By Holden Williams
Google recently announced new updates to Google Play store policies that will include enhanced consumer security and privacy features. Our tech team is closely following these changes and how it might impact the digital mobile app ecosystem. This announcement is another step in the right direction for the Android platform, but more information is needed on how these new policies will be enforced and how it will impact user privacy. Google must be transparent and cooperative with third party researchers, including independent watchdogs like IDAC, to ensure these changes have the desired effect to better protect individual user privacy.
As part of its updates, Google is making several changes to how unique, personal identifiers are used within Android applications. Users on the Google Play store have several different categories of personal identifiers that depend on their device and the account they use. It is essential for users to have control over these identifiers to ensure their privacy.
With the updates to Android 10, Google made it so users have greater control over their non-resettable persistent device identifiers, like the device serial number and IMEI, by preventing third party applications from requesting this information. These persistent identifiers make it easy for third parties and data brokers to track users across the web because these identifiers remain the same for the device even if the user is logged out of an account or using a different account. By restricting the access to these identifiers, users have more control over their privacy. In a previous report, IDAC showed how these identifiers can be used by Android apps to infer a user’s physical location in addition to tracking a user’s digital activity.
Google is continuing to build on this progress by introducing new changes to the both resettable and non-resettable identifiers. The four new updates which the company will begin to implement in October 2021 include:
- Changes to Limited Ad Tracking
- Introduction of the “app set ID”
- Change of policy prohibiting ID linkage with sensitive user data or resettable IDs
Starting in October Google will introduce a major change to the Android Advertising Identifier (AAID) to give users a new layer of anonymity when using Android applications. The AAID gives users more control over how third parties track their activities online. It is an unique identifier for a Google account that remains the same across the internet, similar to an IP address; however, the AAID can be reset to a new value as often as the user would like. Users also have the ability to reset their AAID and enable “Limited Ad Tracking” which signals that the user does not want to receive behavioral or targeted advertising.
As part of this new change, when users opt-out of advertising tracking, the AAID will be replaced with a string of zeros — providing users with a new layer of anonymity when using Android applications. An AAID set to a string of zeros means users cannot not be tracked across the internet by using the AAID alone, thus advertisements will rely on the context of the user’s activity instead of the entirety of their online behavior.
However, app developers and third parties are not required to follow these guidelines and could continue to use the AAID for serving behavioral advertising when users opt-in to “Limited Ad Tracking.” IDAC has previously found that Android apps are regularly oversharing AAID, so turning the AAID from a unique identifier to a generic string of zeros will give users the ability to more effectively prevent apps and third parties from using their AAID for behavioral advertising and cross-site/app tracking.
In September, Google will introduce a new app-specific identifier called the “app set ID” which appears to be replacing the functions of the AAID when the user opts into “Limited ad Tracking.” The app set ID will be used for analytics and fraud prevention only, and, according to Google, “cannot be used for ads personalization or ads measurement.” The app set ID is different from the AAID because the user cannot manually reset it and the identifier only exists within the context of the respective application in use; this means that, in theory, the app set ID cannot be used to track a user across other applications. The app set ID will likely also replace the functionality of the Secure Settings Android ID (SSAID) which is also a persistent identifier that is unique to the context of applications with the same signing key. Both these identifiers are resettable with a device factory reset, and the app set ID is reset after 13 months of unused or the app(s) is uninstalled, therefore these are practically persistent identifiers. The primary difference between the app set ID and the SSAID appears to be that the app set ID cannot be used for targeted advertising; however, it is not clear how this will be implemented and enforced.
If the rules for the app set ID are not strict or enforceable, then it is likely it could be used like the SSAID to engage in id-bridging and id-linkage, thus continuing the practice of the creation of shadow profiles. Nevertheless, the introduction of the app set ID has the potential to be a win for consumers if the app set ID proves to be a persistent identifier that can provide security and anti-fraud services, which helps app developers make their app function properly, without the risk of it being used to track a user without their consent or knowledge.
The possible answer to the question of how the app set ID rules will be enforced is with the new changes to Google Play policies. Google is making a massive change to the User Data policy to explicitly prohibit the linking of persistent identifiers, like the app set ID, to sensitive user data or resettable identifiers, like the AAID. The combination of making it more difficult to track users with the AAID and the policy prohibiting ID-linkage will better protect users from the creation of shadow profiles and gives Google grounds to punish apps for engaging in practices like ID bridging.
The introduction of Google Privacy Labels, as we have previously stated, will also give users more control over their online privacy. Another addition to the User Data policy will require developers to provide accurate information about how their app uses, collects, or shares users’ personal or sensitive data. In the recent update from Google, it was demonstrated how Google Privacy Labels will potentially provide users with a clean and easy to follow UI to understand the lifecycle of their data in the context of each application. With more awareness of how their data is used, consumers can more effectively manage what apps have access to their sensitive information.
For the most part, these are exciting changes by Google and can positively impact consumer privacy. As with most technology problems, there will likely need to be several iterations of changes. IDAC will be following the implementation closely to see the impacts on user privacy.
We hope to better understand how Google will enforce these policy changes and how it changes developer and third parties behavior. Google must be transparent and cooperative with researchers and watchdogs throughout this process to better support user privacy in the mobile app ecosystem.