Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Apple Unveils Stringent Disclosure and Opt-in Privacy Requirements for Apps

Glenn Fleishman

In late 2020, Apple [1]rolled out its new privacy guidelines for apps, which require explicit and detailed disclosure by apps of their collection and use of personal data. In the near future, it will also require that apps get opt-in permission to track users by any personal identifier or a device's unique advertiser identifier.

These two changes have roiled the online advertising industry, which has unfortunately shifted over its 25 years in existence from being excited about counting clickthroughs and measuring them against actions to luring users into a deliberately invasive stew of misdirection and obfuscation. By and large, the industry prefers that people don't know how much their private information is being extracted and used, and it hates having to ask for permission -- because it knows most people will say no.

The online advertising industry claims that advertising success is possible only through highly targeted advertising, in which each ad that appears on your screen is the result of a billion billion calculations of everything known about you, including your clicks and visits from mere moments ago. While that claim about success may or may not be true -- an increasing amount of evidence, noted below, suggests that it is not -- the industry has become dependent on concealing what it does with our information, fearful that if it were known, the house of cards would come crashing down.

[2]This blog post from Invoca -- a company whose business I cannot figure out exactly because the ad and marketing industry has become so very baroque -- explains the insider view of Apple's moves.
The headline reads, 'What Is IDFA and Why Apple Killed It.' IDFA is the device-based advertising identifier Apple attaches to its hardware, which functions like a browser cookie for a device and which users can reset whenever they like. However, when you dig into the post, it turns out that, despite the hyperbolic headline, the author actually says:

   Apple hasn't 'killed' IDFA per se, but has made tracking in apps an 'opt-in' situation in iOS 14 as part of the company's continued focus on user privacy.

In other words, Apple is blowing like mad on that house of cards.

Among the top tier of tech companies, Apple is the only one that places its customers' privacy in its list of central concerns -- and means it. Other big firms flap their gums about how privacy is important, then routinely lobby for loopholes, pay small fines for violating regulations, or construct methods that deceptively violate user consent.

While Amazon and Google have their own issues with disclosure, tracking, and consumer violations in the US and internationally, the biggest privacy abuser is, of course, Facebook. Facebook's business model appears to rely on routinely violating its users' privacy and then promising to do better, which it never does.

Apple has progressively clamped down on user tracking in Safari and apps over the last few years, describing such efforts as part of its mission in creating a safe and generally 'opt-in' Internet, in which your online activities remain protected and private unless you choose otherwise. Apple's new app-based disclosures and the requirement of consent to track outside of the app continue its evolution in insisting on customer privacy.

Signs are already apparent that the whole edifice of the online ad industry may be due for a collapse. So much of the money collected ostensibly on behalf of publishers is sucked up by ad tech firms, ad fraud, and intermediaries [3]that half or less reaches the actual sites.
Some research suggests it's as little as [4]30 cents on the dollar. Other examples of a possible adpocalypse?

   * [5]JPMorganChase reduced its advertising reach from 400,000 sites to 5000 and saw no change in outcome.
   * Uber audited its ad spending to generate new users and [6]went from $150 million to $20 million in spending without a drop in actual leads.
   * [7]Procter & Gamble slashed $200 million in online spending and found its reach increased.
   * [8]eBay cut $100 million in ad spending without a drop in referred sales.

For instance, try to explain why, after you purchase a given item, ads for that same item chase you around the Internet. Ad efficiency? Hardly.

Apple's privacy moves might topple some dark ad giants who don't deliver for advertisers (or publishers) and have managed to hide their incompetence behind Rube Goldberg contraptions. It's not unthinkable that Apple could help sweep in a simpler, more direct, and less intrusive advertising that resembles the Internet's earlier days. That's probably too optimistic, but let's start with the changes Apple has already made and the opt-in requirement on third-party tracking about to emerge.

From a Single Line to Pages of Revelations

Apple's new disclosure requirements are relatively easy to understand and summarize. Apps must disclose what data they may collect, and whether that data is linked to users, stored outside the app, or used to track them.

In terms of simplicity, it's fair to compare them to the nutrition facts label on packaged foods, thanks to the standardized format and language. But, just like those labels, it's worth noting that the data is self-reported. Apple's role in monitoring and verification is unclear, and there are a variety of exceptions.

