> Apple said in response that it “does not access or use the IDFA on a user’s device for any purpose”.
What is it there for then?
If Apple doesn't access the IDFA, but provides the mechanism to do so for others, then clearly Apple is still violating the law.
Apple put the IDFA there. Others accessing it is similar to one website giving you a cookie without consent and other websites looking at that cookie. It's still a violation by the website that gave you the cookie without obtaining your consent.
I think what Apple is saying is that it's not the browser's job to ask consent for storing a cookie or for doing browser fingerprinting but a website's. As much as I dislike IDFA, I think I must agree with their line of reasoning.
Edit: Let me bring an analogy (GDPR applies to physical world too). Most cars have a visible VIN number like a phone has an IMEI (if you replace IDFA with IMEI mentally, which would be much worse if that was exposed to the apps). If you take a photo of the VIN and then track the car using this identifier in some way, you are [potentially] violating GDPR, not the car manufacturer.
However, the car number is mandated for legal reasons that are easy to explain. The user on the other hand gets no benefits, the society gets no benefits, and those who benefit are random people whose motives are unclear.
I find that I benefit greatly from targeted advertising.
A couple of years ago I realized that Spotify's recommendation algorithm provides me with a better selection of music than any other method ever has.
Lately I've found ads targeted using advanced ML implementation have been of great value to me as well.
I don't remember ever purchasing products from direct response marketing before, but this year I've purchased multiple high importance things that I would not otherwise have been even aware of.
Does Spotify base recommendations on the kind of tracking used by targeted advertising? I would think their recommendations are entirely based on the music you've listened to on Spotify, rather than, say, information they've gathered about your demographics, web browsing, purchasing habits, etc.
Personalized recommendations by an app based on your usage of that app are not what people mean by "targeted advertising." The privacy implications are completely different.
I thought so too, but I'm not completely sure since they rolled out the personalised "Time Capsule" playlists. Most of the tracks in mine seem more based on my age and location than my listening history. Particularly, many tracks that were in high rotation on a popular national alt/youth radio station when I was 10–15 with no obvious connection to my current listening habits.
As well, I've found the time capsule playlist absolutely horrendous in all its recommendations. Sure it plays some things from my library but that's what I have my library for. Everything it's suggested has been ridiculous and honestly had me thinking it was just another corporate mandated playlist by committee based more on money for plays than my actual enjoyment of the music provided.
If it was actually of value to you then you would have searched for it yourself. That you needed advertising to find it only shows the toxic effects of advertising (convincing you that you needed a product that you actually didn't, and/or incentivizing the lobotomization of organic search so that you would go based on the ads instead).
“If I had asked people what they wanted, they would have said faster horses.” - Henry Ford.
Several years ago I saw a Facebook ad for an online coaching program for aspiring music producers.
It was exactly what I needed at the time, but I had no idea that someone had put something like this together, and I would never have independently thought of googling this. Instead, I relied on music production tutorials on the one hand, and generic productivity advice on the other hand, and assumed that was the best help available out there.
That is just my anecdote, but I'm sure everyone here has their "how could I possibly live without this before" product or service.
Advertising can be useful, and the more targeted, the less obnoxious.
It seems you're conflating innovation with marketing. It's perfectly legitimate for someone to invent a car. It's not, however, to cold call me or send me car catalogs or show me car ads on the web ad infinitum until I submit and buy one.
I enjoy receiving targeted products or services which I wouldn't have otherwise known about. That isn't toxic; we live in a world with tens of millions of products being offered worldwide. Just because we don't come across them "organically" doesn't make their advertising toxic. I'm still an individual who makes a conscious purchase decision.
>convincing you that you needed a product that you actually didn't
What if it's convincing him that he needs a product that is actually of benefit to him, that he didn't know existed?
I don't want crap pushed on me without consent. Once you have consent, (which is me doing a pull of what you're offering), then it's okay.
I'm surprised with all the controversy over consent in the last year or so that Tech and Ad companies still don't understand this. Then again, the wisdom of Upton Sinclair applies.
--It is difficult to get someone to understand what their paycheck is dependent on them not understanding
You would be hard-pressed to find anyone who disagrees on the issue of consent. The following is what I replied to though, and is unrelated to consent:
>The user on the other hand gets no benefits, the society gets no benefits, and those who benefit are random people whose motives are unclear.
This is blatantly false. In this thread alone there are multiple people who have stated they find benefit through targeted ads.
