Privacy implications of IDFA/IDFV? (iPhone/iOS)

  • Apparently, iOS 6 introduced IDFA, "identifier for advertisers", which identifies your device so that advertisers can track you and send you ads. It appears they also introduced IDFV, "identifier for vendor".

    How do IDFA and IDFV work? What exactly do they identify? Are they different for each app on your phone, or are they the same for all apps on your phone?

    What are the privacy implications of IDFA and IDFV? Can they be used to track you? How do they compare to UDID and to cookies on the web, as far as the privacy impact?

    Do users have any way to tell which apps are gathering this information? Also, if you set "Limit Ad Tracking" to On in settings, what happens under the covers? How does that change what information apps receive?

    Background: Apple Has Quietly Started Tracking iPhone Users Again, And It's Tricky To Opt Out; Apsalar's Take on Apple's Recent Announcement; How To Get Advertisers To Stop Tracking Your iPhone.

  • D.W. Correct answer

    9 years ago

    Ars Technica has an article with an overview of IDFA and IDFV. It explains how these new mechanisms provide users with greater control over their privacy.

    IDFA is a persistent identifier that is consistent across all apps, and thus allows cross-app tracking. However, users can disable IDFA by setting "Limit Ad Tracking" to On.

    IDFV is a persistent identifier that is different for each app. This still allows tracking of users, but does not allow correlating your activities with one app against your activities with another app.

    The comments on that article clarify that, if the user sets "Limit Ad Tracking" to On, then this sets a global flag (advertisingTrackingEnabled) that advertising code is supposed to check before reading the IDFA. Advertisers are supposed to write their code to check this global flag and not collect the IDFA if it is set (though there is no technical measure that prevents them from doing so; they are on their honor). Thus, in this sense it is vaguely akin to the "Do Not Track" flag. Technically, it would be possible for an advertiser to still collect the IDFA even if the user has set "Limit Ad Tracking" to On. We have to hope that Apple has a way to detect that and would ban the advertiser from the app store.

    Actually, when "Limit Ad Tracking" is On, the value returned is all zeros, so even though the developer can access the IDFA, it is set to the same value for all devices with "Limit Ad Tracking" On, so it is somewhat useless. If the setting is then switched to Off, the value is newly created, so it won't match the previous value. Users can also reset the value if they choose. That being said, an app using the combination of IDFV and IDFA could allow someone to simply update the IDFA value in their own records based on the fact that the IDFV value doesn't change.
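An added example (not part of the original answers): a Python audit over constructed analytics records that surfaces the re-linking described in the last paragraph, where rows keyed by an unchanging IDFV tie together IDFA values from before and after a reset or an opt-out. The record layout, identifiers and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Value the post says is returned while "Limit Ad Tracking" is On.
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"

# Constructed identifiers and records (timestamp, idfv, idfa); not real data.
V1, V2, V3 = ("11111111-1111-4111-8111-111111111111",
              "22222222-2222-4222-8222-222222222222",
              "33333333-3333-4333-8333-333333333333")
A1, A2, A3 = ("aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
              "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
              "cccccccc-cccc-4ccc-8ccc-cccccccccccc")
SAMPLE_EVENTS = [
    (1, V1, A1), (2, V1, A1), (3, V1, A2),   # user reset the IDFA between 2 and 3
    (1, V2, A3), (2, V2, ZERO_IDFA),         # user turned Limit Ad Tracking On
    (1, V3, ZERO_IDFA), (2, V3, ZERO_IDFA),  # opted out throughout
]

def idfa_history(events):
    """Map each IDFV to the ordered, de-duplicated IDFA values stored with it."""
    history = defaultdict(list)
    for _ts, idfv, idfa in sorted(events, key=lambda e: e[0]):
        if idfa and idfa not in history[idfv]:
            history[idfv].append(idfa)
    return dict(history)

def audit(events):
    """Flag IDFVs whose stored rows undo an IDFA reset or an opt-out."""
    findings = {"reset_defeated": [], "opt_out_linked": []}
    for idfv, seen in sorted(idfa_history(events).items()):
        real = [v for v in seen if v != ZERO_IDFA]
        if len(real) > 1:               # two real IDFAs joined through one IDFV
            findings["reset_defeated"].append(idfv)
        if ZERO_IDFA in seen and real:  # opted-out activity tied to a real IDFA
            findings["opt_out_linked"].append(idfv)
    return findings

def minimise(events):
    """Mitigation sketch: never persist the IDFA in a record keyed by IDFV."""
    return [(ts, idfv, None) for ts, idfv, _idfa in events]

if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS))
    print(audit(minimise(SAMPLE_EVENTS)))
```

Run against a real event store, any hit under `reset_defeated` or `opt_out_linked` marks a row where the user's reset or opt-out has no effect on the stored linkage.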

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM
