Tim Cook’s privacy crackdown on mobile apps has been years in the making. In fact, it really began in the Steve Job’s age, around 2008. You need to look at Apple design (the key years being 1977-2008). Because the ads changed as the hardware changed. You need to look at the changes from a hardware perspective. Jobs had written early on that innovation distinguishes between a leader and a follower and had seen a perseptible shift occurring in the digital advertising business.
But it did not really take form until the Tim Cook era when internet users voiced growing concern about the volume of the data they were creating, and the security of that data. That concern resonated with governments around the world and regulations such as the European Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) in California were just warning shots of more to come.
Tim Cook decided “We’re going to disrupt the advertising industry“. First though, Apple had to come to terms with a monster of its own creation, and its top brass had to debate how far to go in cutting off the data collection that undergirds the ads business.
The following is a mashup of conversations and notes for a long piece I have been writing about the digital advertising industry – random thoughts, not fully formed, in search of a narrative. All part of my last pilgrimage to the annual Cannes advertising conference this Spring – or to give it its full honorific, the Cannes Lions International Festival of Creativity – as I hang up my conference spurs (sniff, sniff) and retire to Crete.
Why is Cannes Lions so important to me? Because it is what I like to call “The Conference of the World’s Attention Merchants”. Over the last decade, the festival has evolved to include not only more brand clients but also, due to media fragmentation which has led to the change of some and the birth of others, an expansion into tech companies, social media platforms, consultancies, entertainment and media companies — essentially the entire attention ecosystem. And over the last two years (pre-COVID) it has also attracted contacts and vendors from my other domains: cybersecurity and eDiscovery.
15 March 2022 (Paris, France) – A very long time ago (or as Billy Joel once sung “when I wore a younger man’s clothes), my first legal job (after 3 years on Wall Street as a currency trader, and then M&A analyst) was with Cleary Gottlieb Steen & Hamilton. How long ago? George Cleary, Leo Gottlieb, Mel Steen and Fowler Hamilton were still alive and they had their own wing in the office. Fowler Hamilton often came into the office canteen to get his own coffee. Alton Peters (a partner and husband of one of Irving Berlin’s daughters) had Irving Berlin’s Oscar for “White Christmas” on a special table, all lit up.
I was the most fortunate of young men. I came under the tutelage of senior partner Walter Rothschild. He did not want his staff sitting in their offices all the time. He continually sent us out to spend time with the client, to understand how a company is run, how markets work, etc. To “get in the trenches” so that we saw how the legal work we did affected (or did not affect) the business. So we did not think and act in a vacuum.
I got lucky. I sent a good chunk of my time at Ogilvy, the New York City-based British advertising, marketing, and public relations agency (which is now part of the WPP Group, the largest advertising and public relations companies in the world). It enabled me to learn the advertising business and allowed me to see the very beginnings of e-commerce and consumer data analysis which has informed so much of what I write about.
The 1970s. What heady times. The Beatles broke up, political crises were building (today’s headlines are hardly an anomoly), and the government put a ban on cigarette advertisements. It wasn’t until the mid-1970s when advertising companies really starting bringing in some serious money. And by the end of the 1970s, the advertising business was raking in the money, close to $28 billion.
I looked up an American Association of Advertising Agencies report for that time (an organization that has been around since 1917) which noted that by 1975 consumers were exposed to up to 1,600 ads a day. TV programming was now completely in color (actually as of 1972 in the U.S.) and sales of color TVs finally outpaced B&W – and television became the most sought-after medium for advertising. Television ads reached about $6 billion, in 1976 alone.
And while the 1960s became famous for the creative revolution, the 1970s brought about different ways of thinking. The use of computers skyrocketed in the 1970s, changing the way agencies did their everyday operations: billings, reporting, and more importantly – research. Technology helped agencies gather more detailed information, such as demographics, to analyze consumers, make projections and develop positioning for brands based on consumer behavior and perception. It was the birth of full-on consumer data analysis.
