Apple, CAID, and China: rock, meet hard place

Early this week, it was revealed that the China Advertising Association (CAA), a state-backed advertising trade group in China, has rolled out its China Advertising ID (CAID) to a consortium of large Chinese advertisers for use as an alternative to the IDFA, which is set to be deprecated imminently in iOS 14.5.

The CAID is effectively a crowd-sourced persistent ID derived from device fingerprints: the CAA has created something of a data co-op, where members — which pay a participation fee — pool IP-indexed fingerprints to allow for devices to be identified as they engage with apps. The general idea is that if enough parameters are captured for a given device in a fingerprint, and the device is fingerprinted in enough apps in a short amount of time, the device can be identified even when its IP address changes because the other parameters (like memory utilization) stay relatively constant.

Building this type of probabilistic identity mechanism is fairly straightforward, but in order for it to be viable, participation and coordination are required from publishers that have large and overlapping user bases. This is the reason I was skeptical of such a solution being broadly adopted, as I articulated in this Twitter thread from a few months ago: in order for a fingerprinting solution based on IP addresses to provide utility, frequent touchpoints with users must be maintained to capture fingerprint snapshots that change subtly enough for an identity to be probabilistically valid. It seemed unlikely that Western companies would be willing to cooperate to the degree necessary to deliver that. But the ability to coordinate nearly unimaginable, mass-scale projects, of the flavor seen during COVID, is the Chinese government’s distinctive advantage. Whereas a data co-op comprised of large US-based app publishers and ad networks is nearly unimaginable, apparently, ByteDance, Tencent, and Baidu are all participating in the CAID program that is organized by the state-sponsored CAA.
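To make the two preceding paragraphs concrete, here is a toy simulation of the linkage mechanism they describe. This is an added illustration, not code from the CAA or the CAID program: the attribute names, the match threshold of 7 agreeing attributes out of 10, and the "one volatile attribute drifts per tick" device model are all constructed assumptions, chosen only to show why a single changed attribute (such as the IP address) does not break the chain, and why the chain does break when touchpoints are too far apart.

```python
"""Toy model of probabilistic device linkage via drifting fingerprints.

Added illustration, not CAA/CAID code. A linker matches a new fingerprint
snapshot to a stored identity when enough attributes still agree, so one
changed attribute (the IP address, say) keeps the same identity; but the
longer the gap between touchpoints, the more attributes have drifted, and
past the threshold the device surfaces as a brand-new identity record.
"""
from __future__ import annotations

# Hypothetical fingerprint parameters; the article does not list the real set.
ATTRS = ["ip", "model", "os_version", "timezone", "locale", "carrier",
         "screen_scale", "disk_free_gb", "mem_used_mb", "boot_time"]
# The subset we let change over time (IP churn, storage/memory use, reboots).
VOLATILE = ["ip", "disk_free_gb", "mem_used_mb", "boot_time"]
# Minimum agreeing attributes for a match: 7 of 10 (assumed figure).
MIN_MATCHES = 7


def matches(a: dict, b: dict) -> int:
    """Count attributes whose values agree between two snapshots."""
    return sum(1 for k in ATTRS if a.get(k) == b.get(k))


class Linker:
    """Assigns a persistent ID by nearest-match against stored snapshots.

    A real co-op would weight attributes and key the lookup by IP first;
    this toy scans every stored profile, which is enough to show the effect.
    """

    def __init__(self, min_matches: int = MIN_MATCHES) -> None:
        self.min_matches = min_matches
        self.profiles: dict[int, dict] = {}  # identity -> most recent snapshot

    def link(self, snap: dict) -> tuple[int, bool]:
        """Return (identity, is_new); a hit refreshes the stored snapshot."""
        best_id, best = None, -1
        for pid, known in self.profiles.items():
            score = matches(snap, known)
            if score > best:
                best_id, best = pid, score
        if best_id is not None and best >= self.min_matches:
            self.profiles[best_id] = snap
            return best_id, False
        pid = len(self.profiles)
        self.profiles[pid] = snap
        return pid, True


def base_snapshot() -> dict:
    """Constructed starting fingerprint for the simulated device."""
    return {k: f"{k}-0" for k in ATTRS}


def simulate(touchpoint_every: int, ticks: int = 12) -> int:
    """Run ONE device through the linker; return how many identities it got.

    Each tick, one volatile attribute takes a fresh value (rotating through
    VOLATILE); the device is fingerprinted only every `touchpoint_every` ticks.
    """
    linker = Linker()
    snap = base_snapshot()
    linker.link(snap)
    for t in range(1, ticks + 1):
        attr = VOLATILE[(t - 1) % len(VOLATILE)]
        snap = {**snap, attr: f"{attr}-{t}"}
        if t % touchpoint_every == 0:
            linker.link(snap)
    return len(linker.profiles)


if __name__ == "__main__":
    linker = Linker()
    first, _ = linker.link(base_snapshot())
    moved, is_new = linker.link({**base_snapshot(), "ip": "ip-new"})
    print(f"IP change alone: same identity={first == moved}, new={is_new}")
    for gap in (1, 2, 3, 4):
        print(f"touchpoint every {gap} tick(s): {simulate(gap)} identity record(s)")
```

With these constructed parameters, an IP change on its own still links to the existing identity, and a device seen every one to three ticks stays a single identity for the whole run, whereas a device seen only every fourth tick has drifted past the threshold each time and is assigned a fresh record at every touchpoint. That is the dependency the text describes: the stable parameters carry the linkage, and the scheme only works if the participating apps collectively observe the device often enough to keep the drift between snapshots small.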

The development and adoption of the CAID puts Apple in a difficult position. Rock, meet hard place: China is Apple’s second-largest market after the US, and the specter of a WeChat ban on the iPhone during the Trump administration was estimated to potentially reduce Apple’s iPhone sales revenue by up to 30%. Apple already applies a separate standard with its App Store guidelines for certain Chinese developers, allowing e.g. Tencent to run what is essentially an app store inside of WeChat. Would Apple simply extend this notion of a separate Chinese principle to privacy and allow CAID to be used for persistent identity by Chinese companies while subjecting companies domiciled elsewhere (read: Facebook) to the restrictions of ATT, which explicitly prohibits fingerprinting?

I argued in this Twitter thread that Apple cannot allow a separate, geographically-defined standard to be utilized for asserting ATT compliance. And it appears that Apple is not doing that. As per the Tweet above, I was shown a rejection notice received by a Chinese app developer that cited the collection of various device identifiers for the purposes of creating “a unique identifier [to] track the user” as the point of guideline non-compliance.

Yes, Apple currently applies a different standard to content approval with the App Store in China — that is common knowledge. But I don’t believe that it can do the same thing for privacy: to create a “China privacy policy” that is inconsistent with its enforcement of ATT for companies like Facebook. There are a few reasons for this:

  1. Much of ATT compliance is based on a sort of Mutually Assured Destruction dynamic between Apple and the various ad platforms (e.g. Facebook). Apple has no transparency into the data that is transferred between Facebook and advertisers in a server-to-server setting; Facebook seemingly is fully complying with ATT through e.g. restricting the use of custom audiences for opted-in users because it realizes that contravening ATT policy with workarounds could have extreme ramifications for its own apps. If major Chinese technology companies are employing similar workarounds, perhaps Facebook feels less pressure to conform fully? Apple has proposed a broad, somewhat abstract privacy policy with ATT, not just an IDFA-gating mechanic. The vaguer the policy gets through inconsistent enforcement, especially geographically, the more inclined big platforms will be to search for workarounds that aren’t detectable by Apple. Note that the first part of the last sentence applies exactly to inconsistent App Store guidelines enforcement, but the second part doesn’t, which makes this situation different from Apple’s China policy related to content;
  2. Theoretically, any company could participate in the CAID given enough of a critical mass of users in a single geography being tracked by the system. What happens if American firms begin utilizing the CAID? Then the IDFA, which is currently device-resettable through LAT, has been replaced with a crowdsourced, IP-based identifier that is formulated on Chinese servers, with the complete activity stream of users visible to the Chinese government. President Biden campaigned with a hawkish posture towards China: it seems unlikely that his administration sits idly by as Apple causes American mobile data to be routed through Chinese servers in ultimately accomplishing the same level of tracking that the IDFA allows for now;
  3. There was no legal or regulatory onus for ATT: the need for ATT is wholly of Apple’s invention, and ATT potentially engenders more profound problems than it solves. Any outcome from ATT that produces hubs of IP-based identifiers — especially in countries where privacy protections are weak — is a disaster from a human rights perspective. Yes, the IDFA is problematic, but the IDFA is resettable and can be obfuscated. What if everything that every user does is now tracked by confederations of private companies and is available to any entity that wants to buy access? And this new tracking identifier cannot be reset or obfuscated?

The stakes are higher with a “China privacy policy” than with a “China App Store content policy.” Apple is currently indicating that it will not allow for the CAID to be used for identity, and it certainly seems that it cannot. Obviously, this exposes Apple to a serious revenue vulnerability if it finds itself on the wrong side of the Chinese government. It’s important to note that the Chinese government has held its domestic technology powerhouses in the crosshairs recently for what it deems to be monopolistic behavior and privacy abuses: it’s possible that Apple’s position on CAID is consistent with the Chinese government’s, although the CAA is a state-backed entity.

Regardless, Apple has found itself between a rock and a hard place with CAID. Almost certainly, Facebook sees this CAID weakness as a pressure point to activate in attempting to reverse, slow, or mitigate ATT, especially after the French anti-trust regulatory body refused to issue an injunction against ATT in the country, which would have potentially paused the rollout of ATT in the entire EU (my understanding is that Facebook was internally optimistic about the French ruling). Apple has no good options in the case of the CAID. Apple can continue to reject Chinese apps that harvest device fingerprints for the CAID — and especially apps from Tencent, ByteDance, or Baidu — and jeopardize its business in the country, or allow for a dual-track ATT policy that tempts the biggest US-based platforms to simply go underground with their tracking activities.
