From iOS/iPadOS 14.5, Apple has made it much harder for apps to track you with the “App Tracking Transparency” (ATT) feature. The job of this feature is to protect your privacy. Facebook is reported to have lost $10 billion because of ATT.
According to Apple, this is how ATT works:
The big question is, even if you turn on ATT, do apps still have other means to track you? In short, the answer is “Yes”!
First, you must understand what happens when you allow apps to track you with this ATT prompt:
Every device is assigned an Identifier for Advertisers (IDFA). The IDFA is a piece of random information that is uniquely assigned to each iOS/iPadOS device. The IDFA by itself does not reveal any information about you. If you allow an app to track you, you are basically allowing it to get your device’s IDFA.
The problem arises when you reveal personal information (e.g. your name, phone number, email) to apps that have access to your IDFA. When that happens, apps can associate your device’s IDFA with your revealed personal information. Usually, what happens is that apps send your IDFA, along with your associated personal information, to some third-party advertising companies. For example, when you sign in with Apple, you can potentially reveal your first and last name:
Different apps collect all sorts of information about you (e.g. your usage data, your browsing history), some of which are not even private. But if all this collected information from different apps are associated with the same IDFA, it can then be used to build a comprehensive profile about you. For example, let’s say you run a video app that has access to your IDFA. Even if you do not reveal your personal information to that app, your video browsing history in that video app will be associated with your IDFA. That app then submits your video browsing history and your IDFA to a third-party advertising company. At this point, the video app cannot link your video browsing history to you (since it did not collect your personal information). However, since that advertising company already has your personal information (e.g. name, email, phone number) associated with your IDFA, it can link your personal information with your video browsing history. In other words, the IDFA is the common link between all the disparate and dispersed collected information about you. So, when you ask an app not to track you in the ATT prompt, it can no longer obtain your IDFA. Without the IDFA, third-party advertising companies cannot link all these disparate and dispersed collected information to you.
The next questions are, who are the third-party advertising companies? The biggest ones are Facebook and Google. Some apps even send information about you to multiple third-party advertising companies! This is how, with IDFA, Facebook and Google can know what you are up to across many different apps by different companies. Since Facebook and Google have already collected a lot of personal information about you, if you run any of their apps and give them access to your IDFA, they can link the same IDFA to all your other collected information from other apps. This way, they can build an even more comprehensive profile about you!