Chinese Tech Companies Reportedly Testing New Tool to Circumvent Apple's App Tracking Transparency Rules

[MacRumors]

Apple plans to begin enforcing its App Tracking Transparency changes following the release of iOS 14.5, and all apps that access an iPhone's ad identifier or IDFA will need to ask a user's permission before tracking is allowed.

According to a new report by the Financial Times, however, the state-backed China Advertising Association (CAA) is testing a tool that could be used to bypass the new Apple privacy rules and allow companies to continue tracking users without their consent.

The new method of tracking users is called CAID, which is said to be undergoing testing by tech companies and advertisers in China. According to the report, TikTok owner ByteDance has already provided its developers with an 11-page guide suggesting that advertisers "use the CAID as a substitute if the user's IDFA is unavailable."

However, the CAA told FT that the tool "does not stand in opposition to Apple's privacy policy" and that the association "is currently actively communicating with Apple," while the CAID solution has not yet been formally implemented.

Apple declined to directly comment on the potential use of CAID to get around its new App Tracking Transparency rules, but told the newspaper that it wouldn't grant any exceptions.

"The App Store terms and guidelines apply equally to all developers around the world, including Apple," the company told FT. "We believe strongly that users should be asked for their permission before being tracked. Apps that are found to disregard the user’s choice will be rejected."

However, two people briefed on the issue told the newspaper that Apple is aware of the tool and seems to have so far turned a blind eye to its use.

Apple is believed to have the capacity to detect which apps use the CAID tool and could block them from its App Store in China, if it wanted to. But such a response could ignite a major confrontation if CAID receives the support of China's technology companies as well as its government agencies.

Three people with knowledge of briefings between Apple and developers also said the Cupertino, California-based company would be wary of taking strong action, despite a clear violation of its stated rules, if CAID has the support of China's tech giants as well as its government agencies.

Rich Bishop, chief executive of AppInChina, a leading publisher of international software in China, suggested that Apple might "make an exception for China" because tech companies and the government are "so closely aligned."

It still remains unclear how the CAID system works, but Beijing-based data privacy company Digital Union believes that the system has been designed with Apple's rules in mind because its tracking methods may not uniquely identify users. "This is the room that the industry has left to explore," the company's co-founder Yang Cong'an told FT, suggesting the grey area was intentional.

CAID is reportedly scheduled to be publicly released as soon as this week, and although the system is intended to be used by local app developers in China, at least one French gaming group is said to have been encouraged to apply to use it and several foreign advertising companies have already applied on behalf of their Chinese divisions.

Article Link: Chinese Tech Companies Reportedly Testing New Tool to Circumvent Apple's App Tracking Transparency Rules

 

[Shirasaki]

Well, is this really a surprise? I’d say no.
Maybe Apple can double-standard again and disable IDFA tracking request in Chinese iOS.

 

[Razorpit]

China circumventing privacy rights? Color me shocked.

 

[n0va]

definitely did not expect this. the chinese communist party never fail to surprise me

 

[Captain Trips]

Well, this is just like the ongoing battle between offensive and defensive capabilities for military capabilities throughout history.

And this isn't the first time we have seen this back and forth in computing, either.

 

[Kebabselector]

I'm expecting companies around the world to attempt to circumvent app tracking. The Chinese app appears to be the first that is known about.

 

[Rob_2811]

Will Tim Cook condemn this like he does Facebook?

 

[icanhazapple]

This issue is not exclusive to Apple, with respect standing up to China. There are a number of tech companies that could take a similar position, but they have chosen not to.

But only Apple has a $2 trillion market cap/has the cash reserves to lead the charge on this privacy issue. We look to Apple to be better, and they've deferred on standing up to China.

Remember that Apple's dedication to human rights ends where it potentially precludes Apple from taking action on a privacy issue that would upset China to the extent they would restrict the sale of iPhones.

Same is true with encryption of iCloud backups.

 

[pavvel]

What more reason do you need NOT to use any app that decides to use this tool to bypass Apple's privacy protection?

 

[pavvel]

Will Tim Cook condemn this like he does Facebook?

Probably. Why wouldn't he?

 

[LeadingHeat]

*Facebook and Google engineers furiously writing down notes*

 

[Rob_2811]

Probably. Why wouldn't he?

He won't get invited to the next audience with the CCP

 

[Shirasaki]

What more reason do you need NOT to use any app that decides to use this tool to bypass Apple's privacy protection?

With any chance, “those apps” are Chinese-only apps which dont matter much for most other people around the world. However, there is no guarantee that devs somewhere else (including inside US) would just honour Apple’s mandatory tracking request and give up collecting user data. If you remember web browser “Do not track” request, I bet most major websites just ignore that request anyway and collect just as much if not more. If you really rely on big tech to protect you from being tracked, at one point you probably will find you cannot install any app on your shiny new iPhone because “All apps will implement some form of tracking without your consent”.

