Schneier on Security
A blog covering security and security technology.
« Master Keys |
| Studying Zero-Day Attacks »
October 15, 2012
Apple Turns on iPhone Tracking in iOS6
This is important:
Previously, Apple had all but disabled tracking of iPhone users by advertisers when it stopped app developers from utilizing Apple mobile device data via UDID, the unique, permanent, non-deletable serial number that previously identified every Apple device.
For the last few months, iPhone users have enjoyed an unusual environment in which advertisers have been largely unable to track and target them in any meaningful way.
In iOS 6, however, tracking is most definitely back on, and it's more effective than ever, multiple mobile advertising executives familiar with IFA tell us. (Note that Apple doesn't mention IFA in its iOS 6 launch page).
EDITED TO ADD (10/15): Apple has provided a way to opt out of the targeted ads and also to disable the location information being sent.
Posted on October 15, 2012 at 1:21 PM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Apple introduces iOS6, and you'll know why 2012 will look very much like 1984.
This is what you need to be providing here:
"How to opt out of interest-based ads from the iAd network"
You have to go to a link FROM YOUR IPHONE to disable the tracking. For brevity (and those who did not go to the support site), the opt-out site is http://oo.apple.com
Oh the irony... Someone needs to redo the Apple 1984 ad.
re: 1984 comment...
we have found the enemy and it is Apple.
When I upgraded to iOS6 over the air, it prompted me about the Ad tracking so I was able to turn it off (or rather, turn on the limit) right away. So people knee-jerking about 1984 need to chill.
Furthermore, it is not the same as Verizon's tracking. It assigns a randomized non-permanent and non-personal number. It lets advertisers track a party who is interested in their wares, but does not let them know it is you.
What's with the FUD Bruce?
The new "virtual UDID" system has been covered in detail previously. How is it surprising they've turned it on in iOS 6?
So, I just went there with my iPhone 4S running iOS 5.0.1 and opted out. Then I did it again moments later and it said I've already opted out.
Great, right? Here's the problem:
I was already at this site and opted out with this very same phone on iOS 5.0.1 months ago.
In other words, I was involuntarily shoved back in at some point. I'm sure it will happen again -- note that there is no word on how long this opt-out lasts...
iAd has corrupted Apple. Now that they sell advertisements, you are not just their customer, you are their product.
Advertisers have always been able to track users even without the UDID (which is still being widely used). There are other options including the MAC address or pasteboard options such as OpenUDID and just plain IP Address. Until Apple really cracks down and rejects any app who use any possible method then there is an option for people to use then advertisers will have their way. These changes are just meaning they have to change their methods.
...and, of course, Apple is hoping that many people either don't opt-out or forget to or can't remember how to.
Your comment is brilliant, Sir.
Interesting comment, thanks for sharing.
"For the last few months, iPhone users have enjoyed an unusual environment..."
This is false. The number/percentage of app submissions that were rejected after Apple announced the deprecation in iOS 6 is completely unknown to the public. I for one submit monthly (or more often) updates across 2 iOS applications and despite sending UDIDs to 4+ ad networks, I've never been rejected.
As soon as Apple announced the deprecation, Ad networks and others immediately began development of workarounds using one of many other unique or semi-unique identifiers. But, even as I write this and after the recent release of iOS 6, ad networks are leveraging both UDID and (most commonly) a new MAC-address based "inventories."
I can't imagine we're going to be able to prevent developers and tracking platforms from targeting users based on their activity and unique metadata. In fact, in a world were huge Internet companies rely on targeted advertising for monetization, you could argue it's a required entrance fee.
I don't believe this is correct. At the Apple link, Apple says: "Opting out applies only to Apple advertising services and does not affect advertising from other advertising networks." Users need to realize that Apple's iAd network, and its associated "opt-out" [https://support.apple.com/kb/HT4228?viewlocale=en_US&locale=en_US], is a separate beast from the subject of the Business Insider article, which covers 3rd-party ads and ad networks used by 3rd-party apps.
P.S. I almost always use "opt-out" in quotes because it usually signifies that Targeting gets turned off, but unfortunately it does not guarantee that data is no longer being collected [Tracking].
Isn't the whole point of a cell phone to be able to locate the phone and provide service/comms?
I'm not so sure clicking a button to say "I opt out", will really stop the trend.
Apple has made turning this off intentionally deceptive. And there's another location-based service setting. In addition to visiting http://oo.apple.com, do this:
Settings>General>About>Advertising>Limit Ad Tracking ON
"The tracking control is titled "Limit Ad Tracking," and must be turned to ON, not OFF, in order to work. That's slightly confusing — "ON" means ads are off! — so a large number of people will likely get this wrong."
Settings>Privacy>Location Services>System Services>Location-Based iAds>OFF
Settings>Location Services>System Services>Location-Based iAds>OFF
On all my Androids, this setting is made once per device through Android Market Google Play. And it covers all of Google's tracking/ad personalization. AFAIK.
I'm not sure why people are surprised that the iChurch is exploiting their followers.
If you don't want to be tracked then don't carry a network connected computer.
"and also to disable the location information being sent."
I have heard (no citation available) that location tracking is not actually "disabled", but that a kind of "Do not use" flag is set. Developers are politely asked to honor that flag.
Bruce you didn't do your homework on this as you can see from the comments.
There are two types of tracking and both can be turned off.
No way to turn such things off on Android devices for all the Android whiners. Not on individual apps which are not checked anyway and certainly no way to turn off Google's tracking of everything you do. Thats because with Android you are the product not the device. Fun right?
Apple gives you a way out and does not sell your data. They will also remove apps that violate location services and do not track.
Pretty hilarious that the Android kids see this as another chance to whine about Apple when Google is FAR worse in every regard.
"If you don't want to be tracked then don't carry a network connected computer."
Quite unreasonable in this day and age. Hence, the push for legislation & privacy protections.
Also, you can be tracked digitally & physically without a "network connected computer." The Tagging, Tracking and Identification technologies will only get better over time. Which leads us back to legislation & government accountability...
Quite unreasonable in this day and age.--@Nick P. No, it just takes discipline. Carrying a comp. w/ you everywhere doesn't necessarily make you more productive, it makes you more reliant on technology, which has become inherently untrustworthy as PCB's are too miniaturized to fix and software too bloated to give a damn about.
Which leads us back to legislation & government accountability...
--Which will lead us to failure. There are few things I can say with such certainty.
this is definitely a misstep from apple, and we are seeing more and more bad decisions from apple lately. their design and engineering teams are strong enough to keep them at the top for a while longer, but this should be a good barometer of their corporate culture / leadership. it's not encouraging.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.