We’re asking Apple to change the advertising ID for each iPhone every month (blog.mozilla.org)
222 points by soheilpro 6 days ago | 93 comments

I really wanted to believe Apple but they need to try harder.

This is not on iPhone but on a MBP, so it's still quite relevant to Apple. I had disabled the "apsd" process, which serves as Apple's push notifications service, and completely blocked it off using Little Snitch, and yet the process still found its own way to reactivate itself and keep a persistent connection back to Apple servers in the background. I personally don't use FaceTime or Notifications on MBP; why couldn't Apple just let me disable this? Instead, the process even circumvented my firewall protection to make sure it could communicate back to their data center. This practice is a little shady and does not promote trust or transparency. If I have blocked a process permanently then I expect it to remain always blocked.

Their EmbeddedOS on the Touch Bar also keeps a couple of always-on connections that utilize its own bridged network interface, which users are completely blocked off from and do not have access to. They were supposedly for TouchID, but I was viewing bandwidth usage the other day and these connections used up almost 10MB of data. Why would something like TouchID need to send 10MB of data back to Apple? Again, this makes no sense and does not promote trust.

By "disabled", you mean using `launchctl unload -w`? I would be surprised if apsd launched after doing that; macOS is pretty consistent about having all processes managed by launchd and not spawning things at random. Though since that works by modifying the plist file in /System/Library/LaunchDaemons, rather than setting a preference somewhere separate, a software update could end up resetting it. No idea about Little Snitch.

Edit: Actually, launchctl apparently does use a separate preference these days; it used to modify the plist. Not sure when that changed or when you tried this.

I searched but couldn’t find information on the touchbar’s bridged adapter. Can you point me to something?

are you referring to: https://developer.apple.com/library/archive/documentation/Ne...

Apple Push Notification service (APNs) is the centerpiece of the remote notifications feature. It is a robust, secure, and highly efficient service for app developers to propagate information to iOS (and, indirectly, watchOS), tvOS, and macOS devices.

You may not be using FaceTime or Notifications, but someone you know will be using them.

Maybe that's not what they want though. Maybe they just want to use their computer without a constant connection to all of their other devices and servers

fair enough. but there are countless other phones and operating systems to choose from. there are even corded dumb phones one could use.

OP: This is not on iPhone but on a MBP

They weren't referring to their phone, but being able to, quite reasonably, have control over what their MacBook is making outbound connections to.

> there's even corded dumb phones one could use.

That's a somewhat facetious and unnecessary remark. And you know, not everyone has a POTS landline these days.

> ...but being able to ... have control over what their MacBook is making outbound connections to.

non-issue? simply block out the ports? https://support.apple.com/en-gb/HT203609

i dispute the assumption that people don't have control over their computers. there are literally millions of things any one of us can do about every aspect of their computer.

> That's a somewhat facetious and unnecessary remark.

You're right and I apologise.

> non-issue? simply block out the ports?

From the top-level comment:

> the process even circumvented around my firewall protection to make sure it could communicate back to their data center

It seems like either this doesn't work or the firewall was configured incorrectly. Obviously we have no way of knowing for sure what happened in this case, but have you verified yourself that blocking the ports actually works for this?

Ugh, the use of they/their is very confusing in your last sentence. You refer to OP and to Apple using the same “their”.

It's possible this was snark, e.g. suggesting that a Mac really belongs to Apple and you're just paying them money to let them put it in your home where it can snoop on you. But in the spirit of good faith, let me assume not and just annotate your parent's they/ their use:

Maybe that's not what [netwanderer3] want though. Maybe [netwanderer3] just want to use [netwanderer3] computer without a constant connection to all of [netwanderer3] other devices and servers

English has some plural and possessive agreement rules that make this sound like faux caveman speak, let's fix those:

Maybe that's not what [netwanderer3] wants though. Maybe [netwanderer3] just wants to use [netwanderer3]'s computer without a constant connection to all of [netwanderer3]'s other devices and servers

Sorry, I was referring to the commenter, not to Apple

I don't understand Mozilla's ask for changing the cycling of these tokens to monthly.

If this was implemented, it wouldn't be very difficult to associate a cycled out profile with a new one. Only days of behavioral information. So if out of a 30 day month, 3 days are used to re-associate user profiles, they're only using a partial profile 10% of the time?

I don't even get why Moz thinks IDFAs are particularly bad for privacy anyways. They're only shared across apps that come from the same developer; your Facebook and Snapchat apps see different tokens. They don't expose any personal information, they only identify a unique piece of hardware. It wouldn't be particularly difficult for apps themselves to generate and persist their own random token; how often do people reinstall apps anyways?

The IDFA is device universal, and is only reset when the user takes manual action.

Apple was aware of the privacy challenges of this, and laid out the rules for using IDFA in this WWDC 2014 presentation. https://developer.apple.com/videos/play/wwdc2014/715/

It's a video with no transcript, but if you click the link to the slides, you can see on slide 7 that the lifetime of the Advertising ID is "Reset Advertising ID."

Each time you submit an app binary to Apple for review, you have to click a box that solemnly swears that you're using the IDFA to attribute activity to an advertisement, proving that the advertisement did its job. "I, USER NAME, confirm…"

I don't know whether the solemn vows really do anything; I get the impression that IDFA abuse is detected via privacy researchers making noise in the tech press. But it has been enforced a few times.

> It's a video with no transcript

While Apple only started posting transcripts of WWDC presentations last year, https://asciiwwdc.com has been around for a while and is a great searchable archive of WWDC transcripts. Here's the transcript for the presentation you referenced: https://asciiwwdc.com/2014/sessions/715?q=user%20privacy%20i....

>If this was implemented, it wouldn't be very difficult to associate a cycled out profile with a new one. Only days of behavioral information. So if out of a 30 day month, 3 days are used to re-associate user profiles, they're only using a partial profile 10% of the time?

It's even worse than that. The IDFA might reset every month, but there's nothing preventing apps from storing a persistent identifier in its data. As soon as there's a new IDFA, the ad network can immediately link that back to the old IDFA. As long as you have one app that belongs to the ad network, you can be linked back. You can even combine this with keychain data to persist across reinstalls (technically you're not supposed to use the keychain for this purpose, but storing the currently logged in user's credentials is fine, so you can use that instead).

> there's nothing preventing apps from storing a persistent identifier in its data.

Can't link the PDF since it's behind a login wall, but the developer agreement already prohibits this (3.3.12):

> If a user resets the Advertising Identifier, then You agree not to combine, correlate, link or otherwise associate, either directly or indirectly, the prior Advertising Identifier and any derived information with the reset Advertising Identifier.

Uh-huh. And I'm sure advertisers do this.

I believe in technical measures over pinky-swears in cases like this.

It's a type of security in depth. The problem being solved isn't that companies can make anonymized profiles; it's that all that a company needs to do is associate one ID with a person to fully de-anonymize that person's data, whereas under the new scheme associating an ID would only de-anonymize a month's data. Not wonderful but, arguably, not nearly as bad.

That said, this is engineering-oriented security thinking in a behavioral playing field. People's habits don't change very rapidly, and I'd expect that (with the exception of life-changing events) a month's worth of data would tell you 95% of what a (device) lifetime of data would.
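The two points made above (a single app-persisted identifier re-links every rotated IDFA; without one, a single association exposes at most one month of data) as an added Python model, not code from the thread, Apple or Mozilla. All identifiers and the daily event log are constructed; the ad-network observer is modelled as linking events only through shared identifier values, and the all-zero Limit Ad Tracking value is treated as unusable as a key.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
from uuid import NAMESPACE_URL, uuid5

# "Limit Ad Tracking" makes advertisingIdentifier return all zeros (mentioned
# later in the thread); an observer cannot use that value as a key.
LIMITED_IDFA = "00000000-0000-0000-0000-000000000000"


def idfa_for(device: str, day: int, rotate_monthly: bool, limited: bool = False) -> str:
    """Constructed IDFA: one value per device, or one per device and 30-day epoch
    when the platform rotates it monthly (the policy Mozilla asks for)."""
    if limited:
        return LIMITED_IDFA
    epoch = day // 30 if rotate_monthly else 0
    return str(uuid5(NAMESPACE_URL, f"constructed-idfa/{device}/{epoch}"))


@dataclass(frozen=True)
class Event:
    day: int
    idfa: str
    app_uuid: Optional[str]  # identifier an app persisted itself (e.g. in the keychain), or None


def build_log(device: str, days: int, rotate_monthly: bool,
              app_persists_uuid: bool, limited: bool = False) -> list[Event]:
    """One constructed ad-SDK event per day for a single device."""
    app_uuid = str(uuid5(NAMESPACE_URL, f"constructed-app-uuid/{device}")) if app_persists_uuid else None
    return [Event(d, idfa_for(device, d, rotate_monthly, limited), app_uuid) for d in range(days)]


def linkable_days(log: list[Event], deanonymized_day: int) -> int:
    """Days of activity an observer can attribute to a person once a single event on
    `deanonymized_day` has been tied to them (the 'associate one ID' step above).
    Events are linked only through shared identifiers (IDFA or app UUID), via
    union-find, so the count is exactly what the identifiers expose."""
    parent: dict = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for i, ev in enumerate(log):
        if ev.idfa != LIMITED_IDFA:
            union(("event", i), ("idfa", ev.idfa))
        if ev.app_uuid is not None:
            union(("event", i), ("app", ev.app_uuid))
    start = next(i for i, ev in enumerate(log) if ev.day == deanonymized_day)
    root = find(("event", start))
    return len({ev.day for i, ev in enumerate(log) if find(("event", i)) == root})


def exposure_report(days: int = 90, deanonymized_day: int = 45) -> dict[str, int]:
    """Linkable days under the scenarios the thread argues about."""
    scenarios = {  # name: (rotate_monthly, app_persists_uuid, limited)
        "static idfa, no app uuid": (False, False, False),
        "monthly idfa, no app uuid": (True, False, False),
        "monthly idfa, app persists uuid": (True, True, False),
        "limit ad tracking, no app uuid": (False, False, True),
        "limit ad tracking, app persists uuid": (False, True, True),
    }
    return {name: linkable_days(build_log("phone-A", days, rot, app, lim), deanonymized_day)
            for name, (rot, app, lim) in scenarios.items()}


if __name__ == "__main__":
    for name, n in exposure_report().items():
        print(f"{name:40s} {n:3d} of 90 days linkable")
```

Rotation only buys anything when no app on the device keeps its own key; the model also shows that Limit Ad Tracking on its own shrinks the linkable window to the single matched event.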

You may be thinking of IDFV (identifierForVendor). The IDFA usually stays the same until the user resets it.

> At Mozilla, we’re always fighting for technology that puts users’ privacy first

I would love to run my own Pocket server ...

2 years and counting.

There is this: https://wallabag.org/en

Their description: wallabag - a self hostable application for saving web pages

No idea on how good it is or how it compares to pocket but it seems to be what you're after. And you can import your data from pocket.

I use it self hosted, it's excellent.

> I would love to run my own Pocket server ...

Oh I'd love to run my own Pocket server. The service seems useful but I stopped using chrome and disabled most of the utilities I reasonably could to avoid centralizing my data again.

A self-hosted Pocket could help some of that.

I'd love to never see a Pocket button in my browser ever again.

It's easy to turn off. About:config

Search for pocket. You'll see extensions.pocket.enabled

Double click to set it to false. That's all.

Soooo, pretty similar to the manual steps that Mozilla are complaining about in the article, then?

I would say that disabling this is even less user friendly in Firefox. The about:config is cryptic and prompts the user whether "they know what they're doing", which will scare most away.

Yes, but we're talking about disabling a button instead of persistent tracking used for advertising purposes.

I can do that. But try explaining that to the average person on the street and see how far they get before they give up.

The average person might like having Pocket already installed though.

If that person likes it they can go to AMO and install it like the extension that it's supposed to be. Instead of wasting space, time, and technical debt for all the users who don't want to use it.

How is this technical debt? It’s a plug-in. None of its code is in Firefox.

Serious question - would you object as much if it was called “Firefox save page”? Because I’ve never heard HN complain about Firefox sync, which has all your passwords, your history etc.

If you explicitly sign in to it.

Pocket explicitly requires a sign in with a separate Pocket account. What now?

Doesn't Pocket require a sign in too?

The average person sees the button in their browser and says "What the heck is Pocket?"

The average person's eyes would gloss over it - just like how you'd ignore features and tools you don't use or don't know how to use in photoshop or visual studio.

This would break a lot of standing marketing/long-term lead nurturing efforts. It sort of forces marketers to engage with users they have in their actual database or do everything in 30 days. Some sales cycles are a lot longer than 30 days. In publishing it's pretty relevant to know if long term visitors stop coming back in the aggregate. There are lots of legitimate business purposes for anonymous longer term tracking.

Counterpoint: if a data collector stores the ad id or derivative of it with anonymous activity then later links it to a user account with PII that could break a lot of basic assumptions the user may have about their privacy. That would be difficult to prevent from happening with a technical solution.

The Ad identifier isn't exposed to the web (thankfully)

(Edit: Apparently I was wrong - I’d swear it was per device? Hence the single global “reset the id “ option. If it’s per app/app group/developer ID then rolling doesn’t help because they can always just generate and store their own ID)

It is not in fact exposed to the web, you weren't wrong about that.

IDFA is not shared per app, only across developer accounts. Your Facebook and Snapchat apps don't see the same IDFA.

Ok I edited my answer but literally all my research indicates that it is per device - all apps irrespective of developer see the same ID. It was specifically created to replace the UDID that could never be changed at all.

So I am irked I didn’t research before editing :-/

It's strange because I had the same impression. I remember the whole migration from UDID to application advertising identifiers... I swear each app got their own IDFA token, and that it didn't persist across app installs. I guess I was mistaken also, because it only resets on manual reset or device erasure.

The APIs for this are very clear:

var advertisingIdentifier: UUID { get }

"Unlike the identifierForVendor property of the UIDevice, the same value is returned to all vendors. This identifier may change—for example, if the user erases the device—so you should not cache it."

Yeah, my original comment was correct unlike the very confident correction.

The problem is periodic rolling of the ID doesn’t get you anything as any tracking service is simply going to track when the value changes in all the apps, and so all different IDFA tokens can always be tied to a single individual. Rolling, automatic or not, and irrespective of frequency gains you nothing. Tracking companies have repeatedly demonstrated a complete disregard for user privacy.

The /only/ way to fix this is to remove device centric ids from the platform. Then tracking frameworks can't tie one user to multiple different app installs.

None of this “automatic rolling” nonsense - the API should not be there at all.

You obviously don't know how things work. So please stop saying factually incorrect things as matter of fact statements.

What? IDFA is device universal and only reset manually by the user.

They do see the same IDFA, that's how apps using the Facebook SDK can link analytics with a Facebook user profile even without asking you to log in to Facebook, as long as you have the Facebook app installed and you're logged in there.

I wonder if these kinds of painful (from a business perspective) choices will act as a kind of forcing function on their whole privacy push, either by highlighting the hypocrisy if they continue mining customer data while preaching virtue, or alternatively, by really pushing them to put their money where their mouth is and creating a more truly private system.

I think the biggest factor will be if they can convince the US population (their core demographic / market) that privacy matters. If it does, then it will be worth it to their bottom line - if not, they may have to capitulate to market forces and return to squeezing as much data as they can from their users.

The next few years could be very interesting from a privacy standpoint.

I'll believe they are honest about caring about users privacy when they release imessage for other platforms.

Why is that your threshold for believing that Apple cares about user privacy? The ecosystem they've built so far has had significant time and effort invested into it to make it privacy friendly.

Because it highlights their real motives. Why not give everyone the ability to securely communicate? profits > privacy.

> Why not give everyone the ability to securely communicate?

Because their message isn’t “we offer privacy to everyone in the world” but “we offer privacy to our customers”.

But they don't, because when their own customers communicate with others' customers the conversation is no longer private, and if they aren't sufficiently technically knowledgeable then their own customers might not even know it's not secure.

It would be if they were on iPhones :) Apple's not a non-profit. There's money to be made selling privacy to those who care, and Tim's on the job.

Funny thing is Apple's competitors don't make money. Apple has ~50% of all smartphone revenue and 87% of the world's total smartphone profit share - iPhone X alone was 35% of global profit share with, to your point, only 22% of the market. Less, even, my data shows 19% of shipments most recently. Samsung is next in line off the back of approximately equal shipment volumes. Everyone else effectively breaks even or loses money. [1]

I'd say Apple's got this one figured out.

[1] https://www.forbes.com/sites/chuckjones/2018/03/02/apple-con...

Money doesn't matter, you don't get it. When only 1 in 5 phones is an iphone then keeping imessage.. you know what, I'm not wasting the effort.

I do get it, my argument was that money is the only thing that matters. Their goal isn't to secure everyone's communication, it's to maximize profits. They're doing that by saying if you both care about privacy, we have a one-stop-shop that'll get you taken care of, but it's gonna cost ya - and your friends. It creates an implicit pressure for others to get on the bandwagon driving up sales.

There are cross-platform messaging apps with end-to-end encryption. It’s not Apple’s job to save everyone: if you want to be saved, buy an iPhone.

If you think buying an iphone saves you then you've already lost.

Funny, I think nearly every article coming out about the location tracking, reading your contacts, reading your messages, and even malware on mobile has come out saying roughly "it's on android, but a much lesser version is on iOS" or even better "only on android."

So... what exactly did we lose with buying an iPhone in the context of this conversation? The ability to change the launcher?

Maybe you're ok with apple's limitations, I'm not. That's ok because I'm not you and I'm not asking/forcing you to change anything. So what exactly is your point? Choice is a wonderful thing.

Who owes you a private and secure communication platform for free?

Not saying I agree with this line of thinking but I personally think cross platform iMessage would benefit iMessage users privacy significantly. You can't control what OS your friends use.

I think the real reason why might be something along the lines of anti SPAM or botting; iMessage seems to require an authentic, unleaked serial number to connect, as I found out a while ago when connecting my Hackintosh. (I succeeded, but I have a feeling many real Mac serial numbers get banned from iCloud by Hackintosh users sniping them out of pictures in eBay listings and whatnot.)

Given how leaky Android security is, I wouldn’t assume that just because it arrived encrypted that the message was secure after that point.

I think this jab is unwarranted. Android with security updates is not significantly less secure. Talking historically, Android started with more security measures than iOS, with app sandboxing from the get go. Nowadays modern devices contain dm-verity for verified boot, layered security at various levels including SELinux, etc.

Not suggesting there haven't been more security issues with Android overall, but there are also more devices and more available source code with Android, and iOS is far from having a clean track record for exploits either. If it did, you wouldn't be so limited in which versions of iOS you could restore in iTunes...

Looks to me like where Apple is heading is offering some kind of "Apple Plus" subscription that bundles all their services, including iMessage. I predict that over time this will evolve to encompass more platforms. So iMessage will be available for Android but not for free.

That's fine with me, I'm not suggesting privacy should be free but they can't pay me enough to use their OS or hardware. I would however entertain the idea of using their services if they are available on my hardware choice.

You’re likely to get your wish. I think Apple has realized that they need to offer their services on non Apple platforms if they want to continue to grow. We’re seeing some early signs of this already.

How would this make it at all harder to build a profile or change anything? Correct me if I'm wrong:

Google, or whatever ad tech, gets data from an app which sends an email or oauth data to the IDFA. The email or oauth data stays the same even if the ad uuid changes month to month. Over many many apps.

I personally would actually rather have Apple control this and start competing with FB as a mobile ad network. I think they could present a solution which fits with their privacy appeal while also cleaning up fraud and dictating better ads formats / rules

I would like to think that space isn't totally won yet.

Apple tried to play in this space before. They didn't win https://developer.apple.com/support/iad/

I'd rather they focus on hardening their own privacy instead of cherry-picking issues at competitors.

They have been focusing on privacy for the last several years and rolled out multiple improvements specifically in that area in the last year alone (e.g. Anti-Tracking Protection, DNS over HTTPS, HTTP Referrer limits, Container Tabs, etc). Plus products like Firefox Focus (essentially an in-private browser).

If we're gatekeeping who is allowed to criticize Apple, perhaps it would be enlightening to give some examples of people or entities who attain a high enough level of moral purity to do so. If an organization like Mozilla fails to reach it, I just want to get a sense of where the bar is set.

> If an organization like Mozilla fails to reach it, I just want to get a sense of where the bar is set.

Telemetry that's not on by default would certainly be one measure, I don't know about apple but mozilla certainly fails. If they don't understand the need to gain consent before collecting statistics on their users then they don't understand privacy.

Apple themselves do the same. Therefore the position is that doing something Apple does makes you unqualified to criticize Apple. That would by extension make Apple themselves unqualified to criticize Apple, which is a rather unusual bar.

What I find curious about many comments in this thread is that few want to address the issue itself, but instead would rather either shoot the messenger or argue that even raising the issue is unacceptable.

Why are people so opposed to discussing this and why is Mozilla's record or reputation even relevant here?

It might be because the point stands up well to argument:

- Should Apple do it? Yes. No downsides are apparent.

- Will it help many users? Yes. Many users will benefit.

- Is it a panacea? No. Rulebreaking apps will rulebreak.

Thus the career detractors are forced to invoke unrelated topics to continue their press conferencing.

"Let he who is without sin cast the first stone" and "people in glass houses shouldn't throw stones": we've got a pretty long history of having a higher expectation of the person/organisation doing the criticism, and this is no exception.

As for the actual criticism I'd agree with the blog, the fact that phones come with an advertiser ID at all is a sad sign of the state of our industry.

If Mozilla really, really cared about privacy then the default search engine would be no search engine. The first page you would get after installing would be a "choose your search engine" page, so people who want Google will have to choose to use Google, and people who want DDG will have to choose to use DDG. Having a default search at all is showing partiality to who gets to receive the browser information of a large portion of the user base.

How would they fund their business?

But it is working for Samsung so well.

They don't hammer Google hard enough in their marketing campaigns, in my opinion.

Perhaps because they are less privacy focused than you think.

That would be one possibility

When has google ever pretended to care about privacy?

Wouldn't that give us even more reason to ask for privacy features from them? If they don't show an initiative to consider it themselves then users should take the lead. Mozilla wants me to sign a petition asking Apple to rotate their advertising ID. Well where's the petition I can sign asking Google to do the same?

If Mozilla speaks out against Apple while staying silent against Google it gives the appearance that they are at best not willing to bite the hand that feeds them. But at worst may raise concern that they are barking at the behest of their master.

resetting the IDFA doesn't really help anyways because apps usually

a.) generate a UUID that is stored in the keychain upon first launch

b.) send the user's iPhone name to their tracking servers

c.) send other uniquing information such as screen size, device make, OS version etc

so you can bet that IDFA doesn't matter one iota and is totally beside the point...

What is Mozilla’s incentive to push for this? I get that tracking is a big deal these days, but other than to get some press how is Mozilla related to all of this?

Making the world better?

Mozilla is posturing as "even more privacy focused than Apple". It's annoying.

Unless I'm missing something, the user can set this to all zeroes.

A sane default would be nice, but there's a lot of other information that can be used to fingerprint a user from their device: device names and carrier names, along with a bunch of other device settings, are accessible without asking for permission. Unfortunately there's no current way to limit these.

ITT: Lots of people bashing Mozilla, probably as an excuse to feel better about still using Chrome.

I wish I could "Sync" without connecting to Firefox, among other intrusive things:

  geo.enabled              ,false,disable asking to share location
  extensions.pocket.enabled,false,disable pocket
