Here's what's actually going on:
- Apple has deprecated the UDID. We're still allowed to use it for a while, but in the long term it's going away.
- Apple has created a new identifier (the IFA), specifically for the use case of advertising. This identifier uniquely identifies a device across apps, but beyond that provides no information about the device or its user.
- This ID comes with strings. There's an option in Preferences to "Limit Ad Tracking." The terms and conditions specify that when this option is enabled, we still get access to the ID, but we are only allowed to use it for some specific purposes like conversion tracking (eg. making cost-per-action campaigns possible), and fraud detection (eg. preventing fake clicks). We are not allowed to use it to create profiles, or to improve our ad targeting algorithm. We are absolutely not allowed to divulge the information to third parties.
Without this, advertising wouldn't be possible. Some may think that that'd be for the best (myself included), but that's an entirely different argument, and you'd have to realize that the market would be very different (No free/freemium apps, and everything would be more expensive). You can't have your cake and eat it too.
I expected better from Schneier.
Apple continues to give apps access to the UDID; the recent leaks were apparently not as stark a reminder as some people thought.
The "Limit Ad Tracking" option seems wholly useless; another "X-Do-Not-Track". In this case, the user even expresses the wish to not be tracked, and Apple just continues to provide the data while telling the apps you checked a meaningless box. Apple is in no position to control what app developers do with the data after the fact; the only possible way here is to not disclose that data at all.
(Also, Google does just fine without a globally unique "advertising number". It can do so because people get actual value for the advertisements, and the advertisements are targeted. Apple is just providing this trove of data on the cheap to every hinterland app developer. Thats a huge mistake.)
https://github.com/ylechelle/OpenUDID/blob/master/README.md
Or just read the MAC address: http://stackoverflow.com/questions/677530/how-can-i-programm...
> Google does just fine without a globally unique "advertising number". It can do so because people get actual value for the advertisements, and the advertisements are targeted.
I don't understand, can you elaborate? How can advertisements be targeted without tracking?
http://android-developers.blogspot.de/2011/03/identifying-ap...
Web and mobile advertising does not need to become "impossible" in order for you to stop suggesting it's unavoidable.
Any fool can also make predictions of the future. Given Y, X will not exist. But given Z, X will exist. If we could be so certain about cause and effect and how to shape the future, mobile advertising would be quite easy, wouldn't it?
However we can all see that is not the case. Uncertainty favors those selling advertising services, not advertisers.
Allowing commercial activity does not necessarily mean the internet has to be an ad channel. I'd still buy things from Amazon even if I never saw a single web ad for the company. There are many other ad channels besides the web. They still work.
Sorry I'm pretty ignorant on how this kind of thing works, but when you say 'not allowed', what's actually stopping you? I mean, how is Apple or anyone else going to know if you do or do not use these IDs?
What did you really expect? Him to buy into your weak hand-waving rationalization for this information exposure? Computer security is about what is possible for malicious actors, contractual "strings attached" and what you're "allowed to use it for" are next to irrelevant. If we could safely assume everyone is acting with the other's best interests in mind and respecting their privacy, computer security wouldn't even be a thing.
I get it that you were on the inside of one of these companies. Its really easy to have your perspective shifted when you live something for so long. It lets you draw conclusions based on your anecdotal experiences there. That's fine and all, but don't attack the guy for pointing out the real issues you've chosen to marginalize.
Maybe it would be less successful, maybe less prevalent, maybe less useful, but I'm pretty sure advertising would still be possible in a world with no device-specific IDs made accessible to the advertisers.
Most freemium apps seem to rely on in-app purchases, not ads. (Leaving aside the ones that combine the two by having you pay for not having ads, but many apps manage to come up with something more creative than that.)
And quite a few free apps exist that don't have ads.
Good thing (for Apple) most of their customers have had too much koolaid to care.
> "Apple adds new "Limit Ad Tracking" feature to iOS 6"
http://news.ycombinator.com/item?id=4545602
3 weeks ago:
> "Google implements Apple's Ad Identifier for mobile tracking choice"
http://news.ycombinator.com/item?id=4581781
Both hacker news submissions have zero comments. Why is it that a month ago no one cared, but now everyone is grabbing his tin-foil hat?
Also I am pretty sure at least some of the more extensive iOS 6 reviews have mentioned the new "limit Ad tracking" feature. And aren't we presumed to be developers who uses this stuff? I did know that Apple had a replacement for the UDID.
PS: On Schneiers blog one commentator claims that he/she was notified of the Ad tracking by a prompt in the iOS update. Sadly I have no updateable iOS 5 device here to examine that. But I think this was only an info for the new privacy pane, wasn't it?
