Tim Cook has a reputation for being soft-spoken and a little boring. His Twitter feed is replete with corporate platitudes. But when it comes to user privacy — “one of the top issues of the century” — he gets fired up.
In January the Apple chief executive railed against “data brokers, purveyors of fake news . . . trackers and peddlers of division . . . hucksters just looking to make a quick buck.” Cook said that if “everything in our lives can be aggregated and sold, then we lose so much more than data, we lose the freedom to be human”.
These are fighting words, and the policy to back them up was rolled out this week. In its new operating system update, the $2.2tn tech giant clamped down on how app developers collect data from its 1bn users in order to create personalised ads.
Owners of iPhones the world over are now seeing in-app prompts asking if they are OK being “tracked”. Users that click “Ask App Not to Track” deprive developers from seeing their IDFA — identifier for advertisers — a string of numbers associated with each iPhone that build user profiles as they move from app to app.
The new feature doesn’t actually give consumers a new power they didn’t have before; it merely took an obscure feature deep in the phone’s settings and forced it to centre stage. But this trick from behavioural psychology — opting in to tracking, rather than opting out — is likely to have profound consequences for the future of internet privacy and for many of the world’s tech companies.
When Cook first signalled the move in June 2020, it was immediately understood to be a massive blow to the digital ads industry estimated to be worth almost $400bn a year — bigger than Apple by revenue and dominated by Facebook and Google. Some called it “the IDFA apocalypse”.
Charles Manning, chief executive at Kochava, an adtech group whose clients include Coca-Cola, Nike and the BBC, likens the policy shift to dropping “a bomb in a lake, just to see how many fish fly up”.
Dating app Bumble spoke for many when it projected that between zero and 20 per cent of its users would share their IDFA. It warned investors that “the ability of advertisers to accurately target and measure their advertising campaigns at the user level may become significantly limited”.
Apple’s privacy push has been widely portrayed as a battle with Facebook, poster child for “free” apps monetised by ads. Arguably the better framework is Apple versus Everybody — as every company involved in advertising will be forced to learn the new rules.
Already the opposition has been massive. Germany’s largest media, tech and advertising companies sued Apple on Monday for abuse of power. A month earlier, a lobby group for 2,000 French start-ups filed a complaint alleging “privacy hypocrisy”.
In China, TikTok parent ByteDance and search giant Baidu worked with two Beijing-backed groups to create a substitute iPhone identifier, called CAID, designed to undermine Apple’s policy and keep the lucrative status quo going. According to documents seen by the Financial Times, Tencent went further by creating what one person called “an internal adaptation” to CAID, called QAID, to track its 1.2bn WeChat users.
Snapchat parent Snap explored ways it could surreptitiously identify users based on device and network information. Similarly, adtech groups such as Adjust and AppsFlyer marketed to clients that they conduct “probabilistic matching” techniques with more than 90 per cent accuracy to identify users who declined to be tracked.
Apple appears to have been caught off guard by this backlash. It has had to clarify its FAQ for developers multiple times; issued cease-and-desist letters to Chinese companies trying to use CAID, and rejected multiple apps for running IDFA-workaround schemes. Earlier this month Cook told a New York Times podcast that he was “shocked that there’s been a pushback . . . to this degree”.
But if Apple is relatively isolated in its sweeping policy change, it has one major proponent: consumers.
Apple surmises that millions of iPhone users have little idea just how closely they are being watched. Not even experts have a precise sense of how and where this data gets used.
Apple’s best demonstration of what Cook called “the data industrial complex” is an Apple presentation called “A Day in the Life of Your Data: A Father-Daughter Day at the Playground”.
It’s a parable of how “John” and “Emma” spend a pleasant day in the park, oblivious to how their actions are being monitored. Location trackers embedded in John’s weather, news and maps applications take note as he drives to the playground. When daddy and daughter pose for a selfie enhanced by digital bunny ears, the photo-filter app accesses metadata on all the photos John has ever taken.
When John buys ice cream and visits a toy store, his credit card purchases match his location data and taste for sweets — adding new details to his digital profile. And when Emma plays a game on her dad’s tablet, a scooter ad appears from a split-second auction based on a profile of recent web behaviour.
For consumers, putting a stop to unconsented tracking is laudable. As tech analyst Zach Edwards puts it: “Any business that got wealthy off weak privacy standards will either evolve or die off, and the market won’t miss their exploitative products baked into random mobile games and apps.”
The response from critics is that Apple is deploying scary language about “tracking” and that it fails to inform users why they might want relevant ads. “What people don’t understand is that the alternative is to have a whole bunch of ads served to you about a brand you probably don’t care about for a product that you don’t need,” says Stephen Cavey, co-founder of Ground Labs, which helps companies understand their data.
Some say tracking isn’t nearly as invasive as Apple makes it out to be, as what advertisers need are personas rather than specific individuals. “The advertising industry has never really cared about individuals, so to speak; they buy media in the tens or hundreds of thousands,” says Amy Fox, director of product at Blis. “You’re a statistic — that’s how you become interesting.”
Apple counters, however, that while data such as location information is “claimed to be anonymous”, a whole industry of “obscure third-party data brokers” exist who can match this data with other information and figure out who the individuals are. Such brokers were able to piece together which individuals stormed the US Capitol after hearing former president Donald Trump speak at the National Mall on January 6. Phones were traced to specific homes hundreds of miles away, according to records obtained through an FBI search warrant which was served on Google.
Left unsaid in Apple’s marketing materials is just how profound its self-interest is in this new privacy-centric paradigm.
