Imagine  tens of millions of users potentially receiving a popup asking the user to grant permission to be tracked, in September 2020.

The striking news emerged from this year’s Apple WWDC conference. Apple will limit the use of the IDFA “tracking identifier”. This identifier allowed advertisers to track the users across applications, sometimes websites. Users could reset or disable it but some likely never did it - perhaps they did not know about this option. It no longer matters because the landscape radically changes now. When the app will want to use the tracking identifier, the user will see a popup asking the user to grant permission to be tracked. The way it works technically is simple - it is similar to any other permissions, by now well known both under iOS/iPhone, Android, or web browsers. Prior to granting the permission the identifier will be zeroed:

Until a user grants authorization, the UUID returned will be all zeros: 00000000-0000-0000-0000-000000000000.

Inevitably, it may be illuminating to users when suddenly most/all of them understands what is going on (tracking), on what scale (millions of users at the same time?), and where (most apps?).

Wait, European Union did this first?

In Europe, web sites need to ask users for consent on the use of tracking cookies. Many non-EU countries (and people in the EU) ridicule the European push for such transparency measures. Now they will be standard all around the world. This, therefore, means that Apple is deploying, to millions of users, this sometimes controversial practice of “cookie consent popup” (in 2018 reinvigorated at the occasion of GDPR)  known from the European Union. By the way: pre-ticked consent is invalid, and thanks to the default working of the iPhone now, there will be no way for pre-ticked consent for the tracking identifiers.

Mass deployment to the whole world is certainly an interesting example of European values-based influencing.

The technology, design and strategic challenges ahead

The great technology challenge is caused by the need to rethink many concepts, including such basic ones as the link between the service and the user (is/was it based on trust?), as well as many technology choices (do you really want to track immediately and by default, or do it differently). Tough privacy engineering and even standardisation choices. Who is prepared to understand and really feel such changes? Bonus points: do this in few months.

Permission to track and ePrivacy?

This is potentially also a significant technology policy intervention in the European debate around the ePrivacy Regulation (more here; as of 2020 the regulation is now kind of stalled). The status quo further changes:

  • many users in 2020 blocking ads
  • most web browsers blocking tracking by default in 2020
  • Also in 2020: a very popular mobile vendor blocking tracking by default

The usual problem is whether the responsible policymakers understand the implications. Debating tracking policy as if it was still 2017 has an increasingly limited sense today when the default becomes “not tracking”. Europe should consider moving forward with the excellent anticipatory result obtained at the European Parliament.

The only issue is that the technology policy moving forward may become a bit more complex now. But  deployers, implementers, engineers, auditors need to understand the implications much sooner.

Did you like the assessment and analysis? Any questions, comments, complaints or offers? Feel free to reach out: