Trend Report: Apps Oversharing Your Advertising ID

By Willie Boag

IDAC’s team has found that a concerning number of apps are sharing the Advertising ID of their users’ devices inappropriately. According to the Google Play Policy Center, the Android Advertising ID (AAID) “must only be used for advertising and user analytics.” But what exactly is the AAID, and how is it supposed to be used?

The AAID is Android’s unique ID for advertising (Apple has the same concept with its ID For Advertisers, or IDFA). It allows all of a user’s data to be associated into a unique profile of them, though users do have the ability to reset this ID if they want to. The AAID is the passport for aggregating all of the data about a user in one place. If a merchant wants to advertise their brand of potato chips to people who like ice cream, then they can contact a platform and place an order for their ad to be shown to users whose AAIDs indicate that they like ice cream. The platform then shows those ads to the users, and the merchant pays the platform for the ad delivery.

An innocuous app might share the user’s AAID alongside other information with third-party services. This information (e.g. going to Hogwarts) could be associated with the user’s advertising profile and used to serve them ads based on inferences about things the user never disclosed to the platform (e.g. that they are a wizard).

This practice is especially concerning when the data transfer is not disclosed in the privacy policy. The Google Play Policy Center says that “[t]he collection and use of the advertising identifier and commitment to these terms must be disclosed to users in a legally adequate privacy notification.” However, IDAC found that some apps send the AAID without any such disclosure at all, let alone a statement of who receives it.

Once third parties obtain AAID-linked information from an app, it can be very hard to trace where that data goes. Data brokers aggregate and sell data to one another, to advertisers, to platforms, and even to governments. The safest way to avoid this is to ensure that the AAID is only being collected and sent to third parties when appropriate. We have noticed a few instances in which pre-built tools for developers (i.e. Software Development Kits, or SDKs) were automatically sending the AAID to third parties without the developers even realizing. In some cases, the developers weren’t even serving ads themselves. This is especially concerning.
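One way a developer could check their own app for the SDK behavior described above, shown as an added example that is not IDAC's tooling: scan a capture of the app's outbound requests for the test device's AAID and flag every third-party host that receives it, noting whether that host is named in the privacy policy. The AAID, host names, and capture are constructed, and the hashed forms are checked on the assumption that an SDK may hash the ID before sending it.

```python
import hashlib
from urllib.parse import urlsplit

# All values below are constructed for this example.
AAID = "3f2b8c1a-5d4e-4a6b-9c7d-0e1f2a3b4c5d"   # test device's advertising ID
FIRST_PARTY = {"api.example-game.test"}          # hosts the developer operates
DISCLOSED = {"ads.example-network.test"}         # recipients named in the privacy policy

# Constructed capture of outbound requests: (method, URL, body).
CAPTURE = [
    ("GET", "https://api.example-game.test/v1/levels?page=2", ""),
    ("POST", "https://ads.example-network.test/bid", '{"ifa":"%s"}' % AAID),
    ("GET", "https://t.example-sdk.test/e?adid=%s&ev=open" % AAID.upper(), ""),
    ("POST", "https://collect.example-metrics.test/batch",
     '{"uid":"%s"}' % hashlib.sha1(AAID.encode()).hexdigest()),
]


def aaid_forms(aaid):
    """Return the lowercase strings to search for, keyed by encoding name."""
    forms = {"raw": aaid.lower(), "no-dashes": aaid.lower().replace("-", "")}
    for case, text in (("lower", aaid.lower()), ("upper", aaid.upper())):
        for algo in ("md5", "sha1", "sha256"):
            forms[f"{algo}({case})"] = hashlib.new(algo, text.encode()).hexdigest()
    return forms


def find_aaid_leaks(capture, aaid, first_party, disclosed):
    """List third-party requests that carry the AAID in any known form."""
    forms = aaid_forms(aaid)
    findings = []
    for method, url, body in capture:
        host = urlsplit(url).hostname
        if host in first_party:
            continue  # only transfers leaving the developer's own hosts matter here
        haystack = (url + "\n" + body).lower()  # hex digests and the ID compare case-insensitively
        hits = sorted(name for name, value in forms.items() if value in haystack)
        if hits:
            findings.append({"host": host, "forms": hits, "disclosed": host in disclosed})
    return findings


if __name__ == "__main__":
    for f in find_aaid_leaks(CAPTURE, AAID, FIRST_PARTY, DISCLOSED):
        status = "disclosed" if f["disclosed"] else "NOT in privacy policy"
        print(f"{f['host']}: AAID sent as {', '.join(f['forms'])} ({status})")
```

Hosts reported as not in the privacy policy are the ones to trace back to the SDK that contacted them.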

When an app does need to use the AAID, it should make that clear and disclose it to the user. The puzzle game Dots demonstrates a clear way of communicating how information like this will be shared with third parties.

Excerpts from the Dots privacy policy. It is made clear what data is sent and for what kinds of purposes.