
Advertisers Concerned iCloud Private Relay Could Put An End To Fingerprinting (9to5mac.com)

One of the new features announced at WWDC 2021 is iCloud Private Relay, a new security feature that lets users hide their real IP address from third-party servers so that they cannot track them across the web. It's called fingerprinting and it is quickly becoming a popular method for advertisers because it allows them to pull together information about your device to pinpoint your identity. As 9to5Mac reports, Apple's new fingerprint-blocking feature has the ad tech industry worried. From the report: As pointed out by a Digiday report, Private Relay comes to join forces with App Tracking Transparency, a feature introduced with iOS 14.5 to prevent apps from tracking users without asking permission. With ATT, Apple relies on developers to update their apps and ask users whether or not they want to be tracked. Private Relay is expected to considerably reduce user tracking at a deeper system level: "And herein lies the rub for ad execs. Apple has told them fingerprinting is off-limits but doesn't seem to be aggressively enforcing this policy. Few execs, however, believe this perceived inaction will last. Eventually, goes the thinking, Apple won't need to enforce a policy like ATT to rid its mobile operating system of fingerprinting -- it will have the technology to block it from ever happening in the first place. The reason: Private Relay."

However, this will probably result in even more companies upset with Apple. Nii Ahene, head of strategy at Tinuiti, warns that Apple needs to be careful to avoid Private Relay being considered "anti-competitive or too dictatorial," as the company has been facing accusations of monopolistic practices. Digiday reports: "'Apple needs to be careful when it uses its market position in a way that could be interpreted as either anti-competitive or too dictatorial,' said Nii Ahene, chief strategy officer at digital agency Tinuiti. 'This is why there's a gradual rollout of Apple's privacy plan. The company communicates what it will do early, starts to have conversations behind the scenes, and then over some time the enforcement of the ATT policy starts to kick in.'" When Apple introduced ATT, companies like Facebook publicly criticized the feature since it directly affects the advertising business, which is responsible for the main income of these companies. Now, it's only a matter of time before more companies speak out against iCloud Private Relay.

  • by BeerFartMoron ( 624900 ) on Thursday July 08, 2021 @07:49PM (#61564193)
    And here I thought the American Wambulance Service would go bankrupt. Someone call 9-Wa-Wa!! We need a WAMBULANCE!
  • by sconeu ( 64226 ) on Thursday July 08, 2021 @07:50PM (#61564199) Homepage Journal

    Anything that cuts into "targeted advertising" and tracking is a good thing.

    Oh, your business model depends on it? Go hang out over there with the buggy whip manufacturers.

    • by MobileTatsu-NJG ( 946591 ) on Thursday July 08, 2021 @08:09PM (#61564243)

      Anything that cuts into "targeted advertising" and tracking is a good thing.

      Wait wait. hang on.. didn't you catch the bit in the summary about how Apple is driving this? We don't take kindly to that 'round 'ere.

      • by sg_oneill ( 159032 ) on Friday July 09, 2021 @03:21AM (#61565055)

        I know I know Apple Bad.

        But here's the thing. Apple's business model is basically selling hardware, with a side gig in selling Apps and Media.

        Advertising really isn't THAT interesting to Apple. It's dabbled in it, but I strongly suspect it would be fine if it just went away.

        In that respect Apple is a very different beast to Google, because its value proposition is in being able to say to customers "When you buy from Apple YOU are the customer" as opposed to the unfortunate truth about Google where you, or specifically your data, are the product.

        So yeah, distrust Apple. I do. But it's unreasonable to assume it's lying about wanting to keep you private. It makes more money off giving you reasons to buy its hardware than it ever could in an industry it has no engagement with, selling your data.

        • by shm ( 235766 ) on Friday July 09, 2021 @06:38AM (#61565317)

          Between an iPhone and an android, I know which one I would give to my kids.

          Say what you want about big bad old greedy Apple, they do do sensible things as far as privacy goes.

        • Apple spends quite a lot on advertising, e.g. $1.8 billion in 2015.

          Perhaps you mean selling advertising space to other companies & agencies. What Apple are doing is in effect a VPN, i.e. hiding users' IP, location, etc., except that they have exclusive access to this data & they can do whatever they want with it.

          • Apple spends quite a lot on advertising, e.g. $1.8 billion in 2015.

            Google raked in something like $150 billion (with a b) in advertising last year. If you're wondering where your finish-line is, your mole-hill needs to be magnified by about 75x.

      • We don't?

    • by Kisai ( 213879 ) on Thursday July 08, 2021 @08:16PM (#61564255)

      It's a double-edged sword.

      On one hand, targeted advertising is good for "targeted" products. Physical products. No point putting ads for tampons in front of men, or beard grooming products in front of women.

      Digital products on the other hand are detrimentally "Targeted", since digital products can be used by everyone equally, there is no reason to target them. Yes, maybe there is some value in knowing the age demographic so you're not hawking sex toys to children, but beyond that, most "targeting" variables are not important and are only about not wasting advertising spend.

      eg, you may be familiar with the following questions you see any time a site you sign up for is going to sell your data behind your back:
      a) Name
      b) Age
      c) Gender
      d) Income*
      e) Education
      f) Language
      g) Postal/Zip code

      The income is the one that dictates most of the targeting. You may not realize it, but the second you say you're not making $100,000/yr, you get fed all the low-quality advertisements. Because there is a hard association between income level and disposable income.

      So BMW and Lexus don't want to waste advertising spend on people who don't make the income to buy their products, but here's all the fad-diet and sugary snack ads, cause you're not rich. And if you set your income at less than $20,000 ? Ads for how to spend your food stamps.

      • by rtb61 ( 674572 )

        Two of those are now illegal to use. Age to be used for age discrimination which is illegal. Gender which is used for gender discrimination and denies the person the right to define their own gender, not have a corporation do it for them. Income, yeah, as a question you can ask it, to data mine it borders on criminal.

        You align the ad with content. Hey they are on a masculine aligned web site, probably shavers better than tampons on that web site. WHY THE FUCK DO YOU NEED TO KNOW ANYTHING ABOUT ME. If that

        • So the question now is, how do we make the rest illegal.

        • Wait hang on for a sec here...you seriously think age discrimination is no longer a thing?

          Setting aside that this is a tech site and we all know it is, how many 50 year old (paid) exotic dancers have you seen lately?

          No bonus points if you're talking about your creepy gilf-cam fixation.
      • Facebook fed me ads for Rolls Royce, so I think they may be just a bit off.
      • by Z00L00K ( 682162 )

        It's a double-edged sword.

        On one hand, targeted advertising is good for "targeted" products. Physical products. No point putting ads for tampons in front of men, or beard grooming products in front of women.

        Why not?

        A lot of people are married or have persons of the other gender as relatives.

        • by triffid_98 ( 899609 ) on Friday July 09, 2021 @03:05AM (#61565025)
          I was married for 17 years and my opinions on tampon brands never came up one single time. I don't care if I get those ads, but I get that companies don't want to pay for them to go to me.

          What concerns me more is targeted pricing. This makes that more difficult so I'm all for it.
      • by AmiMoJo ( 196126 ) on Friday July 09, 2021 @04:50AM (#61565143) Homepage Journal

        Thanks to GDPR I've been requesting this data from ad agencies and then asking them to delete it, and add me to their permanently barred list.

        What I've found is that uBlock Origin and Privacy Badger, plus a few other tools like Cookie AutoDelete and Privacy Possum, are highly effective. The information they had was decades out of date, going back to before those tools existed. Wrong income, wrong marital status, wrong email addresses etc. Some even had the wrong gender, address and age because I had poisoned their databases with fake info way back.

        I very rarely actually see any ads but it's clear that e.g. Google who does have some accurate data about me is not simply selling it to these guys, they are struggling on their own to get it and I'm winning.

      • Most advertising is a zero sum game. Women will buy the same number of tampons whether they see your ads or not. Rich people will buy expensive cars and poor people won't. Advertising is about getting them to buy your brand of cars or tampons instead of some other brand.

        It doesn't matter whether ads are targeted or not, as long as the rules are the same for everyone. If your ads are better targeted than your competitors, you'll get business. If theirs are better targeted than yours, you'll lose busines

    • by Z00L00K ( 682162 )

      Even better if you'd have something that can totally mess up targeted advertising by totally messing up the data.

      Targeted advertising is something we never really wanted or had any use for as it's never giving people information about new things that they haven't heard about. So the advertisers are the stupid ones here.

      For me I don't have any interest at all in horses or horse related stuff, but I do have relatives that are really interested. But since we never interact on social media and just meet occasio

    • by tlhIngan ( 30335 )

      Well, advertisers have compensated. They're spending much less money on iOS and ramping up Android spending [macrumors.com], by at least 10%.

      So advertisers know and are spending less money on iOS because it's not letting them get at all the tracking information they wanted. Now, they're not reducing the spending, they're ramping it up on hapless Android users, knowing Google is not going to turn away all that juicy tracking information.

  • by Dan East ( 318230 ) on Thursday July 08, 2021 @07:51PM (#61564205) Journal

    Too dictatorial

    Make it an option that is on by default. Problem solved.

    • by AmiMoJo ( 196126 )

      They would have to ask permission in GDPR countries I think, the fact that personal data could flow through it needs to be made clear to the user before the service is provided.

  • by Growlley ( 6732614 ) on Thursday July 08, 2021 @08:02PM (#61564233)
    if those scum didn't invade people's privacy and track you beyond their own website - the blocking technology wouldn't be needed.
  • by TigerPlish ( 174064 ) on Thursday July 08, 2021 @08:09PM (#61564245)

    If it gets banned in Russia or China I'll consider it.

    I learned of Protonmail from some poor sap at an MSP I was at. The note came from some miscreant using a protonmail account. This was like 4 years ago. Good enough for that, good enough for me! I do use protonmail and have relegated gmail and yahoo to spamtrap / random misdirections. I know, weird using a criminal to endorse email, but there it is.

    Then I hear signal (or telegram? I can't keep 'em straight) gets banned in Russia. Excellent endorsement. I don't use either, but good endorsement, getting banned in totalitarian states.

    If the ad guys are pissed at apple... bravo, apple. Yes, I use an iphone, have since 2009. Have been issued plenty others like galaxies, but my personal is always some kinda not-too-recent iphone. No I'm not an apple fanboi. But if it pisses off the mighty ad machine... all the best to them.

    Then there's the other face of apple, the one I don't think much of. But I'm sure plenty here will write volumes about that.

    • by AmiMoJo ( 196126 )

      It's not even launching in China. The government doesn't like VPNs in general, although it tolerates them because they are needed for businesses (e.g. Shenzhen based phone manufacturers who sell outside China need to test their Android distros with banned Google services).

      Signal... It's okay but the guy behind it is an arsehole and it desperately needs a fully open-source alternative that can be federated without strings attached.

  • by couchslug ( 175151 ) on Thursday July 08, 2021 @08:15PM (#61564253)

    May the idea proliferate!

  • Our cloud servers geo-block visitors from untrustworthy countries such as Ukraine, Russia and the USA. As long as the relay servers aren't located in those countries, and don't relay visitors from those countries, no problem. Also, why is it being called iCloud Private Relay as opposed to 'Proxy'? Is this just more Apple-spin?
  • That pisses off FB is pretty much a net positive for society. I seriously hope Apple holds its ground. I don't have a problem with companies doing tracking and fingerprinting as long as it's opt-in. Governments have a legitimate case for accessing that sort of data on a wide scale (lots of people will disagree on that one). But companies clearly have no right to track everything down to my bowel schedule unless I give the nod.
  • left / right (Score:4, Insightful)

    by fulldecent ( 598482 ) on Thursday July 08, 2021 @09:28PM (#61564363) Homepage

    Implementing a private VPN service and bundling it with your digital subscription service is...

    NOT AN ABUSE OF MONOPOLY

    Tying the Photos app into iCloud, and preventing third parties from doing same, which is the number one reason people buy iCloud is...

    AN ABUSE OF MONOPOLY

  • by khchung ( 462899 ) on Thursday July 08, 2021 @09:41PM (#61564405) Journal

    However, this will probably result in even more companies upset with Apple.

    The more upset these cyberstalkers are, the better!

  • by Freischutz ( 4776131 ) on Thursday July 08, 2021 @09:45PM (#61564425)

    Advertisers Concerned iCloud Private Relay Could Put An End To Fingerprinting

    Cry me a river.

  • The advantage of 3rd parties not being able to track you is a bona fide bonus.

    But the tradeoff is that Apple now has EVERYTHING you do.

    If you didn't trust apple i guess you've already lost if you bought an iphone; so some trust at least is assumed. But do you really want to give apple all the keys to your kingdom?

    So, they control all your apps, hold all your data, process all your purchases, and have all your traffic.

    The cost of this privacy, then, seems to be to have none at all from Apple.

    • But the tradeoff is that Apple now has EVERYTHING you do.

      Read up how Private Relay works [appleinsider.com], Apple also does not know what you are doing either.

      Note that as per that article, and what Apple said about it at WWDC, Private Relay is not really a VPN, nor can it be used to hide region (which on the plus side means accessing websites that are region locked will work for you, and you are roughly located within a city or region you really are in).

      • by vux984 ( 928602 )

        "Apple also does not know what you are doing either."

        you send all your traffic to an apple run ingress server, who sends it out to a 3rd party egress server to connect to the destination site.

        Where does it say apple does not have the ability to know what you are doing? It says 'Apple doesn't' it doesn't say "Apple can't".

        • you send all your traffic to an apple run ingress server

          From the article:

          "When a device tries to access a server, it first sets up a network connection to the ingress proxy," says Fernandes. "This connection is set up using an IP address assigned by the network provider... [and the] egress proxy then forwards these requests to the destination servers by choosing an IP address that maps to the device's city or region."

          What this means for the user is that Apple doesn't track which websites they're accessing.

          • Just like GP said: It says "Apple doesn't". It does not say "Apple cannot".

            Because if they want, they can. And it would certainly not be the first time that line suddenly and stealthily vanishes from the spiel.

            • True, but Apple's business model disincentivizes that. They're trying to build a reputation for privacy and forgoing the potential revenue from selling user data in favor of growing a devoted user base willing to pay a premium for their hardware. Since hardware is their core business, and very profitable, it's an easy position to take.

              Of course you're right that they could change their mind at any time, but I doubt they could do so quietly or smoothly. And I'd expect quite the storm of lawsuits.

            • It's an encrypted tunnel from the client to the egress server. Sure if the ingress servers and the egress servers collude they could see your browsing history, but it's not in the egress server's best interest to do that. Typically they're a CDN, so this is a side hustle for them and not worth the publicity risk to their main business.

              • They are controlling both the machine you're using and the ingress server, with you not having any way of auditing either of them.

                You can trust them to not shaft you. That much you can. But that's about all you can do.

    • I think you answered your own question. If you don't trust Apple, you don't buy their phone. Their phone knows everything you do on the phone, every click, every screenshot, every interaction, and even listens to audio within microphone reach of the phone 24/7. I don't have an iPhone but imagine the face ID terms allow Apple to turn the front camera at will to help verify your faceprint from the laser dots, but it can of course collect other data, like your mood, your surroundings, whatever else you can

      • by vux984 ( 928602 )

        I think you answered your own question. If you don't trust Apple, you don't buy their phone.

        I don't think trust is a yes/no question.

        As it happens, I run a private nextcloud for example, and that's where my contacts and calendars sync to.

        It's true that apple and microsoft and samsung could steal that data from me easily enough since they control the os on my devices, and I do generally choose to trust them not to do that. But that doesn't mean I feel any desire to just give them all my data, or think that "since they could steal it" means "I should just roll over and give it to them"

        • In this case you are allowing your data to go iCloud relay instead of just through Apple TCP/IP stack, so the amount of disclosure is pretty much the same. The difference is that it would be easier for Apple to covertly perform deep inspection in the cloud rather than on your phone, so it all comes back to trust. Agreeing to iCloud relay doesn't grant Apple any more rights to collect your data than they already have - you are not rolling over and giving them any more data. To use your Microsoft example, if

    • Good point, though I'd be more worried about an Apple VPN banning websites Apple doesn't like. We've already seen what they do in their app store bans...
  • by SuperKendall ( 25149 ) on Thursday July 08, 2021 @10:23PM (#61564537)

    Not sure if the summary made this really clear, but the App Tracking Transparency stuff is effective right now - meaning you cannot submit an app update that uses users' personal data in any way, without now prompting for and constantly re-checking permission.

    I saw one example where an app simply required an email for login, they could not get an app update in without implementing ATT to prompt and track the user's agreement (which can be revoked any time after they initially agree).

  • History tells us life has never been fair and the playing field was never level.

    But on the surface we live in a free, democratic world - and yet below that things are actually so much bent towards those who already have more power and money than they know what to do with - these two things don't match.

    Every step where we claw back a bit of freedom is important. And not being tracked and watched and having your data sold is one of those pieces, because freedom relies on being able to act freely - and living

    • It always was a sad world. But when the internet was new, the powers that be were caught off guard, and for a while we forget how sad of a world it really is. Now they're back, and we remember.

  • Mis-Named or Con (Score:5, Interesting)

    by ytene ( 4376651 ) on Friday July 09, 2021 @12:59AM (#61564815)
    There's something not quite right here.

    As I understand it, there are two separate elements we need to consider... One is - can the web site you are accessing identify you based on your IP address. On the basis of the descriptions, this looks to be something that "Apple Private Relay" should be able to defeat. APR looks to be like a vendor-specific implementation of TOR (The Onion Router).

    But that's only part of the story - one third, at best.

    The next element of tracking concerns cookie technology - the ability of the server you access to leave a small local file in your browser, for example the sort of thing used for session management, so that the server knows if you have authenticated or not. (Note: if sites used a reverse proxy server and enforced TLS encryption, the dependency on session cookies could be reduced, since the mutual authentication would have been handled by the TLS setup and perpetuated by shared secret, symmetric encryption keys. That's another story). The point being that no amount of APR is going to be able to block cookies between client and server because of the extensive use as session tokens. Until we get a much better solution to cookies, APR will have limited use.

    The third element here is fingerprinting - and it's where I really take issue with the description that prompted the title to this post. Fingerprinting is a server-side technology that captures and stores a broad range of meta-data, by interrogating the browser, to determine if the combination of those elements make that browser unique. Examples of the meta-data elements harvested by fingerprinting would be the browser signature [browser type and version], the OS / platform, the display size, the color depth, the local time, any data on battery performance, installed fonts, and so on.

    Researchers discovered that even if you use a proxy, even if you turn off most everything else, there are enough data bits of unique, identifying data to be able to track down almost any individual user with a high degree of certainty. You can learn a bit more about just how dangerous this is - and test your own browser, to see for yourself - here [eff.org].

    In short, I'm not seeing anything from Apple's announcement that is going to finally stop fingerprinting, even though they are better placed to do that than most [given that the meta-data for Safari on an iPad *should* be the same as for every other similar iPad made]. That isn't true today - the EFF privacy scanner reports that Safari on iPad are still uniquely identifiable.

    So I'm a bit suspicious of these claims until we see them independently tested and verified. And even then, of course, you have to pay for them with "iCloud+". If Apple were such champions of privacy, why are they charging extra for it?
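
The point made in the comment above (a relay changes the IP address but leaves the browser's own attributes untouched) can be measured the way the EFF test reports it, as bits of identifying information. This is an added example, not part of the original discussion; the visitor records, attribute names and helper functions are constructed for illustration, and the font-normalization step models the Safari behaviour described in the reply that follows.

```javascript
// Added illustration. Every visitor record here is constructed sample data;
// IP addresses come from the reserved documentation ranges.
const BROWSER_ATTRS = ["userAgent", "screen", "tzOffset", "fonts"];

const ipad = { userAgent: "Safari/iPadOS 14", screen: "2048x1536x24", tzOffset: -300, fonts: "stock" };
const winFx = { userAgent: "Firefox 89/Windows", screen: "1920x1080x24", tzOffset: -300, fonts: "stock" };

const POPULATION = [
  { id: "v0", ip: "198.51.100.1", ...ipad },
  { id: "v1", ip: "198.51.100.2", ...ipad },
  { id: "v2", ip: "198.51.100.3", ...ipad, fonts: "stock+2 installed" }, // extra fonts
  { id: "v3", ip: "198.51.100.4", ...ipad, tzOffset: -480 },
  { id: "v4", ip: "198.51.100.5", ...winFx },
  { id: "v5", ip: "198.51.100.6", ...winFx },
  { id: "v6", ip: "198.51.100.7", userAgent: "Chrome 91/macOS", screen: "2560x1440x30", tzOffset: 60, fonts: "stock" },
  { id: "v7", ip: "198.51.100.8", userAgent: "Chrome 91/Android", screen: "412x915x24", tzOffset: 60, fonts: "stock" },
];

// Canonical key for the chosen attributes of one visitor.
function key(visitor, attrs) {
  return JSON.stringify(attrs.map((a) => visitor[a]));
}

// How many visitors in the population look identical on these attributes.
function anonymitySet(population, visitor, attrs) {
  const k = key(visitor, attrs);
  return population.filter((v) => key(v, attrs) === k).length;
}

// Surprisal in bits: log2(population size / anonymity set size).
// 0 bits means "indistinguishable from everyone", log2(N) means "unique".
function surprisalBits(population, visitor, attrs) {
  return Math.log2(population.length / anonymitySet(population, visitor, attrs));
}

// Model of the relay as the thread describes it: the destination server
// sees a shared egress address instead of the client's own IP.
function throughRelay(population, egressIp) {
  return population.map((v) => ({ ...v, ip: egressIp }));
}

// Model of browser-side normalization: every client reports stock fonts.
function normalizeFonts(population) {
  return population.map((v) => ({ ...v, fonts: "stock" }));
}

function audit(population, id) {
  const v = population.find((p) => p.id === id);
  return {
    ipBits: surprisalBits(population, v, ["ip"]),
    browserBits: surprisalBits(population, v, BROWSER_ATTRS),
    combinedBits: surprisalBits(population, v, ["ip", ...BROWSER_ATTRS]),
    browserAnonymitySet: anonymitySet(population, v, BROWSER_ATTRS),
  };
}

const relayed = throughRelay(POPULATION, "203.0.113.50");
console.log("v2 direct            ", audit(POPULATION, "v2"));
console.log("v2 via relay         ", audit(relayed, "v2"));
console.log("v2 relay + font norm ", audit(normalizeFonts(relayed), "v2"));
```

In this sample the relay takes the IP signal from 3 bits to 0, yet visitor v2 stays unique on browser attributes alone; only normalizing the reported attributes enlarges the anonymity set.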
    • I don’t have the time at the moment to respond properly to your post, but I suspect the claims are based in large part on the fact that Apple has been rolling anti-fingerprinting technology into Safari for several years now. Safari will return false results when sites ask for your installed fonts, for instance. There’s a lot more to it than just that, but you may want to check that avenue for the answers you seek.

      Mind you, that doesn’t help someone using a different browser, but it is part

      • by ytene ( 4376651 )
        Thanks, Anubis, this is a crucial piece of information. It's important because by far the most intrusive and simultaneously the "least visible" of the privacy-busting technologies out there is fingerprinting. So if Safari has built-in anti-fingerprinting technology [and if you saw some of my earlier posts about the facelift of Firefox you would know how important I think this is] then that is a huge win for Apple users.

        But it seems a bit misleading - still - given that the focus of the announcement was A
    • There's more explanation of the service here - https://appleinsider.com/artic... [appleinsider.com]

      It's not entirely clear though. It says all Safari web browsing is proxied, as is DNS and HTTP, but TLS isn't. So, how is all of Safari's browsing proxied? I don't know. Is HTTPS proxied in Safari but nothing else?

      But if they charge extra for it, I could understand why. Their servers don't run for free, and presumably they have to pay the other proxy service.

      • by amp001 ( 948513 )
        My reading of this is that if you use Safari as your browser, all of that traffic will be proxied through this (assuming you have the subscription and have enabled this feature). Outside of Safari, system-wide DNS lookups will be proxied through this (using DNS-over-HTTPS), as will non-TLS HTTP traffic from apps that use Apple's standard web client frameworks. The result will be that 100% of DNS and web (browser or web service) traffic from the device will be TLS encrypted at least as far as the egress prox
    • So I'm a bit suspicious of these claims until we see them independently tested and verified. And even then, of course, you have to pay for them with "iCloud+". If Apple were such champions of privacy, why are they charging extra for it?

      Yeah, a whole $12 per year (US$0.99/month).

      Totally a rip-off…

  • IP address is one of a large number of bits of data used to fingerprint a device and user. Changing your IP address and even browser does very little to impact how you are uniquely fingerprinted. These include (for web browsing): User Agent, HTTP_ACCEPT Headers, Browser, Plugin Details, Time Zone Offset, Time Zone, Screen Size and Color Depth, System Fonts, Are Cookies Enabled, Limited supercookie test, Hash of canvas fingerprint, Hash of WebGL fingerprint, WebGL Vendor & Renderer, DNT Header Enabled?,L
  • The Internet surveillance advertising industry has no right to exist. We are not required to arrange Internet services so that it is easy for them to stalk people across the Internet. We do not need the danger of being tracked by malicious actors across the Internet - both criminal and government.

    The Internet surveillance advertising industry must die. It is parasitic and dangerous

  • Boo hoo for the fingerprinters. My heart weeps for them. Not.

  • Not just "your" computer, err, device... but all your connections too. Hail Apple

  • They quote an advertiser implying that Apple is going to face anti-trust suits over this, and I just can't see any basis for that. Am I missing something? It can't be anti-competitive behavior if Apple isn't competing with marketing/tracking services, right?
  • I'm not entirely sure how this private relay works, but I do wonder if it's possible to detect that a customer is coming from one of its endpoints.

    If the websites who use advertising networks are able to get $x per visitor using the private relay, or $x + 5 per visitor not using a private relay, I can well imagine that private relay users may become unsupported and a helpful deactivation guide provided to re-enable access.