Developers who have conformed to Apple's privacy rules in the past, to the [9]European Union's General Data Protection Regulation (as of May 2018), and the [10]California Consumer Privacy Act (in effect from January 2020) should already have gathered all of this information and provided it in one or more policies within the app and on a Web site. That should be effectively all developers, even one-person firms, because of the broad scope of those existing laws, rules, and Apple guidelines.

What Apple calls 'app privacy details' systematizes and makes simple all the kinds of data about you that an app collects, including via embedded third-party code, and how the developer handles it. Instead of reading a lengthy privacy policy that could be written to any standard, Apple's details use standardized terms and top-level icons. (The GDPR nominally requires language in privacy disclosures that's plain and easy to read, but it provides no assistance in doing that, nor does it seem to have any per se enforcement of confusing language.)

Apple offers developers [11]an equally straightforward description of how to collect and provide all the necessary information. The general principle is that any data that's collected or inferred by an app and sent off-device for 'a period longer than what is necessary to service the transmitted request in real time' must be disclosed.

For instance, someone might provide their email address to an app for it to retrieve some piece of information, but if the app's developers and any connected third parties immediately dump that email address after the retrieval, it doesn't seem to qualify as 'collected' in Apple's definition. (Please note that I am not a lawyer, and this article doesn't constitute legal advice.)

The app privacy description covers which categories of data might be collected, providing specific examples for each (such as location, financial, contact information, and the like), how it's linked to the user (and how to avoid such linkages), and how an app developer or affiliated third-party might track a user based on collected data.

Apple also makes it clear that there's a big difference between on-device and off-device tracking, personalization, and data usage. An app can download and cache marketing information, including from third parties, and then apply personalization or other behavior within the app based on locally stored personal information and the advertiser identifier. As long as that information isn't then sent off the device, it doesn't have to be disclosed. (This principle is similar to how Apple has allowed companies to provide phone-number spam identification, by allowing databases of numbers to be downloaded to an app and then compared only locally against incoming phone numbers.)

These privacy details are presented in Apple's various App Stores in an App Privacy panel below version history. Under Data Linked to You, it specifies all the categories of data, with distinct icons, that are being used. There may also be a Data Not Linked to You section that discloses (sometimes optionally) data that's collected either only on-device or for diagnostic purposes, or that is not retained after a lookup or retrieval. Tapping or clicking See Details provides a more thorough item-by-item accounting.

The range of disclosure can be mind-bending. James Thomson's popular calculator app, [12]PCalc, collects diagnostic data that's not linked to the user in any way; it gathers nothing else. Facebook's disclosure, on the other hand, [13]runs to ten iPhone screens.

Apple, by the way, does not require that app developers disclose information that Apple itself collects through the use of Apple frameworks and systems, like advertising or in-app purchases.
Apple already has agreements as a 'first party' with the user of an app in order to use an iPhone, Mac, or other device. It has disclosed terms and required acceptance of licenses and data-collection policies as part of a user setting up a device and signing into a given App Store on it. Those terms and agreements may not be as clearly displayed or worded as would be ideal, but we can hope that Apple will be working to improve that user experience as well. (Apple lets you opt out of some of its tracking and collection, too, as I detail at length in my book [14]Take Control of iOS & iPadOS Privacy and Security.)

Apple's apps, however, do have their own App Privacy listings. [15]Pages notes that it might link 'Contact Info, User Content, Identifiers, Usage Data, and Diagnostics' to you. That seems like an awful lot of linkage for a word-processing app. However, when you click See Details, Apple clarifies that it uses most of the data for analytics (measuring usage and what people do), while only using a few pieces of information for customizing the app, and that it has access within the app to user content (photos, video, data, and other documents).

As always, the question is whether disclosure prompts changes by individuals. The App Privacy listing is just a disclosure: users can't opt in or out of different kinds of data collection -- it's all or nothing. But unlike a standard software EULA (end-user license agreement) or dense privacy policy, Apple's requirements and presentation make it quite clear what's up, assuming the developer has been truthful, of course. Then you take it or leave it: you either buy or install the app or don't.

However, Apple is about to enable an option that will give you choice over one set of items disclosed in App Privacy. Sometime soon -- the company hasn't yet said when -- Apple will require that you opt into third-party tracking. That's what has Facebook quaking, and what I'll explain next.

