[varenc]

Mozilla suggests resetting the IDFA once per month...but that seems pretty trivial to workaround? If an app you used previously starts up and sees that your IDFA changed, it's easy for that app to know that the old IDFA and the new IDFA refer to the same user!

This tracking is all possible because iOS gives every app on the device the same IDFA (advertising identifier [1]). They can then correlate all your activity and target you for ads.

I'd love if Apple just killed this feature, but barring that, why not change iOS so that it scopes these identifiers at the per-app level. Different apps on the same device see different IDFAs, but an app can still use an IDFA to target you for ads. Apple already has similar per-vendor scoping with identifierForVendor. [2]

[1]: https://developer.apple.com/documentation/adsupport/asidenti...

[2]: https://developer.apple.com/documentation/uikit/uidevice/162...

[mojuba]

Unfortunately the majority of more or less useful or popular apps are also linked against various analytics/attribution platforms, often many of them at once. Mixpanel, Amplitude, AppsFlyer, Branch to name a few, plus Facebook and/or Google. In fact having any of the Google's or Facebook's SDKs means tracking, e.g. Maps, Login etc.

Somehow these platforms have no problem with identifying users across their client apps even without the IDFA. Maybe it's not 100% precise, but as far as I can tell these companies keep so much information about us away from our eyes, that even the big guys (G, FB) would be jealous.

Analytics is one big dark corner of the mobile business whose significance is not fully appreciated (yet).

[snarf21]

Right, how often does our external IP change on our home WiFi network or work WiFi network? There are so many other things that can be used to fingerprint. This is part of the reason encrypted DNS and other efforts have some merit. The cell providers have data and know exactly where you are via triangulation.

Has anyone been using Cloudflare's Warp VPN? I wonder if this is the best approach. Paying a private company to act as a one hop TOR to minimize fingerprinting. If the cell networks just see all CF traffic, they may know where I am but not who I'm connecting too. I get that this means I must trust CF but I trust them more than ATT/Verizon anyway. I just want some open source from CF on the mobile side that shows that the private keys are kept in the device's SecureEnclave and not anywhere on disk.

[peteretep]

> Maybe it's not 100% precise, but as far as I can tell these companies keep so much information about us away from our eyes, that even the big guys (G, FB) would be jealous.

Ooooh, think of the GDPR fines!

[api]

Mobile is all about surveillance as near as I can see. The whole purpose of it is to track users.

[BurningFrog]

There were mobile phones decades before any of this existed.

[krageon]

And to the extent that this was practical, they have always been used for surveillance.

[BurningFrog]

Maybe I'm splitting hairs, but that's definitely not their primary purpose, which is what I think OP was saying.

Sure, once they exist, there are secondary effects who are important in themselves.

[api]

Yeah I guess people carrying around transmitters is too easy to exploit for surveillance and it's just irresistible.

[kevin_thibedeau]

How else should a telescreen function?

[mrgreenfur]

I think the push to apps was to get persistent tracking while offering the user the olive branch of new apis/better battery life/etc. The browser is a prophylactic against apps and their uncontrolled behaviors.

[shermozle]

There is in fact just such an identifier, it's called IDFV. ID For Vendor. It's shared between all apps from the same vendor, so your Facebook and Instagram apps know they're on the same device.

Apple used to be quite strict that you had to actually have advertising in the app to ask for the IDFA permission. That seems to have disappeared.

[varenc]

That's the one I linked to right? =)

https://developer.apple.com/documentation/uikit/uidevice/162...

[dep_b]

There used to be a global ID that was free to use, then they switched to the vendor ID. The IDFA never had anything to do with the vendor ID and has way more checks. To me the vendor ID isn't that big of a problem.

[mobjack]

You don't need an IDFA to track someone in the same app. You can generate your own UUID to use.

The value of the IDFA comes from coordinating user behavior across apps.

Targeting ads is one use case, but it is also used in conversion tracking, which is very valuable to advertisers. They can know if ads in one app resulted in people buying things in another app.

Edit: fixed typo

[thenewnewguy]

The point is that the app can just record the old IDFA, and when the IDFA changes whoever is doing the comparison between two apps knows that the old and new IDFA are one and the same.

[tgsovlerkhgsel]

A likely-good-enough fix would be for Apple to first make extremely clear that this is not allowed, then catch one ad framework/library provider violating the rule and ban every single app/publisher using it to ensure the rule is actually taken seriously.

[scarface74]

How do you “catch” them? The ID is sent from the app and not in plaintext.

[tgsovlerkhgsel]

Through the usual software analysis methods (reverse engineering, static and dynamic analysis, ...)

[afiori]

I imagine with the usual review process

[scarface74]

The review process can’t tell the contents of the data being sent back.

[marc3842h]

What I think is that if the ID would be reused this would be kinda eliminated? I don't see a reason to not make them reusable.

[jessaustin]

How many users would care about this distinction you're attempting to draw between "targeting ads" and "conversion tracking"?

[kevinh]

How many users care about either of those at all?

[jessaustin]

That's the premise of this thread, that we care about these things.

[mrgreenfur]

Generating your own UUID is forbidden I thought?

What if apple sandboxed it to each app to make it safer/easier?

[tinus_hn]

You can’t look through device identifiers like the MAC address or the serial to create ids.

[varenc]

since iOS 7 Apple always returns "02:00:00:00:00:00" for the WLAN MAC address for this very reason.

Besides the IDFA Apples seem to have tried hard to get rid of the obvious ways for different apps to link activity between their users. Of course if you login or provide an email it becomes easy...and there's plenty of trickier less reliable ways like looking at IP address