←back to thread

Everyone knows your location: tracking myself down through in-app ads

(timsh.org)
1957 points apokryptein | 3 comments | 02 Feb 25 17:07 UTC | HN request time: 0.214s | source
Show context
nomilk ◴[03 Feb 25 06:43 UTC] No.42915614[source]
> Advertising Tracking ID was actually set to 000000-0000... because I "Asked app not to track".

> I checked this by manually disabling and enabling tracking option for the Stack app and comparing requests in both cases.

> And that's the only difference between allowing and disallowing tracking

This is revealing! I'd wondered about Apple's curious wording "Ask App not to track" leaves suspicious wriggle room - apps may not track by an id, but could easily 'fingerprint' users (given how much other data is sent), so even without a unique ID, enough data would be provided for them to know who you are 99% of the time.

Amended Dead Privacy Theory:

The Dead Internet Theory says most activity on the internet is by bots [0]. The Dead Privacy Theory says approximately all private data is not private; but rather is accessible on whim by any data scientist, SWE, analyst, or db admin with access to the database, and third parties.

[0] https://en.wikipedia.org/wiki/Dead_Internet_theory

replies(1): >>42916841 #
1. K0nserv ◴[03 Feb 25 10:29 UTC] No.42916841[source]
Apple sets Advertising Tracking ID to 00000-0000 because it's the only technical control they have. However, apps are also supposed to respect the signal with regards to other methods of cross-site/app tracking and disable fingerprinting mechanisms.

See https://developer.apple.com/app-store/user-privacy-and-data-... for details

replies(2): >>42918618 #>>42923136 #
2. alexvitkov ◴[03 Feb 25 14:41 UTC] No.42918618[source]
It's not the only technical control they have - every single datapoint an app can gather is ultimately provided from the OS. They could let you disable access to metrics that have proven to be useful for fingerprinting. They could also attempt block known tracking code - all games with IronSource ads will run the same tracker binary, byte for byte. There's a lot of things they could do, but don't, since in the mainstream they have a pretty good reputation when it comes to privacy.
3. diebeforei485 ◴[03 Feb 25 21:06 UTC] No.42923136[source]
They have other controls. For example, a game does not need to know your precise battery level (respect the low power mode setting), or precise screen brightness (respect the dark mode setting), or precise storage or volume (appropriate is sufficient). They really don't need to know if you're using wired or bluetooth headphones, and can request a specific entitlement if they have a valid use for that information.

99% of games do not need precise location (some exceptions are pokemon go, etc). They can request and receive an entitlement.