking, through the use of server-side code. These nine apps used an “AAID” (potentially leaning on the term Android Advertising Identifier) implemented and generated by Umeng, a subsidiary of the Chinese tech company Alibaba.
The study also found that some app developers track users across apps by gathering data about users’ identities such as their email addresses or Facebook log-ins.
“Our findings suggest that tracking companies, especially larger ones with access to large troves of first party, still track users behind the scenes. They can do this through a range of methods, including using IP addresses to link installation-specific IDs across apps and through the sign-in functionality provided by individual apps (e.g. Google or Facebook sign-in, or email address).”
“Apple’s privacy changes have led to positive improvements for user privacy,” the paper concludes. “However, we also found various aspects that might go against users’ legitimate privacy expectations, e.g. that the new opt-in tracking prompts would stop all tracking … or that Apple would be subject to the same restrictions to data access and privacy rules as other companies.”