App Tracking Transparency faces regulatory scrutiny

Two recent regulatory developments related to Apple’s App Tracking Transparency (ATT) privacy policy are worth exploring. The first is the release from the UK’s Competition and Markets Authority (CMA) of the final version of its Mobile ecosystems market study, which contains an entire appendix (Appendix J) related to platform privacy policies. The interim version of this report, which I covered in a Twitter thread when it was released in December of last year, only explored Apple’s ATT privacy policy; the final version expands Appendix J to also cover Google’s deprecation of third-party cookies in Chrome as well as the deprecation of the GAID for Android.

The final version of the report issues a fairly blunt and uncharitable appraisal Apple’s ATT privacy policy:

However, we are concerned that Apple’s current implementation of ATT is likely to result in harm to competition, make it harder for app developers to find customers and to monetise their apps, and ultimately harm consumers by increasing the prices or reducing the quality and variety of apps available to them. As discussed in Chapter 8, we consider that there are a number of ways in which the potential competition harms of ATT could be mitigated while retaining the benefits in terms of user choice and privacy.

This line of thinking invokes the concept of Pyrrhic Privacy: that Apple introduced restrictions in ATT that were unnecessarily stringent and framed by the notion that privacy gains are measured as a function of the destruction of advertising efficiency. It’s unclear why a more functional version of SKAdNetwork, for instance, couldn’t have been introduced alongside ATT such that consumer privacy was safeguarded while limiting disruption to the mobile ecosystem. Apple clearly has the capacity to design a practical and effective measurement framework, since they did just that in the latest version of SKAdNetwork.

Consumers should have agency over their data and be empowered to navigate the Privacy/Utility tradeoff. But ATT — owing to the shortcomings of SKAdNetwork, as well as other severe limitations — caused immense damage to the digital advertising ecosystem, much of which was unnecessary in order to deliver consumer privacy at the current standard. Per the diagram below, ATT moved the digital advertising ecosystem from Point 1 to Point 2, when care could have been taken to arrive at Point 3.

Ultimately, the CMA’s point — and I agree with it — is that Apple created in ATT a privacy policy that was needlessly destructive to the mobile ecosystem, inhibiting third-party ad measurement and targeting to a degree that wasn’t necessary to protect consumer privacy. This is to say: Apple could have introduced a version of ATT that was less onerous and restrictive and yet secured consumer privacy to the same extent as is done now. The full CMA report is long at more than 400 pages, but Appendix J is a quick read and is chock full of insightful analysis.

The second development originates from Germany’s Federal Cartel Office, or Bundeskartellamt. In a short press release published this week, the office announced that it has initiated a proceeding to investigate potential anti-competitive behavior related to ATT. From the press release:

The Bundeskartellamt has initiated a proceeding against the technology company Apple to review under competition law its tracking rules and the App Tracking Transparency Framework. In particular, Apple’s rules have raised the initial suspicion of self-preferencing and/or impediment of other companies, which will be examined in the proceeding…A corporation like Apple which is in a position to unilaterally set rules for its ecosystem, in particular for its app store, should make pro-competitive rules. We have reason to doubt that this is the case when we see that Apple’s rules apply to third parties, but not to Apple itself. This would allow Apple to give preference to its own offers or impede other companies.

The press release is brief and vague, but I believe the initiative as described misses critical nuance. ATT doesn’t provide a form of immunity to Apple with respect to tracking. Apple does not engage in tracking. But Apple also defines the term tracking in such a way that it doesn’t describe the workflow that powers Apple’s ads targeting. This circular tautology is the entire crux of the privileged-access problem with ATT. Apple defines tracking in a specific, prescribed way such that its own mechanisms for data collection and targeting are exempted from ATT’s restrictions. I go into much more detail in ATT advantages Apple’s ad network. Here’s how to fix that.

Apple Apple defines tracking, very specifically:

“Tracking” refers to linking data collected from your app about a particular end-user or device, such as a user ID, device ID, or profile, with Third-Party Data for targeted advertising or advertising measurement purposes, or sharing data collected from your app about a particular end-user or device with a data broker.

There are two relevant questions to ask when considering the application of the above definition of tracking, and neither is, “Does Apple engage in tracking?” Those questions are:

  1. Why doesn’t Apple engage in tracking? Because all app downloads and in-app purchases made on any Apple hardware represent, according to Apple’s rules, first-party data. Apple doesn’t need to engage in tracking: it has first-party access to all of the data that any ad platform would use tracking to collect. The use of the word tracking in the ATT prompt is a red herring: what’s more relevant from the consumer perspective is whether any entity should have access to a given user’s data in ways of which they are not apprised. Apple does collect user data from non-owned apps, and that data is utilized for ads targeting. Yes, Apple does this in ways that are privacy safe, for example by putting users into fairly large targeting groups that are stored on device and not shared with third parties. This is commendable, but it’s also beside the point;
  2. Does Apple’s ad network enjoy access to superior tools and resources relative to other ad platforms as a result of Apple’s ownership of the operating system? Yes. Apple’s ad network, Apple Search Ads, does not use SKAdNetwork for measurement but rather a proprietary API called the Apple Ads Attribution API which conveys more granular reporting data. Further, the consent prompt for Apple’s ad network utilizes much softer and more amenable language than does the ATT prompt;
  3. Should Apple’s ownership of the operating system, iTunes, and the App Store provide it with first-party privileges to all install and purchase data emitted by apps that it does not own? I believe that this is the critical question that should animate any consideration of the application of ATT guidelines.

I have no idea how serious or formidable these two efforts are. But having spoken to a number of regulators on the topic of ATT, my sense has always been that many in government are gripped by the digital advertising fear complex: the belief that all targeting technology is ineffectual smoke and mirrors and that data-driven ads targeting is no more accurate than random. This, and the generally esoteric nature of ad tech, explains why the third question hasn’t been asked in either of these investigations, or even more broadly. If ad targeting is seen as a privacy-plundering sleight-of-hand, then why not allow it to be obliterated?