By John Gruber
Jiiiii — Free to download, unlock your anime-watching-superpowers today!
Sharon Terlep, Tim Higgins, and Patience Haggin, reporting for The Wall Street Journal, “P&G Worked With China Trade Group on Tech to Sidestep Apple Privacy Rules” (News+ link):
Procter & Gamble Co. helped develop a technique being tested in China to gather iPhone data for targeted ads, a step intended to give companies a way around Apple Inc.’s new privacy tools, according to people familiar with the matter. […]
The company has joined forces with dozens of Chinese trade groups and tech firms working with the state-backed China Advertising Association to develop the new technique, which would use technology called device fingerprinting, the people said. Dubbed CAID, the advertising method is being tested through apps and gathers iPhone user data. Through the use of an algorithm, it can track users for purposes of targeting ads in a way that Apple is seeking to prevent. […]
Through apps, CAID collects user device data, such as the device start-up time, model, time zone, country, language and IP address. Based on China’s personal information security standards, most of those data aren’t counted as “personal information.” But a so-called device ID can be generated by algorithm based on these data. That device ID can achieve a similar tracking effect as the identifier that Apple is allowing users to block.
Not a good look for a major American company like Procter & Gamble to be in cahoots with a Chinese trade group to circumvent Apple’s new privacy rules.
The whack-a-mole1 aspect of Apple’s new privacy rules is that while Apple can restrict access to the API that provides access to the IDFA identifier, clever developers can find (perhaps infinite) other ways to combine things they do have access to into a unique, or even just “close enough to unique to be useful for tracking”, identifier. IP addresses, to name just one example, are a big factor that Apple can’t block would-be-trackers from using. That’s what CAID is, but CAID isn’t some rogue effort on the part of surveillance advertisers alone — it has the backing of the Chinese government.
Doing this is clearly against Apple’s rules. The questions are: Can Apple detect these techniques? And what is Apple going to do if they do identify apps in China using CAID in flagrant violation of the App Store rules, if those apps have the backing (implicit or explicit) of the Chinese government?
Consider just Tencent. What is Apple going to do if WeChat is flagged for circumventing the App Store privacy rules, and Tencent says “No thank you” to Apple’s rules, that they’re going to do it anyway because they have the backing of the PRC? Reading between the lines, I think Apple is diplomatically telling the companies involved with CAID that they will pull the apps from the App Store over this. Here’s Apple’s statement to The Journal:
Device fingerprinting runs afoul of Apple’s rules, and the tech company has said it would ban any app that violates its policies.
“The App Store terms and guidelines apply equally to all developers around the world, including Apple,” an Apple spokesman said. “We believe strongly that users should be asked for their permission before being tracked. Apps that are found to disregard the user’s choice will be rejected.”
I don’t read diplomat-ese fluently, but that statement seems adamant: “all developers around the world, even Apple”. I wonder, though, if Tencent believes they can track users with impunity because Apple wouldn’t dare pull WeChat (etc.) from the Chinese App Store.
Basically, IDFA was Apple’s attempt to work with companies to provide a way to offer a sanctioned identifier for advertising tracking that respected user privacy and user control over tracking. It didn’t work — these companies have no respect for user privacy or user control, even with IDFA. So Apple is taking it to the next level. That’ll only work if Apple backs up its rules with enforcement — even in China.
Random spelling factoid I recently learned: the actual arcade game is spelled “Whac-A-Mole”, with no “k”. Which, to me, looks wac-y. ↩︎