Apple’s Privacy Promises Are Undermined by Its App Store Rules

“Don't let the perfect be the enemy of the good” is a cliché, but we have clichés for a reason.

“Don’t let the perfect be the enemy of the good” is a cliché, but we have clichés for a reason. In some cases we really shouldn’t let the perfect be the enemy of the good! When it comes to privacy, the status quo is so bad that sometimes I’m tempted to settle for “better than nothing.” As it stands, Apple’s App Tracking Transparency (ATT) is in that category. It’s a step in the right direction, but incomplete. Privacy initiatives from private companies will always be incomplete, often in ways that are self-serving, and users should be cautious about companies that claim they want to defend you from all the bad actors out there while glossing over their own practices. In Apple’s case, the intersection of its privacy policies and its rules around payments in apps creates a situation that is both bad for privacy and competition, making ATT less of a benefit to users than it otherwise could be.

App Tracking Transparency has a few components. First, Apple requires that apps ask for permission before tracking users. The choices are “Allow” and “Ask App Not to Track.” 

If a user selects “Ask App Not to Track,” then the iPhone or other Apple device does not allow the app to access something called the “Identifier for Advertisers” (IDFA). This is a unique number on your device that can be used to track you around the internet. Apple created the IDFA when it blocked apps from accessing other device identifiers, such as the MAC address, which are something like serial numbers, can’t be changed, and were not intended to be used to track users to begin with. When it created the IDFA, Apple also gave users the ability to turn off the IDFA across their whole device, as well as to reset it. App Track Transparency improves on this by allowing users to grant some apps the ability to track them if they want, but not others.  

But there’s more than that, which is why Apple words the prompt as “Ask,” instead of “Tell.” Advertising companies are always coming up with new ways to track users, and it’s a cat-and-mouse game to shut them down.  Apple’s agreement with developers says they are not supposed to track users using any means, not just the IDFA, if a user selects “Ask App Not to Track.” 

Apple describes ATT and defines “tracking” in a few places. On a support page for users, Apple says that “App Tracking Transparency allows you to choose whether an app can track your activity across other companies’ apps and websites for the purposes of advertising or sharing with data brokers.” On a support page for application developers, Apple writes that “Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.”

Apple’s view of “tracking” concerns tracking you from one company to another. Most people’s concept of “tracking” is much broader.  For example, if Facebook serves you ads on Facebook.com based on your activity in Instagram, this is not “tracking,” because both apps are owned by the same company. In Apple’s case, Apple can monitor what you do in any Apple app, and serve you ads in any other Apple app, based on what it has learned about you. None of this is “tracking” to Apple.

This idea of what “tracking” means doesn’t come from nowhere. The World Wide Web Consortium (W3C), as part of the (failed) Tracking Protection Working Group, adopted this definition in 2011: “Tracking is the collection of data regarding a particular user’s activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.”

The word “context” is doing a lot of work here and there is no reason to interpret it as a “company.” Serving me ads in Apple News based on my activity with Siri seems like “tracking” under the W3C definition, but would not be under Apple’s. But a view of “tracking” that only cares about data transfers and use between third parties, but not what companies collect about their own users and how they use this data, is incomplete–even harmful.

It could have profoundly negative effects on competition, as larger companies with more first-party data have an inherent advantage over smaller competitors under this scheme. It might even encourage mergers, since buying a third party turns it into a first party. And it probably gives people the impression that they have more control over their data than they actually do.

All this is why we need a comprehensive privacy law like the American Data Privacy and Protection Act — companies will only go so far to protect your privacy, especially from themselves. A good privacy law might be closer to the W3C’s definition than Apple’s, would protect user privacy more than private company initiatives, and would address the competitive problems inherent in a system that structurally benefits the largest tech companies.

All this is also context to understand how Apple’s rules around in-app payments make the privacy implications of its definition of “tracking” worse.

As Public Knowledge has written, rules that require that developers use platform in-app purchase systems, and the requirement that apps can only be installed from the one app store, are anticompetitive. But to make it worse, Apple’s rules, and the definitions that Apple writes, put a large amount of data under Apple’s control that, in a more open market, it would not even have access to.

A whitepaper on Apple’s website states that “Apple does not use third-party data for advertising on its own apps.” Under Apple’s definitions, this is true. But Apple forces developers to use its tools, and considers information from the use of those tools its own first-party data. As it explains, “Apple-delivered advertising helps people discover apps, products, and services on the App Store, Apple News, and Stocks. We use information about your device, account, purchases, subscriptions, and previous downloads to ensure that ads are relevant.” Apple also uses “purchase history, including in-app purchases, [and] subscriptions” for personalization.

So, yes, kudos to Apple for not using third-party data, and for ATT, which does protect user privacy to a degree. But also boo to Apple.  Its rules require developers to use tools that bring data under its control that should not be.  Users can’t install iOS apps directly from developers–which means that data about what apps they download and search for in the App Store is “first-party” Apple data.  Developers are forced to use Apple’s in-app payment systems–and as a result, data about subscriptions, media purchases, and in-game purchases are all considered (by Apple) to be Apple’s to monetize and advertise against. This data could include whether a user has subscribed to a streaming service that competes with Apple TV+, has installed pregnancy or dating apps, or is using a VPN to evade censorship.

Among the tech giants, Apple is in many ways the most privacy-conscious. This isn’t saying much.  Apple simultaneously protects users against real privacy harms from third parties while using all its means to bring large amounts of data under its own control.

I don’t agree with those that think that privacy should be sacrificed to make it easier to be tracked for advertising, government surveillance, or any other purpose. Nor do the competitive concerns around ATT mean it should be rolled back. Apple should not drop ATT, it should enhance it, by preventing the use of data within Apple across contexts. But I think we will be waiting a long time for Apple to do these things on its own — and regardless, there are similar gotchas lurking in the terms of service and legal disclaimers of just about every company. Congress must step up to protect user privacy in the ways that companies never will voluntarily.