
Apple’s IDFA Tracking Changes Force App Developers to Look for Workarounds; Device Fingerprinting is Popular Despite Violating App Store Rules

Apple’s IDFA usage terms will soon require app developers to obtain affirmative consent before tracking devices. It’s assumed that the overwhelming majority of users are going to choose to opt out, creating serious problems for the personalized advertising industry. This has developers desperate for alternatives that sneak under Apple’s radar, and device fingerprinting appears to be the direction many will be going in despite the risk of being banned from the app store for it.

Apple’s IDFA changes push advertisers to the brink

iOS 14 brought with it a number of major privacy changes. One that was supposed to roll out in early 2020, but was pushed back to sometime in early 2021 due to advertiser complaints, is a mandatory opt-in prompt that accompanies the installation of new apps. App users must be informed of how developers plan to use the device’s unique IDFA to track them across other apps and websites. They are allowed to opt out of tracking, and app developers cannot deny service or restrict features if they do. This opt-out is already available in the settings menu but is not on by default; surveys indicate that only about half of all Apple device users have presently turned it on. App developers are expecting that number to shoot through the roof once users are proactively prompted with the option.

App developers are struggling to come up with alternatives to tracking Apple’s IDFA numbers to deliver targeted ads, and the solution that a number appear to be settling on is device fingerprinting. The problem with that approach is that Apple has also banned the use of device fingerprinting as a way to circumvent the new tracking rules. Some app developers appear to be so desperate that they’re willing to take their chances rather than cede their revenue model, even going so far as to make use of hidden email addresses and phone numbers as a tracking measure.

Running the risk of device fingerprinting

In the broadest sense, device fingerprinting attempts to create a profile of each device based on unique combinations of attributes that can be viewed. There are a number of different ways to do this. A very popular one is to use the web browser, which often has telltale combinations that can identify a user: the browser type and version number, possibly with the extensions that the user has installed. App developers that pursue a device fingerprinting strategy will also usually add in whatever information about the user’s device can be viewed: model of phone or tablet, operating system version, list of apps installed, screen size and display ratio, to name just a few examples. Hardware benchmarking tests may even be quietly employed in the background to glean information about the CPU and battery. With enough of these data points, a unique user can be identified with high confidence across multiple browsing sessions. Marketers use this as an alternative to Apple’s IDFA to keep track of user interests and serve personalized ads based on these demographic observations.
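To see why a handful of ordinary attributes is enough, a privacy reviewer can measure how much identifying information each combination carries. The following is an added example, not code from the article or from Apple: the device population is constructed, and the function names are hypothetical. It computes the entropy of a set of attributes and the share of devices that the combination singles out.

```python
import math
from collections import Counter

FIELDS = ("model", "os_version", "screen", "browser")

# Constructed sample population (not real telemetry): one tuple per device.
DEVICES = [
    ("iPhone 11", "14.2", "828x1792", "Safari 14.0"),
    ("iPhone 11", "14.2", "828x1792", "Safari 14.0"),
    ("iPhone 11", "14.2", "828x1792", "Chrome 87"),
    ("iPhone 11", "14.3", "828x1792", "Safari 14.0"),
    ("iPhone 12", "14.2", "1170x2532", "Safari 14.0"),
    ("iPhone 12", "14.3", "1170x2532", "Safari 14.0"),
    ("iPhone SE", "13.7", "750x1334", "Safari 13.1"),
    ("iPhone SE", "14.2", "750x1334", "Firefox 29"),
]

def project(devices, fields):
    """Count how many devices share each combination of the chosen fields."""
    idx = [FIELDS.index(f) for f in fields]
    return Counter(tuple(d[i] for i in idx) for d in devices)

def entropy_bits(devices, fields):
    """Shannon entropy (bits) of the joint distribution of `fields`."""
    n = len(devices)
    groups = project(devices, fields)
    return -sum(c / n * math.log2(c / n) for c in groups.values())

def unique_fraction(devices, fields):
    """Share of devices whose combination of `fields` matches no other device."""
    groups = project(devices, fields)
    return sum(1 for c in groups.values() if c == 1) / len(devices)

if __name__ == "__main__":
    # Add one attribute at a time and watch the anonymity sets shrink.
    for k in range(1, len(FIELDS) + 1):
        chosen = FIELDS[:k]
        print(f"{'+'.join(chosen):40s} "
              f"{entropy_bits(DEVICES, chosen):.2f} bits, "
              f"{unique_fraction(DEVICES, chosen):.0%} of devices unique")
```

In this sample the screen size adds nothing once the model is known, because the two are fully correlated; the attributes that vary independently, such as OS version and browser, are what shrink the anonymity sets.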

Apple sees device fingerprinting as an invasion of privacy and has banned it from apps for several years now. Some app developers appear to be willing to run the risk of a ban rather than take their chances with user consent. The Apple App Store grossed an estimated $50 billion in sales worldwide last year. Apple has only about a 13.5% share of the mobile phone market worldwide, but has a disproportionate share (40% to 50%) in certain lucrative countries and its users have been estimated to be worth as much as double the average Android user in terms of expected revenue.

App developers feel the heat

Apple has yet to set a firm date for the rollout of the new mandatory privacy notifications, but has said that it would happen in “early 2021.” Apple’s IDFA numbers can still be used by ad tech companies without user notification in the meantime.

App developers feel backed into a corner by the proposed stark wording of Apple’s IDFA opt-in window, which they feel will almost certainly cause users to opt out, and by the fact that they are not allowed to incentivize users with offers of bonuses or to limit functionality pending opt-in for ad tracking.

Apple has banned companies and engaged in high-profile battles over device fingerprinting before. Perhaps the most infamous incident was its tilt with Uber in 2017, in which Uber went to the length of geofencing off Apple’s Cupertino campus to hide the fact that it was fingerprinting devices. This led to an in-person meeting in which Tim Cook told Travis Kalanick that Uber would be banned from the App Store if it continued.

In addition to Apple’s IDFA changes there is another major component of iOS 14’s new data rules, the privacy “nutrition labels” that all apps must display, that has already gone active and is also rankling some in the mobile advertising industry. Facebook took the unusual step of taking out full-page newspaper ads to complain about them.

Given Apple’s IDFA restrictions, the reality that many ad-supported apps are now facing is to either run the risk of some sort of device fingerprinting scheme or to simply absorb the loss and switch to a less granular (and thus likely less lucrative) form of ad network such as an entirely contextual approach (which selects ads based on the page or app content rather than collected information about the end user).