How does mobile in-app advertising contribute to our web profile and how can we guard against it?

Published by Alisha McKerron

This article is the third in a series which considers how we come to have web activity profiles. To recap: in my first and second articles, we learnt that third party cookies enable our web browsing to be tracked and that sets of data related to our device — data fingerprints — can be used to do this too. The discussion thus far has been in the context of our desktops and surfing the web. But what about our mobile devices?  With mobile device traffic accounting for over half (51.51%) of global online traffic and executives at Apple and Google unveiling on-device features to help people monitor and restrict how much time they spend on their phones, are we properly considering how applications may be adding to our already growing profile? More specifically, are we considering the privacy implication of the seemingly free apps which we happily download on our mobile phones?  

What is an in-app? 

It may not surprise you that there’s is no such thing as a free lunch; the developers who wrote the mobile apps need to eat too. Consequently some apps have ads in them  — called in-apps — from which app developers derive a revenue. When we download an in-app on our mobile device and agree to its privacy terms we enable our app usage to be tracked and our profile to be enhanced. This is made possible because of mobile advertising IDs — or MAID’s for short.

How do MAIDs work?

MAIDs help app developers identify who is using their app, via an API request to the mobile device’s operating system. Both of the ‘big’ mobile platforms have their own; Google’s version is known as the GAID (Google Advertiser Identification) in the case of the Android operating system, and Apple’s is called the IDFA (Identifier For Advertisers) in the case of the Apple iOS operating system. They all operate in an anonymous way and can always be reset or zero out i.e. a dummy ID of all zeros returned. 

A MAIDs value lies in identifying a user not a device. Combined with a large pool of data MAIDs can be used to match up someone’s mobile habits with their desktop, connected TV, and even their offline habits, thereby gaining a fuller picture of who they are and how to market to them. For example if the app user has a Facebook account, has installed the Facebook app on their mobile device and has downloaded various other apps, Facebook will be able to connect the identity of its Facebook account holder to the mobile device and start to track their app use — rather like third party cookies. This is all made possible with ad tech mobile infrastructure helped by software development kits (SDKs) that can be embedded in the app code by developers — sometimes with little understanding of how it works. For example, the AdMob SDK uses Google’s data and the MAID to display ads in developer’s apps that are actually personalized to the user (because they know who the user is from the MAID), instead of generic ones. As personalized ads generally perform better, the developer makes more money.  Unsurprising developers wishing to increase their users’ numbers, will use more than one SDK. We can tell how many SDK’s are embedded in an app by how many privacy notices it has. Everyone wins: with the use of a mobile advertising platform, developers are able to offer up ad requests to brands and brands with the help of publishers are able to increase the visibility of their products using targeting marketing. If the targeting is accurate (i.e. users engage with the ads and product is sold),  everyone makes money. Perhaps this may be one of many reasons why Chrome is able to phase out support for third party cookies.  However, with Apple’s iOS’s 14 update which requires developers to ask permission before accessing the IDFA, MAIDs may become less useful. 

How can we protect ourselves?

With just a few taps on either an Android or iOS platform, we can disrupt the profiles ad networks have collected about us. To do it on Android, go to Settings > Privacy > Advanced > Ads and toggle on Opt out of Ads Personalization. On iOS, navigate to Settings > Privacy > Advertising and toggle on Limit Ad Tracking. If we don’t want to stop ad tracking altogether—we’re getting ads anyway, might as well be relevant—we can navigate to those same screens and tap Reset advertising ID on Android or Reset Advertising Identifier on iOS to cycle your ad ID and essentially force advertisers to start a new profile on us. Android actually shows us our (very long) alpha-numeric ad ID at the bottom of this screen and when we initiate a reset we can watch it change. A clean slate never hurts.

But how effective is this really? While Apple and Google have increasingly limited what apps collect for advertising purposes, other hardcoded IDs still exist such as device identifiers like serial numbers and other permanent sequences like your Wi-Fi network’s MAC address  and some apps have legitimate reasons to collect them. 

Perhaps the answer lies in pressurising industry to comply by supporting consumers’ expectations to be able to tell any and all companies not to track them when they’re not intentionally choosing to interact with them.