The Holy Grail of Permission-Based Marketing and Advertising

What could have terrified Facebook enough about Apple's upcoming [16]App Tracking Transparency requirement that it took out [17]a full-page ad in multiple newspapers and [18]created an accompanying Web site alleging that Apple's update would endanger small businesses? It's this little message, as Tim Cook [19]noted on 17 December 2020 in a tweet (see '[20]App Store Wars: Facebook vs. Apple, Publishers vs. Apple, Apple vs. Brave,' 17 December 2020).

   We believe users should have the choice over the data that is being collected about them and how it's used. Facebook can continue to track users across apps and websites as before, App Tracking Transparency in iOS 14 will just require that they ask for your permission first. [21]pic.twitter.com/UnnAONZ61I

   -- Tim Cook (@tim_cook) [22]December 17, 2020

Facebook characterizes this message on its advocacy site thusly: 'Apple's new iOS14 [sic] policy requires apps to show a discouraging prompt that will prohibit collecting and sharing information that's essential for personalized advertising.'

To paraphrase: Facebook's entire advertising model is so fragile that if users were given the information to choose between having their information shared willy-nilly and relying on Facebook to preserve their privacy, advertising results would collapse. That would be a damning admission, no?

Even some Facebook employees thought Facebook's stance was a bunch of hooey, [23]according to Buzzfeed News. 'It feels like we are trying to justify doing a bad thing by hiding behind people with a sympathetic message,' one engineer wrote. Another worker reasonably asked, 'Why can't we make opt-in so compelling that people agree to do so[?]'

Facebook won't be the only company whose apps will trigger this new transparency alert, of course.
All apps that send information Apple defines as providing a way to track a user outside that developer's 'first-party' ecosystem will have to present and honor a similar dialog. For some apps, that might be just the app; for others, the app and servers or other resources organized under an associated domain. For still others, it could be broader and encompass a range of networked hardware and services that still comprise just one company.

In other words, Facebook doesn't need to display such an alert to share tracking identifiers from the Facebook app on an iPhone with the Facebook Web site someone might access from a browser on a Mac. But after passing data to and from the Facebook Web site, the company can't pass any tracking identifiers to other parties. To make its targeted ad approach work, Facebook -- or any company that shares information with data brokers -- would have to display the tracking prompt. (Apps can also share and use certain identifying information to deter or detect fraud and for security purposes.)

But there is a red line: if a company shares information that can track a user outside of stuff it owns or operates on its own behalf, this transparency requirement is triggered. How Apple will enforce that, for companies with expansive services, remains to unfold. Can Facebook track across its Instagram and WhatsApp subsidiaries without an alert?

This tracking prompt will appear the first time you launch an app after Apple enables App Tracking Transparency. If you later change your mind, you can make modifications in Settings > Privacy > Tracking. Apps can explain why the pop-up appears, or they can rely on a generic message. (This approach is very similar to Location privacy settings, which Apple has tightened down over multiple releases of iOS and iPadOS in response to developers and ad networks creating workarounds and exploiting loopholes.)

Notably, apps cannot require you to opt into third-party tracking in order to use the app.
As Apple notes in its developer FAQ: '[Q] Can I gate functionality on agreeing to allow tracking, or incentivize users to agree to allow tracking in the app tracking transparency prompt? [A] No...'

The [24]Electronic Frontier Foundation argues that Facebook's campaign against Apple has nothing to do with users or small businesses. Instead, the EFF suggests, Facebook is attempting to shore up a business model that relies on abusing privacy and to distract from its anti-competitive behavior. But the EFF's primary, seemingly obvious stance resonates even louder:

   We shouldn't allow companies to violate our fundamental human rights, even if it's better for their bottom line.

Blow on that house of cards, Apple, blow.

Apple Isn't in the Business of Treating Its Customers Like the Product

Critics and cynics will note that Apple doesn't have to play nice with advertising networks because only a minuscule portion of its massive revenue stream comes from ads. Such people might suggest that deploying restrictions that could reduce ad revenue to Amazon, Facebook, Google, and even Microsoft, would hamper their efforts to challenge Apple's hardware ecosystem or develop competing apps and services. (You may not think of Microsoft as being focused on advertising, but the company generated a surprising nearly $8 billion in ad revenue in its 2020 fiscal year.)