And 1970’s advertising switched the focus from very to-the-point messaging, to more emotional approaches, sometimes to a fault. One of the most frowned-upon practices of 1970’s advertising was subliminal messaging. I am sure many of you have read the stories about sexually charged words and photos hidden in ice cubes, the folds of clothing, anywhere to get the target audience to associate the brand with innate desires. Advertising executives faced lots of criticism because of these practices, and consumers began to grow skeptical of advertising. Due to the vast array of skepticism, the Federal Trade Commission and the National Advertising Review Board created the first standards that advertising companies had to follow.
And e-commerce was born – the phrase first used in 1979 and regularly cited by 1982.
Ah, the simple days. In the beginning, e-commerce was very utilitarian. You knew what you wanted before you turned on your PC, you clicked on it and you bought it. The first really successful organizing layer on top of the web, search, was also very utilitarian and, of course, so was the first big online advertising model, which was explicitly based on search. But ever since then, e-commerce, discovery and advertising have been moving and expanding across the spectrum – expanding from utility to experience, and from search and lists to suggestion and discovery.
The global advertising business is now worth about $600bn a year, and at least half of that (and growing) is digital. A huge chunk of this is now being overturned, due to regulation – like the GDPR and the CCPA – on one side, and the duopoly platform companies (Chrome, iOS) on the other. Cookie-based, cross-site, third party tracking is going to disappear (well, in some manner), as is some of the related tracking that had been built into iPhones such as the Identifier for Advertisers (IDFA) which is a random device identifier assigned by Apple to a user’s device.
Yes, you can advertise based on what’s on the page (“context”), and you can advertise based on what else someone did on your site (“first party”), but advertising based on what someone did on another site (3rd party, those bloody cookies) is going to look totally different. What does that mean? How different? No one quite knows. It’s all fluid, something-in-progress.
What we have seen in recent years is significantly enhanced information sharing and networking capabilities among smartphone users, advanced by geospatial technologies which have undeniably permeated almost all aspects of modern life in our society. Social media apps are increasingly location-based, providing analysts with access to a wide range of shared spatial data, such as check-ins, geo-tagged images, video clips or text messages, or reviews of businesses and other localities.
But Apple decided to blow-up the mountain.
For years, Apple CEO Tim Cook has been the most vocal privacy champion among all of big tech’s top leaders. But within Apple, a decision to curtail ad tracking of iPhone users in 2020 sparked an intense debate about just how far to push privacy changes poised to upend the digital advertising industry. The digital media newsletter The Information notes:
On one side of the discussions was Craig Federighi, Apple’s software chief. He oversaw a team of privacy-minded engineers who wanted to curtail the powers of an Apple tool that unscrupulous advertising companies, mobile developers and data brokers were exploiting to track the behavior of iPhone users, according to people with direct knowledge of the discussions. On the other side were groups reporting to Eddy Cue, head of Apple’s services and advertising businesses, and Philip Schiller, then the company’s top marketing executive, who led its App Store. Cue’s and Schiller’s teams argued for more-cautious action against the tool, given that many developers relied on it for advertising revenue. Schiller’s group also worried about potential damage to App Store revenues, though Schiller himself was in agreement with Federighi.
In the end, the Apple leaders reached a solution. The company required app developers to ask users whether they wanted to allow their online activities to be tracked across websites and apps operated by companies other than the developer. Developers couldn’t use the tool anymore to track users who opted out but instead had to rely on an inferior system developed by Apple that better protected user privacy. For many companies in digital advertising, the impact of Apple’s changes—which the company began to enforce last April—has been seismic. That’s especially true for Facebook’s parent company, Meta Platforms, which expects the changes to shave $10 billion off its revenues this year because of their impact on the company’s prodigious data collection practices.
