Apple Stirs Up Mobile Privacy Debate

Cracking down on personalized mobile targeting may lead to more questionable tactics

Apple is apparently cracking down on mobile privacy. But that crackdown may be inadvertently causing a shift in mobile targeting tactics, which may be better or worse for privacy-concerned users and advocates.

Indeed, with privacy in mind, the company is reportedly rejecting applications submitted to its App Store that access UDIDs (unique device identification numbers), which is likely to lead to a rise in alternative mobile tracking methods. The question is, how privacy sensitive are those methods?

Earlier this week, TechCrunch wrote that, as Apple had previously indicated, it was starting to deprecate UDIDs, leaving app developers and advertisers searching for other approaches. In the wake of the news, some have floated the possibility of using a slew of other targeting tactics, such as MAC (Media Access Control) addresses, HTML 5 cookie tracking or open source solutions.

It has also created an opportunity for those in the mobile world who use an alternate, sophisticated means of tracking called device recognition (or what some term "digital fingerprinting") to make bold—and highly debatable—claims of being more pro-privacy, since these methods don't rely on the controversial UDID. However, digital fingerprinting potentially involves the collection of potentially hundreds of other data points flowing off of a mobile device, which could set off just as many or more privacy alarms.

For example, device identification company BlueCava claims that its practice of creating "digital snapshots" of users is both more precise for ad targeting—and more respectful of privacy. According to BlueCava, creating digital snapshots involves capturing basic desktop and mobile device data like browser settings, fonts and time zones, and other hardware-based information, which allows it to uniquely identify devices for targeting online advertising—and combating fraud. (The UDID is one mechanism it uses for identifying devices, but the company said it's not dependent on it.)

If consumers want to opt out of such tracking, BlueCava CEO David Norris said, they can use Do Not Track browser tools or the Digital Advertising Alliance and Network Advertising Initiative's opt-out programs to make the request, and the company will save the instruction on their servers, not as a cookie which can be deleted. Sounds simple, right?

"It's simply a better technology for consumers' privacy because we're able to do everything cookies can do and more to honor and protect the privacy choices the consumer makes," he said. 

AdTruth, the digital media division of fraud prevention firm 41st Parameter, also uses non-UDID information to identify a wide range of devices for cookieless ad targeting.

James Lamberti, general manager for AdTruth, declined to elaborate on the specific data points the company uses but emphasized that it's nonpersonally identifiable information, including data captured from a technique called time differential linking. The process records the time stamp—down to the millisecond—of the processor on a phone or desktop and compares it to the server time, and uses that subtle difference between phones to help identify them, he said.

But while some have called their technique digital fingerprinting, Lamberti said that's an inaccurate description because their approach is "neither permanent, which cookies and UDIDs are, and it's not unique."

As AdTruth's system assigns each mobile device a unique internal ID number, it also includes a metric for advertisers indicating the probability that they're reaching the right audiences. As more time passes, the probability drops (reflecting changes people make to their device settings, app selections, etc.), until it falls below a predetermined benchmark, which triggers a reset and the assignment of a new device ID.

Even if the probability doesn't fall below a benchmark, he continued, the system automatically rescans the devices every 60 days and issues new device IDs.

"Inherently, and by design, [there] is a layer of privacy protection," Lamberti said, adding that the company also supports Do Not Track browser tools.

Both AdTruth and BlueCava acknowledged that the current framework around mobile privacy is insufficient because the app-centric environment common to smartphones doesn't provide consumers an easy and effective way of learning that they are being tracked and choosing to opt out. And both companies said the industry needs better privacy solutions for mobile platforms. AdTruth also said it's working with privacy firm Truste to create a Do Not Track-style mechanism for mobile.

But some privacy advocates say device recognition technology could present the next privacy minefield. After all, how many consumers are going to feel safer about mobile ad targeting when and if they learn their devices are being scanned, and their mobile activities are being time stamped and tracked continuously?

"The issue with these services is the lack of transparency to the end user that information is being collected. Privacy-conscious users today can look into their browser cookies and have a good understanding about what's being collected and control it," said Jim Brock, founder of "With device fingerprinting, they don't have visibility or verifiable control over that tracking."

Even assuming that the industry is able to devise an effective program that gives consumers notifications and choice around this kind of mobile tracking, he said, there will be discomfort around the collection of immutable characteristics about the user.

"I can clear my cookies," he said. "I can't clear a hundred data points."

Aside from that, he said, the level of obfuscation around how these companies operate doesn't inspire confidence from brands or consumers. (Potentially indicating caution around the industry, AdTruth declined to name clients for Adweek, saying that they weren't ready to be publicly announced.)

"When these companies step up and retain independent, competent technical firms to audit them on the back end, that's when we'll start to be able to talk about them as mainstream," said Brock. "Until then, they're going to be fringe."

Justin Brookman, director of the Center for Democracy and Technology's Project on Consumer Privacy, said he expects device fingerprinting to become an increasing area of interest for Web and mobile tracking. But while he's pleased that the companies providing it have stepped up to support Do Not Track, they still raise privacy questions.

"My concern about it is that they have to collect even more information about you to create a viable fingerprint," he said. Even if that information is so-called "nonpersonally identifiable," he continued, it still uniquely ties an individual to a device. Pointing to the Federal Trade Commission's report on consumer privacy issued earlier this week, he said the term PII (personally identifiable information) is "going out of fashion" as the line between what's personally identifiable and what isn't erodes.

Whether they pass muster with privacy advocates and regulators remains to be seen, but expanded industry-backed privacy initiatives and tools meant to keep pace with mobile tracking could start surfacing in the next few months.

Sara Hudgins, director of public policy and mobile privacy lead at the IAB, said that while the current process of opting out of mobile ad networks via their websites can be "cumbersome," the IAB is in the process of optimizing the Digital Advertising Alliance program for mobile and hopes to make an announcement about it this summer.

And Truste, which has certified some parts of AdTruth's process as being privacy compliant, said it plans to launch a mobile app-optimized privacy tool in the near future.

"There will be [technological] solutions very soon," said Kevin Trilli, vp of product management for Truste. "But it requires the industry to implement and deploy it."