> Apple said in response that it “does not access or use the IDFA on a user’s device for any purpose”.
What is it there for then?
If Apple doesn't access the IDFA, but provide the mechanism to do so for others, then clearly Apple is still violating the law.
Apple put the IDFA there. Others accessing it is similar to one website giving you a cookie without consent and other websites looking at that cookie. It's still a violation by the website that gave you the cookie without obtaining your consent.
I think what Apple is saying is that it's not the browser's job to ask consent for storing a cookie or for doing browser fingerprinting but a website's. As much as I dislike IDFA, I think I must agree with their line of reasoning.
Edit: Let me bring an analogy (GDPR applies to physical world too). Most cars have a visible VIN number like a phone has an IMEI (if you replace IDFA with IMEI mentally, which would be much worse if that was exposed to the apps). If you take a photo of the VIN and then track the car using this identifier in some way, you are [potentially] violating GDPR, not the car manufacturer.
However, the car number is mandated for legal reasons that are easy to explain. The user on the other hand gets no benefits, the society gets no benefits, and those who benefit are random people whose motives are unclear.
I find that I benefit greatly from targeted advertising.
A couple of years ago I realized that Spotify's recommendation algorithm provides me with a better selection of music than any other method ever has.
Lately I've found ads targeted using advanced ML implementation have been of great value to me as well.
I don't remember ever purchasing products from direct response marketing before, but this year I've purchased multiple high importance things that I would not otherwise been even aware of.
Does Spotify base recommendations on the kind of tracking used by targeted advertising? I would think their recommendations are entirely based on the music you've listened to on Spotify, rather than, say, information they've gathered about your demographics, web browsing, purchasing habits, etc.
Personalized recommendations by an app based on your usage of that app are not what people mean by "targeted advertising." The privacy implications are completely different.
I thought so too, but I'm not completely sure since they rolled out the personalised "Time Capsule" playlists. Most of the tracks in mine seem more based on my age and location than my listening history. Particularly, many tracks that were in high rotation on a popular national alt/youth radio station when I was 10–15 with no obvious connection to my current listening habits.
As well I've find the time capsule playlist absolutely horrendous in all its recommendations. Sure it plays some things from my library but that's what I have my library for. Everything it's suggested has been ridiculous and honestly had me thinking it was just another corporate mandated playlist by committee based more on money for plays than my actual enjoyment of the music provided.
If it was actually of value to you then you would have searched for it yourself. That you needed advertising to find it only shows the toxic effects of advertising (convincing you that you needed a product that you actually didn't, and/or incentivizing the lobotomization of organic search so that you would go based on the ads instead).
“If I had asked people what they wanted, they would have said faster horses.” - Henry Ford.
Several years ago I saw a Facebook ad for an online coaching program for aspiring music producers.
It was exactly what I needed at the time, but I had no idea that someone had put something like this together, and I would never have independently thought of googling this. Instead, I relied on music production tutorials on the one hand, and generic productivity advice on the other hand, and assumed that was the best help available out there.
That is just my anecdote, but I'm sure everyone here has their "how could I possibly live without this before" product or service.
Advertising can be useful, and the more targeted, the less obnoxious.
It seems you're conflating innovation with marketing. It's perfectly legitimate for someone to invent a car. It's not, however, to cold call me or send me car catalogs or show me car ads on the web ad infinitum until I submit and buy one.
I enjoy receiving targeted products or services which I wouldn't have otherwise known about. That isn't toxic; we live in a world with tens of millions of products being offered worldwide. Just because we don't come across them "organically" doesn't make their advertising toxic. I'm still an individual who makes a conscious purchase decision.
>convincing you that you needed a product that you actually didn't
What if it's convincing him that he needs a product that is actually of benefit to him, that he didn't know existed?
I don't want crap pushed on me without consent. Once you have consent, (which is me doing a pull of what you're offering), then it's okay.
I'm surprised with all the controversy over consent in the last year or so that Tech and Ad companies still don't understand this. Then again, the wisdom of Upton Sinclair applies.
--It is difficult to get someone to understand what their paycheck is dependent on them not understanding
You would be hard-pressed to find anyone who disagrees on the issue of consent. The following is what I replied to though, and is unrelated to consent:
>The user on the other hand gets no benefits, the society gets no benefits, and those who benefit are random people whose motives are unclear.
This is blatantly false. In this thread alone there are multiple people who have stated they find benefit through targeted ads.
> I find that I benefit greatly from targeted advertising.
Your only foundation for this reasoning is that you've bought more things. What this definitely says is that the advertising is targeting you successfully, what it does not say is that you benefited from it. You clearly lived before you owned those things, presumably pretty well given your evident spending habits.
In conclusion, when looking at this post we can say just as easily that you were harmed greatly by targeted advertising.
Perhaps they actively subvert the ways in which those bombs are otherwise detected or they start offering blind pickup so everyone has plausible deniability. There are many ways in which a bomb delivery service could be more convenient than the post.
The consent MUST be received before storing cookies. As Apple stores the cookie without consent, they break the law, even if the cookie is never read by anybody without consent.
Is consent required before setting a MAC address on a NIC? I don’t think it’s the NIC manufacturer’s duty to get consent because others fingerprint devices using the MAC address.
I didn't elaborate because there really isn't any more to say about it. If you've read up on how the GDPR works and know what essential means, you will see this person is correct.
For what it's worth, I have been involved with implementing the GDPR properly in a number of reasonably large companies. Sadly a number of people can say this and a vanishingly small amount of companies actually adhere to it properly, so I'd take it with a grain of salt.
They are exempt from consent but not from the law. Also, GDPR is not about things but their processing purposes. If you use my MAC address to address my network traffic, that's a legitimate business need; no consent is needed. If you use the same MAC address to track me, you need consent.
