Apple Turns on iPhone Tracking in iOS6 (schneier.com)
62 points by yenoham on Oct 15, 2012 | 55 comments



As somebody who actually has first hand knowledge of this issue (I wrote and designed the tracking for a major iOS ad network), I can say that this is an incredibly misleading article.

Here's what's actually going on:

- Apple has deprecated the UDID. We're still allowed to use it for a while, but in the long term it's going away.

- Apple has created a new identifier (the IFA), specifically for the use case of advertising. This identifier uniquely identifies a device across apps, but beyond that provides no information about the device or its user.

- This ID comes with strings. There's an option in Preferences to "Limit Ad Tracking." The terms and conditions specify that when this option is enabled, we still get access to the ID, but we are only allowed to use it for some specific purposes like conversion tracking (eg. making cost-per-action campaigns possible), and fraud detection (eg. preventing fake clicks). We are not allowed to use it to create profiles, or to improve our ad targeting algorithm. We are absolutely not allowed to divulge the information to third parties.

Without this, advertising wouldn't be possible. Some may think that that'd be for the best (myself included), but that's an entirely different argument, and you'd have to realize that the market would be very different (No free/freemium apps, and everything would be more expensive). You can't have your cake and eat it too.

I expected better from Schneier.


Thanks for giving us the information on "what's actually going on". But that makes it seem worse, even when you apparently can't see it from working in the field.

Apple continues to give apps access to the UDID; the recent leaks were apparently not as stark a reminder as some people thought.

The "Limit Ad Tracking" option seems wholly useless; another "X-Do-Not-Track". In this case, the user even expresses the wish to not be tracked, and Apple just continues to provide the data while telling the apps you checked a meaningless box. Apple is in no position to control what app developers do with the data after the fact; the only possible way here is to not disclose that data at all.

(Also, Google does just fine without a globally unique "advertising number". It can do so because people get actual value for the advertisements, and the advertisements are targeted. Apple is just providing this trove of data on the cheap to every hinterland app developer. That's a huge mistake.)


If Apple didn't provide an ID then developers would code their own device identifiers. This here is cross-platform for iOS and Android:

https://github.com/ylechelle/OpenUDID/blob/master/README.md

Or just read the MAC address: http://stackoverflow.com/questions/677530/how-can-i-programm...

> Google does just fine without a globally unique "advertising number". It can do so because people get actual value for the advertisements, and the advertisements are targeted.

I don't understand, can you elaborate? How can advertisements be targeted without tracking?


> I don't understand, can you elaborate? How can advertisements be targeted without tracking?

Keywords is how Google does it. Try using Google in Incognito mode (or whatever your browser of choice calls it) and note the relevant ads. Obviously this does not work as well in all apps, but to say you can't do targeted advertising without tracking is not true.


At least on Android, this becomes a little more transparent, and why so many Android apps request permission to access network and/or phone state, to get access to unique IDs.


Google recommends developers use the "Android_ID". I bet Admob, Google's app ad network, also requests this:

http://android-developers.blogspot.de/2011/03/identifying-ap...


Depends what your cake is. The internet was not always ad-supported. We know for fact it was valuable before commercial activity was permitted. Suggesting that any improvements since that time are attributable to web advertising is perhaps an easy argument to make, but a very difficult one to support with evidence. Showing correlation is easy. Any fool can do it. Causation OTOH requires work: a well designed experiment, using acceptable methods with controls, and data subjected to rigorous statistical analysis.

Web and mobile advertising does not need to become "impossible" in order for you to stop suggesting it's unavoidable.

Any fool can also make predictions of the future. Given Y, X will not exist. But given Z, X will exist. If we could be so certain about cause and effect and how to shape the future, mobile advertising would be quite easy, wouldn't it?

However we can all see that is not the case. Uncertainty favors those selling advertising services, not advertisers.

Allowing commercial activity does not necessarily mean the internet has to be an ad channel. I'd still buy things from Amazon even if I never saw a single web ad for the company. There are many other ad channels besides the web. They still work.


> We are not allowed to use it to create profiles, or to improve our ad targeting algorithm. We are absolutely not allowed to divulge the information to third parties.

Sorry I'm pretty ignorant on how this kind of thing works, but when you say 'not allowed', what's actually stopping you? I mean, how is Apple or anyone else going to know if you do or do not use these IDs?


