By: Ginny Kozemcak, Will Monge, Nathan Good, Gauri Gupta, Joel Reardon, Dan Kinney and William Boag
A majority of Americans feel they have little control over how their personal data is collected and shared online. There is widespread concern about the future of our privacy as users lack proper legal protections and control over their data. And, because much of our data flows through our mobile devices, the mobile app ecosystem is especially subject to data abuse. The International Digital Accountability Council (IDAC) is concerned about a trend identified throughout several of our investigations: the circumvention of user privacy preferences on mobile devices through the proliferation and misuse of identifiers or numbers that are uniquely assigned to an individual’s mobile device in order to track users over time. While this practice can be put to good use, for example, to address fraud or for enterprise mobile management, our investigations found that many mobile apps collect multiple identifiers without notice or choice for users in order to monetize the personal information collected for third party profiling and advertising. Some apps also share personal information with data brokers.
We refer to the practice of organizing and linking information gathered through unique identifiers as “Shadow Profiling”. The app may employ ID bridging, which links multiple identifiers for the same user on different devices and across multiple apps, which permits tracking over time across platforms. ID bridging circumvents user privacy preferences by using the link to maintain the association with a user even after the user or platform has reset a past identifier.
These practices appear to be “unfair” and “deceptive” under Section 5 of the FTC Act and to violate existing law. For example, the Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent before collecting or sharing any personal information from children, including persistent identifiers such as unique device identifiers and the newly-enacted California Privacy Rights Act, which applies to data collected as of January 2022, provides a number of new privacy protections, including, among other things, opt-in sharing of “sensitive personal information,” limits on profiling of such data, and a new consumer right to opt-out from sharing personal information for “cross contextual behavioral advertising.”
Both the Apple and Android platforms have also adopted measures to limit persistent tracking in their operating systems by moving toward the use of resettable advertising identifiers in lieu of permanent identifiers. In particular, Apple’s recent change to the privacy rules for apps in the Apple Store, which require apps to provide a pop-up notice asking for opt-in consent to track the user across websites and apps from other companies, is likely to significantly impact shadow profiling. But the size and scale of the app ecosystem also requires due diligence by investors and developers, new third-party regulatory and certification initiatives and cooperation and support for independent investigators and researchers.
This issue brief outlines IDAC’s previous research and possible use cases for identifier transmission, including those purposes valuable to the user such as security, anti-fraud, telephony, or enterprise mobile management — as well as more problematic and potentially privacy-violating ones, such as user tracking, the creation of behavioral profiles, and harmful targeted advertising.