But it's hard to see Apple needing to resort to using privacy as a weapon to hurt other tech giants. Amazon makes its money selling all kinds of stuff, and even its hardware that does go head-to-head with a few Apple products -- the Echo smart speakers and Fire TV -- are up against the HomePod and Apple TV, which are perhaps Apple's lowest-selling hardware products. Google's Android operating system derives revenue from advertising, and a recent filing from the US Department of Justice [25]states that Google pays Apple $8 to $12 billion a year to be the default search engine on Apple devices.
Microsoft exited the mobile business, and despite the scale of Windows, the company has refocused its efforts into making its apps and services available on every platform, including Apple's. Privacy may be a selling point for Apple, but overall, the company isn't using it as a competitive cudgel against other companies.

Tim Cook's consistent, principled stance in nearly all aspects of user privacy -- including apologizing and making changes when flaws or exceptions are discovered -- can be both sincere and a marketing tactic. But just like, say, [26]Walmart's move towards renewable power and reduced emissions, we can accept the benefit to society while keeping a gimlet eye poised to watch for failures or misleading statements.

In the end, there's nothing wrong with Apple's efforts to reduce the amount of undisclosed, unwanted, and opt-out forms of tracking across the Internet, even if they end up puncturing the cash balloons of parasitic data brokers, intermediaries, and ad tech firms.

References

Visible links
   1. https://developer.apple.com/app-store/app-privacy-details/
   2. https://www.invoca.com/blog/what-is-idfa-and-why-apple-killed-it-everything-marketers-need-to-know
   3. https://www.niemanlab.org/2020/05/of-the-money-advertisers-spend-on-digital-ads-half-of-it-vanishes-before-reaching-publishers/
   4. https://www.newsmediaalliance.org/google-ad-revenue-op-ed-70-percent/
   5. https://www.nytimes.com/2017/03/29/business/chase-ads-youtube-fake-news-offensive-videos.html
   6. https://www.marketingtodaypodcast.com/194-historic-ad-fraud-at-uber-with-kevin-frisch/
   7. https://webcache.googleusercontent.com/search?q=cache:_knvC46FcGcJ:https://www.adweek.com/brand-marketing/when-procter-gamble-cut-200-million-in-digital-ad-spend-its-marketing-became-10-more-effective/+&cd=1&hl=en&ct=clnk&gl=us&client=safari
   8. https://freakonomics.com/podcast/advertising-part-2/
   9. https://gdpr.eu/what-is-gdpr/
  10. https://oag.ca.gov/privacy/ccpa
  11. https://developer.apple.com/app-store/app-privacy-details/
  12. https://www.pcalc.com/
  13. https://youtu.be/TueQEuQQgsE
  14. https://www.takecontrolbooks.com/ios-ipados-privacy-security/
  15. https://apps.apple.com/us/app/pages/id361309726
  16. https://developer.apple.com/app-store/user-privacy-and-data-use/
  17. https://www.theverge.com/2020/12/16/22178068/facebook-apple-newspaper-ads-ios-privacy-changes
  18. https://www.facebook.com/business/apple-ios-14-speak-up-for-small-business
  19. https://twitter.com/tim_cook/status/1339720611313065984?s=20
  20. https://tidbits.com/2020/12/17/app-store-wars-facebook-vs-apple-publishers-vs-apple-apple-vs-brave/
  21. https://t.co/UnnAONZ61I
  22. https://twitter.com/tim_cook/status/1339720611313065984?ref_src=twsrc%5Etfw
  23. https://www.buzzfeednews.com/article/craigsilverman/facebook-apple-fight-self-serving
  24. https://www.eff.org/deeplinks/2020/12/facebooks-laughable-campaign-against-apple-really-against-users-and-small
  25. https://www.cnbc.com/2020/10/28/apple-steps-up-effort-to-build-google-search-alternative.html
  26. https://corporate.walmart.com/newsroom/2019/05/08/walmart-on-track-to-reduce-1-billion-metric-tons-of-emissions-from-global-supply-chains-by-2030

Hidden links:
  27. https://tidbits.com/wp/../uploads/2021/01/PCalc-vs-Facebook.jpg