> I expected better from Schneier.

What did you really expect? Him to buy into your weak hand-waving rationalization for this information exposure? Computer security is about what is possible for malicious actors, contractual "strings attached" and what you're "allowed to use it for" are next to irrelevant. If we could safely assume everyone is acting with the other's best interests in mind and respecting their privacy, computer security wouldn't even be a thing.

I get it that you were on the inside of one of these companies. It's really easy to have your perspective shifted when you live something for so long. It lets you draw conclusions based on your anecdotal experiences there. That's fine and all, but don't attack the guy for pointing out the real issues you've chosen to marginalize.


Without this, advertising wouldn't be possible?

Maybe it would be less successful, maybe less prevalent, maybe less useful, but I'm pretty sure advertising would still be possible in a world with no device-specific IDs made accessible to the advertisers.


Really what should be happening is that Google Play and iTunes should support affiliate tags on URLs/intents that are passed through to the app on install.


Maybe I should have been clearer. I don't mean that it wouldn't be possible, just not a successful business model like it is now.


That, too, is clearly false. Perhaps not as successful, but advertising built plenty of powerful businesses long before this kind of technology became available.


Privacy-wise this strategy is bogus. It requires API users to do the right thing (TM), but has no real way to enforce it.


> the market would be very different (No free/freemium apps

Most freemium apps seem to rely on in-app purchases, not ads. (Leaving aside the ones that combine the two by having you pay for not having ads, but many apps manage to come up with something more creative than that.)

And quite a few free apps exist that don't have ads.


In-app purchases are most commonly a supplemental revenue stream. Most of the largest free apps are backed by ad revenues.


From the bottom of the article:

> EDITED TO ADD (10/15): Apple has provided a way to opt out of the targeted ads and also to disable the location information being sent.

Ok, why is that "edited to add"? Seriously. The page he links to on apple.com says it was last modified more than a month prior. Why did Schneier post his article, get some hits, and only then add this little tidbit which basically turns the whole thing into a non-story? Couldn't he have researched it all up front before posting the story? The page on apple.com is the very first hit for "iAd opt out" on Google. It's just beyond lazy to have posted this story without having done that search first.

I realize Schneier is a bit of a sacred cow in most tech circles, but this seriously just smacks of sensationalism:

"OMG Company X does something horrible!"

* wait for pageviews to roll in *

"EDIT: Eh, not really. Shoulda Googled first."

Come on. Really.


Schneier does this often enough that I kind of expect it. He's not a journalist- that's not an excuse for him to lack research before writing, but it does mean I take a different quantity/flavor of salt with his writings.

When it comes to general advice, he's spot on. When it comes to commenting on actual implementations, he does miss details. Hell, it's not like he's Chuck Norris.


The story is "you are being tracked". That there is a way to opt out is great but it's still important, as in best to have a sensational headline so people read it and are informed.


Just to be clear, Apple used to allow the use of the UDID for tracking, which was directly tied to your device and non-deletable.

They now use an anonymous, temporary, random ID that can be turned off.

How is this not an improvement?


I can't seem to find Apple's official wording on it within a few minutes, and I don't trust the shit writing of tech blogs online, but some have written that with the new IFA ad networks "can now see if you actually purchased anything, or downloaded an app."

Somehow, all mentions of this on tech blogs that I could find are completely devoid of links to Apple's official documentation on this.


Wasn't there a period of time where UDID tracking was banned and the IFA had not yet been introduced? Some people were probably hoping that situation was permanent.


The UDID was deprecated, but not actually banned, I believe. So, part of the transition process to using the IFA.


From high horse: Well one more reason Android is better than iOS.

Coming down from high horse: Oh crap, my phone's software is programmed by an advertising company...

Conclusion: My life is being bought and sold out of my control.


While you are on your high horse: go to Settings | Location access and note the description below Wi-Fi & mobile network location item. Also note the checkbox on the right.

I remember that the system asked about it first time it needed location (and every time you turn this option on). The downside is that Google Now does not work without it.


From under my tin foil hat: I know it probably isn't perfect, but I'm running Cyanogenmod, without Google's location services, browsing with Opera labs because it supports the Ghostery extension that blocks trackers while browsing and is easy to change the search provider to DuckDuckGo (though the default is always Google for some reason), only using Google maps as a fallback after OsmAnd offline maps and MapQuest for online apps.

