With iOS 6, Apple tracking is back

But IFA tracking technology is still not without risk because the information being collected could be misused and abused

While you are getting to know your new iPhone5, iPad or iPod Touch, it will be getting to know you too - very well.

Apple's iOS6 will track pretty much every detail of your online activities - what websites you visit, where you go to eat, what apps you download, where you shop and what you look to buy, what movies or TV shows you stream, what kind of social and professional networking you do, where you're going when you ask for directions, and more.

That is not a bad thing, according to those in the marketing world. All that information that Apple's updated mobile operating system is collecting is just being used to give you the kind of information you might want anyway. Wouldn't you rather get ads for things you've already expressed an interest in, that fit your lifestyle?

Besides, tracking is not new. And the new tracking technology Apple is using, called IFA or IDFA (Identifier for Advertisers) doesn't identify you personally. It just provides data that advertisers can use to send relevant ads to the right devices.

There is general agreement that IFA is an improvement over the previous system of Unique Device Identifiers (UDID). They were "the unique, permanent, non-deletable serial number that previously identified every Apple device," Jim Edwards wrote last week at Business Insider.

Since UDIDs were attached to the hardware, and couldn't be changed or reset, a breach could be a big problem. That is what came to light last month when BlueToad, a Florida-based technology provider for digital publishers, acknowledged it had been the victim of a hack that left more than a million Apple UDIDs exposed.

"The UDID was quickly abused by app developers as well as others to tie a person to a device for tracking and also to scavenge personal information (like contacts). It was a mess for iPhone owners and Apple alike," wrote Sean Kalinich at Decrypted Tech.

Apple's response was to ban app developers from using UDID last March. So, for a few months, the tracking of iPhone users was all but disabled -- until the rollout of iOS6 last month. And the chances for abuse appear to be lower.

"Unlike UDIDs, IFA is located in a device's settings rather than in the hardware," Business Insider's Laura Stampler wrote this week. "An IFA is a random, non-permanent, and anonymous number (meaning users aren't personally identified) that can be reset or even turned off -- although its default is to be on. It's kind of like a cookie."


However, privacy advocates say IFA is still not without risk because the information being collected could be misused and abused. After all, it is not entirely clear yet what information is being collected and distributed. "We still don't know a lot about what advertisers can see and do with the new Identifier for Advertisers," Stampler wrote.

Kalinich wrote that while the IFA is less intrusive than UDID in one way -- because it is less likely to be tied to a person -- it is more intrusive in another because it "tracks your habits further than was possible with the UDID."

"IFA can track you all the way through to purchase or app download, giving advertisers more ammunition to fine tune their ads and targeting algorithms," he wrote. "This last item is where the most likely exploit would be, if you can track a purchase with IFA then there is a chance you can tie that purchase to a person although what information you can gather after that is questionable."

Advertisers note that the customer has control of tracking - that it is possible to limit IFA. Those on the privacy side agree, but note that the default setting for IFA allows tracking, and that it is a bit tricky to disable it. They also note that Apple does not promote IFA on its launch page about "What's New" with iOS 6.

While a user might expect to find IFA controls in the "Privacy" settings, it is instead under "General," then "About," and then "Advertising," where it is titled "Limit Ad Tracking," and must be turned "On" instead of "Off," which might confuse some users.

Mobile Theory CEO Scott Swanson told Edwards: "The biggest thing we're excited about is that it's on by default, so we expect most people will leave it on."

Rebecca Herold, CEO of The Privacy Professor, said Apple should be more transparent and aggressive about letting users know what their options are. "A key privacy concept is notice to the individual of the types of information that are collected, why that information is necessary, and the purposes for which it is used."

Herold said "opt-in" is the requirement in most other countries, as opposed to the "opt-out" provided in iOS6.

And even if users do turn off tracking, Kalinich and others find it hard to believe it will be entirely off. "Our guess based on what we have seen is that [IFA] are not completely off. It is possible that your search and browsing habits are still tracked, but that that IFA no longer tracks the purchase or download like it did before," he wrote. "We are sure that there are people out there working on ways to exploit IFA and get more than it was intended to offer ... after all the mobile market is now a major space for advertising."

Those who advocate for the collection of information note that it is one of the reasons so many apps are "free." The slogan is, "If you're not paying for the product, you are the product," Kalinich said.

But Rebecca Herold does not find that argument persuasive. "Just because people choose to share their personal information online does not mean that anyone else should be able to usurp their ability to make a choice," she said. "Choice by the individual to share online is completely different than choice by others to post an individual's personal data online.

"If app developers are collecting personal information from the app users, and they are not charging them to use the apps, at the very least they should describe to the app users what data they are collecting, why, how they are using it, and with whom they are sharing it," she said.

"In the long run, nothing is ever 'free' if you are paying with your personal data," Herold said.
