
Privacy Crusader Max Schrems Sets Sights on New Target: Apple’s Device Tracking ID

Consumer rights activist Max Schrems, best known for severely disrupting the flow of personal information between organizations in the EU and US with the recent Schrems II decision, is homing in on a new big tech target. Schrems has filed a case against Apple in the EU, alleging that the company’s unique device tracking ID is in and of itself a breach of privacy law regardless of how it is used.

No rest for Schrems

Fresh off upending international digital trade for most of tech’s biggest names, Schrems and his group noyb are now focusing specifically on Apple. Filed in the courts of Germany and Spain, the complaint centers on the IDFA (Identifier for Advertisers) that is unique to each Apple device. The IDFA is used to track devices as they move through apps and browse websites, providing a means for advertisers to deliver targeted ads based on the user’s previously observed interests.

Apple itself has recently moved to restrict use of the tracking ID, though the company would probably not characterize the move in that way. As of sometime early next year, iOS 14 will require app developers that make use of the IDFA to allow users to opt out via a mandatory pop-up warning. The ability to stop use of the tracking ID has been available in iOS for several editions now, but it is not on by default; users must find it in the advertising privacy settings. The personalized ad industry believes that this will cause significantly more users to opt out of tracking, dealing a heavy blow to its bottom line.

Schrems argues that this is not enough. His group is contending that the existence of the IDFA is a breach of privacy under EU law given that it is created without the user’s knowledge or consent. While Apple users can forbid third parties from accessing the tracking ID and can reset it to generate a new one at any time, they are not able to stop one from initially being generated or permanently having one assigned to the device. Users are also not able to 100% restrict use of the IDFA, as Apple continues to have access to it regardless of settings and makes use of it for a number of its own services (such as Apple News).

noyb privacy lawyer Stefano Rossetti summarized the group’s argument: “While Apple introduced functions in its browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws. With our complaints we want to enforce a simple principle: trackers are illegal, unless a user freely consents. The IDFA should not only be restricted, but permanently deleted. Smartphones are the most intimate device for most people, and they must be tracker-free by default.” Apple replied with a statement that its practices comply with European law and that it would cooperate with regulators should they examine the complaint.

One interesting twist is that Schrems is not challenging the tracking ID on the basis of a General Data Protection Regulation (GDPR) violation. Instead, noyb is contending that it is a violation of the e-Privacy Directive. Established in 2002, the directive focuses on the use of online tracking mechanisms such as cookies. A key difference is that the governments of member states would be able to take direct action on the case and issue fines without going through a Data Protection Authority (DPA). The e-Privacy Directive was supposed to have been folded into the GDPR by now, but has run into numerous political obstacles.

Is the Apple tracking ID on the way out?

Though Apple is publicly pushing back against the Schrems case, it has already distanced itself from anything but internal use of the IDFA as a tracking ID. Common speculation is that Apple is realigning as a brand focused on premium hardware that provides superior security and privacy to what is available from rival Google’s Android operating system.

The IDFA is distinct from Apple ID, the optional account that users can create to more conveniently log into multiple devices and share settings between them. The only real practical purpose for the IDFA is to facilitate personalized advertising and track users, essentially acting as a more stable and accurate replacement for cookies that also expanded their reach beyond the web browser. The IDFA has proven to be a superior tracking ID system for the diligent and privacy-focused user as it can be manually reset at any time; the advertising industry has banked on the fact that most users will not be this aware and diligent. Only about 30% of iOS users choose to opt out of use of the tracking ID.

Luke Taylor, COO & Founder at adtech company TrafficGuard, presented the personalized ad industry’s case for its continued access to the IDFA: “As an advertising industry, we’ve done a very poor job of communicating to the end user as to why we’re tracking them, and why this is beneficial … While consumers should have the right to decide what is collected, sold and shared about them, they should be making an informed decision … Many people think of ‘advertisers’ as big headless corporations and digital advertising as this sinister dark art. But it is an ecosystem and businesses of all sizes depend on online advertising to reach consumers … Content providers rely on revenue from advertising to provide their content for free. The result for the consumer is lots of choice and innovation – in terms of the products they buy and discover through advertising, and in the content they consume. Opacity has always been a characteristic of the digital advertising ecosystem – and unfortunately, if IDFA is removed it is going to exacerbate that, to the detriment of the advertiser. With less transparency, fraud (a $42B industry) is likely to flourish, compounding the challenges of attribution and optimization. At TrafficGuard, we already see a lot of invalid traffic masquerading as devices with LAT enabled. This has been a popular way for fraudsters to attempt to obfuscate details about traffic they are sending. The removal of IDFA is going to take this to the next level.”


While Apple mobile device users only represent about 27% of the overall mobile ad market, they tend to be on the more affluent end and loss of access to the IDFA would certainly hurt marketing operations that rely on targeted ads. Though a successful challenge by Schrems would likely force Apple’s hand, the company may have already been in the process of quietly retiring it anyway.


Senior Correspondent at CPO Magazine