I do miss Google maps, and have used it every now and again, and the GPS in my old Samsung Galaxy S may as well be nonexistent, so not using location services sucks. Opera renders some popular websites poorly (quite possibly not their fault) but it is good at other things. I also still rely on Google Play (fdroid doesn't have enough stuff, and I don't mind paying for some stuff) but alternatives like Amazon are probably just as bad. Overall it's not so bad.

One day I'll try to use my phone without any of my Google accounts and see how I go.


4 weeks ago:

> "Apple adds new "Limit Ad Tracking" feature to iOS 6"

http://news.ycombinator.com/item?id=4545602

3 weeks ago:

> "Google implements Apple's Ad Identifier for mobile tracking choice"

http://news.ycombinator.com/item?id=4581781

Both hacker news submissions have zero comments. Why is it that a month ago no one cared, but now everyone is grabbing his tin-foil hat?

Also I am pretty sure at least some of the more extensive iOS 6 reviews have mentioned the new "limit Ad tracking" feature. And aren't we presumed to be developers who use this stuff? I did know that Apple had a replacement for the UDID.

PS: On Schneier's blog one commentator claims that he/she was notified of the Ad tracking by a prompt in the iOS update. Sadly I have no updateable iOS 5 device here to examine that. But I think this was only an info for the new privacy pane, wasn't it?


> Both hacker news submissions have zero comments. Why is it that a month ago no one cared, but now everyone is grabbing his tin-foil hat?

A story not becoming popular on its first (or second) submission is not necessarily indicative of its importance. Relatively few people see new links, and the success or failure of these links in "going viral" is in the hands of relatively few. So no, it's not necessarily that no one would have cared about this a month ago and it's not an indication of hypocrisy on behalf of this community; there are significant random factors that play into the exposure any particular topic or submission will receive.


Addendum:

It is explained (from the developer's point of view) in the WWDC 2012 session "Privacy Support in iOS and OS X".

https://developer.apple.com/videos/wwdc/2012/?id=710

The old UDID is split into three new APIs:

1. Application ID, whose scope is the app and lifetime is till uninstallation of this app.

2. Vendor ID: scope is developer and lifetime is till uninstallation of all developer's apps.

3. Advertising ID (identifierForAdvertising or IFA): scope is the device and a new ID is created by "Erase all contents/settings" and it is not restored across devices (practically lifetime is lifetime of the device). This means when you start to use a new iPad it will have its own Advertising ID and not use that of your old iPhone, because the ID is not tied to your Apple ID account, but tied to a device.

It is noteworthy that after Apple banned the usage of the UDID some developers and ad networks started bypassing Apple's privacy rules and made their own open source ID replacement:

https://github.com/ylechelle/OpenUDID/blob/master/README.md

But I don't know if this will be permitted in the future or you have to use Apple's provided ID system (I would assume the latter).


Thanks for this succinct info.


Well, it's got a different headline and a different (arguably more reputable) source.

But mostly probably luck. My impression is that if a story doesn't get votes from the minority of people who cruise the "new" section in the brief period of time where it's on the first page or two, it's dead.


You can turn it off by visiting http://oo.apple.com on your phone.


That only turns off tracking for iAd, which is one of hundreds of ad networks.


FWIW, The learn more link in Settings-> General -> About -> Advertising says "iOS 6 introduces the Advertising Identifier, a non-permanent, non-personal, device identifier, that apps will use to give you more control over advertisers’ ability to use tracking methods. If you choose to limit ad tracking, apps are not permitted to use the Advertising Identifier to serve you targeted ads. In the future all apps will be required to use the Advertising Identifier. However, until then you may still receive targeted ads."


That seems to be different to interest based iAds. Make sure you visit oo.apple.com too.


Should have been under the "Privacy" setting -- if they really cared.


I think the location information and other stuff applies to everything an app can do, which is in the Privacy tab. I think this option disables the identifier itself.


"For the last few months, iPhone users have enjoyed an unusual environment..."

Am I the only one who finds that humorous? An "unusual" environment? What exactly is "normal" about tracking people's movements in the name of convincing advertisers to pay you?