> I find that I benefit greatly from targeted advertising.
Your only foundation for this reasoning is that you've bought more things. What this definitely says is that the advertising is targeting you successfully, what it does not say is that you benefited from it. You clearly lived before you owned those things, presumably pretty well given your evident spending habits.
In conclusion, when looking at this post we can say just as easily that you were harmed greatly by targeted advertising.
Perhaps they actively subvert the ways in which those bombs are otherwise detected or they start offering blind pickup so everyone has plausible deniability. There are many ways in which a bomb delivery service could be more convenient than the post.
The consent MUST be received before storing cookies. As Apple stores the cookie without consent, they break the law, even if the cookie is never read by anybody without consent.
Is consent required before setting a MAC address on a NIC? I don’t think it’s the NIC manufacturer’s duty to get consent because others fingerprint devices using the MAC address.
I didn't elaborate because there really isn't any more to say about it. If you've read up on how the GDPR works and know what essential means, you will see this person is correct.
For what it's worth, I have been involved with implementing the GDPR properly in a number of reasonably large companies. Sadly a number of people can say this and a vanishingly small amount of companies actually adhere to it properly, so I'd take it with a grain of salt.
They are exempt from consent but not from the law. Also, GDPR is not about things but their processing purposes. If you use my MAC address to address my network traffic, that's a legitimate business need; no consent is needed. If you use the same MAC address to track me, you need consent.
A distinction without a difference as not every interaction involves a browser. It can be used in the same manner as an identifier cookie (it doesn’t carry a payload) for cases that do not involve a browser.
True, but the term ‘magic cookie’ is not the term we use today. If you said magic cookie I’d know you were using the historical term. I’m old enough to remember but most people here are not.
Yes, they will make it opt-in soon. The lawsuit is about the damage caused by it being opt-out until now. So both Apple's promised fix and the lawsuit's core argument appear correct.
Apple clearly agrees that things could be better, which is why they are changing it for the better. However, they can also, without contradiction, argue that they were not acting ILLEGALLY before.
Who knows when they will actually change it. They were going to have the change when iOS 14 released but they paused it when they received pushback from Facebook. Now on iOS 14 you don't have access to the permission setting and you can't reset your IDFA anymore either.
Why? Apple were creating PII. They were not storing or processing it. You can probably break the GDPR by incorrectly handling the IDFA you get from Apple, but that does not mean that Apple are breaking the law.
Reminds me of a quote by Adam Yauch of the Beastie Boys:
"I’d rather be a hypocrite than the same person forever."
The only way to get better is to change the things you did incorrectly in the past.
This doesn't mean it was illegal (or even unethical). Fifteen years ago few people anticipated the privacy implications of smartphones and many people didn't anticipate exactly how much this stuff would be abused. But in order to get better, they need to change their policy.
I don't think I've ever considered MCA a great philosopher, and after reading that self-contradicting quote the outlook for that to change is still murky. Plainly: being a hypocrite is about doing in opposition to what you preach, it's unrelated to changing your mind.
It's strange too that you go back to 2005, what with the iPhone only being out by 2007 and the IDFA launched in 2013. Incidentally, IDFA was created as a way to limit the methods advertisers could use to track users, even as it expanded the pool of users tracked. And in 2013 the idea that digital tracking, as supplied by for example Apple, could be bad was certainly not groundbreaking.
Prior to IDFA, advertisers used other unique on-device information (I believe they had access to the IMEI which was not changeable). With IDFA, users have the option of opting out or at one point resetting the IDFA on the device.
IDFA was fundamentally put in to give users more control. It wasn't really enough, but it was an improvement over what was before it. Now Apple is improving it again by making it opt-in instead of opt-out.
There are third party Ad-Tech companies that will sell IDFA - cookie combinations they have gathered from their "partners".
Think it through: you read this very article, and many cookies on that page you will have consented to will let many ad-tech companies know that you should probably be labeled "privacy conscious". Which, as any good AI will teach them, is closely related to the "extremist left" and "anti fascist" labels. Next, you start Youtube or Insta on your Apple device. Now you suddenly see promoted content from those bubbles because you probably want to click on it.
The difference is that browser cookies are necessary for sessions and persisting state - Facebook exploiting this for nefarious purposes isn't the browser's fault.
IDFA's only purpose is tracking. I can't see any legitimate use for it. In this case Apple intentionally created a feature (which most people aren't even aware of) that only has malicious use-cases.
