Is Privacy Really iPhone? Researchers Weigh in on Apple’s Targeted Ad Tracking | Threatpost

Apple has a consistent track record of implementing privacy controls, which it has been touting via a series of saturating “Privacy? That’s iPhone” television ads.

Yet, though it may be deservedly capitalizing on the increasing privacy-consciousness of consumers out there (and the negative headlines that its Silicon Valley brethren, like Facebook, have been racking up), the giant from Cupertino still has a big problem, as far as fell tech giant Mozilla is concerned.

Earlier this month, Mozilla launched a petition asking the iPhone-maker to change the way it handles “identifiers for advertisers,” or IDFAs.

These are unique IDs that come with every phone, and they let advertisers track how users of that piece of hardware move around the web and various apps. The idea is to enable targeted, relevant advertising – but as ever, there’s a down side. These IDs are meant to be anonymized, and not linked to any personal information. However, they are in fact linked to the phone itself, which still makes it possible to build a potentially intrusive profile of the consumer using that device, even if the person’s name and other personal information is not associated to it.

“It’s like a salesperson following you from store to store while you shop, and recording each thing you look at,” Mozilla’s Ashley Boyd said in a recent blog post. She added, “We’re asking Apple to change the unique IDs for each iPhone every month You would still get relevant ads — but it would be harder for companies to build a profile about you over time.”

Threatpost asked security researchers what they thought about how Apple handles IDFAs and whether its claims of being a pro-privacy defender are accurate – and the results were a mixed bag.

John Zelonis, senior analyst at Forrester Research, told Threatpost that changing IDFAs on a monthly basis won’t cut it when it comes to preventing advertisers off from tracking phone activity in an invasive way.

“Rolling the IDFA on a monthly basis would only be an effective anonymizer if the app owners weren’t able to track a user across those newly generated IDFAs using login sessions or other methods of associating a user to an IDFA,” he explained. “The impact of making this change would likely only increase the value of the data collected by apps that are finding ways to track across IDFA, not necessarily solve the problem at hand. We need strong and informed consent.”

He also pointed out that though it’s possible to turn off IDFAs, they’re enabled by default and people aren’t typically aware they exist, which is a problem in and of itself.

“While I had already turned on ‘Limit Ad Tracking,’ I was not personally aware of the second option in another part of the menu to disable ‘Location-Based Apple Ads,’” he said. “I frankly view this as a dark pattern that they have opt-outs for ads in parts of the interface that aren’t in the Privacy/Advertisements submenu. True consent should be opt-in.”

On the other end of the spectrum from Zelonis, Corneliu Balaban, manager of mobile endpoint protection at Avira, disagrees with the notion that Apple needs to make any changes at all.

“Apple’s current way of handling the IDFA is the correct one,” he told Threatpost. “Even if you are building user profiles, you are building them for your application and to determine how to target the users for your app. Moreover, this is an anonymous ID which cannot be bound to the person. If an app developer wouldn’t use the IDFA it would still have the possibility to record some unique ID in the keychain (which doesn’t get reset unless the user resets it) and would still be able to profile that person based on that ID.”

Some agreed that the suggested changes would be a good thing – but to be careful not to overstate the impact.

“I do believe that doing what Mozilla suggests, or simply turning on the Limit Ad Tracking setting by default, would raise the privacy bar even further,” said Thomas Reed, director of Mac & Mobile at Malwarebytes. “However, this would be a rather small incremental improvement in comparison to the changes other companies would need to make to become privacy-centric. If the gulf between Apple and a company like Facebook is like the Grand Canyon, the improvement Apple could make by taking Mozilla’s suggestion is like jumping over a pothole.”

Reed’s point about the gulf between Apple and other companies was a theme that other researchers also picked up on.

“IDFA does not identify the device or user, and was a replacement for the much less secure UDID,” explained Chris Morales, head of security analytics at Vectra. “The fact IDFA can be turned off means the user has control. The fact is, users are being tracked for advertising purposes everywhere on the internet, from search engines to social media to devices. While there is a bigger privacy debate going on here, I do think Apple of all companies has been the least-worst offender.”

Others echoed that “better than the rest” sentiment. “Looking at the competitor OS – Android, iOS is still further ahead on the privacy topics by not allowing apps to run things in the background without some very specific entitlements or in some cases not at all,” Avira’s Balaban said.

Malwarebytes’ Reed also took the opportunity to favorably compare iPhone to the Android ecosystem.

“The iPhone – and all of Apple’s services that go along with it – is hands-down more privacy-conscious than the competition,” he said. “There’s no question in my mind on that. Apple has stood its ground against the FBI over the security of a terrorist’s phone, and has made it a priority to create architectures that prevent data from being associated with people. Refer, for example, to the changes Apple has made to data from Apple maps in iOS 12, allowing them to use customer data to show things like traffic problems without actually knowing anything about where you’re going or where you’ve been. The question I believe Mozilla is posing is: has Apple gone far enough?”

Google Android declined to comment for this article.

The television campaign culminates with tagline, “if privacy matters in your life, it should matter to the phone your life is on.” As for whether Apple can legitimately claim iPhone to be the privacy phone, reactions were positive.

Lastline’s co-founder and chief architect Engin Kirda noted, “Lately, Apple has indeed started to use privacy as a key feature of its products. One question, of course, is how convincing this argument is. Apple-supporters often bring the argument that Apple is in the hardware business (i.e., it sells computer hardware rather than mine user data). I personally believe that this is a valid claim.”

And Tim Erlin, vice president of product management and strategy at Tripwire, said that he welcomed the issue being taken up in a nationwide advertising initiative, because it helps with awareness.

“On some level, I’m happy any time that privacy and security are marketed as differentiators,” he said. “It’s positive visibility, which is a good contrast to the ‘doom-and-gloom’ of security incidents and malware. The best-case scenario is that this advertising campaign pushes other vendors to step up their privacy and security capabilities, both in marketing and in reality.”

He added that the campaign also helps consumers to understand that privacy and security, while related, are not the same thing.

“If Apple gives their partners authorized access to your data, that’s not insecure, but it’s clearly concerning for your privacy,” he said. “If you grant an app permission to read all your contacts, that’s not a security issue. Privacy is more intertwined with user consent and explicit actions.”

Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.