Apple to Ad Tech: “Fingerprinting is Never Allowed”

It was generally anticipated that Apple would address the practice of fingerprinting at this year’s WWDC, and on Thursday, in a session titled “Explore App Tracking Transparency,” it did. The presentation is just under 14 minutes long and starts with an examination of Apple’s justifications for introducing its App Tracking Transparency (ATT) privacy policy, as well as background on the concept of “tracking” as it is defined for the purposes of ATT. Apple makes the point early in the video that no identifier — including a user’s email address — may be co-mingled with third-party data in cases where the user has opted out of tracking through the ATT prompt.

Later in the video, Apple makes two additional points that are germane to ongoing developments in the mobile advertising ecosystem. The first is that leaking user data out of an app to a third party is considered a violation of ATT even if the resultant performance reporting shared with either an advertiser or a publisher is aggregated. This clarification seems to be directed at various solutions being explored by ad tech vendors and ad platforms alike that ingest user-level data from partners but only surface back to them aggregated, campaign-level performance data.

The second point is more consequential, and it is made at the outset of the final segment of the video: Fingerprinting is Never Allowed. The video defines fingerprinting, rather broadly, as “using signals from the device to try to identify the device or user.” This is an all-encompassing interpretation that ignores any distinction between use cases, such as attributing an install versus attributing purchases, and operational implementations, such as with probabilistic methods. Apple’s edict here is straightforward and unequivocal: fingerprinting, even when a user has opted in via the ATT prompt, is in violation of ATT guidelines.

Of course, Apple’s privacy policy already makes this clear. Mobile device fingerprinting is rampant because Apple has not enforced its policy; I conjecture as to why in “Why isn’t Apple policing mobile ads fingerprinting?” The strident proclamation about fingerprinting in this WWDC session suggests that Apple may begin to actively prevent or arrest the practice. I had anticipated that Apple might introduce a technological solution or user feature at WWDC that would obstruct fingerprinting, such as what I hypothesized in this piece. Apple didn’t do that, so the question arises: how can Apple police fingerprinting?

A precedent exists for doing so. Back in April 2021, Apple began rejecting updates from apps in which a specific ad tech vendor’s SDK was integrated; some of the notifications cited the presence of that SDK as the basis for rejection, and others pointed to the fact that certain device parameters were being collected. The ad tech SDK in question was quickly updated to remove the violating access and Apple began approving app updates in which that SDK was included.

If Apple has utilized the app approval process to police fingerprinting before, why won’t it now? As I explain here, app rejections punish app developers first and foremost, and regulating fingerprinting through wholesale ad tech SDK rejection (vs. just one specific ad tech SDK) would cause app updates from every scaled app to be disrupted.

But if Apple appears sufficiently serious about eradicating the practice (and rejecting app updates in the process), maybe the threat of being caught will motivate the general abandonment of the practice. Or Apple may reject enough updates that word of enforcement spreads and the offending SDKs are either updated or stripped out of apps by developers en masse. So while no apparatus or consumer feature, like an expanded Private Relay, was introduced at WWDC to regulate fingerprinting, Apple did assertively and very visibly proscribe its use.