The IDFA is intentionally limited to prevent many malicious use cases. For instance, each vendor will see a different IDFA for the same device, so you can not collect IDFAs to track users across applications.
It is for tracking, but not all tracking is malicious. It is used for things like attributing an ad impression to an app install, to measure how effective an ad campaign is at getting people to install an app. This information doesn't really tell you anything about individual users, but is still useful when aggregated.
Are you confusing it with the IDFV (identifier for vendor)? As far as I know the IDFA is explicitly shared across apps for ad targeting to work (including most of the examples you mention).
> This information doesn't really tell you anything about individual users
Except when you correlate it with other information that does identify individual users and suddenly you've deanonymized this "anonymous" ID.
Scum like Facebook, Google, data brokers and advertising companies base their entire business on this and that needs to stop.
The point of IDFA is to allow the user to express a system wide preference, and also to allow the identifier to persist across installs.
Although the overwhelming majority of people distrust tracking, a significant minority >20% do not. Every time the discussion comes up here we see people who say they like targeted advertising.
Apple wants to exclude other mechanisms and have an opt-in mechanism to support this 20%. They are one step away from making it opt-in but were delayed by political pressure from Facebook.
If Ad Tracking companies improve their practices, perhaps they can persuade more people to opt-in.
Apple has reached this point by slowly eliminating other sources of fingerprinting from their APIs, and adding rules insisting that IDFA be the only identifier used.
The only issue here is that IDFA is not yet opt-in. Otherwise, Apple is way ahead of the game. All other platforms allow some kind of fingerprinting.
It is shared across web and apps but only for one vendor. So you can track the performance of an ad campaign on getting installs of your app, for instance.
> So you can track the performance of an ad campaign on getting installs of your app, for instance.
So in order for it to work you'd need to also be the developer (vendor) of the initial app which displays the advertisement for your second ad? Otherwise how would it work if let's say your ad is displayed in app from vendor A (and they get their own IDFA), now when your (vendor B) app is installed you see a different IDFA. How would you associate the two?
That's just not the same.
A website is asking the browser to put a cookie. So the browser is just a channel.
If I understand correctly, the IDFA is an identifier created by Apple, which they let third parties access. The phone is not a channel, it is the creator of the ID, so your analogy doesn't hold.
And come on, the name of this is proof enough that the only use for this ID is tracking users.
Cookies are used to store anything, not necessarily specific for tracking.
Oh wow, it's the same guy who won in court against Facebook. I can understand why Apple feels the need to quickly shoot back.
He's pursuing Apple under German law, and Apple's statement was that they fully follow EU law. So they may both be right at the same time.
In detail, Apple is creating a device-unique ID for advertisement tracking and access to that will be user-controlled in iOS 14. And Schrems is filing because it is exposed to advertisers without the user's consent in iOS 13 and earlier.
Edit: NOYB (the NGO, "None Of Your Business") is probably one of the more cost-effective ways of supporting a fight for real privacy over corporate interest. Just in case people here are wondering where to put their holiday season donations...
I interpreted the statement as if something is invisible to the user (without knowing to look for it), the (average) user has not had a hand in it, and are thus not controlling it.
GDPR isn't interested in control, it's interested in informed consent. You can't give informed consent if you were never asked for consent in the first place.
Maybe one day we can get a law like this around opt-out autoupdates that hands control of your device over to a remote party that can execute arbitrary code on it without your involvement.
This is becoming the norm even in security/cryptography software like iOS and Signal and it’s terrifying.
It's true though that you need explicit consent for sending PII under GDPR. Whether IDFA is considered PII (I think there are strong hints it is) is up to the jury. More surprising is that Apple is hellbent to defend this when they've only their pro-privacy stance to lose.
This is absolutely not in any way a true statement. The GDPR applies to very specific things, and I don't think you could find a reading of it where it applied to maintaining the IDFA on a phone.
The situation is slightly confusing: The change to IDFA handling was meant to roll out as part of the iOS 14 update. However, the change was delayed, but the rest of iOS 14 was not.
As my fellow responder indicated, iOS14 was indeed released in September and I came here to comment on this extremely odd and incorrect statement myself. As the OP states, Apple merely postponed the IDFA functionality.
I cannot prove it, but this whole piece reeks of being algorithmically generated, and I do believe that this factual error is proof of that. Any human journalist operating in the field of technology would be well aware that iOS14 has already been released and would have phrased accordingly; I think that what we’re seeing here is some algorithmic synthesis of background facts (one of which was apparently source of confusion, because of references to iOS14 and postponement, not of the whole OS but of a relevant portion thereof).