 

[koil]

Curious about how this could work. The whole idea behind this IDFA change is that iOS will no longer report any uniquely identifiable information to apps unless users allow it, and there's no way in the iOS SDK around that restriction that Apple will actually approve to be shipped on the App Store.

I'm guessing they use some other channel to uniquely identify devices, probably on the network/operator/ISP level would be my guess. If so, I don't really see how Apple could stop that without committing serious resources to code analysis. Perhaps they could analyse larger apps and block updates, which would really put a dent in the systems usefulness, but since this tracking is presumably assisted by external factors, it would just look like a standard authentication scheme I guess, and they can't really block anything like that.

 

[LeadingHeat]

Didn’t the terms in the developer contract say that your app could be banned if you try to circumvent the app tracking transparency, at all? Or was it really limited to if they only try to circumvent the IDFA method?

 

[Quackington]

Will Tim Cook condemn this like he does Facebook?

Exactly. Apple doesn’t have the balls to do so. How about saying something about the human rights abuses China is committing by against the Uighur people and the forced slave labour contributing to tech products all over the world?

 

[ruka.snow]

With any chance, “those apps” are Chinese-only apps which dont matter much for most other people around the world. However, there is no guarantee that devs somewhere else (including inside US) would just honour Apple’s mandatory tracking request and give up collecting user data. If you remember web browser “Do not track” request, I bet most major websites just ignore that request anyway and collect just as much if not more. If you really rely on big tech to protect you from being tracked, at one point you probably will find you cannot install any app on your shiny new iPhone because “All apps will implement some form of tracking without your consent”.

The uptake of "Do not track" was/is abysmally low.

 

[dwsolberg]

Will Tim Cook condemn this like he does Facebook?

Unlike facebook, this seems to be done in the open. Facebook will secretly track users, then if found out, will claim it was a "bug".

 

[2021]

The uptake of "Do not track" was/is abysmally low.

Ironically, dnt requests themselves could be used for more precise tracking as far as I remember.

 

[femike]

Sorry but Facebook is way ahead of you guys on this.
And besides, Apple iOS 14.5 only asks app not to track. Apps are entitled to not do what you ask it. I would of preferred 'deny app tracking' or something like that.

 

[pavvel]

Sorry but Facebook is way ahead of you guys on this.
And besides, Apple iOS 14.5 only asks app not to track. Apps are entitled to not do what you ask it. I would of preferred 'deny app tracking' or something like that.

Absolutely agree.

 

[Starscape]

Absolutely no surprise at all. One day the world will take more aggressive steps against China‘s use of the world as its technology grab-bag.

 

[LeadingHeat]

Sorry but Facebook is way ahead of you guys on this.
And besides, Apple iOS 14.5 only asks app not to track. Apps are entitled to not do what you ask it. I would of preferred 'deny app tracking' or something like that.

“Unless you receive permission from the user to enable tracking, the device’s advertising identifier value will be all zeros and you may not track them as described above.

“While you can display the AppTrackingTransparency prompt whenever you choose, the device’s advertising identifier value will only be returned once you present the prompt and the user grants permission.”

User Privacy and Data Use - App Store - Apple Developer

The App Store is designed to be a safe and trusted place for users to discover apps created by talented developers around the world.

developer.apple.com

That being said, I do agree with you that the verbiage were more clear. “Ask not to track me” should be “do not allow”. But the fact remains, they are not allowed to track you unless you give permission.

edit for typos

 

[dlewis23]

*Facebook and Google engineers furiously writing down notes*

They already know what to do and have known for months. There are many ways to track a user with out the IDFA. The IDFA just made it really easy for developers to implement, everyone used the same ID so it made things consistent across ad networks and everyone was using one id.

Now we are going to get "work arounds" that are more complex and will dive in deeper to the users info to generate a fingerprint for identification. They won't just be relying on your IP addresses.

 

[dlewis23]

“Unless you receive permission from the user to enable tracking, the device’s advertising identifier value will be all zeros and you may not track them as described above.

“While you can display the AppTrackingTransparency prompt whenever you choose, the device’s advertising identifier value will only be returned once you present the prompt and the user grants permission.”

User Privacy and Data Use - App Store - Apple Developer

The App Store is designed to be a safe and trusted place for users to discover apps created by talented developers around the world.

developer.apple.com

That being said, I do agree with you that the verbiage were more clear. “Ask not to track me” should be “do not allow”. But the fact remains, they are not allowed to track you unless you give permission.

edit for typos

A good thing to add to this, is the system prompt asking to allow tracking can only be shown one time for an app install. So the app can ask once and never again.