A distinction without a difference as not every interaction involves a browser. It can be used in the same manner as an identifier cookie (it doesn’t carry a payload) for cases that do not involve a browser.
True, but the term ‘magic cookie’ is not the term we use today. If you said magic cookie I’d know you were using the historical term. I’m old enough to remember but most people here are not.
Yes, they will make it opt-in soon. The lawsuit is about the damage caused by it being opt-out until now. So both Apple's promised fix and the lawsuit's core argument appear correct.
Apple clearly agrees that things could be better, which is why they are changing it for the better. However, they can also, without contradiction, argue that they were not acting ILLEGALLY before.
Who knows when they will actually change it. They were going to have the change when iOS 14 released but they paused it when they received pushback from Facebook. Now on iOS 14 you don't have access to the permission setting and you can't reset your IDFA anymore either.
Why? Apple were creating PII. They were not storing or processing it. You can probably break the GDPR by incorrectly handling the IDFA you get from Apple, but that does not mean that Apple are breaking the law.
Reminds me of a quote by Adam Yauch of the Beastie Boys:
"I’d rather be a hypocrite than the same person forever."
The only way to get better is to change the things you did incorrectly in the past.
This doesn't mean it was illegal (or even unethical). Fifteen years ago few people anticipated the privacy implications of smartphones and many people didn't anticipate exactly how much this stuff would be abused. But in order to get better, they need to change their policy.
I'm don't think I've ever considered MCA a great philosopher, and after reading that self-contradicting quote the outlook for that to change is still murky. Plainly: being a hypocrite is about doing in opposition to what you preach, it's unrelated to changing your mind.
It's strange too that you go back to 2005, what with the iphone was out only by 2007 and the IDFA launched in 2013. Incidentally, IDFA was create as a way to limit the methods advertisers could use to track users, even as it expanded the pool of users tracked. And in 2013 the idea that digital tracking, as supplied by for example apple, could be bad was certainly not groundbreaking.
Prior to IDFA, advertisers used other unique on-device information (I believe they had access to the IMEA which was not changeable). With IDFA, users have the option of opting out or at one point resetting the IDFA on the device.
IDFA was fundamentally put in to give uses more control. It wasn't really enough, but it was an improvement over what was before it. Now Apple is improving it again by making it opt-in instead of opt-out.
There are third party Ad-Tech companies that will sell IDFA - cookie combinations they have gathered from their "partners".
Think it through: you read this very article, and many cookies on that page you will have consented to will let many ad-tech companies know that you should probably be labeled "privacy conscious". Which, as any good AI will teach them, is closely related to the "extremist left" and "anti fascist" labels. Next, you start Youtube or Insta on your Apple device. Now you suddenly see promoted content from those bubbles because you probably want to click on it.
The difference is that browser cookies are necessary for sessions and persisting state - Facebook exploiting this for nefarious purposes isn't the browser's fault.
IDFA's only purpose is tracking. I can't see any legitimate use for it. In this case Apple intentionally created a feature (which most people aren't even aware of) that only has malicious use-cases.
The IDFA is intentionally limited to prevent many malicious use cases. For instance, each vendor will see a different IDFA for the same device, so you can not collect IDFAs to track users across applications.
It is for tracking, but not all tracking is malicious. It is used for things like attributing an ad impression to an app install, to measure how effective an ad campaign is at getting people to install an app. This information doesn't really tell you anything about individual users, but is still useful when aggregated.
Are you confusing it with the IDFV (identifier for vendor)? As far as I know the IDFA is explicitly shared across apps for ad targeting to work (including most of the examples you mention).
> This information doesn't really tell you anything about individual users
Except when you correlate it with other information that does identify individual users and suddenly you've deanonymized this "anonymous" ID.
Scum like Facebook, Google, data brokers and advertising companies base their entire business on this and that needs to stop.
The point of IDFA is to allow the user to express a system wide preference, and also to allow the identifier to persist across installs.
Although the overwhelming majority of people distrust tracking, a significant minority >20% do not. Every time the discussion comes up here we see people who say they like targeted advertising.
Apple wants to exclude other mechanisms and have an opt-in mechanism to support this 20%. They are one step away from making it opt-in but were delayed by political pressure from Facebook.
If Ad Tracking companies improve their practices, perhaps they can persuade more people to opt-in.
Apple has reached this point by slowly eliminating other sources of fingerprinting from their apis, and adding rules insisting that IDFA be the only identifier used.
The only issue here is that IDFA is not yet opt-in. Otherwise, Apple is way ahead of the game. All other platforms allow some kind of fingerprinting.
It is shared across web and apps but only for one vendor. So you can track the performance of an ad campaign on getting installs of your app, for instance.
> So you can track the performance of an ad campaign on getting installs of your app, for instance.
So in order for it to work you'd need to also be the developer (vendor) of the initial app which displays the advertisement for your second ad? Otherwise how would it work if let's say your ad is displayed in app from vendor A (and they get their own IDFA), now when your (vendor B) app is installed you see a different IDFA. How would you associate the two?
That's just not the same.
A website is asking the browser to put a cookie. So the browser is just a channel.
If I understand correctly The IFDA is an identifier created by apple, which they let third parties access. The phone is not a channel, it is the creator of the ID so you're analogy doesn't hold.
And come on, the name of this is proof enough that the only use for this ID is tracking users.
Cookies are used to store anything, not necessarily specific for tracking.
What is it there for then?
If Apple doesn't access the IDFA, but provide the mechanism to do so for others, then clearly Apple is still violating the law.
Apple put the IDFA there. Others accessing it is similar to one website giving you a cookie without consent and other websites looking at that cookie. It's still a violation by the website that gave you the cookie without obtaining your consent.