Privacy

Apple Hasn’t Cracked Down On Fingerprinting On IOS 14 Yet, But That Other Shoe Is Gonna Drop

"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today's column is written by Allison Schiff, senior editor at AdExchanger. It's part of a series of perspectives from AdExchanger's editorial team.

Apple hasn’t been transparent about much to do with its new privacy framework for iOS 14, but there is one point upon which it has been abundantly clear: fingerprinting will not fly.

In fact, Apple has been downright blunt.

“As a reminder,” Apple noted in a brief news update about AppTrackingTransparency on its developer site in early April, “collecting device and usage data with the intent of deriving a unique representation of a user, or fingerprinting, continues to be a violation of the Apple Developer Program License Agreement.”

What else is there to say?

Fingerprinting is not allowed under Apple’s policies. This was the case even before iOS 14.5 was released. And apps or SDKs that rely on fingerprinting as a tracking technique run the risk of being rejected from the App Store.

But despite Apple’s public stance on fingerprinting and on ad tracking in general, it’s sown confusion by its inaction.

To date, Apple has barely begun to enforce ATT. As a result, a gray zone has emerged wherein several mobile measurement providers (MMPs) continue to obliquely enable fingerprinting as a backup mechanism when the IDFA isn’t available.

As Digiday recently reported, some MMPs like to call the practice “probabilistic attribution” as opposed to “fingerprinting” because there’s a nuance in the definition. They contend that, while fingerprinting is about creating persistent identifiers, probabilistic attribution uses statistical models to determine if an ad or campaign likely generated an install, and this doesn’t necessarily run afoul of ATT. Or so the argument goes.

In a blog post entitled “Probabilistic Attribution ≠ Fingerprinting,” Vungle described fingerprinting as a type of probabilistic attribution, but notes that probabilistic attribution can include methods other than using signals from a device to identify a specific user or a specific device.

Fair enough. But if semantics is your primary defense against an alleged infraction, then you must enjoy living dangerously.

“But officer, I wasn’t doing fingerprinting, it was just probabilistic attribution!”

And just because Apple hasn’t started enforcing ATT doesn’t mean it’s not going to – and perhaps quite soon.

Apple is hosting its 2021 Worldwide Developers Conference next week, which would be a fitting time to kick off enforcement considering that Apple made its original announcement about ATT at last year’s WWDC.

If we are, indeed, on the cusp of enforcement and the time between Apple’s late April release of iOS 14.5 and now is a grace period before crackdowns begin, it would be a shame if companies had spent this quiescent period twisting themselves in pretzels defending a practice that might soon no longer be viable.

Plus, where does that leave companies that are adhering to the spirit of the law and not just the letter? (Well, the letter as currently interpreted in the absence of an Apple pronouncement on whether it also considers probabilistic attribution to be ≠ fingerprinting.)

If Apple doesn’t sanction companies that fall back on fingerprinting when there’s no explicit IDFA opt-in, then others that voluntarily choose to strictly comply with ATT could be at a competitive disadvantage.

Alex Bauer, head of product marketing at mobile measurement provider Branch put it like so: “Without Apple enforcing a level playing field, compliance would be like opting in to paying extra income tax – there’s no compelling reason for apps to do it voluntarily.”

February 1, 2021
by 
Tom Hawkins

Find something interesting?

 Send us a note.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.