Transparency Matters, a group of ex-Apple engineers have disclosed that iPhone apps are still tracking user data, whether or not the user allows tracking. They tested ten of the most popular apps in the Apple app store to see if the ATT featured released in iOS 14.5 worked.
In a report published Wednesday, the group disclosed that the App Tracking Transparency or ATT feature practically made no difference in the total number of third-party trackers and had minimal impact on third-party tracking connection attempts.
The group further confirmed that detailed personal or device data was being sent to trackers in all cases, regardless of ATT being implemented. The apps were sending back data even after users had explicitly asked not to be tracked.
An apple a day keeps privacy away?
Apple tried to paint itself as a privacy-concerned brand over the years. With the release of ATT, Apple seemed to have taken a big and serious step towards user privacy; however, all of that seems to be a sham.
Essentially, ATT claims to give users a choice whether or not they want to be tracked by disabling (or allowing) third-party trackers. With every app you install, you’re bound to run into an ATT pop up asking if you want to “Ask App Not to Track” or “Allow” it to run trackers.
To test ATT’s effectiveness, the group used the top ten ranked apps on Apple’s app store, most of which were suggested by Apple’s app store editors themselves. They used Lockdown Privacy v1.2.4, an open-source privacy software developed by the group themselves, to detect and block any third-party trackers as well as manual testing to uncover the content being sent.
Initially, the tests were run on an iPhone XR running iOS 14.8, but the results were identical even after an update to iOS 15, including tracking data, number of trackers and ATT’s behaviour.
Each app was tested twice, once with ATT’s “Ask App Not to Track” and once with “Allow” options. Each test was run with clean signup and with basic usage of the app for no longer than two minutes, the tracking activity for which was recorded in Lockdown Privacy.
How did Apple get away with this?
The reason Apple was able to get away with ATT failing miserably lies in the company’s definition of the term tracking, which according to the researchers at Lockdown Privacy, is too “narrow”.
“Apple has hijacked the term “tracking” to define it as something highly specific, and they’ve even placed their full definition of it in the developer documentation, which of course no average iOS user will ever read,” stated the report.
According to Apple, an act of “tracking” must meet three conditions.
- It must link user data from one app (or website) to another.
- It must do this specifically for the purposes of targeted advertising or advertising measurement.
- Apple maintains a list of co-called acceptable tracking behaviours from which any tracking behaviour is exempt.
With that narrow definition, it’s easy to see how these apps are still able to ransack users for data and get away with it with no problems at all. The scope here is too narrow, not to mention it has way too many caveats, buried in developer documentation being one of them.
Finally, this definition also relies heavily on trusting the tracking companies Apple’s policies are supposed to be defending users against. Lastly, the whole thing incentivises less transparency, putting privacy at risk.