Checklist 281: ATT and Privacy Labels with Anastasia Shuba
On this week’s Checklist, we talk with security researcher Anastasia Shuba about App Tracking Transparency and App Store Privacy Labels.
ATT and Privacy Labels revisited
Anastasia Shuba is an independent security researcher and Senior Privacy Engineer at DuckDuckGo. Shuba holds a PhD in computer science and is co-author of a recently published academic paper entitled “Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels.” Written in collaboration with researchers at the University of Oxford, the paper examines the effect of Apple’s App Tracking Transparency and App Store Privacy Labels on user privacy and control.
For those who need a quick refresher, App Tracking Transparency (ATT) is an Apple privacy feature first rolled out in iOS 14. ATT lets iPhone users opt out of tracking. When you launch an app, iOS asks if you want to allow the app to track you. If you say no, that app can no longer access your device’s advertising ID. Privacy Labels let app developers share information about the user data they’re collecting and how it’s being used.
Evaluating ATT
The paper released by Shuba and the Oxford researchers casts doubt on whether or not Apple’s privacy features deliver on all their promises. This raises questions about whether the features are helpful—or if they’re lulling users into a false sense of security.
Shuba, however, believes that ATT is a good thing on the whole:
It’s a great first step. It’s much harder for apps to track users now. They can’t just use the ad ID any way they want anymore.
However, she cautions that isn’t the end of the story:
It’s sort of a double-edged sword, because some apps, as we’ve seen in our research, come up with these intricate ways to track users anyway. For example, they use highly customized TLS libraries that encrypt their communications, which means we no longer have visibility into what they’re doing. Some apps also track users with fingerprinting-derived identifiers, bypassing the ad ID—which they’re not supposed to do, according to Apple’s policies, but which they still do anyway.
A privacy arms race?
It’s not surprising that developers have found ways around Apple’s privacy features. In a sense, Shuba says, this is just an extension of the “privacy arms race” we’ve seen in other areas:
Look at ad blocking extensions, for example. They came out and started blocking ads (which is a privacy issue, since the way you get ads is from personalized trackers). But then advertisers created anti-ad blockers, where the page won’t load and tells you to disable your ad blocker if you want to view it. And then the ad blockers came out with anti-anti-ad blockers to circumvent the anti-ad blockers! So there has always been this kind of privacy arms race. App Tracking transparency is just one part of a larger phenomenon.
In short, Apple may find ways to block the workarounds used by developers today: things like cohort tracking and fingerprinting. But advertisers and developers will likely come up with further workarounds in the future. The fight for user privacy, then, will be a long-term battle.
Can you trust the Privacy Nutrition Labels?
Given that developers find ways to circumvent ATT and collect user data anyway, you may be wondering how reliable Privacy Labels are. After all, they’re self-reported, which means they basically work on an honor system.
But Shuba says that Privacy Labels, like ATT, are a step in the right direction. They offer some information for users to base their privacy decisions on. In addition, Apple and third-party researchers can audit Privacy Labels to help “keep them honest.”
In some cases, Shuba says, Privacy Label inaccuracies aren’t the result of malice on the part of developers, but a simple lack of due diligence:
Developers sometimes use third-party libraries in their code without reading the libraries’ privacy policies. So maybe their own app really isn’t collecting a certain type of user data…but a library they’ve used is. In their own Privacy Label, they don’t disclose the data that the library is collecting — but only because they’re not aware of it!
All things considered, says Shuba, Privacy Labels are a net good:
Again, they make it easier for researchers to perform audits—and compared to full privacy policies, they’re much more digestible for end users.
Suggestions for App Privacy
If Shuba’s research contains a takeaway for everyday users, it’s this: Tools like App Tracking Transparency and Privacy Labels are a great start—but individuals still need to be proactive about their privacy.
To that end, Shuba offers a few basic suggestions for privacy-conscious users:
- Be careful about the apps you install on your device. In general, minimize what you have on your phone. If possible, keep it to “the essentials” only.
- If you enjoy data-hungry apps like mobile games, consider buying a separate device for those apps only, and keeping your personal apps (things like email and so forth) on your primary device.
- Always read the Privacy Labels before installing an app. If you’re concerned about the developer, skim their full privacy policy for keywords like “advertising,” “personalized,” “collection,” “sharing,” and so on. If you see something that worries you, reconsider installing the app.
- Use privacy-enhancing technologies such as DuckDuckGo’s private browsing app or Brave browser. For extra privacy, consider using VPN tools as well.
