Apple warns Chinese apps not to dodge its new privacy rules

A game of cat and mouse has started between Apple and Chinese technology companies, as the iPhone maker tries to enforce its new privacy policies in China.

Apple is expected to roll out changes to iPhones in the spring that will give users more privacy from mobile advertising, a market that reached $240 billion last year, according to App Annie.

The changes will force apps to ask for permission before collecting tracking data about users, a move that Facebook has fought hard against, since most users must say no.

But even before making the changes, Apple is facing problems in China, where tech companies are testing ways to beat the system and continue to track users without asking for their consent. Apple said earlier that it would reject from its App Store any applications that “were considered negligible by the user’s choice.”

On Thursday, Apple fired off warnings to at least two Chinese apps, telling them to cease and desist after naming a dozen parameters such as “setDeviceName” that could be used “to create a unique identifier for the user’s device”.

“We found that your app collects user and device information to create a unique identifier for the user’s device,” says a screenshot of a warning to a developer who was using a new way to identify users called CAID, developed by the state-backed China Advertising Association.

Its guidelines suggest that an update must be “compliant with the App Store Review Guidelines in 14 days” or “your app will be removed from sale”.

Jackie Singh, a former senior cybersecurity employee in the Biden campaign, said the warnings demonstrated Apple’s sophisticated ability to use automated tools to detect violations of its privacy guidelines.

“Apple clearly has the technical capacity to deny the existence of applications in its ecosystem that carry out activities designed to uniquely identify people and track their behavior outside Apple’s walled garden,” she said.

“The real question is whether they will choose to apply these policies broadly or narrowly within the context of the whims and desires of a foreign government – and how Apple will choose to respond to these challenges from other nations in the future.”

Apple’s move is an attempt to nip in the bud any resistance to its new policy, which has been deeply unpopular with developers around the world, many of whom offer free apps that make money from ads.

A marketing industry veteran who wanted to remain anonymous added: “Apple’s new policy will undermine the advertising industry’s ability to check its traffic. In China, large and small companies were testing CAID, but Apple’s recent actions will end those tests.”

The Financial Times obtained information about software development kits from five of China’s largest technology companies, including Baidu, ByteDance and Tencent, which show that they are testing or implementing CAID as a way to identify users in the future.

The ByteDance guide recommends that developers use its SDK, “Ocean Engine”, to “issue” two new identifiers, CAID1 and CAID2: one based on the user’s IP address and the type of browser and phone, the other on a phone’s IMEI – a unique number that identifies a device on a mobile network.

Both new IDs violate Apple’s rules, which state that developers must obtain permission to use “other IDs with a third-party ad network”.

As a “replacement”, ByteDance also recommends that developers use “fingerprint and probabilistic correspondence” methods to identify users – another violation.

A notice sent by Apple to a Chinese application developer © FT

Technology experts say that the fact that Chinese technology companies are creating multiple identification systems suggests that Chinese applications will adjust their shipments in a number of ways to outperform Apple’s application.

“The SDKs suggest that [Chinese app developers] are ready to play that cat and mouse game,” said Irene Knapp, a former senior software engineer at Google and now a member of the Tech Inquiry campaign group.

Singh noted that CAA’s privacy terms, which are publicly available, suggest that a CAID can be created initially on servers hosted by application developers, rather than on the device itself. She said this may indicate that developers may try to get their applications approved by Apple, making changes at the server level that are more difficult to detect.

“If the application is written in such a way that the actual CAID code exists remotely and the parameters are sent to a server, this can make detection more difficult,” she added.

Efforts to undermine Apple’s new privacy effort will put the $2 trillion tech giant in a difficult spot.

“Either [Apple] disrupts Chinese companies – in some cases owned or supported by the government – potentially halting their meteoric growth in China over the past decade and disrupting a central part of their supply chain, or gives Chinese developers special privilege and opens that can of worms,” said Alasdair Pressney, director of product strategy for AdColony, a network and mobile application market.

Apple declined to comment.

How does CAID work?

The state-backed China Advertising Association, which led the development of CAID and earns revenue from its use, said it plans to provide “more personalized services” to consumers by collecting and storing personal information, including “device startup time, country, language, device name, system version, physical memory, hard drive, time of last system update, device model, time zone.”

These seemingly trivial data points can, when put together, create a “fingerprint” almost unique to a device.
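The effect can be measured from the privacy-review side. The following is an added example, not part of the original article and not code from Apple or the CAA: it takes a constructed population of eight devices, with hypothetical field names modelled on the attributes in the CAA list, and reports what share of devices fall into an anonymity set of one as attributes are combined.

```python
from collections import Counter

# Hypothetical field names modelled on the attributes the CAA says it collects.
FIELDS = ["device_model", "system_version", "language",
          "time_zone", "physical_memory_gb", "device_name"]

# Constructed sample population (not real data): one tuple per device.
DEVICES = [
    ("iPhone12,1", "14.4", "zh-Hans", "Asia/Shanghai", 4, "iPhone"),
    ("iPhone12,1", "14.4", "zh-Hans", "Asia/Shanghai", 4, "Phone-A"),
    ("iPhone12,1", "14.3", "zh-Hans", "Asia/Shanghai", 4, "iPhone"),
    ("iPhone13,2", "14.4", "zh-Hans", "Asia/Shanghai", 4, "iPhone"),
    ("iPhone13,2", "14.4", "en", "Asia/Shanghai", 4, "iPhone"),
    ("iPhone13,2", "14.3", "zh-Hans", "Asia/Urumqi", 4, "iPhone"),
    ("iPhone12,1", "14.4", "en", "Asia/Shanghai", 4, "iPhone"),
    ("iPhone12,1", "14.3", "en", "Asia/Shanghai", 4, "Phone-B"),
]


def anonymity_sets(devices, fields):
    """Group devices by their values for `fields`; return value-tuple -> count."""
    idx = [FIELDS.index(f) for f in fields]
    return Counter(tuple(d[i] for i in idx) for d in devices)


def unique_fraction(devices, fields):
    """Share of devices that nobody else matches on `fields` (set size 1)."""
    sets = anonymity_sets(devices, fields)
    singletons = sum(1 for n in sets.values() if n == 1)
    return singletons / len(devices)


def cumulative_uniqueness(devices, fields):
    """Uniqueness after adding each field in turn to the combination."""
    return [(fields[k], unique_fraction(devices, fields[:k + 1]))
            for k in range(len(fields))]


if __name__ == "__main__":
    for name in FIELDS:
        print(f"{name:20s} alone: {unique_fraction(DEVICES, [name]):.3f}")
    for name, frac in cumulative_uniqueness(DEVICES, FIELDS):
        print(f"adding {name:20s} -> {frac:.3f} of devices unique")
```

Running the same measurement over the fields an SDK actually transmits shows a reviewer which attributes to drop or coarsen so that devices stay in larger anonymity sets.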

When an iPhone user installs an application that uses the system, the application collects this data and sends it to a central server to create a CAID to identify the user.

If the user clicks on an ad from another app and downloads it, that app will also generate a CAID in the same way.

If the two CAIDs are the same, the first application can prove to the second that its ad worked, showing that the money spent on advertising was worth it.

CAA says users will be able to opt out of CAID to avoid tracking, but Apple’s new rules do not allow exceptions to App Tracking Transparency, its framework for any developer who wants to collect data about users.