But if you read the analysis done by Bloomberg Business, and The Verge and mega-mobile-analysts like Ben Thompson and Casey Newton Meta wasn’t the primary target of the company’s changes, despite a long history of thinly veiled rhetoric from Cook viewed as critical of the company’s practices. Instead, Apple was going after the most egregious forms of abuse – for example, weather apps that sold data about users’ locations to brokers. And what particularly galvanized the Apple executives into action was a dawning recognition that it had, in effect, created a monster in the digital tracking tool that became a pillar of the ads business and the surveillance industry. As Eric Schmitt, an ad tech analyst at Gartner (often quoted in these things), had said:
“They opened a proverbial Pandora’s box”.
At the heart of the Apple effort to shut that box was Erik Neuenschwander, an influential 15-year veteran of the company who heads up its privacy engineering team. His role is all the more noteworthy because he was the Apple employee who over a decade ago came up with the idea for the now controversial tracking tool, called identifier for advertisers, according to people familiar with its development. Neuenschwander’s original vision for the IDFA, as it is better known, was as a way to improve user privacy by giving them the option to turn off tracking while still providing what Apple believed was a harmless tool to deliver targeted ads.
But over time, as the ad industry evolved, the Apple privacy team grew increasingly concerned that advertising practices were becoming too invasive, as companies connected user data across apps and services into mega-profiles. Meanwhile, a cottage industry of intermediaries was abusing the IDFA to go even further by tracking and surveilling people around the world, including their physical locations. In early 2020, The Wall Street Journal exposed one such form of surveillance in a report about federal agencies that used cell phone advertising identifiers to help locate targets for immigration enforcers.
As Politico noted in a long report about this subject, the Apple privacy team has become a strong opponent of tracking and surveillance and believes the only foolproof way to prevent bad actors from compromising user privacy is for Apple to minimize the data it can collect about users in the first place. In a presentation last year to introduce his team to other groups at Apple, he showed a slide that simply read: “Disempower Apple Inc.”
Last year I wrote a long analysis of Apple’s privacy changes so I shall not drag you through that again. So herein just a summary of the impact of those changes:
Apple’s privacy changes – known as app tracking transparency (ATT) is a feature of its iPhone operating system that it began to enforce last April – are likely to reverberate throughout the tech industry for years to come. The vast majority of iPhone users have chosen to opt out of allowing their online activities across apps to be tracked, with only 26% of global users on average opting in to apps that show the prompt as of last month, according to Flurry Analytics.
While Meta may be the biggest casualty of Apple’s actions, it has company in its suffering. Ad tech firm Lotame estimated that the changes shaved off 7% of Twitter’s and YouTube’s revenues and 13% of Snap’s revenues in the third and fourth quarters of last year. And Google – whose ads business has held up amid Apple’s changes – last month followed in the iPhone maker’s footsteps by announcing plans for its own version of Apple’s app-tracking changes for its mobile operating system, Android.
One enormous mobile app advertising agency (it manages $3.5 billion of advertising spending for clients, and prefers to stay anonymous) told me they have felt the pain of Apple’s privacy changes. Their clients’ revenue fell 30% in the third quarter of 2021 compared to the second quarter of that year due to the rollout of ATT. They said Apple should have consulted with the ad industry more closely before implementing ATT. Their point was: Apple built the apps industry to be advertising-heavy and they took away the ability to make advertising functional. These guys aren’t acting like a partner.
By contrast, Google is participating in an open dialogue with the ad industry, delaying any changes to its own mobile advertising identifier for two years and asking for feedback.
Apple, when questioned, always trots out this mantra:
“At Apple, we believe privacy is a fundamental human right, which is why we design every product and feature from the ground up with privacy in mind. Our teams work collaboratively across Apple, putting the same effort into privacy innovation as we put into all of our product designs, and the result is greater choice and superior products for our customers. App Tracking Transparency is an example of how this purposeful approach has delivered increasingly granular control for users.”
