
Apple Turns on iPhone Tracking in iOS6 - yenoham
http://www.schneier.com/blog/archives/2012/10/apple_turns_on.html
======
SeoxyS
As somebody who actually has first hand knowledge of this issue (I wrote and
designed the tracking for a major iOS ad network), I can say that this is an
incredibly misleading article.

Here's what's _actually_ going on:

\- Apple has deprecated the UDID. We're still allowed to use it for a while,
but in the long term it's going away.

\- Apple has created a new identifier (the IFA), specifically for the use case
of advertising. This identifier uniquely identifies a device across apps, but
beyond that provides no information about the device or its user.

\- This ID comes with strings. There's an option in Preferences to "Limit Ad
Tracking." The terms and conditions specify that when this option is enabled,
we still get access to the ID, but we are only allowed to use it for some
specific purposes like conversion tracking (eg. making cost-per-action
campaigns possible), and fraud detection (eg. preventing fake clicks). We are
not allowed to use it to create profiles, or to improve our ad targeting
algorithm. We are absolutely not allowed to divulge the information to third
parties.

Without this, advertising wouldn't be possible. Some may think that that'd be
for the best (myself included), but that's an entirely different argument, and
you'd have to realize that the market would be very different (No
free/freemium apps, and everything would be more expensive). You can't have
your cake and eat it too.

I expected better from Schneier.

~~~
revelation
Thanks for giving us the information on "what's actually going on". But that
makes it seem worse, even when you apparently can't see it from working in the
field.

Apple continues to give apps access to the UDID; the recent leaks were
apparently not as stark a reminder as some people thought.

The "Limit Ad Tracking" option seems wholly useless; another "X-Do-Not-Track".
In this case, the user even expresses the wish to _not be tracked_ , and Apple
just continues to provide the data while telling the apps you checked a
meaningless box. Apple is in no position to control what app developers do
with the data after the fact; the only possible way here is to not disclose
that data at all.

(Also, Google does just fine without a globally unique "advertising number".
It can do so because people get actual value for the advertisements, and the
advertisements are targeted. Apple is just providing this trove of data on the
cheap to every hinterland app developer. Thats a huge mistake.)

~~~
ralfd
If Apple wouldn't provide an ID then developers would code their own device
identifiers. This here is crossplatform for iOS and Android:

<https://github.com/ylechelle/OpenUDID/blob/master/README.md>

Or just read the MAC address: [http://stackoverflow.com/questions/677530/how-
can-i-programm...](http://stackoverflow.com/questions/677530/how-can-i-
programmatically-get-the-mac-address-of-an-iphone)

> Google does just fine without a globally unique "advertising number". It can
> do so because people get actual value for the advertisements, and the
> advertisements are targeted.

I don't understand, can you elaborate? How can advertisements be targeted
without tracking?

~~~
jonknee
> I don't understand, can you elaborate? How can advertisements be targeted
> without tracking?

Keywords is how Google does it. Try using Google in Incognito mode (or
whatever your browser of choice calls it) and note the relevant ads. Obviously
this does not work as well in all apps, but to say you can't do targeted
advertising without tracking is not true.

------
flxmglrb
From the bottom of the article:

> EDITED TO ADD (10/15): Apple has provided a way to opt out of the targeted
> ads and also to disable the location information being sent.

Ok, why is that "edited to add"? Seriously. The page he links to on apple.com
says it was last modified more than a month prior. Why did Schneier post his
article, get some hits, and only then add this little tidbit which basically
turns the whole thing into a non-story? Couldn't he have researched it all up
front before posting the story? The page on apple.com is the _very first hit_
for "iAd opt out" on Google. It's just beyond lazy to have posted this story
without having done that search first.

I realize Schneier is a bit of a sacred cow in most tech circles, but this
seriously just smacks of sensationalism:

"OMG Company X does something horrible!"

* wait for pageviews to roll in *

"EDIT: Eh, not really. Shoulda Googled first."

Come on. Really.

~~~
delinka
Schneier does this often enough that I kind of expect it. He's not a
journalist- that's not an excuse for him to lack research before writing, but
it does mean I take a different quantity/flavor of salt with his writings.

