Apple v Facebook, and Our Privacy

Anshuman Pati
Published in GDG KIIT
13 min read · Mar 10, 2021
A message asking the user to allow tracking and the iOS prompt to allow it (Source: Facebook)

At Apple’s 2020 Worldwide Developers Conference, it was announced that starting with iOS, iPadOS, and tvOS 14:

Apps will need to receive the user’s permission through the AppTrackingTransparency (ATT) framework to track them or access their device’s advertising identifier.

This single announcement quite unmistakably caused a dent in Facebook’s (and other advertisers’) universe. And that started the big fight between Menlo Park and Cupertino, with an obvious good and bad side. But as we all know, when it comes to big tech, there is never a good side without some profit to be made. So I’m going to try and get some clarity on what’s changing, who’s losing, who’s winning and what it means for us, the consumers.

What’s Changing?

The privacy prompt on iOS 14. (Source : Apple)

When it comes to smartphones, the basis of tracking and profiling is the Identifier for Advertisers (IDFA) on iOS devices and the Android/Google Advertising Identifier (AAID, GAID) on Android devices. Just as web browsers have cookies to track user activity in the browser outside of the subject website, devices have IDFAs and AAIDs. Since the changes have (as of now) occurred on the Apple side, we’ll be talking about IDFAs.

Think of IDFAs as cookies, tied to the device.

The difference between cookies and IDFAs lies in their nature. Every device that ships with Apple’s software ecosystem has a unique IDFA tied to it. Unlike cookies, IDFAs are not short-lived; they’re static, permanent identifiers for the device which won’t change until they’re manually reset by the user. It should be noted that IDFA alone won’t provide the advertiser with enough data to uniquely identify a user, and it is common practice in the advertising space to collect additional information about the device (like the IMEI) to do just that. But simply put, IDFA has been, until now, the string that ties it all together.

A billboard by Apple in Las Vegas during CES 2020. (Source: 9to5Mac)

Among all the big tech players, it is safe to say that Apple is by far the most (and perhaps the only) consumer-focused company. Currently valued at over $2 trillion, the company has recently taken up the privacy of its users more seriously than ever. In 2017, Apple decided to bring an end to 3rd party cookies on the Safari web browser, followed by Mozilla in 2019 for Firefox. Later that year, Google followed suit by announcing that it would be putting the lights out on 3rd party cookies in its Chrome browser in 2022. After dealing one crushing blow to advertisers in the browser space, Apple is now coming for device-side tracking, and it has crippled an $80 billion industry by killing IDFAs. Apple’s premise is to make tracking in apps an opt-in situation, leaving the choice to the user.

Apple is making tracking in apps an opt-in situation, leaving the choice to the user.

The Menlo Park Side -

Facebook, for a long time now, has focused not only on building the world’s largest social networks, but also on building the most precise ad service on the internet. These days it’s common knowledge that Facebook is actively profiling every single one of its users, using any means it can to obtain information on their habits and persona.

Facebook’s front page ad on the NY Times, WSJ, and many other newspapers. (Source: Facebook)

Let’s just skip over to the case at hand. What you see above is a front page newspaper ad published by Facebook on December 16, 2020. While Facebook expected to make a case for itself and its privacy practices by citing “small businesses”, anyone who would look this up for a few minutes could see the smoke clearly.

Is there really a case to be made for Facebook though? I think not. Facebook today is infamous for its mishandling of user data and for tracking that, at this point, amounts to user surveillance. Facebook’s unique selling point for its ad network is the precise profiling of individual user habits, and not that of cohorts, to serve personalized ads. That way, they virtually make sure that an advertiser putting out an ad will reach the target demographic. Facebook’s profiling has been so precise that some people have been led to think that it’s listening in on their day-to-day life and analyzing the audio. They don’t need to do that; they already have every other detail they need. But this is all now stuff of the past because Facebook, like most advertisers, uses the IDFA to tie all the activity together in a granular manner, and there is no other way to uniquely identify each device across 3rd party services.

Facebook relies heavily on cookies, embedded trackers on “Like” or “Follow” or such Facebook buttons used on websites, and perhaps most importantly, on device identifiers to link all the activity together. In a paper published a little while before Apple’s WWDC announcement, Facebook claimed that non-personalized ads are 50% less effective than personalized ads. So, when Apple announced that access to IDFAs would be made optional, Facebook virtually lost all its means to uniquely identify iOS users based on the device, crippling it to generalized data, since Safari, the browser over 90% of iPhone users prefer, is also blocking third party cookies. This loss gets even more expensive when we consider the fact that the average iPhone user spends more money than the average Android user.

Facebook ♥ Data (Illustration by The Verge)

What’s baffling is how much Facebook appears to be losing over being blocked out of tracking user activity across other apps and websites. Every developer and publisher still has access to IDFV (Identifier for Vendors) which is used to identify a user across apps made by the same developer. Facebook can still track you over Instagram, WhatsApp, Facebook, Messenger and Oculus, just as it always has, and these services form the majority of social media today. Apple has clarified that developers will continue to have unrestricted access to the IDFV after the new framework comes into effect.

Analysts predict that only 30% of the users will opt into IDFA based tracking on getting the notification request for the same. Facebook predicts that it will see a 7% drop in ad revenue directly due to the changes in iOS, with subsequent quarters seeing further drops. Perhaps it may happen that the 50% less effective ads could someday cause a drop of 50% in ad prices as well.

PS : At this point if you’re feeling bad about Facebook, here’s the privacy nutrition label on Facebook’s App Store page. It’s a pretty long list.

The Cupertino Side -

Apple ♥ Privacy (Source: Apple)

Apple has been ramping up its efforts to better protect the privacy of its customers, and it surely is paying off. Just a look at any privacy related article shared on Reddit or Twitter will show you that the people greatly appreciate Apple’s efforts. It is true that the general everyday user won’t research or try to improve their privacy. But to assume that people are clueless about privacy practices of tech giants is not correct either, the recent media spotlight on Silicon Valley has made the public increasingly aware of how their data is mishandled by the software they use everyday. Given the choice, the general consumer will most likely opt not to have their activity tracked across the internet.

Given the choice, the general consumer will opt not to have their activity tracked across the internet.

Trackers, everywhere. (Source: “A Day in the Life of Your Data”, Apple)

I’d recommend everyone to read “A Day in the Life of Your Data”, an 11 page document Apple prepared for Data Privacy Day, 2021. It sheds light on just how extensively people are tracked in their daily lives by the companies whose services they use. And then it goes on to show how Apple services would have given the user better control over his privacy and data (bit of a shameless plug but more on that later).

Apple is just doing what it does best, maintaining a walled garden by laying out the rules and keeping the keys to the kingdom only for itself. But seeing how user data is widely misused all over the internet, perhaps restricting access has become necessary. Let’s look a bit more into the implementation of these changes.

Apple is putting their user data in a walled garden, laying out the rules and keeping the keys to the kingdom for itself.

Starting in late 2020, Apple made it mandatory for developers to use the ATT framework in their app updates or new releases. Without meeting this requirement, the release will be rejected by the App Store. Besides this change, the developers will also be required to disclose all the information they or their partners collect on the App Store page for the application. That way, a concerned user can check what kind of tracking an app is capable of before installing it on their device. Apple calls these “Privacy Nutrition Labels”, and requires all apps, including its own, to include these on their page.

The privacy nutrition label of an app in the iOS App Store (Source: Apple)

Apple is restricting apps from tracking users across the device, and limiting them to only in-app tracking. Any tracking done using the IDFA will have to be explicitly allowed by the user on the system dialogue asking for that. The publisher does get to explain why they need to track you in a string below the popup (see the image of the privacy prompt) but more likely than not, people will probably tap on “Ask App Not to Track”, and since this happens the first time you start the app, it will be difficult for the publisher to convince you to go back into device settings and dig up the privacy settings and allow tracking again. With all these limitations put on IDFA, Apple is providing a more privacy conserving form of ad tracking.
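What the prompt changes about linkability, as an added example that is not part of the original article: a toy Python model that joins app events on IDFA and on IDFV, covering the IDFA and IDFV descriptions earlier and the opt-in described above. The app names, vendors and events are constructed; the all-zero value is what an app receives as IDFA when tracking is not authorized.

```python
import uuid
from collections import defaultdict

# IDFA value handed to an app that is not authorized to track.
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"

# Constructed sample: (app, vendor, activity observed inside that app).
APPS = [
    ("Facebook", "FB", "liked a running page"),
    ("Instagram", "FB", "followed a shoe brand"),
    ("ShopApp", "ShopCo", "viewed running shoes"),
    ("NewsApp", "NewsCo", "read a marathon article"),
]


class Device:
    """Toy model of one device: one IDFA for all apps, one IDFV per vendor."""

    def __init__(self, att_allowed_apps):
        self._idfa = str(uuid.uuid4())
        self._idfv = defaultdict(lambda: str(uuid.uuid4()))
        self.att_allowed = set(att_allowed_apps)  # apps where the user tapped "Allow"

    def idfa_for(self, app):
        return self._idfa if app in self.att_allowed else ZERO_IDFA

    def idfv_for(self, vendor):
        return self._idfv[vendor]


def collect(device):
    """Events as each app would report them, tagged with the IDs it can read."""
    return [
        {"app": app, "vendor": vendor, "activity": activity,
         "idfa": device.idfa_for(app), "idfv": device.idfv_for(vendor)}
        for app, vendor, activity in APPS
    ]


def link(events, key):
    """Group apps that share an identifier; a zeroed IDFA links nothing."""
    profiles = defaultdict(set)
    for event in events:
        if event[key] != ZERO_IDFA:
            profiles[event[key]].add(event["app"])
    return sorted(sorted(apps) for apps in profiles.values())


if __name__ == "__main__":
    every_app = [app for app, _, _ in APPS]
    print("IDFA, tracking allowed everywhere:", link(collect(Device(every_app)), "idfa"))
    denied = collect(Device([]))
    print("IDFA, 'Ask App Not to Track':     ", link(denied, "idfa"))
    print("IDFV, unaffected by the prompt:   ", link(denied, "idfv"))
```

With tracking allowed everywhere, the IDFA join yields a single profile spanning all four apps; after the user declines, only the per-vendor IDFV grouping (Facebook with Instagram) remains.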

SKAdNetwork — The Apple Ads Framework

Apple released the SKAdNetwork in 2018 as a new means to measure the success of ad campaigns without invading the user’s privacy. The idea behind it is simple: advertisers have to register their ads with Apple to have them shown to the user, Apple presents the ad to the user through its ad network, and the advertiser is notified if the user engages with the campaign. But this doesn’t include user or device identifiable information.

The drawback here for advertisers is that they have to depend only on contextual marketing without knowing more about the user or the device they’re using. In addition to this, view-through attribution is not supported on the platform, so an advertiser can’t know if there was a time gap between when the user saw the ad and when they engaged with it. Click-through attribution, the more straightforward metric that checks whether the ad resulted in a click to install the application, was not supported earlier but Apple promises to have it enabled by the time the new update rolls out.

The SKAdNetwork overview. (Source: Apple)

The biggest drawback of SKAdNetwork for advertisers is the “timer” you see in the image above. It means that notifications of attribution are sent 24 to 48 hours after a successful conversion. And so, real time attribution data is absent, and the advertiser can’t instantly target the user with an ad while they’re in-market and won’t be able to tie app activity to a particular time.

Simply put, SKAdNetwork offers robust privacy-preserving features while still allowing some forms of ad targeting. It’s probably not bad for the users, but it’s certainly a much worse option for the advertisers, since they won’t have unrestricted access to user data like before, and it considerably cripples their ability to show precisely targeted ads that are relevant at that moment.

Is this the way?

Partly, yes, and partly, no. Let’s go back to SKAdNetwork. It is a closed system, just like the App Store, owned and operated by Apple. Just like with the App Store, Apple owns all the data that is involved in this process, and they are the data broker here. This is good and bad at the same time.

Source: Apple

Apple has historically been more responsible when it comes to privacy in comparison to others like Facebook and Google. So, the user data being guarded and maintained by Apple is a much safer bet than it being exploited by Facebook or collected by Google. The key phrase here is ‘maintained’; since Apple doesn’t run an advertising business, they are only the keepers of the data and nothing more. By restricting access to identifiers, companies like Facebook cannot track users across their whole day, without the knowledge or permission of the users. This is as it should be, because privacy is a fundamental right of every individual. The same amount of care for user privacy is reflected across Apple’s services, and they deserve all the credit for bringing this subject to the spotlight in recent times.

So what’s the problem here? I would say capitalism, but this isn’t a socio-economic study. Fact of the matter is, no company gets to $2 trillion valuation just by doing things for the goodwill of its users. After SKAdNetwork becomes the default, Apple will undisputedly have the largest (and only) complete collection of iOS user data. A centralized database of every Apple user on the planet. And that’s precisely what the problem is. So if Apple were to start its own ad services, it would be the keeper of the data, the maker of the devices the data is collected from, and the regulator for other competing advertisers on its platform. Recent rumors also point towards Apple working on its own in-house search engine to compete with Google.

Taking a quick look at the Google side of things, it’s been reported that Google is working on a similar, but less stringent solution to device tracking for Android. Google announced a few weeks ago that it would stop relying on 3rd party cookies and any other technology used to track an individual across the web. It plans to use its own tracking technology, Federated Learning of Cohorts (FLoC), which will be embedded into Chrome. FLoC will work on the machine itself and group similar users into cohorts for serving personalized ads, without tracking any individual user, or having the user’s data processed in the cloud.

The FLoC White Paper. (Source: Google)

However, industry experts say that this move will ultimately only benefit Google and no other advertiser, since it’s basically turning the Chrome browser into a tracker. It is reported that Google plans to employ a similar solution to upcoming Android releases in the form of privacy controls.

The problem with all these solutions is centralized tracking.

DuckDuckGo. (Dawit on Unsplash)

We know for a fact that centralized tracking is not the only option to serve relevant ads. The most privacy-preserving option is contextual ads, which present users with ads according to their activity at that moment, regardless of their history or device type. These kinds of ads are used by the search engine DuckDuckGo. A common argument is that you can’t serve such ads in apps because there is no direct search query to base the results on, but we can always use the app itself as context, with each section of the app offering different parameters to base the ads on. The downside is that there will be close to no personalization in such ads, but they’ll still be relevant to the user’s activity at that time. DuckDuckGo argues that this is not a trade-off and their advertising revenue is very healthy since contextual ads are good enough for most users. In a better world, that would be the way to go for better privacy.

Where do we go from here? (Illustrations by The Verge)

Closing Thoughts

Privacy is a fundamental right of every user on the internet. Tracking unsuspecting people across the web without their knowledge should be prohibited by law. So, it’s a great victory for user privacy that companies like Facebook and Google are finally being met with resistance from other players in the industry. All the current changes will lead to the death of third party tracking through cookies, and eventually IDFA/GAID based tracking as well. I hope the recent media attention that Apple has drawn to the extent of tracking on devices continues, and that public awareness leads to a change in these practices for better privacy.

Apple also needs to realize that when advocating for better data practices on the internet, it shouldn’t be outright advertising its own services. Half of the “A Day in the Life of Your Data” document is about Apple’s services being better for privacy. While that could very well be true, it’s also true that Apple’s devices and services have a large economic barrier of entry. Not everyone can afford to own a MacBook, an iPad or an iPhone. So, Apple should try to set an industry-wide standard for privacy, since it has repeatedly cited that the web needs to be a safer place for all people and not just its own customers. More likely than not however, Apple will probably go the way the money is, but we can always hope for something good to come out of all this.

Apple’s Ad Services documentation page was up on Jan 6 2021, and has been taken down since.

I want to state that some parts of this article, specifically the ones about Apple’s ad service and search engine efforts, are based on industry reports and are currently just rumors. I started looking this up after finding that Apple’s ad services documentation has been missing for over 2 months, and found more information about this on Eric Seufert’s blog. It’s still very much a developing story and we know for a fact that there will be more changes in the days leading up to the Spring iOS update that enables ATT and I hope to revisit this once there are any major new developments.

I’d like to close with a quote about user privacy from Steve Jobs, at the All Things Digital Conference, 2010.

“I believe people are smart and some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data.”
