By Willie Boag
IDAC’s team has found a concerning number of apps are sharing the Advertising ID of its users’ devices inappropriately. According to the Google Play Policy Center, the Android Advertising ID (AAID) “must only be used for advertising and user analytics.” But what exactly is the AAID, and how is it supposed to be used?
The AAID is Android’s unique ID for advertising (and Apple has the same concept with its ID For Advertisers (IDFA)) which allows for the association of all of a user’s data into a unique profile of them, though users do have the ability to reset this ID if they want to. The AAID is the passport for aggregating all of the data about a user in one place. If a merchant wants to advertise their brand of potato chips to people who like ice cream, then they can contact a platform and place an order for their ad to be shown to users whose AAIDs indicate that they like ice cream. The platform then shows those ads to the users, and the merchant pays the platform for the ad delivery.
Once third parties obtain AAID-linked information from an app, it can be very hard to trace where that data goes. Data brokers aggregate and sell data to another, to advertisers, to platforms, and even to governments. The safest way to avoid this is to ensure that the AAID is only being collected and sent to third parties when appropriate. We have noticed a few instances in which pre-built tools for developers (i.e. Software Development Kits, or SDKs) were automatically sending the AAID to third parties without the developers even realizing. In some cases, the developers weren’t even serving ads, themselves. This is especially concerning.
When an app does need to use the AAID, it should make that clear, and disclose that to the user. The puzzle game Dots demonstrates a clear way for communicating how information like this will be shared with third parties.