When it comes to general advice, he's spot on. When it comes to commenting on
actual implementations, he does miss details. Hell, it's not like he's Chuck
Norris.

------
betageek
Just to be clear, Apple used to allow the use of the UDID for tacking which
was directly tied to your device and non-deletable.

They now use an anonymous, temporary, random ID that can be turned off.

How is this not an improvement?

~~~
wmf
Wasn't there a period of time where UDID tracking was banned and the IFA had
not yet been introduced? Some people were probably hoping that situation was
permanent.

~~~
untog
The UDID was deprecated, but not actually banned, I believe. So, part of the
transition process to using the IFA.

------
TimGebhardt
From high horse: Well one more reason Android is better than iOS.

Coming down from high horse: Oh crap, my phone's software is programmed by an
advertising company...

Conclusion: My life is being bought and sold out of my control.

~~~
vetinari
While you are on your high horse: go to Settings | Location access and note
the description below Wi-Fi & mobile network location item. Also note the
checkbox on the right.

I remember that the system asked about it first time it needed location (and
every time you turn this option on). The downside is that Google Now does not
work without it.

------
ralfd
4 weeks ago:

> "Apple adds new "Limit Ad Tracking" feature to iOS 6"

<http://news.ycombinator.com/item?id=4545602>

3 weeks ago:

> "Google implements Apple's Ad Identifier for mobile tracking choice"

<http://news.ycombinator.com/item?id=4581781>

Both hacker news submissions have zero comments. Why is it that a month ago no
one cared, but now everyone is grabbing his tin-foil hat?

Also I am pretty sure at least some of the more extensive iOS 6 reviews have
mentioned the new "limit Ad tracking" feature. And aren't we presumed to be
developers who uses this stuff? I did know that Apple had a replacement for
the UDID.

PS: On Schneiers blog one commentator claims that he/she was notified of the
Ad tracking by a prompt in the iOS update. Sadly I have no updateable iOS 5
device here to examine that. But I think this was only an info for the new
privacy pane, wasn't it?

~~~
ralfd
Addendum:

It is explained (from the developers point of view) in the WWDC 2012 session
"Privacy Support in iOS and OS X".

<https://developer.apple.com/videos/wwdc/2012/?id=710>

The old UDID is splitted into three new API:

1\. Application ID, which scope is the app and lifetime is till uninstallation
of this app.

2\. Vendor ID: scope is developer and lifetime is till uninstallation of all
developer's apps.

3\. Advertising ID (identifierForAdvertising or IFA): scope is the device and
a new ID is created by "Erase all contents/settings" and it is not restored
across devices (practically lifetime is lifetime of the device). This means
when you start to use a new iPad it will have its own Advertising ID and not
use that of your old iPhone, because the ID is not tied to your Apple ID
account, but tied to a device.

It is noteworthy that after Apple banned the usage of the UDID some developers
and ad networks started bypassing Apples privacy rules and made their own open
source ID replacement:

<https://github.com/ylechelle/OpenUDID/blob/master/README.md>

But I don't know if this will be permitted in the future or you have to use
Apples provided ID system (I would assume the latter).

~~~
Terretta
Thanks for this succinct info.

------
jeffclark
You can turn it off by visiting <http://oo.apple.com> on your phone.

~~~
dabei
That only turn off tracking for iAd, which is one of hundreds of ad networks.

------
glasshead969
FWIW, The learn more link in Settings-> General -> About -> Advertising says
"iOS 6 introduces the Advertising Identifier, a non-permanent, non-personal,
device identifier, that apps will use to give you more control over
advertisers’ ability to use tracking methods. If you choose to limit ad
tracking, apps are not permitted to use the Advertising Identifier to serve
you targeted ads. In the future all apps will be required to use the
Advertising Identifier. However, until then you may still receive targeted
ads."

~~~
Cbasedlifeform
Should have been under the "Privacy" setting -- if they really cared.

~~~
glasshead969
I think the location information and other stuff applies to everything app can
do, which is in Privacy tab. I think this option is disable the identifier
itself.

------
0wza
"For the last few months, iPhone users have enjoyed an unusual environment..."

Am I the only one who finds that humourous? An "unusual" environment? What
exactly is "normal" about tracking people's movements in the name of
convincing advertisers to pay you?

