WTF are Apple’s Privacy Manifests

This article is a WTF explainer, in which we break down media and marketing’s most confusing terms. More from the series →

Originally published on June 13, 2023, this article has been updated to include an explainer video.

Apple despises fingerprinting, no doubt about it.

But their plan to stop it has been a bit fuzzy. It’s like a lazy security guard who doesn’t check IDs or stop unwanted visitors. However, things are changing now. Apple has introduced “Privacy Manifests” to give app owners better clarity over what data is being collected from their users and how it’s being used. 

This could have a big impact on fingerprinting. 

But before we unpack all of that, here’s a recap of what it is about fingerprinting that has riled Apple up so much.

WTF is fingerprinting?

When you use their phone (or computer for that matter) it has special characteristics like the software on it, the type of device, even the way the screen looks. These details create a fingerprint that is used to track you as you move around online. Some companies use this fingerprint to learn about you so that they can show you targeted ads. And often they do so without your permission.

Ah, so that’s why Apple isn’t a fan

Correct. Apple isn’t a fan of fingerprinting because it can seriously invade your privacy. The company believes what you do online is your business, and sneaker trackers shouldn’t be allowed to spy on those activities without your permission. That’s why Apple is working to make it simpler for app owners to avoid any slip-ups that could undermine these efforts, whether they’re accidental or intentional. 

Right, so this is where this new thing comes in? 

That’s right, let’s talk about this thing called “Privacy Manifests.” Put simply, these manifests are like standardized files that lay out the privacy practices of an app or an ad tech vendor. 

Think of them as behind-the-scenes summaries. And each summary consists of four parts: first it tells you whether an app or ad tech vendor using an app’s data is doing so for tracking purposes as defined under Apple’s own privacy safeguards: then there’s a list of sites that the app or ad tech vendor connects to that are tracking online behavior: next, there’s a collection of descriptions that specifies the types of data that the app or ad tech vendor collects: lastly, there’s another list of explanations that describe the iOS tools that an app or ad tech vendor can access, but only if they have a specific reason to do so. 

Specific reason?

Yes, because those iOS tools, while valuable for allowing different apps on a device to talk to each other and share information, could also be misused for fingerprinting. In other words, Apple wants app owners and ad tech vendors to explain why they’re using certain features. They’ve even prepared a list ready for them to choose from. Although the list isn’t available yet, Apple has mentioned that many apps likely use one or more of those features. Just a heads up, “selling more ads” probably won’t be a valid reason. Apple has got stricter rules in place for that. But, there will be a feedback form for ad execs to suggest new reasons for using those features. 

Got it. “Privacy Manifests” are like Apple’s version of an ads.txt file?

Sure, this comparison works. Ads.txt files list only authorized ad sellers for an online media owner, whereas a “Privacy Manifest” file lets app owners spill the beans on their data practices. Ultimately, they’re both tools for transparency and control.

So what happens with “Privacy Manifests” now?

Not much will happen until this fall. Apple will check if new or updated apps on the App Store work with ad tech vendors that may pose a privacy risk. If an ad tech vendor lacks app owner support or a “Privacy Manifest” file, Apple will notify the app owner. Additionally, Apple will contact apps that have not provided a reason for using those iOS tools that could be misused for fingerprinting purposes. It’s a grace period. And when it ends in the Spring next year, these checks will be a standard part of the app review process. This means app developers and ad tech vendors will need to address these issues before submitting a new or updated app to the App Store. 

Sounds like the onus is on the app owner to enforce Apple’s crackdown on fingerprinting?

Apple has always held app owners accountable for any actions by their partners that put Apple users’ privacy at risk. The arrival of “Privacy Manifests” just makes it easier for those app owners to be accountable. 

“I think the purpose of it is to give app developers and SDKs end users a better transparency into what data is being collected and why,” said Roy Yanai, vp of product management at mobile analytics provider Appsflyer. “We welcome this change because it really makes a lot of things clearer about fingerprinting and other privacy-related issues that were abstract in Apple’s ecosystem.”

Why was there confusion? I thought Apple was clear that fingerprinting was a bad

Apple arguably wasn’t clear enough on the matter. Sure, they repeatedly emphasized to the ad industry that fingerprinting was a big no-no, but there were always those executives who claimed it was acceptable in certain cases. 

The disconnect between Apple’s statements and the industry’s interpretation created a loophole for fingerprinting to persist. If Apple had taken stronger measures to crack down on fingerprinting, the situation might have been avoided. However, since it didn’t, some app owners and ad tech vendors decided to team up with those companies that engaged in fingerprinting because, let’s face it, they were more interested in making money than following the rules.

So has Apple cleared that up now? 

Potentially. Remember, that part of the manifest file where the author has to list the sites using tracking that an app or ad tech vendor links to? Well, they will need to do so based on Apple’s definition, which is any form of tracking that stitches together information taken from a device to learn about what you do online. In fact, Apple has specifically recommended separating traffic types into different domains, such as tracking.example.com and non-tracking.example.com. This suggestion was flagged by by Alex Bauer, head of product at Branch in a blog post.

Will Privacy Manifest really curb fingerprinting?

Well, it’s a mixed bag. For companies playing by Apple’s rules, Privacy Manifests are a helpful tool. But for the rebels, it’s a reminder of the risk they’re taking. The risk that Apple will eventually shut them down. Enter Private Relay, Apple’s secret weapon against fingerprinting. As it slowly rolls out, Private Relay acts like a bouncer guarding your online activities. By redirecting web traffic through separate servers, it renders your IP address not useful for fingerprinting. While an IP address is just one piece of the puzzle, it’s a crucial one.

So while Privacy Manifests provides some guidance, the real game-changer is Private Relay, silently gearing up to deal a blow to fingerprinting. 

https://digiday.com/?p=507024

More in Marketing

Ad tech’s take: early reactions to Google’s third-party cookie demise

Two months into Google’s grand cookie cleanse in Chrome, ad tech vendors are dishing out their hot takes.

Influencer arena

How Blast is finding esports success through the ‘co-production’ model

Co-production is a key aspect of Blast’s esports strategy because it means both partners are invested in keeping “Rainbow Six” esports healthy in the long run, even if their key performance indicators for the collaboration might be different.

Inside Quaker’s ‘iterative’ approach to make its advertising work globally and locally

To accommodate the global needs of the campaign, Quaker created numerous iterations for Canada and Latin America to reflect the way that consumers in those various local markets use the product.