How Apple’s Private Relay could be the beginning of the end for fingerprinting on iOS devices


It’s been three months since Apple’s privacy safeguard arrived and ad execs are still trying to make sense of the company’s stance on tracking — or lack of one. Specifically, when it comes to fingerprinting, the much-maligned tracking technique Apple aimed the safeguard at. 

As it stands, there are still instances of companies gathering data points from a person’s device so they can be tracked across apps and sites even when they have declined to be tracked. Recent reports from Digiday and the Financial Times attest to this.

And herein lies the rub for ad execs. Apple has told them fingerprinting is off-limits but doesn’t seem to be aggressively enforcing this policy. Few execs, however, believe this perceived inaction will last. Eventually, goes the thinking, Apple won’t need to enforce a policy like ATT to rid its mobile operating system of fingerprinting — it will have the technology to block it from ever happening in the first place. The reason: Private Relay. 

Private Relay renders a person’s IP address useless for fingerprinting because it redirects web traffic through two separate servers. Granted, an IP address is just one of many aspects that make a fingerprint of someone’s behavior on a device — but it’s an important one.

“We view this [Private Relay] as a precursor to Apple using welcome technical solutions to break fingerprinting,” said Shumel Lais, CEO of mobile advertising intelligence business Appsumer.

That said, the current version of Private Relay won’t be much of a deterrent against fingerprinting. It only obfuscates traffic coming from the web and a tiny amount of app traffic (specifically encrypted HTTP app traffic). But app traffic is where fingerprinting is rife.

There are other loopholes in Private Relay that could be exploited. For instance, Private Relay restricts traffic apps send over an insecure web connection (HTTP). So apps that use an IP address for fingerprinting could theoretically work around this by using a secure web connection or some other transport protocol. This may lead to a “cat and mouse game” between Apple, ad tech vendors with fingerprinting solutions, and the apps integrating them, said Aaron McKee, chief technology officer at mobile ad tech vendor Blis.

Private Relay is also only available to customers paying for Apple’s upcoming iCloud+ service. Although it will undoubtedly cover a large number of iOS users when it launches later this year, it won’t be all of them. Of course, this could change over time, in the same way the breadth of traffic obfuscated could be broadened. As Lais explained: “Overall, we’d view it [Private Relay] as them [Apple] testing the technical solutions on smaller subsets of users before rolling them to a wider audience.”

In a sense, Private Relay is poised to be the pebble in the pond that creates the ripple that turns into the third wave of privacy change around identifiers. This comes after the industry was hit by the first wave of device IDs, followed by cookies.

Regardless of how Private Relay will evolve, it will do so in slow motion.

“Apple needs to be careful when it uses its market position in a way that could be interpreted as either anti-competitive or too dictatorial,” said Nii Ahene, chief strategy officer at digital agency Tinuiti. “This is why there’s a gradual rollout of Apple’s privacy plan. The company communicates what it will do early, starts to have conversations behind the scenes, and then over some time the enforcement of the ATT policy starts to kick in.”

Some execs believe this enforcement could kick in soon. After all, Private Relay is the easy answer to the fingerprinting question in the future — not now.

Indeed, there are apps in the iOS App Store that use measurement and attribution tools to circumvent Apple’s guidance around tracking to varying degrees. This flies in the face of Apple’s marketing, which prides itself on giving customers choice over the companies they do and don’t want to be tracked by. Apple will only tolerate companies who flout its rules for so long before it reacts with force.

Otherwise, its customers could start to feel like their choices not to be tracked are meaningless when they click on an ATT prompt in their favorite app. That makes it hard to discount the possibility that Apple enforces its policies in a non-technical way, via App Store approvals and notices of non-compliance with Apple App Store rules, even before the next major update to its operating system.

“If I were the marketing lead for one of those companies using another measurement tool that is not complying, I would be concerned about the board-level discussion that happens when my company gets a notice of removal of my apps because I looked the other way despite Apple’s year-long guidance,” said Charles Manning, CEO of mobile attribution analytics firm Kochava.