This briefly enjoyed environment should not be unusual. It is the one we've
lived in for hundreds of years. It should be the norm. iAd should be _opt-in_
not opt-out. There are no valid arguments to the contrary that are not
motivated out of just a tad bit too much greed, the unhealthy kind.

(Why do I say the greed is excessive and unhealthy? Because Apple has already
sold a highly marked up device composed of cheap electronics and booked that
revenue. But this is apparently not enough. The casualty of this greed is the
consumer's basic notions of privacy. That price is arguably far too high for
anyone to pay to any company in return for "helpful suggestions" of products
and services they _might_ want, based on seller guesswork. Apple made a
fortune selling iPods. They didn't need to track users' listening preferences
to do it. There are limits to what is reasonable.)

------
ljoshua
It's always a quandary--I will most likely be seeing ads, so would I rather
that they are targeted to me and possibly even helpful, or do I want to
tighten down as much as possible all possible data dumps of me?

I'm still trying to figure out when I want to turn off these sorts of things,
versus when I'd rather keep them on.

~~~
LaGrange
Actually, even if I end up with ads when I wasn't at least sort-of looking for
them (say, opening Yellow Books, doing a search), then I'd rather if they're
not targeted — the less information they have the worse they are at hacking my
brain.

------
richcollins
_For the last few months, iPhone users have enjoyed an unusual environment in
which advertisers have been largely unable to track and target them in any
meaningful way._

This is completely false. It hasn't changed at all in any meaningful way.

------
rooster117
Advertisers do not need to rely on the UDID(which is still widely used) to
track you since all that matters is they have a unique key they can associate
with the hardware. The MAC address does the same thing and there are a handful
of other options that are close enough for what they care about.

------
ashbrahma
Apple actually messed up the IDFA for users that update from iOS 5 to 6 (over
wifi). All these users are assigned an IDFA number of 0000000. Users that are
on the new iPhone 5 or updated from iOS 5 to 6 via a network connection have a
valid IDFA number.

------
nirajd
Are you kidding me? Regardless of privacy, this is incredibly useful. I would
love having even the slightest amount relevance with the iAds popping up on my
iAds.

------
scubaguy
From Apple's press release [http://www.apple.com/pr/library/2011/04/27Apple-Q-
A-on-Locat...](http://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-
Location-Data.html)

    
    
        1. Why is Apple tracking the location of my iPhone? 
        Apple is not tracking the location of your iPhone. 
        Apple has never done so and has no plans to ever do so.

~~~
wmf
Scheier's not talking about location.

------
glasshead969
update to the linked article... "EDITED TO ADD (10/15): Apple has provided a
way to opt out of the targeted ads and also to disable the location
information being sent."

------
thechut
Another case of how Apple doesn't care about its customers. They offer the
opt-out option but turn the service on by default and don't notify anyone.

Good thing (for Apple) most of their customers have had too much koolaid to
care.

~~~
headShrinker
What a ridiculous comment. Take your trolling comments somewhere else. Nearly
every company is guilty of reusing collected data and almost always without
telling customers.

~~~
suyash
It's not a ridiculous comment. Do you work at Apple? What's wrong with him
expressing his opinion. I feel the same way and belive we can have a
discussion about what's right and what's wrong. I agree that most companies
just automatically subscribe you in when they create new feature and they make
it users responsibility to opt out but I hate it as much as most of us. At
least they (including Apple) should be responsible of informing users if they
decide to keep us opted in automatically. Tracking is not a joke, people are
very concerned about it.

~~~
jamesaguilar
It is counterfactual to say that Apple does not care about its customers. It
does way too much for them to make that statement anything but ridiculous.

That said, it's also possible to recognize cases where their behavior _might_
not be in the customers' best interests. Whether you think this is one of
those cases probably depends on how much harm you think tracking does to the
average consumer. Personally, I'm completely satisfied with their opt-out
approach. People who care can opt out. The vast majority of people who don't*
can receive more relevant advertisement. But I can accept that other people
have different value functions where this approach would be considered less
benign.

*And before someone quotes a survey where people claim to care, my personal view is that actions speak louder than words on this point. If you really care, you'd be taking steps to make yourself aware of what is happening on your phone and responding accordingly.

