Apple’s big privacy update came out a year ago. What did it do for you?
When Apple rolled out its long-awaited, much-hyped privacy update one year ago this week, it was accompanied by an ad that attempted to visualize what the new feature did. In it, there’s a man going about his day, and every time he interacts with a business, an employee latches on and starts following him everywhere he goes, collecting and broadcasting the man’s personal information. A prompt shows up on the man’s iPhone, giving him the option to “Ask App Not to Track.” He taps it, and all of his unwelcome guests pop like balloons, disappearing into clouds of dust.
While evocative, the ad isn’t entirely accurate. The feature, called App Tracking Transparency, doesn’t stop all the ways companies follow you around the internet and in your mobile apps because Apple can’t stop all tracking. Nor does it want to. Your data is still being collected, but what’s being collected and how may have changed. The end result, however, is roughly the same: You’re being targeted with ads.
That’s not because App Tracking Transparency doesn’t work. Exactly what it does is both limited and difficult for most iPhone users to understand because it’s all happening in lines of code within the opaque world of ad technology. For many people, the only obvious changes are those “Ask App Not to Track” prompts that sometimes pop up when you open an app.
But under the surface, a lot has changed. App Tracking Transparency upended the mobile ad industry, which is built on data, by abruptly cutting off one of its streams. Businesses that relied on it spent the last year scrambling to replace that data and rethinking their strategies. Meanwhile, those that didn’t rely on it grew even more powerful than some of them already were.
From a user privacy standpoint, App Tracking Transparency seems like a good thing. It’s just not as good of a thing as you might have thought, or perhaps as Apple wanted you to think it was.
Apple giveth and Apple taketh away
App Tracking Transparency is actually Apple’s attempt to solve a problem it helped create. Tracking people across the internet existed well before the iPhone did, but the iPhone and its third-party apps have led to an exponential increase in the user data being generated. People bring their mobile devices everywhere, do just about everything on them, and are constantly connected to the internet through them. The technology that makes all this possible also makes it easy for apps to collect and monetize the data people generate when they use them.
There’s now a massive, multibillion-dollar mobile advertising economy powered by tracking people through their mobile devices, building comprehensive profiles of them, targeting ads to them based on those profiles, and measuring the effectiveness of those ads. A lot of this tracking happens without the user’s knowledge.
Take Meta, for example. Facebook and Instagram’s parent company has trackers planted in millions of third-party apps and websites. Meta can then link what a device does in one app with what it does in all the other apps Meta’s trackers are in, and even combine that with the device owner’s Facebook or Instagram accounts. Businesses then target ads to that user on the apps and websites Meta’s trackers are buried in.
But people generally don’t like being spied on. Apple also didn’t like that other companies were using its devices to spy on its customers, and it probably didn’t love that third parties were enriching themselves with its users’ data. This situation also wasn’t the best look for the big-on-privacy reputation Apple has worked so hard to build, especially when Meta — a company that Apple has its own issues with — was one of the biggest beneficiaries of the leaky apps on Apple’s devices. App Tracking Transparency could stop one of the methods of tracking that people find to be the most objectionable and creepy, and it could do so without hurting Apple one bit.
The feature works by giving users control of the unique serial number assigned to their devices, known as the identifier for advertisers, or IDFA. The IDFA is how trackers recognize your device when you use different apps and, therefore, how they’re able to link what you do on a bunch of different apps to your specific device. Beginning with the mobile operating system update iOS 14.5 in April 2021, an Apple device will no longer send out the IDFA unless the user opts into being tracked. As far as we know, this is all working as Apple promised.
“A user’s data belongs to them and they should get to decide whether to share their data and with whom,” an Apple spokesperson told Recode. “With iOS and iPad OS, we have given users the choice whether or not they want to allow apps to track them across apps and websites owned by other companies.”
Getting around App Tracking Transparency the forbidden way
App Tracking Transparency’s limits are twofold. When users have opted out of being tracked — that is, opted not to send out their IDFA — they can still be tracked across apps through other means. There’s also the tracking that happens in ways that Apple allows, probably can’t do much to prevent, and also does for its own ad business.
Even without the IDFA, determined trackers can do what’s known as “fingerprinting.” This involves collecting as much seemingly innocuous device information as possible, including the name and model of the device, user settings, IP address, and carrier. When combined, these details may be unique enough to identify a specific device, effectively serving the same purpose as the IDFA. While the App Store’s policies forbid this practice, there’s nothing technically preventing trackers from doing it anyway. Users are left relying on Apple’s enforcement of its own policies, which some reports suggest has been lax.
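The effect described above can be measured, which is how a privacy review decides which attributes an SDK should not be allowed to read. This added example is not from the original article; its device records, field names and values are constructed, using the attribute types the article names. It reports how many devices each attribute combination singles out.

```python
from collections import Counter
from math import log2

FIELDS = ("model", "locale", "ip", "carrier")

# Constructed sample: eight devices; every attribute takes only two values.
# IPs come from documentation ranges, carrier names are placeholders.
DEVICES = [dict(zip(FIELDS, row)) for row in [
    ("iPhone 11", "en_US", "203.0.113.7",  "CarrierA"),
    ("iPhone 11", "en_US", "203.0.113.7",  "CarrierB"),
    ("iPhone 11", "es_US", "198.51.100.4", "CarrierA"),
    ("iPhone 12", "en_US", "198.51.100.4", "CarrierA"),
    ("iPhone 12", "en_US", "203.0.113.7",  "CarrierB"),
    ("iPhone 12", "es_US", "198.51.100.4", "CarrierB"),
    ("iPhone 11", "en_US", "198.51.100.4", "CarrierB"),
    ("iPhone 12", "en_US", "203.0.113.7",  "CarrierA"),
]]

def anonymity_sets(devices, attrs):
    """Count how many devices share each combination of the given attributes."""
    return Counter(tuple(d[a] for a in attrs) for d in devices)

def unique_fraction(devices, attrs):
    """Fraction of devices whose combination matches no other device."""
    sets = anonymity_sets(devices, attrs)
    return sum(1 for n in sets.values() if n == 1) / len(devices)

def entropy_bits(devices, attrs):
    """Shannon entropy in bits; log2(len(devices)) means all are distinct."""
    total = len(devices)
    sets = anonymity_sets(devices, attrs)
    return -sum(n / total * log2(n / total) for n in sets.values())

def report(devices):
    """Rows of (attrs, unique fraction, smallest anonymity set, bits)."""
    combos = [(f,) for f in FIELDS] + [FIELDS[:2], FIELDS[:3], FIELDS]
    return [(c, unique_fraction(devices, c),
             min(anonymity_sets(devices, c).values()),
             round(entropy_bits(devices, c), 2)) for c in combos]

if __name__ == "__main__":
    for attrs, uniq, k, bits in report(DEVICES):
        print(f"{'+'.join(attrs):28} unique={uniq:4.0%} "
              f"smallest set={k} bits={bits}")
```

In this sample no single attribute isolates any device, yet all four together isolate every one, so withholding or coarsening even one attribute restores groups of indistinguishable devices.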
“It’s a bit of a cat-and-mouse game,” said Konrad Kollnig, a researcher whose recent paper on the impact of Apple’s privacy measures found that some apps were still collecting device information that could be used to fingerprint users. “There’s one part of this tracking going on on the user’s device, but there’s another question around what’s going on inside these data companies. And that’s really difficult for Apple to control.”
There’s also a long history of companies that specialize in collecting user data finding any and all ways to keep collecting user data, no matter what. Serge Egelman, research director of the Usable Security & Privacy Group at the International Computer Science Institute at the University of California Berkeley, says it’s more than likely that’s happening now.
“It’s always an arms race,” Egelman said. “Browsers try to add more privacy protections, such as blocking third-party tracking cookies, and the people who have an interest in tracking have come up with new mechanisms for doing so that aren’t reliant on the technologies that are being phased out or blocked.”
The lesson here is not to assume that you aren’t still being tracked across your apps just because Apple said so.
Getting around App Tracking Transparency the Apple-approved way
Another way to understand how Apple’s anti-tracking feature affected user privacy is to look at how it impacted the companies that relied on that tracking. Suffice it to say, they were not thrilled by the idea.
Apple said it doesn’t know how many users declined to be tracked. Estimates vary, but most say that the majority of users — that’s hundreds of millions of devices — opted out. So while trackers are still getting device-level data from the Apple users who opted in, as well as Android users (at least until Google unveils its App Tracking Transparency copycat), they still lost a lot.
“The change was massive. It really turned the mobile marketing space upside down,” Shani Rosenfelder, head of content and mobile insights at AppsFlyer, explained. “[Now] marketers have to break their addiction to user-level data.”
Some companies are shifting to, of all things, the mail. No, not email — mail mail. Email, too, although Apple is coming up with ways to stop email-based tracking. Some businesses Recode spoke to have shifted their ad spending away from Meta, which they say hasn’t given them the kind of results it did before. Zachary Ehrlich, director of paid ads at Doctors Internet, said he’s encouraging clients to use Google search ads. For clients who insist on using Facebook, he puts tracking phone numbers on ads to know if they’re getting returns on those ads, as Meta’s feedback isn’t as accurate as it used to be. Jon Shanahan, co-founder and chief marketing officer of Stryx, a men’s skin care line, said he used to split ad spending between Meta and TikTok. Last August, he moved all of it to TikTok.
“It used to be, you could put money in the [Facebook] machine, you get $5 or $6 back,” Shanahan said. “And now you’re lucky if you get a one-to-one ratio back.”
Meta’s not the only digital ad business to take a hit — Snap is also having problems, for instance — but it’s one of the most prominent, both because of its size and how loudly it complained about Apple’s privacy changes. Meta has said all along that App Tracking Transparency would be bad for its business (actually, it framed it as bad for small businesses that buy ads on Meta, but … you know), and it turned out Meta was right. Meta’s ad business is still growing, and it’s still making plenty of money. But it’s not growing as much as it was before. And for a company like Meta, that’s a big problem.
“Despite Apple’s harmful policy, we’ve continued to adapt our systems to help businesses succeed while honoring privacy, and shared extensive steps they can take to maximize performance and measurement on our platforms,” Meta told Recode.
Luckily for Meta, there are several ways that it — and everyone else — can track users while staying on the right side of Apple’s law. Apple doesn’t let companies track and target you across apps on an individual device level, but they can still track and target people in aggregate. In other words, you can still be targeted as part of a large, anonymous group rather than as a unique user. (Google tried something similar to this with FLoC, its ill-fated attempt to replace web-based trackers.)
There are also “contextual” ads, which aren’t new but are apparently enjoying a renaissance in the relative absence of user-level data. This isn’t just happening because of App Tracking Transparency; privacy laws and the death of website cookies also played a role here. Contextual ads are ones for products that you’re likely to be interested in based on what you’re already looking at. If you’re using a fitness tracker app, for instance, you might get a bunch of ads for exercise gear.
How walled gardens grow
And then there’s the tracking that arguably got the biggest boost from all this. Apple also doesn’t forbid companies from tracking what you do on their own platforms — collecting what’s known as first-party data — and from using that data to target ads to you on those same platforms. Apple does this, too. If they didn’t have their own first-party data sources already, many companies are now building them up or merging with other companies to acquire them. This is why an increasing number of companies strongly urge or even require you to create accounts with them to use their services.
“A retail company can just go advertise directly on Amazon, for example,” Nina Goetzen, a digital advertising and marketing analyst at Insider Intelligence, said. “They have all this data because everyone’s logged in. … And that hasn’t really been affected [by App Tracking Transparency]. These walled gardens are just stronger because of it.”
You may not mind first-party tracking if you think you have an idea of who’s collecting your data, what they’re collecting, and what they’re using it for. And you may be perfectly happy to exchange your data for a free service when you know who you’re making the deal with and what deal you’re making, as opposed to unknowingly sending your data out to a bunch of companies embedded in an app.
But there may be some unintended consequences here. The companies that are benefiting the most from the rise of first-party data and the fall of third-party data are the ones that have the most first-party data, and those companies are going to be some of the biggest in the world — namely, Google and Amazon.
Apple’s ad business, which uses first-party data, is growing — quite a bit, according to some reports. Companies hurt by its privacy measures have cried foul over this, which Apple countered by commissioning a new report that points to several factors for this growth aside from App Tracking Transparency.
There are also concerns that the increased value of first-party data will give the already-powerful walled gardens even more power. Big brands and companies will have the resources to adjust to the changes; small businesses might not. This means they’ll be more reliant on walled gardens than ever, and will fall further behind while the established giants move further ahead, according to Diana Lee, CEO of Constellation, an ad tech company.
“Overall, more monopolies are created this way, whether it be Big Tech or big brands,” Lee said.
Or maybe the existing monopolies are being reinforced. Apple has its own share of antitrust woes, and the App Store is one of the targets of pending federal legislation (Apple denies that it is anti-competitive). Then it flips an entire industry and a lot of businesses’ fortunes upside down with the flick of a switch. Sure, those businesses probably shouldn’t have been so dependent in the first place on sneaky practices consumers didn’t like. But there’s hardly a better example of Apple’s power and control than that. And if you’re an Apple user, that’s a lot of power over you, too.