In this article, I see nothing that indicates hitting.
They don’t even say the complaint is completely unjustified, just that it is inaccurate. That already is the case if only a small detail (for example if it says Apple uses the identifier, while they don’t) in the complaint is incorrect. It doesn’t make the entire complaint invalid, though.
“3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller.”
I would guess (one of) their arguments are that the ID in itself isn’t information and that it is up to those reading the ID to explain the purpose of processing the ID.
I think that makes sense, but also can be called factually inaccurate/incomplete. One could argue they collude with advertisers to track you.
> Apple uses a tracking technique called "identifier for advertisers" (IDFA). This technique assigns a unique identifier to every user who buys an Apple iOS device (such as an iPhone or iPad). This identifier is then used by Apple's advertising network, iAd, to determine the ads that individuals are viewing and responding to.
See Apple Advertising & Privacy [2] for details:
> To see this information on your iOS or iPadOS device, go to Settings > Privacy > Apple Advertising and tap View Ad Targeting Information. On Mac, go to System Preferences > Security & Privacy > Privacy, select Apple Advertising, then click View Ad Information.
I have a feeling that Apple wants to keep the user data for their own.
With the recent privacy issues around macOS and iOS, it sounds like they protect users from third parties, but the real purpose seems to be that they want to control users and users' data.
You say that like it's a bad thing. Apple is a company many of us have voluntarily chosen to enter a commercial relationship with in a reasonably clear, traditional manner—whereby I give Apple money in exchange for goods and services.
Apple aren't making money from my data behind my back. Apple have never stood accused of surreptitiously weaponising my own data against me. They are not collecting my data in order to target me with manipulative advertising or tailor algorithms to maximise engagement.
I want true privacy; I don't want to go too deep into Apple's ecosystem and then someday be unable to get out.
No one can be sure that the big companies won't turn against them. It's just my feeling about a big tech company that always talks about privacy but whose actions don't seem to match.
Obviously any company can turn evil at any time. Right now though Apple is doing a commendable job of bending the arc of technology towards privacy. They're by no means perfect, but they're better than most other large tech companies and they're getting better over time.
The current implementation of "IDFA" was an improvement on what came before it (unfettered raw access to the hardware UDID) and Apple have already announced that consumers will be actively prompted to approve IDFA usage in the near future.
I do worry that if collectively we act like nothing but absolute perfection can ever satisfy us, perhaps companies will feel no incentive to make progressive improvements to privacy.
They are arguing it was not ILLEGAL in iOS 13, but they are changing it now to increase user privacy, even though they are not legally required to do so.
The problem is people want "total privacy" but also want everything free. Advertising pays for the latter but people decry both. IDFA is there for advertisers to use without being able to explicitly identify the user but still provide some measure of knowledge to present ads more than random. Once it's no longer opt out, I doubt anyone turns it on.
Eventually everything on the web will require payment without there being a universally supported payment method, which is what should be the solution everyone is working on (read an article, pay 1¢ out of a fund you provide under your control for example). But instead we get ranting about privacy. Shouldn't HN discussions be about finding a better way rather than ranting?
My programming blog used to get 300,000 readers a year, which would have netted me $3K a year at 1¢. I had too much work and had to give it up a couple years ago.
There is no implicit social contract on the web that we trade privacy for free access.
Someone doesn't want to pay to read your blog, what do you do? Allow shady third parties to install trackers on your readers' browsers to monitor what they are doing, without them really knowing nor understanding the long term consequences? I don't know about that...
Blogs are probably not a good example. There are so many useful services people are used to have for free on the internet, which will need to be paid without ads. Most of those could be subscription-based though. As for blogs—IMO articles that are written for money aren’t blogs, they are just old-school magazine articles that happen to be on the internet. So having them in a subscription-based closed platform seems appropriate.
> The problem is people want "total privacy" but also want everything free. Advertising pays for the latter but people decry both. IDFA is there for advertisers to use without being able to explicitly identify the user but still provide some measure of knowledge to present ads more than random. Once it's no longer opt out, I doubt anyone turns it on.
Do advertisers pay Apple for the use of IDFA?
Do I pay Apple for the phone?
You are saying people should pay for stuff OR get their data sold.
You paid for your computer, too, and Facebook, Google, and many other companies track that.
