
Chinese Tech Companies Look To Bypass Apple Privacy Rules With an Independent Tracking Number

Apple’s new App Tracking Transparency framework will soon require apps that use ad tracking to notify users and collect affirmative consent. If the user opts out, the unique device identifier for advertisers (IDFA) cannot be used. Though circumventing these new privacy rules with similar identifying techniques can get one banned from the app store, major Chinese tech companies appear to be discussing just that out in the open.

A document provided to app developers by the state-backed China Advertising Association (CAA), which has over 2,000 members including Tencent, Baidu and TikTok parent ByteDance, indicates that the group is currently testing a new tracking system that it calls CAID. The document directly states that app developers can use CAID as a substitute when the end user opts to deny access to their IDFA. While this would be a clear violation of Apple’s new privacy rules if it is put into practice, Chinese tech companies appear to be banking on the government kicking Apple out of the country if it starts banning popular apps.

Chinese tech companies execute a bold scheme

Apple’s new privacy rules specifically state that attempts to work around the IDFA with substitute techniques, such as device fingerprinting, are unacceptable and could lead to a ban from the app store.

Specific technical details on the CAID are thin, but the Chinese tech companies appear to be attempting to exploit a loophole in the wording of Apple’s privacy rules to get away with fairly standard device fingerprinting techniques (recording unique combinations of device qualities and settings as an identifier). Apple’s App Tracking Transparency framework applies to apps that uniquely identify an individual user; CAID apparently at least pretends to anonymize the user in some way.

Of course, that may only be the public-facing reason. Behind the scenes, the Chinese tech companies may be counting on the country’s government to back them up. Anonymous sources told The Financial Times that Apple may hesitate to ban major apps from its store even if its privacy rules are broken, out of concern that it may provoke the Chinese government into banning Apple from the country. While that might sound outlandish given the massive popularity of Apple products in China, it is not unheard of. China has publicly made noises about banning Apple before over the 2020 US ban on WeChat, the ongoing federal government bans on Huawei equipment and the prospects of a trade war raised by the Trump administration.

However, at least for the moment, Apple is standing by its promise to ban anyone that violates its privacy rules. The company issued a statement in response to the developing story: “The App Store terms and guidelines apply equally to all developers around the world, including Apple. We believe strongly that users should be asked for their permission before being tracked. Apps that are found to disregard the user’s choice will be rejected.”

Anonymous sources indicate that both Tencent and ByteDance are among the major Chinese tech companies currently testing the CAID system, but neither has publicly commented as of yet. The ByteDance documents do make reference to “fingerprinting and probabilistic matching,” techniques that are specifically banned under Apple’s privacy rules.

New iOS 14 privacy rules tested early

The new privacy rules have rankled the digital advertising industry in the West, with expectations that half (or more) of iPhone and iPad user ad revenue is going to disappear as soon as the opt-in notification becomes mandatory. If Apple is soft on the major Chinese tech companies for fear of losing access to that market, it will no doubt throw a tremendous amount of fuel on that fire. However, if the Chinese government is serious about forcing the issue, Apple may decide that the $21 billion in annual revenue and supply chain relationships it stands to lose is worth whatever storm of complaint is generated.

Apple is at least making overtures toward sticking to its principles in the early going. It issued warnings to two Chinese app developers ordering them to cease and desist the use of a dozen device parameters that could be combined to identify a unique device. It is presumed that this was in connection with testing of the CAID system. Apple gave the developers 14 days to comply or have the apps in question removed from the app store.

The move demonstrates that Apple has the ability to detect use of CAID; the only question remaining is how far it will go in enforcement of its privacy rules. However, there is some speculation that the Chinese tech companies could make the use of CAID harder for Apple to detect if they move execution of most of the code to servers hosted by the app developer rather than having it take place on the local device.