In April 2021, Apple’s iOS update introduced “App Tracking Transparency”, under which apps have to ask permission before tracking users’ activity across other apps and websites in order to deliver targeted advertising. However, a new investigation by Top 10 VPN has found that iOS’ new policy is flawed, as the majority of Virtual Private Network (VPN) apps continue to share tracking data with advertisers, even when users explicitly deny consent.
The investigation further revealed that over one-third of free VPN apps ignore Apple’s supposedly mandatory guidelines and fail to seek consent at all.
“In light of Apple’s spotty record at enforcing its own privacy guidelines, we (Top 10 VPN) decided to investigate whether free VPN app developers actually comply with users’ wishes when they refuse to consent to ad tracking,” the company wrote in a blog post.
Apple’s new “AppTrackingTransparency” policy means a user has to grant explicit permission before an app can track them or access their “device’s advertising identifier”.
The advertising identifier is a unique ID used to serve targeted ads, and it records what sites you visit, your interests, where you shop, where you wish to shop and so on.
According to Apple’s description page for developers, tracking as defined by them means “the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes. Tracking also refers to sharing user or device data with data brokers.”
What did the investigation find?
The investigation revealed that out of 20 free VPN iPhone apps, only 3 free VPNs (15 percent) respected users’ choice to not allow advertisers to track.
At least 7 free VPNs (35 percent) failed to even ask for consent to allow advertisers to track iOS users. In addition, 13 free VPNs (65 percent) shared users’ real IP addresses with advertisers even after users refused permission to do so.
Notably, 9 free VPNs (45 percent) shared detailed information about the user, and 15 free VPNs (75 percent) shared basic information about users’ iPhone devices with advertisers. The company also found a loophole exploited by the VPN apps, revealing that 16 free VPN apps (80 percent) shared users’ IP addresses before even asking permission to allow ad tracking. And 10 apps (50 percent) had already shared detailed information about iPhone users by this point.
How was the investigation carried out?
The company identified the 20 most popular ad-supported free VPN apps on the U.S. version of Apple’s App Store. In a controlled testing environment, these apps were installed and monitored. After denying the request to track, the company identified any subsequent traffic to third-party advertisers that contained user data that could be used for tracking.
According to Top 10 VPN, three types of user information were shared with advertisers: their real IP address, highly detailed device information with the potential for fingerprinting, and basic device information.
The highly detailed device info comprised long lists of very specific data points, some of which include: network operator, free memory, battery level, screen brightness, device volume, device name (such as Bob’s iPhone), free storage space, last time device was switched on, screen height, network connection, screen width, iOS version, and device model language.
“As with browser fingerprinting, the collection of such granular information about your device can be used to identify and track you. Apple says fingerprinting is against its rules,” the company adds in its research post.
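One way to run the traffic check described above over a capture, as an added example that is not Top 10 VPN’s own tooling: it sorts third-party requests into the three categories the investigation names and records whether each was sent before the consent prompt or after denial. The flow record layout, the JSON key names, the four-data-point threshold, the hosts and the IP address are all assumptions constructed for illustration.

```python
import json
import re

# Assumed key names for the data points the article lists; real ad SDKs use their own.
FINGERPRINT_KEYS = {"carrier", "free_memory", "battery_level", "screen_brightness", "volume",
                    "device_name", "free_storage", "boot_time", "screen_height", "screen_width",
                    "connection", "os_version", "model", "language"}
DETAILED_MIN = 4  # assumption: this many data points in one request counts as "detailed"

def leaf_keys(obj):
    """Collect lower-cased keys of scalar values anywhere in a decoded JSON body."""
    if isinstance(obj, list):
        return set().union(*map(leaf_keys, obj))
    if not isinstance(obj, dict):
        return set()
    keys = set()
    for k, v in obj.items():
        keys |= leaf_keys(v) if isinstance(v, (dict, list)) else {k.lower()}
    return keys

def classify(body, real_ip):
    """Categories of user data in one request body (digit guards stop .7 matching .70)."""
    found = set()
    if re.search(r"(?<!\d)" + re.escape(real_ip) + r"(?!\d)", body):
        found.add("real_ip")
    try:
        hits = leaf_keys(json.loads(body)) & FINGERPRINT_KEYS
    except ValueError:
        hits = set()  # non-JSON body: only the IP check applies
    if hits:
        found.add("detailed_device_info" if len(hits) >= DETAILED_MIN else "basic_device_info")
    return found

def audit(flows, real_ip, first_party_hosts):
    """List (phase, host, categories) for third-party requests carrying user data."""
    findings = []
    for flow in flows:
        cats = classify(flow["body"], real_ip)
        if cats and flow["host"] not in first_party_hosts:
            findings.append((flow["phase"], flow["host"], sorted(cats)))
    return findings

# Constructed sample capture (documentation IP range and example hosts, not real traffic).
SAMPLE_FLOWS = [
    {"phase": "before_prompt", "host": "ads.example.net", "body": '{"ip": "203.0.113.7", "device": {"model": "iPhone12,1", "os_version": "14.5"}}'},
    {"phase": "after_denial", "host": "track.example.org", "body": '{"device_name": "Test iPhone", "battery_level": 0.81, "free_memory": 1203, "carrier": "ExampleTel", "volume": 0.5}'},
    {"phase": "after_denial", "host": "api.vpn.example", "body": '{"ip": "203.0.113.7"}'},
    {"phase": "after_denial", "host": "cdn.example.com", "body": "client=203.0.113.70"},
]
```

Calling `audit(SAMPLE_FLOWS, "203.0.113.7", {"api.vpn.example"})` reports the first two flows only: the VPN’s own API host is excluded as first-party, and the last body contains a different address that merely shares a prefix with the real IP.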
The goal of this investigation was “to put pressure on Apple to actually enforce its own app privacy guidelines and remove any apps from its store that are in breach,” the company added. “This would make it easier for anyone to choose a free VPN with peace of mind about their privacy.”
In an earlier statement, Apple said it believes that its new guidelines are a simple matter of standing up for its users. “Users should know when their data is being collected and shared across other apps and websites — and they should have the choice to allow that or not.”