It's not about the price of the phone. It's about the price of the services you get online—everything from Facebook to HackerNews.
Some of these free websites are subsidized by other means (like YCombinator itself). Some are funded by subscription, with a partial paywall that lets you access a portion of their content free. Others are funded by gathering your data and selling it to advertisers.
Stop treating Apple as if they're the ones who should be responsible for everything under the sun, just because they make iPhones (and truckloads of money).
The New York Times has a paid subscription AND targeted advertisements AND trackers AND sells your information to third parties. If we want these practices to stop, they need to be made illegal.
The property owner does not track you. You can pay your $2000/month and not be tracked.
It is when you choose to have a pizza delivered to you, or a package sent to you by third parties that hidden cameras overlooking your bed, your kitchen, and your toilet, may be used.
The camera is also specifically designed so that it cannot be used to track you across other buildings, but only for limited cases by one vendor.
The title is at best misleading. They do not attack M. Schrems in Justice or even morally. They are the object of two complaints and they defend themselves invoking that privacy laws are not applicable as they are not directly processing data. This seems a perfectly valid argument. I'd be curious to understand in detail their role in the process and see how courts will treat it.
Beyond privacy laws, there might also be allegations of fraud, as their marketing campaigns seem to rely heavily on privacy and they seem to have a curious conception of it.
I still prefer getting an ad about a video course I can buy than a random spam video about a mobile game I will never download.
Advertisements keep the internet going, if anyone has a different business model then please say it, because people right now are not willing to pay for news, social media or YouTube.
It is not my (the "consumer's") responsibility to invent a viable business model for news/social media/video. That is their problem. If the only thing they can come up with is advertising, I, for one, am quite happy to let them die and will continue blocking any and all ads I can possibly block.
Using display ads instead of targeted ads would solve the privacy problem, and is still a viable business model.
Because ads would be targeted at apps or publishers, not users, premium content would control the premium ad space. This would be good for content creators, consumers, and high quality sites / development houses. It would be bad for ad auction houses, but they don’t provide nearly as much societal value as the newspapers and magazines they replaced.
I try to read this very article, and get presented with one of these "Ad-Choices" screens that is completely messed up.
You cannot bypass it without consenting, it just won't close if you click "save preferences" without agreeing to things that seem to not be lawful with GDPR. They seem to think that there is somehow a "legitimate interest" for unnamed third parties to "Create a personalised ads profile" (and many more things) when I read an article on their website.
These "ad choices" screens conflate the legalese beyond recognition to make you give in to unlawful demands, which is their real purpose.
And undoubtedly my Apple advertising ID gets passed to these unnamed third parties in the process.
It needs to stop. And I don't care that companies might not be able to exist without it. Good riddance.
Good luck Max Schrems fighting this, and please add all these web publishers with their "Ad Choices" scam to your target list.
I do not know this company, Amplitude, and never consciously gave them permission to use my Apple IDFA or combine it with my browser cookies, yet I don't doubt they have an accurate combination of those about me and sell it to any client who can afford it. And that is what this article is about: Apple is enabling this at the source.
There are undoubtedly many more Ad-tech companies who market data they gathered about me without freely given consent. Again, it needs to stop.
I don't see any reference here to IDFA being combined with browser cookies?
It's worth noting that Apple has already chosen to kill off IDFA (something that was created as a transition away from developers having to the device's raw UDID) and Apple took this step without needing to be pressured by consumer rights groups.
> I don't see any reference here to IDFA being combined with browser cookies?
You should read again. Under "Determining Unique Users" you can see they link every "device id" to a unique user ID. A device id can be a browser cookie, an Apple IDFA or an Android AdID.
> Apple took this step without needing to be pressured by consumer rights groups.
Well, Apple is a smart company and better than most others with privacy. They may have concluded for themselves that they would probably get under pressure for this.
<sarcasm>Yes, read the official docs and move along, nothing to see here.
Especially never talk to any ad-tech companies. They are worth billions, but really do not offer anything on top of what Apple and Google have in their docs about advertising.
"Privacy" is just a marketing word for low information consumers.
Those that need privacy won't use Apple.
Edit- What's wrong? Serious privacy users are going to use an obscure Linux distro. Don't believe the Apple "security theatre", it only puts you at risk.
While it's true that people who need privacy don't typically use closed source software that spies like OSX, but it really shouldn't have to be this way. We are paying extremely high prices for Apple hardware and I'll be damned if I can't get the most privacy oriented experience possible from it.