This briefly enjoyed environment should not be unusual. It is the one we've lived in for hundreds of years. It should be the norm. iAd should be _opt-in_ not opt-out. There are no valid arguments to the contrary that are not motivated out of just a tad bit too much greed, the unhealthy kind.

(Why do I say the greed is excessive and unhealthy? Because Apple has already sold a highly marked up device composed of cheap electronics and booked that revenue. But this is apparently not enough. The casualty of this greed is the consumer's basic notions of privacy. That price is arguably far too high for anyone to pay to any company in return for "helpful suggestions" of products and services they _might_ want, based on seller guesswork. Apple made a fortune selling iPods. They didn't need to track users' listening preferences to do it. There are limits to what is reasonable.)


It's always a quandary--I will most likely be seeing ads, so would I rather that they are targeted to me and possibly even helpful, or do I want to tighten down as much as possible all possible data dumps of me?

I'm still trying to figure out when I want to turn off these sorts of things, versus when I'd rather keep them on.


Actually, even if I end up with ads when I wasn't at least sort-of looking for them (say, opening Yellow Books, doing a search), then I'd rather if they're not targeted — the less information they have the worse they are at hacking my brain.


For the last few months, iPhone users have enjoyed an unusual environment in which advertisers have been largely unable to track and target them in any meaningful way.

This is completely false. It hasn't changed at all in any meaningful way.


Advertisers do not need to rely on the UDID (which is still widely used) to track you since all that matters is they have a unique key they can associate with the hardware. The MAC address does the same thing and there are a handful of other options that are close enough for what they care about.


Apple actually messed up the IDFA for users that update from iOS 5 to 6 (over wifi). All these users are assigned an IDFA number of 0000000. Users that are on the new iPhone 5 or updated from iOS 5 to 6 via a network connection have a valid IDFA number.


Are you kidding me? Regardless of privacy, this is incredibly useful. I would love having even the slightest amount of relevance with the iAds popping up on my iAds.


From Apple's press release http://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Locat...

    1. Why is Apple tracking the location of my iPhone? 
    Apple is not tracking the location of your iPhone. 
    Apple has never done so and has no plans to ever do so.


Schneier's not talking about location.


update to the linked article... "EDITED TO ADD (10/15): Apple has provided a way to opt out of the targeted ads and also to disable the location information being sent."


Another case of how Apple doesn't care about its customers. They offer the opt-out option but turn the service on by default and don't notify anyone.

Good thing (for Apple) most of their customers have had too much koolaid to care.


As a note this actually represents an improvement for Apple. It used to be that advertisers were able to use the raw UDID to identify users and it was used widely until the whole Path blowup got Congress involved. Advertising is a necessary evil and tracking users is a part of that, while it's opt-out instead of opt-in this at least allows users who have concerns a lot of ability to choose if and how they want to be tracked.


If you'd left out the final sentence I would have upvoted instead of downvoting.


What a ridiculous comment. Take your trolling comments somewhere else. Nearly every company is guilty of reusing collected data and almost always without telling customers.


It's not a ridiculous comment. Do you work at Apple? What's wrong with him expressing his opinion? I feel the same way and believe we can have a discussion about what's right and what's wrong. I agree that most companies just automatically subscribe you in when they create a new feature and they make it the user's responsibility to opt out, but I hate it as much as most of us. At least they (including Apple) should be responsible for informing users if they decide to keep us opted in automatically. Tracking is not a joke, people are very concerned about it.


It is counterfactual to say that Apple does not care about its customers. It does way too much for them to make that statement anything but ridiculous.

That said, it's also possible to recognize cases where their behavior might not be in the customers' best interests. Whether you think this is one of those cases probably depends on how much harm you think tracking does to the average consumer. Personally, I'm completely satisfied with their opt-out approach. People who care can opt out. The vast majority of people who don't* can receive more relevant advertisement. But I can accept that other people have different value functions where this approach would be considered less benign.

*And before someone quotes a survey where people claim to care, my personal view is that actions speak louder than words on this point. If you really care, you'd be taking steps to make yourself aware of what is happening on your phone and responding accordingly.


It's not a ridiculous comment.

> Good thing (for Apple) most of their customers have had too much koolaid to care.

We're going to have to agree to disagree on that. One bit of snarky bullshit ruins the whole comment.


This change was communicated in the iOS 5 beta over a year ago.



