A unique ID is enabled by default on every iPhone that is available on the market, allowing advertisers to track phone activity across the web.
Apple has a consistent history of applying privacy checks, even with TV ads that use the phrase "Privacy? That's iPhone".
However, although it can duly make use of growing consumer awareness (Facebook, for example, has collapsed), the giant company from Cupertino still has a big problem with technology giant Mozilla.
Earlier this month, Mozilla launched a report asking the iPhone maker to change the way it handles "advertiser IDs" or IDFAs.
These are unique identifiers that accompany each phone and let advertisers keep track of how users of this hardware move across the web and various apps. The idea is to allow targeted, relevant advertising - but as always, there is a downside. These identifiers are described as anonymous and not associated with personal information. However, they are tied to the phone itself, which still makes it possible to build a potentially annoying consumer profile from the use of the device, even if the person's name and other personal information are not associated with it.
"It's like a salesman following you around the store while shopping and recording everything you see," Ashley Boyd of Mozilla said in a recent blog post. He added: "We ask Apple to change the unique IDs for each iPhone every month. You'll still get relevant ads - but it will be harder for companies to create an ad profile over time."
Threatpost asked security researchers to say what they think about how Apple manages IDFAs and whether its claims to be a privacy protector are accurate - and the results were a mixed bag.
John Zelonis, senior analyst at Forrester Research, told Threatpost that changing the IDFA (Identifier for Advertisers) on a monthly basis would not cut it when it comes to preventing advertisers from tracking phone activity in an invasive manner.
"Moving IDFA on a monthly basis would only be effective if application owners were unable to track a user on all newly created IDFAs using login sessions or other methods of logging a user into an IDFA," he explained. "The impact of this change will probably only increase the value of the data collected by applications that find ways to identify IDFA, and not necessarily solve the problem manually. We need strong and informed consent."
He also notes that, although it is possible to disable the IDFA, it is enabled by default and people are usually unaware that it exists, which is a problem in itself.
"While I had already enabled 'Limit Ad Tracking', I didn't personally know about the second option in another part of the menu to disable 'Location-Based Apple Ads'," he said.
At the other end of the spectrum from Zelonis, Corneliu Balaban, director of mobile endpoint protection at Avira, disagreed with the idea that Apple needs to make any changes.
"The current way Apple's IDFA is handled is the right way," he told Threatpost. "Even if you create user profiles, you create them for your application and determine how users are targeted for your application. Moreover, this is an anonymous identifier that cannot be linked to the individual."
Some agreed that the proposed changes would be good - but were careful not to overestimate the impact.
"I think doing what Mozilla recommends or just enabling Limit Ad Tracking by default will further increase the privacy bar," said Thomas Reed, Mac & Mobile's chief executive at Malwarebytes. "However, this would be a rather small improvement over the changes that other companies would have to make to become central in the privacy field. If the gap between Apple and a company like Facebook resembles the Grand Canyon, the improvement Apple could make by taking the Mozilla proposal is like jumping over a puddle."
Better than others
The gap between Apple and other companies was a theme that other researchers picked up on.
"IDFA does not detect the device or the user and was a substitute for the much less secure UDID," explains Chris Morales, head of security analytics at Vectra. "The fact that IDFA can be turned off means that the user has control. The fact is that users are being tracked for advertising purposes everywhere on the Internet, from search engines, social media to devices. I objectively believe that Apple is the one that has created the least problem compared to other companies."
Others echoed this "better than the rest" feeling. "iOS is even ahead on privacy issues because it does not allow apps to run in the background without very specific rights or in some cases at all," said Avira's Balaban.
Malwarebytes' Reed also took the opportunity to compare the iPhone favorably with the Android ecosystem.
"The iPhone - and all the Apple services that come with it - is much better in privacy than competitors," he said. "There is no doubt in my mind about it. Apple found itself opposite the FBI over the safety of a terrorist's phone and has prioritized the creation of architectures that prevent data from being linked to people. Refer, for example, to Apple's changes to data from Apple Maps in iOS 12, allowing them to use customer data to display issues such as traffic problems without knowing anything about where you're going or where you are."
Are Ads Accurate?
The TV campaign had the following motto: "If privacy matters in your life, then it should have equal importance in your online life". As to whether Apple can legitimately claim that the iPhone is the privacy phone, the reactions were positive. Lastline co-founder and chief architect Engin Kirda said: "Recently, Apple has begun to use privacy as a key feature of its products. One question, of course, is how convincing this argument is. Apple's supporters often argue that Apple is in the hardware business (that is, it sells computer hardware rather than user data)."
And Tim Erlin, vice president of product management and strategy at Tripwire, said he was delighted that the issue had become part of a national advertising initiative because it helped raise awareness.
"At some level, I'm happy every time privacy and security are traded as a factor of differentiation," he said. "It's a positive thing, which contradicts the sadness of security and malware incidents. The best case scenario is that this ad campaign pushes other competitors to enhance privacy and security capabilities, both in marketing and in reality."
He added that the campaign also helps consumers understand that privacy and security, while related, are not the same thing.
"If Apple gives its partners authorized access to your data, that's not unsafe, but it's clear that it's about your privacy," he said. "If you grant an application permission to read all your contacts, this is not a security issue. Privacy is more interconnected with user consent and explicit actions."