App developers are exploring surreptitious new forms of user tracking to evade Apple’s new privacy rules, which threaten to upend the mobile advertising industry in the coming months.
Early in 2021, an iPhone update will prevent apps from using advertising identifiers known as IDFA without obtaining each user’s explicit consent for targeting. Developers expect more than two-thirds of users will block tracking when they see a popup appear within their apps.
Some app makers say they plan to use invasive tracking techniques such as “device fingerprinting” to work around the new restrictions—even though doing so risks getting them thrown off the App Store if they are caught.
“100 percent, everyone will try doing fingerprints, whether Apple enforces their rules or not,” one mobile games developer said.
Privacy campaigners have welcomed Apple’s changes but warn that it is never possible to eliminate tracking entirely.
“There is still going to be tracking,” said Andrés Arrieta, director of consumer privacy engineering at Electronic Frontier Foundation, a campaigner for digital rights. “We will still see apps trying to do nefarious things. No matter what you do, you will have those bad actors.”
Facebook has led criticism of Apple’s change, taking out a series of newspaper advertisements in December that accused Apple of depriving app makers of as much as half of their ad revenues by removing personalization.
Few other developers are willing to pick a public fight with Apple, whose App Store acts as gatekeeper to a $500 billion economy. But privately, the creators of some of the App Store’s most popular apps are fretting, given the importance of advertising as a means of both revenue and distribution.
“The impact is close to impossible to predict,” said the head of one large mobile games developer.
“This is a huge, huge change,” said the chief of another leading mobile games developer. “It’s the biggest risk that we have [as a company]… It could really affect us negatively.”
Developers are concerned that many in the advertising industry are still unaware of the magnitude of the coming changes. “Brands and agencies have no idea—they don’t have a full grasp on where the ecosystem is headed,” said a policy executive at one app maker. “Tech intermediaries are being forced to solve the problem.”
Under such pressure, some developers are, in desperation, considering using new and more invasive forms of tracking, even if users deny their apps permission to use IDFA.
Device fingerprinting can be used to recognize repeat visits from the same smartphone, even across multiple apps. The technique, which is banned by Apple’s App Store rules but can be difficult to detect, works by correlating a combination of a device’s hardware and software characteristics, configurations such as Internet connections, battery or language settings, and patterns of usage.
Another way to track people between apps is if they use the same email address to sign up for various services and games. “Hashed emails,” whereby addresses are turned into a string of letters and numbers, allow companies to share user details without directly handing over an individual’s email address to their partners.
While these techniques might be difficult for Apple to detect, the cost of being caught—and losing access to the world’s most lucrative mobile storefront—could be enormous. “Do you want to play with fire?” one developer asked.