The creation of the IDFA became an enormous project, started in 2011 – needed in the wake of a scandal which was dubbed “locationgate” in the press. Apple had stored user location data in an unencrypted file on users’ iPhones. Apple did a massive review of internal requests for user data and set up early input on privacy features developed by other parts of the company to ensure they met Apple’s standards. It was an amazing cross-company coordination project. At the time, iPhones had unique identification codes embedded in their hardware, which advertisers had begun to use to link people’s activities across apps and services on their devices. But the hardware-based codes had serious drawbacks because they couldn’t be changed or turned off. If people sold or gave away their iPhones, for example, advertisers couldn’t tell different people were using the devices.
As an alternative, Apple came up with the IDFA, a software identifier comprising 32 random letters and numbers that would reset when a user sold or gave away the phone, meaning that data about the new owner wouldn’t be mixed in with data from the old owner in advertisers’ databases. The team also added a privacy-friendly feature that allowed users to turn off the software identifier by flipping a switch in the iPhone’s menu.
While that option concerned some advertisers, it didn’t deliver a major shock to the industry because the IDFA switch was buried under multiple iPhone menus. In the first few years after Apple introduced the IDFA, the percentage of users who chose to limit ad tracking by turning the feature off was in the single digits, according to three people familiar with the situation.
Eventually, the ad industry began to use the IDFA in ways the privacy engineering team hadn’t intended, building an entire tracking ecosystem around it. Unscrupulous developers started using it to gather location data on users and sell that information to data brokers for additional revenue.
Meanwhile, Apple’s privacy engineering team became aware that some developers weren’t honoring the wishes of users who turned off the IDFA switches on their phones – a violation of Apple’s policies that was difficult to detect. In 2014, the privacy team added new rules governing the use of the IDFA to prevent this behavior. They made no technical changes, however, to force developers to honor these rules, and many developers ignored them.
Around 2016, Apple went further, making it impossible for developers to ignore do not track requests from iPhone users. Anytime someone disabled the IDFA on their phone, a string of zeros would replace the identifier so developers couldn’t see it. But they eventually found workarounds that allowed them to still keep tabs on users’ habits.
Around this time, the privacy team began circulating internal memos that they regretted creating the IDFA, in part because others like Google followed with a similar identifier a year later. The growing ubiquity of the practice troubled every one.
Meanwhile, as Apple’s privacy team was playing a cat-and-mouse game with developers, Cook began to intensify his criticism of data collection practices. In 2015, he publicly declared that privacy was a “fundamental human right” and that Apple didn’t believe in monetizing user data collected in exchange for free services. In 2018, Cook gave his now famous interview in which he was asked what he’d do if he was in the situation of Mark Zuckerberg, CEO of Meta, then called Facebook, which was in the midst of the Cambridge Analytica scandal. Cook said he wouldn’t be in Zuckerberg’s situation:
“The truth is we could make a ton of money if we monetized our customer, if our customer was our product. We’ve elected not to do that.”
Still, as I noted in my Apple privacy memo, Apple really needed to do more to clean up its own act by preventing use of the IDFA for aggressive forms of user tracking. In 2019, the Mozilla Foundation, a nonprofit tech advocacy group, launched a campaign asking that Apple automatically reset a user’s IDFA every month to make it tougher for companies to build profiles of users over time. (Apple engineers didn’t think Mozilla’s solution would fix privacy concerns as developers could easily work around this by linking old IDFAs with new ones.)
That same year, Apple finally decided it had to do something about the IDFA. Before Apple could make any such public announcement, there had to be a consensus about how far the feature would go in crimping tracking and how Apple could soften the expected impact the changes would have on developers. Why? The potentially serious impact of the IDFA restrictions on revenues for the App Store. While Apple doesn’t take a cut of developers’ advertising revenues on the iPhone, it benefits indirectly from the ad ecosystem.
