Apple called its App Tracking Transparency framework one of the most impactful moves towards creating a more private ecosystem, but recent independent research shows that it is not really effective against third-party trackers and doesn’t block the transfer of personal or device data either. The core premise of the ATT framework was to offer users more transparency about their data, such as which apps collect information, what data they extract, and how it is shared. More importantly, each app was mandated to ask users explicitly about tracking via a pop-up notification.
Of course, the likes of Facebook, whose coffers are generously filled by its massive advertising business, wasn’t too happy about the change and resorted to an industry-wide lobbying campaign. However, Apple remained adamant that it wants to give users a choice whether they want an app to show them personalized ads by tracking their activity across the web and apps. Following a fierce backlash and claims of Apple not implementing the rules on its own apps, the company temporarily delayed the ATT implementation for months and eventually enabled it with the iOS 14.5 release. However, the whole system might not be as effective as Apple claims.
In a study conducted by Lockdown Privacy — whose members are said to be ex-Apple engineers — App Tracking Transparency didn’t create any difference when it comes to disabling third-party trackers associated with an app and is minimally effective at blocking connection requests. As part of the research, the team selected ten top ranked apps on the App Store and monitored third-party tracking for each one under two scenarios — ATT enabled and ATT disabled. Apps like Grubhub, DoorDash and Peacock TV were found to have roughly the same number of active third-party trackers even when users enabled ATT. Another study earlier this year in June also arrived at a similar conclusion about the inefficacy of the ATT system.
The Yelp app was found to have allowed at least six active trackers even with ATT enabled using the “Ask App Not To Track” prompt. Interestingly, the same six trackers were observed when ATT was disabled. Likewise, 39 tracking attempts were recorded, which is only marginally lower than the 42 attempts when ATT was disabled. Lockdown Privacy concluded that enabling or disabling ATT didn’t make any difference for the 50 trackers they observed while running the selected pool of apps. When it came to tracking attempts, enabling ATT only reduced the number by a mere 13-percent.
In terms of the kind of data that the apps were able to share with third parties, everything from time zone, carrier name, iOS version, and iPhone model to more sensitive details such as the user’s first and last name, location with exact latitude and longitude, free storage on device, battery and volume levels, as well as accessibility setting details were included. Lockdown Privacy mentions that in all test scenarios, the IP address of users was exposed as well. Contrary to what Apple claims, there was no automatic blocking of tracking requests either. Even if users denied an app’s request for tracking their activity, a majority of the test apps did not seem to honor that choice at all.
The study is a sign that Apple may need to implement a more stringent vetting process to ensure that apps do not avoid the ATT norms and violate user privacy despite an explicit denial for tracking. If it continues the same way, Apple might not be too far from another lawsuit over privacy concerns, misleading advertising, and/or more regulatory scrutiny.