At present, “84 per cent of apps are free and developers pay nothing to Apple,” the iPhone maker says. But if Apple’s shift results in third-party data becoming less accessible, developers are likely to adapt, charging consumers for in-app purchases and subscriptions — models where Apple typically takes a 15 to 30 per cent commission.
“I don’t believe Apple is doing this for altruistic reasons, definitely not,” says Lesley Hannah, partner at Hausfeld, a law firm. “It’s helpful they’ve got an attractive PR narrative by privacy campaigners, but ultimately that’s not why it’s being done.”
Apple is already expanding its own fledgling ads business. Any iPhone user can turn off these “personalised” ads, but by default they are turned on — an option plenty of critics see as hypocritical.
Apple’s defence is that it tailors ads only from its own user data. This includes “the music, movies, books, TV shows and apps you download, as well as any in-app purchases and subscriptions . . . the stories you read and the publications you follow, subscribe to, or enable notifications from.”
To critics this sounds an awful lot like tracking, but Apple says this data gets aggregated into “segments” and that it does not “share personally identifiable information with third parties”.
Matt Voda, a consumer privacy advocate and chief executive of OptiMine, a marketing analytics platform, says it’s tough to ascertain if Apple is being hypocritical, but on the whole he considers Apple’s push a “revolutionary” move that will force transparency across the digital ads marketplace.
It will take years to understand the reverberations of Apple’s shift. But one consequence so far runs counter to Apple’s messaging.
Jane Horvath, Apple’s privacy chief, argued in January that a problem with the status quo was that “accumulation of large troves of data primarily benefits big businesses with big data sets”.
But Apple’s policy risks entrenching those businesses. Google has such a trove of data on its users that its reaction to Apple’s privacy push has been to shrug.
Its reasoning is simple: losing access to third-party data is damaging, but if all of its rivals lose that access, too, then the company with the most first-party data wins. And that’s Google.
Apple’s policy stops developers from tracking users’ activity in third-party apps; it doesn’t deter companies with multiple apps from collating their activity. So Google could have a big advantage as it continues to build user profiles based on how consumers use Search, Maps, Chrome, Gmail and YouTube.
Facebook has come to the same realisation. When Sheryl Sandberg was asked this week if the iOS changes will shift from a “short-term headwind to potentially a tailwind”, the chief operating officer responded: “You’re exactly right.” She explained that the policy hurts, but versus its competitors Facebook is “relatively better positioned”. Chief executive Mark Zuckerberg said in March that companies may opt to “conduct more commerce” directly on Facebook’s platforms.
The belief that “bigger is better” is already driving consolidation. Glu Mobile, a California maker of games such as Kim Kardashian: Hollywood, realised in July 2020 that it needed to go on an acquisition spree, or be acquired, to “combine scale to address the business model challenges posed by the pending release of an Apple iOS update”, according to details in its most recent annual filing. Within a few months it was acquired by Electronic Arts for $2.1bn.
Christian Selchau-Hansen, chief executive of Formation, a software specialist for personalised marketing, says “gaming M&A has spiked” as companies have realised that advertising across a portfolio of games will deliver “an incredible advantage over someone that has a single gaming app.”
Mobile advertising expert Eric Seufert has explained that the best strategy for navigating Apple’s new policies is to sever one’s dependence on external ad platforms and instead create a “content fortress” — a collection of first-party data supported by proprietary ad tech infrastructure. Leading gaming companies Zynga and Applovin have done exactly that.
Another risk for Apple, which this week announced a 54 per cent rise in first-quarter revenues buoyed by 5G-enabled iPhone sales, is that it may have created an enforcement nightmare for itself, a never-ending cat-and-mouse game as developers try to get around its rules.
In recent weeks, Apple’s sometimes less-than-rigorous approach to keeping the App Store secure has been highlighted by internal material uncovered in an unrelated, ongoing lawsuit.
For instance one of Apple’s top fraud detection engineers has likened the App Store review process to be “more like the pretty lady who greets you with a lei [garland] at the Hawaiian airport than the drug sniffing dog”. And the former head of the App Store review process acknowledged that after one Chinese app was approved that “would randomly go into your contact lists and replace all the phone numbers with 8s”, Beijing had intervened “to criticise us for our review process”.
Apple has already blocked numerous apps from implementing IDFA workarounds, but such apps were writing their violations in “software development kits” visible by Apple. Other documents released in the case suggest Apple has had difficulties in the past detecting “Jekyll” apps — malicious apps that can alter their behaviour after passing through App Review by making changes at the server level.
“The only knowledge they have is what’s going to run on your phone; they have no knowledge of what runs in the cloud,” says Mike Audi, founder of Tiki, which helps users take control of their data.
“But the vast majority of what happens today is in the cloud. That’s where all the data gets sent, that’s where the algorithms run, that’s where IDs are built and shared. And no one has any visibility into that other than the company making it and running it.”
If developers can use these techniques to “fingerprint” a device in violation of Apple’s policies, and keep the ad game going, then Apple’s broad privacy push won’t be a revolution so much as a marketing gimmick. In that scenario, iPhone users won’t get more privacy, just the illusion of it.
But winning, too, could have unforeseen consequences. Apple’s fight to redefine how digital advertising works is so public that some observers worry it could be a magnificent show of force at a time when it’s coming under antitrust scrutiny in both Washington and Brussels.
“If Apple succeeds, this actually shows the extraordinary power they have over their ecosystem and it actually hurts them as it relates to antitrust,” says Mike Fong, chief executive of Privoro, which makes security hardware for smartphones. “You have the biggest companies in the world — Facebook, Tencent, TikTok — plus the biggest government in the world. And Apple literally faces them all down. And wins.”