This is something I have explained before. Mobile ads that run inside apps often promote the downloading of other apps. And many of those apps in turn generate revenue when users buy them outright or make in-app purchases – transactions that Apple does take a cut of. If new restrictions on the IDFA resulted in users seeing fewer ads, they might download fewer apps. Plus IDFA changes could push developers and advertisers to shift their focus and spending to Android apps, where they could more accurately measure the impact of ad spending. Plus internal issues by going too far in eliminating tracking. Apple’s has its own iAd advertising network – which places search ads on the App Store and display ads in Apple News – so that makes it especially sensitive to the consequences of kneecapping the IDFA.
And so, the plan: iPhone users would have a choice of whether to opt into app tracking, which Apple executives felt was more defensible if developers and the online advertising industry pushed back. They would also be able to do this on a per-app basis, which Apple executives also felt would benefit advertisers. This was a big change from Apple’s earlier IDFA controls, which enabled tracking across all apps by default.
So the project was tackled in the fall of 2019 – giving them roughly nine months to complete it in time for Apple’s 2020 Worldwide Developers Conference, a June event that often showcased new software features. They were tasked with making sure the feature worked technically, as well as consulting with Apple lawyers to tread carefully around decisions that could raise regulators’ eyebrows.
For example, they discussed the precise wording of the ATT tracking prompt so it didn’t look like they were pushing users in one direction or another. They even labored over the definition of the word “tracking” in Apple’s developer rules, narrowly defining it as the linking of user data collected from the developer’s app to other user data from another company’s app or services.
That meant developers including Apple could continue collecting user data to improve their own services as long as they didn’t share it with other parties. The ad industry and Apple’s competitors have criticized the nuance, as it gives developers with a large network of apps and services – including Apple’s own ads business – a clear advantage.
Apple announced ATT at its developer conference in June 2020, promising to release the technology in the next version of iOS, which it typically released with the latest iPhone in September. In the meantime, representatives from Facebook, Google and others started meeting regularly with Apple to better understand the changes, discovering that the IDFA would be toggled off by default on each app unless a user opted into tracking for that specific app.
Apple made a few changes to SKAdnetwork to appease Meta and Google, the biggest sellers of internet advertising—for example, adding ways to measure whether consumers scrolling through content or watching videos were actually clicking on ads and making purchases. But the company refused other requests that it believed would undermine user privacy.
In brief, SKAdNetwork is another way to receive the attribution of advertising campaigns on iOS. Advertising networks must register with Apple, and developers must work to ensure that their apps are compatible with the registered networks and the new framework.
Just weeks before Apple was supposed to release ATT in its iPhone software in September, it told developers that it would delay ATT’s enforcement. Enough developers had pushed back to persuade Apple to hold off on the feature’s release as they needed more time to adjust and learn how to use SKAdnetwork.
But the entire privacy team was well aware that Apple’s changes wouldn’t completely end tracking. Developers could technically still use other methods of identifying or fingerprinting users, though Apple had long banned those techniques. In one such example, several Chinese tech giants, including Baidu, Tencent and ByteDance, banded together in the months after Apple announced ATT to create a system that would allow them to continue to track users between apps.
In response, Apple blocked updates to several Chinese apps that tried to use the tracking feature, leading to the collapse of the project. Apple also began to reject apps using third-party tools that violated its new guidelines, such as those from Adjust, a mobile marketing firm that helped developers measure the effectiveness of their ads with these other tracking methods.
In December 2020, Facebook escalated its objections over Apple’s privacy changes by taking out full-page newspaper ads saying it was standing up for small businesses that the lack of access to advertising data would disadvantage. A day later, Cook tweeted that Facebook could continue to track users across other apps and websites, as it had been doing, but it would need to ask for permission to do so in the future.
Of course, Cook’s comments never acknowledge Apple’s own role in creating the privacy abuses it was taking action against. The entire Apple privacy team knows that it was a mistake for Apple to include the IDFA in its iPhone operating system years ago.
Why? When something like IDFA becomes so embedded and intertwined in the mobile infrastructure, it is a bitch to extricate. As I have detailed in numerous posts, location tracking is baked into the web’s modern data collection regime. It is a complicated regime to understand. To do so you need to get into the pipes …
More to come.