Even when Apple makes definitive statements, it tends to gloss over the details in communications with developers.
Although masterful at making its public positions very (very) clear – for example, “At Apple, we believe that privacy is a fundamental human right, and protecting people’s privacy is at the center of everything we do” – it’s not always clear what mobile developers in the trenches should do about it.
Fingerprinting is a perfect example.
Apple has stated, and in no uncertain terms, that it wants to kill fingerprinting with fire: But no one knows how and when Apple is going to move from an honor system to actual policy enforcement.
Which is why, until then, you can expect fingerprinting or probabilistic attribution or whatever one wants to call it to continue, even though device fingerprinting for measurement purposes is probably the least future-proofed thing a company can do – other than perhaps basing their product road map on third-party cookies.
The beaten track
It’s not overly surprising that Apple didn’t dwell on or even mention fingerprinting during the keynote presentation at its Worldwide Developers Conference last week.
Although the mobile ad tech industry was on tenterhooks to find out whether Apple would release a technical solution to prohibit fingerprinting (P.S., there isn’t one yet), the WWDC keynote isn’t usually a venue where Apple gets deeply into the weeds. It’s where Apple shares information about consumer-facing updates to the next versions of its operating systems.
But WWDC is a week-long developer conference. The mainstream media and the trade press usually tune out after the keynote on Monday, but Apple posts and hosts sessions throughout the week, diving deeper into the technical details on topics like how to incorporate augmented reality into an app, how to create parametric 3D room scans, the finer points of SKAdNetwork 4.0 and how to use an iPhone as an external camera in macOS apps.
In a session posted last Thursday about the AppTrackingTransparency framework, Julia Hanson, a member of Apple’s privacy engineering team, reviewed examples of what constitutes tracking and talked about when apps need to show an ATT prompt.
Sharing data with third parties and data brokers is always considered tracking, for example, while sharing data between apps owned by the same company is not, although both apps must separately gain permission to use the data for advertising purposes.
Apps are responsible for any third-party code they integrate, including from SDK partners. Oh, and hashing isn’t magic.
“The type of identifier and whether or not it is hashed doesn’t change the fact it is being used for tracking – which is what requires permission,” Hanson said.
Enough with the honor system
These are nuanced points but, still, this is all stuff developers already know, or should know.
But there’s no nuance in Apple’s position on fingerprinting.
For those who still need to hear it, Hanson finished her talk with these words: “With permission, tracking is allowed. But fingerprinting is never allowed. Regardless of whether a user gives your app permission to track, fingerprinting – or using signals from the device to try to identify the device or user – is not allowed per the Apple Developer Program License Agreement.”
But “not allowed” is not the same thing as “restricted.”
Although Apple couldn’t be clearer about its stance on fingerprinting, enforcement is still a question mark – and will remain so until Apple devises a technical solution to quash it.
Until then, finger wagging won’t stop companies from fingerprinting, and the rule keepers will be at a disadvantage to the rule breakers. It’s time for Apple to get cracking so the nice guys don’t finish last.
“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.