A story not becoming popular on its first (or second) submission is not necessarily indicative of its importance. Relatively few people see new links, and the success of failure of these links in "going viral" is in the hands of relatively few. So no, it's not necessarily that no one would have cared about this a month ago and it's not an indication of hypocracy on behalf of this community; there are significant random factors that play into the exposure any particular topic or submission will receive.
It is explained (from the developers point of view) in the WWDC 2012 session "Privacy Support in iOS and OS X".
https://developer.apple.com/videos/wwdc/2012/?id=710
The old UDID is splitted into three new API:
1. Application ID, which scope is the app and lifetime is till uninstallation of this app.
2. Vendor ID: scope is developer and lifetime is till uninstallation of all developer's apps.
3. Advertising ID (identifierForAdvertising or IFA): scope is the device and a new ID is created by "Erase all contents/settings" and it is not restored across devices (practically lifetime is lifetime of the device). This means when you start to use a new iPad it will have its own Advertising ID and not use that of your old iPhone, because the ID is not tied to your Apple ID account, but tied to a device.
It is noteworthy that after Apple banned the usage of the UDID some developers and ad networks started bypassing Apples privacy rules and made their own open source ID replacement:
https://github.com/ylechelle/OpenUDID/blob/master/README.md
But I don't know if this will be permitted in the future or you have to use Apples provided ID system (I would assume the latter).
But mostly probably luck. My impression is that if a story doesn't get votes for the minority of people who cruise the "new" section in the brief period of time where it's on the first page or two, it's dead.
They now use an anonymous, temporary, random ID that can be turned off.
How is this not an improvement?
Somehow, all mentions of this on tech blogs that I could find are completely devoid of links to Apple's official documentation on this.
> EDITED TO ADD (10/15): Apple has provided a way to opt out of the targeted ads and also to disable the location information being sent.
Ok, why is that "edited to add"? Seriously. The page he links to on apple.com says it was last modified more than a month prior. Why did Schneier post his article, get some hits, and only then add this little tidbit which basically turns the whole thing into a non-story? Couldn't he have researched it all up front before posting the story? The page on apple.com is the very first hit for "iAd opt out" on Google. It's just beyond lazy to have posted this story without having done that search first.
I realize Schneier is a bit of a sacred cow in most tech circles, but this seriously just smacks of sensationalism:
"OMG Company X does something horrible!"
* wait for pageviews to roll in *
"EDIT: Eh, not really. Shoulda Googled first."
Come on. Really.
When it comes to general advice, he's spot on. When it comes to commenting on actual implementations, he does miss details. Hell, it's not like he's Chuck Norris.
Coming down from high horse: Oh crap, my phone's software is programmed by an advertising company...
Conclusion: My life is being bought and sold out of my control.
I remember that the system asked about it first time it needed location (and every time you turn this option on). The downside is that Google Now does not work without it.
I do miss Google maps, and have used it every now and again, and the GPS in my old Samsung Galaxy S may as well be nonexistent, so not using location services sucks. Opera renders some popular websites poorly (quite possibly not their fault) but it is good at other things. I also still rely on Google Play (fdroid doesn't have enough stuff, and I don't mind paying for some stuff) but alternatives like Amazon are probably just as bad. Overall its not so bad.
One day I'll try to use my phone without any of my Google accounts and see how I go.
I'm still trying to figure out when I want to turn off these sorts of things, versus when I'd rather keep them on.
1. Why is Apple tracking the location of my iPhone?
Apple is not tracking the location of your iPhone.
Apple has never done so and has no plans to ever do so.Am I the only one who finds that humourous? An "unusual" environment? What exactly is "normal" about tracking people's movements in the name of convincing advertisers to pay you?
This briefly enjoyed environment should not be unusual. It is the one we've lived in for hundreds of years. It should be the norm. iAd should be _opt-in_ not opt-out. There are no valid arguments to the contrary that are not motivated out of just a tad bit too much greed, the unhealthy kind.
(Why do I say the greed is excessive and unhealthy? Because Apple has already sold a highly marked up device composed of cheap electronics and booked that revenue. But this is apparently not enough. The casualty of this greed is the consumer's basic notions of privacy. That price is arguably far too high for anyone to pay to any company in return for "helpful suggestions" of products and services they _might_ want, based on seller guesswork. Apple made a fortune selling iPods. They didn't need to track users' listening preferences to do it. There are limits to what is reasonable.)
This is completely false. It hasn't changed at all in any meaningful way.