There was no mention of fingerprinting (or any allusions to a forthcoming crackdown on the practice) during the kickoff keynote at Apple’s Worldwide Developers Conference on Monday, as many expected – but that doesn’t mean enforcement isn’t coming at some point soon … ish.
Apple has already been crystal clear that, without a user’s permission through ATT, device fingerprinting on iOS is as kosher as pig feet in matzah ball soup.
Although that hasn’t stopped companies from engaging in fingerprinting like it’s going out of style (which it is). And that begs the question: Why hasn’t Apple clamped down yet?
One reason is because enforcement is tricky.
Sticky fingers
As Eric Seufert has pointed out, ad tech and measurement companies fingerprint users and devices based on data collected through their SDKs, which developers integrate directly into their apps.
This means policing fingerprinting could result in serious collateral damage. Apple would have to reject updates from any app partnered with an SDK deemed to be in violation of the policies. (When Apple started rejecting apps with Adjust’s SDK last year for alleged fingerprinting, the result was a confusing mess, to say the least.)
And so the quandary remains: Apple is categorically anti-fingerprinting and yet doesn’t have an elegant enforcement method to actually prevent the practice.
Maybe Google has the answer. There’s nothing stopping Apple from devising (and/or cribbing) a technical solution for an upcoming version of iOS inspired by the SDK Runtime in Google’s Android Privacy Sandbox. This feature could allow third-party SDKs to run in a separate environment, making it impossible for one to access and share data without permission.
A solution like SDK Runtime, which is set for release as part of Android 13, would allow apps to release updates even if their SDK partners are having privacy problems.
It’s a marathon not a (Private) Relay race
On reflection, it’s hardly surprising that Apple didn’t dwell on third-party data collection and ad tracking at WWDC this year.
At this point, there’s no doubt as to where the company stands, and it wouldn’t be out of character for Apple to begin fingerprinting enforcement at any time. The company doesn’t need a WWDC announcement.
Still, for the past two years, Apple has trained the mobile ad tech community to a Pavlovian response every time Craig Federighi, SVP of software engineering, looks the camera dead in the eye at WWDC and utters the words “Let’s talk about privacy.”
In 2020, those words were a prelude to the AppTrackingTransparency framework and Apple’s announcement that developers would be required to ask for explicit permission before using the IDFA for tracking and ad targeting starting with iOS 14.
The following year, in 2021, Apple announced Private Relay, a beta feature in iOS 15 that masks the IP address of any iCloud+ customers using Safari as their browser. An IP address is one of the main ingredients used to create a device fingerprint.
It’s unclear whether Apple plans to turn on Private Relay by default in iOS 16, as some have predicted. For now, the feature remains disabled by default and available only to people who pay for Apple’s upgraded iCloud subscription service.
In other news, the lack of privacy-related bombshells at WWDC may have been a minor boost to some tech stocks that are still reeling from Apple’s past privacy changes. Meta, Snap and Pinterest were all up a smidge Monday afternoon during and following Apple’s presentation.
