Apple Under Fire in EU Over iPhone ‘Tracking Code’

By Robert Bateman

Privacy advocates across the EU have filed complaints against Apple over a “tracking code” installed on millions of its devices. 

The code, known as the IDFA (ID for advertisers), is generated without user consent and enables Apple and third parties to track users’ activity across websites, apps and devices.

Experts told Digital Privacy News that IDFA was an intrusive tool that compromised user privacy.

Complaints were filed with privacy regulators in Spain and Berlin by Austrian nonprofit None of Your Business: European Center for Digital Rights (NOYB), headed by lawyer and privacy advocate Max Schrems.

Apple strongly disputed NOYB’s complaints.

The case could have severe consequences for Apple and its partners.

In July, thousands of businesses were affected after a legal claim brought by Schrems invalidated the “Privacy Shield” framework, which facilitated transfers of personal information from the EU to the U.S.

Stefano Rossetti, an NOYB data-protection lawyer, told Digital Privacy News that the complaints against Apple cited the ePrivacy Directive — an EU law passed in 2002 that regulated how information was stored on user devices.

“We want to enforce these principles and assess how easy … it is to protect the interests of the consumers in this vital field.”

Stefano Rossetti, NOYB.

“The ePrivacy Directive is an ‘old’ law that establishes crucial principles for millions of European citizens,” he explained.

“The implementation of this directive has been fragmented across Europe — and there are so many procedural and non-procedural obstacles and so many different interpretations that some have put the effectiveness of these principles into question.

“We want to enforce these principles and assess how easy (or difficult, depending on the perspectives) it is to protect the interests of the consumers in this vital field,” Rossetti said.

Apple’s Position

In a statement, Apple said: “The claims made against Apple in this complaint are factually inaccurate — and we look forward to making that clear to privacy regulators should they examine the complaint.

“Apple does not access or use the IDFA on a user’s device for any purpose.

“Our aim is always to protect the privacy of our users — and our latest software release, iOS 14, is giving users even greater control over whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers. 

“Our practices comply with European law and support and advance the aims of the GDPR and the ePrivacy Directive, which is to give people full control over their data,” the company said.

“The claims made against Apple in this complaint are factually inaccurate.”

Apple Inc.

But Apple’s defense against NOYB’s complaints — that it does not “access or use” the IDFA — might not demonstrate its compliance with the ePrivacy Directive, Rossetti countered, which requires businesses to obtain consent for the mere storage of information on a user’s device. 

“Since we believe that the IDFA is ‘information,’ we argue that the initial installation should be authorized by the user,” he explained.

“Whether other parties access it is important — but not crucial.”

The Legal Issues

Eleni Kosta, professor of technology law and human rights at Tilburg University, detailed the legal issues at play to Digital Privacy News.

“The problem with the Apple identifier is that it allows the tracking of the user — and it allows a lot of companies, mainly advertisers, to track the user and collect information about the user,” Kosta said.

“European legislation does not say that this is not possible,” she continued. “And this is important: It could be possible.

“But in order to do it, you need to get the consent of the users.

“The problem with the Apple identifier is that it allows the tracking of the user — and it allows a lot of companies, mainly advertisers, to track the user and collect information about the user.”

Eleni Kosta, Tilburg University.

“If Apple had, let’s say, a pop-up — an interface that would tell users: ‘We want you to install this identifier to offer you better advertising,’ with all necessary information — and people could consent, then that wouldn’t be a problem,” Kosta explained.

“The problem is that all this is happening without the consent of the user.”

Trading on Privacy

Apple trades on its respect for user privacy, and upcoming updates to its iOS operating system, expected next year, will require third parties to obtain user consent before using IDFA.

However, some privacy advocates argued that the changes would not go far enough.

“IDFA is a dangerous, privacy-intrusive tool that goes against Apple’s stated concerns about user privacy,” said Bennett Cyphers, staff technologist at the Electronic Frontier Foundation in San Francisco.

“It is designed to help advertisers and tracking companies at users’ expense,” he added.

“IDFA is a dangerous, privacy-intrusive tool that goes against Apple’s stated concerns about user privacy.”

Bennett Cyphers, Electronic Frontier Foundation.

“Apple’s proposed permission model is an improvement, but the company should go further and remove IDFA altogether.

“Apple isn’t alone in utilizing this tool,” Cyphers told Digital Privacy News. “Google deploys a nearly identical identifier on Android, known as the ‘Ad ID’ — and gives users even less control than Apple does.”

Retargeting Ads

Finn Myrstad, co-chair of Transatlantic Consumer Dialogue (TACD) in Norway, explained how Apple could use IDFA “to create a rich profile or digital twin based on your online data, then retarget you with ads and messages.”

Using IDFA, along with other data — “such as our IP address, WiFi connections, phone ID, browser fingerprints” — Apple and third parties can track user activity “across apps and websites,” Myrstad said.

This tracking can be used to “manipulate or discriminate against” people, he added.

NOYB’s complaints in Spain and Berlin are just the start of the group’s efforts on this issue.

IDFA tracking can be used to “manipulate or discriminate against” people.

Finn Myrstad, Transatlantic Consumer Dialogue.

“Our plan is to continue the ePrivacy enforcement project also in other jurisdictions,” NOYB’s Rossetti said. “Hopefully, until the long-awaited ePrivacy Regulation (a draft EU law that could pass next year) will consistently regulate the matter.”

Robert Bateman is a writer in Brighton, U.K.

Source: