Apple Begins Enforcing New Privacy Rules, Rejects Apps Using Known Device Fingerprinting Techniques

With iOS 14.5 expected to roll out sometime during the spring, Apple’s new App Tracking Transparency framework is about to be fully in place. Some of the new privacy rules have gone active ahead of the formal rollout, however, and the most recent looks to make device fingerprinting a thing of the past on the App Store.

Apple has previously told developers that the new rules about use of the Identifier for Advertisers (IDFA) cannot be circumvented by using similar means to individually identify and track end users. Doing so can result in the app being banned from the store. This policy appears to have gone live in the past week as both new apps and updates to existing apps are being rejected if they contain any sort of device fingerprinting measures.

New App Store privacy rules continue to fall into place, to the dismay of some

When iOS 14.5 launches sometime in the coming weeks, the full complement of new privacy rules will require any app that uses the IDFA for targeted advertising to notify the user during download and obtain their consent. Given widespread displeasure from the marketing industry, Apple has anticipated that developers might attempt to use “device fingerprinting” measures as a functionally similar substitute. This means logging a list of device qualities and characteristics that form a unique combination; this might include IP addresses, web browser versions and plugins, lists of installed apps, screen resolutions, language settings and time zone just to name a few possibilities. Enough of these characteristics combined will create a unique profile that is extremely unlikely to be replicated by another end user.

Apple told developers months ago that device fingerprinting would not be allowed as a substitute for IDFA tracking in the near future, and now appears to have quietly begun enforcing this new privacy rule. The company did not make a significant public announcement to this end, but simply began rejecting apps that it says contain fingerprint IDs. The first indication of the new development was when various app publishers took to forums, social media and company Slack channels to complain about it. Among the apps to suddenly find themselves in violation of Apple’s privacy rules were those that implement a commonly used third-party tracking SDK from Adjust. Members of the teams of ridesharing app Heetch and fiction publishing platform Radish also publicly posted indicating that updates to their apps had been rejected by Apple. A common message shared by these parties, received by apps accused of device fingerprinting, reads as follows: “Your app uses algorithmically converted device and usage data to create a unique identifier in order to track the user.”

In some cases, these app publishers may not be aware that they are engaging in device fingerprinting. As was the case with Adjust, many use SDKs that have other primary functionality but also engage in user tracking in the background. In these cases, they will either need the SDK publisher to make updates or they will need to find a replacement solution. Adjust (used by some 50,000 apps) indicated that it updated its SDK within a day after customers began receiving these notices from Apple, and that it should now be in line with Apple’s new privacy rules.

Device fingerprinting tempts advertisers in spite of Apple ban

Though the use of device fingerprinting could now buy app developers a quick suspension from the App Store, some have been mulling taking the risk out of sheer desperation. Much of the targeted advertising industry is anticipating a huge chunk of its revenue from Apple users drying up overnight once the iOS 14 privacy rules are fully implemented, as there is no good substitute for this level of personal data collection.

Perhaps the biggest name to openly explore the idea of device fingerprinting is Snap; a Financial Times report indicates that it has looked into implementing a technique called “probabilistic matching” for Snapchat. Snap has since commented that it respects and supports Apple’s privacy rules. For its part, Apple has ruled out the use of probabilistic matching along with other device fingerprinting techniques.

The biggest organization to flout the new privacy rules could very well be the Chinese Advertising Association. Documents obtained from the organization indicate that it is developing something called the China Anonymization ID (CAID), a device fingerprinting technique intended for use by China’s biggest app publishers. The open development of CAID indicates that Chinese companies may be counting on the backing of the government in a battle against Apple; if Apple bans major Chinese apps from the App Store, the Chinese government steps in and bans Apple from the country.

Apple has not set a firm date for releasing iOS 14.5, but its comments regarding the completion of the App Tracking Transparency framework indicate that it may be coming in May.