It is “moves and counter-moves” as social media platforms continue to find work arounds to improve their advertising products. In the battle of privacy enforcement and consumer data collection, analyst Felix Krause recently wrote on how Meta and TikTok have used in-app browsers to collect key data points that are against the spirit of Apple’s recent iOS privacy practices (ATT).
This past Monday, we detailed Apple’s advertising strategy, which encompasses building a walled garden to benefit its burgeoning advertising business over that of the social media companies that were once the disruptors. This, while framing the narrative surrounding the changes to iOS as privacy-first. Now, in part four of this series, we’ll look at the ways social media platforms are responding to Apple’s crackdowns on data tracking. It’s a development that demonstrates just how little this has to do with consumer privacy. At the center of this back and forth is control, power and who gets to decide what companies get full access to our internet behavior.
A series of reports from August help share a more complete picture of what’s going on in the proxy battle between advertising and privacy. First, Apple’s plans to build its annual ad revenue from $4 billion to the double-digit billions were reported. The company’s ads have a planned expansion into new Apple-owned digital real estate, appearing native apps outside of the app store (whose ad formats will also grow) in places like the Books, Podcasts, News and even the Maps apps.
Yes, Apple is growing its ad business while stifling the performance of competitors including Google and Meta. There is not one without the other. Performance marketers have reported seeing returns on Meta’s network of ads with diminished returns. As for performance insights, ad targeting and tracking are much less informed than they were before iOS 14 and it’s costing Meta dearly: the company said Apple’s privacy initiatives are costing it $10 billion per year. Apple’s App Tracking Transparency (ATT) feature, introduced last year, lets users easily opt out of an app tracing their data from around the internet. And Apple’s expansion of Privacy Relay are due to further impair email and other third-party tracking techniques. Of course, Apple is exempt from this privacy restriction because Apple supplies its advertisers with first-party data, a benefit that Amazon shares. In “A is For Ads,” we explained:
It’s part of a bigger strategic shift for Apple to rely less on hardware sales and see more revenue coming from existing users in the form of ads and other subscriptions and features. It’s also likely to trigger responsive features from companies like Google that are building out their own privacy features. There’s more to come, and this development is only the latest.
As predicted, other companies have been quick to make adjustments. For now, Meta’s most effective workaround has been via a loophole first reported by Krause. Instagram, which has been building up its own shopping capabilities and lets users swipe up on ads to shop from inside the app, can track user data when they’re using the in-app browser by injecting code into URLs that tracks your searches by recording your keyboard inputs, a practice called keylogging. This workaround skirts Apple’s own ATT feature, as well Safari’s third-party cookie security.
Instagram’s ability to track user data when users are on the in-app browser is nothing short of genius. With full control over its in-app browser, Instagram was able to add JavaScript that connects the browser activity to the host app. Technically, Instagram is still tracking within its own walled garden, even as users are browsing other companies’ sites – typically brands and media sites that add links to Instagram Stories or in their bios. It’s a crack in the wall that lets external data back in. It also undermines Apple’s promise to grant user privacy.
It’s not just Instagram. TikTok has found the in-app browser loophole as well, Krause reported in a follow up to his original post. And TikTok, unlike Instagram and Facebook, doesn’t give users the option to divert to a different browser when opening links. TikTok also digs further into consumer data, writes Krause, who lays out the information TikTok’s keylogging can see, or “subscribes to,” here:
TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data. (keypress and keydown). We can’t know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites. TikTok iOS subscribes to every tap on any button, link, image or other component on websites rendered inside the TikTok app. TikTok iOS uses a JavaScript function to get details about the element that the user clicked on.
When approached by Forbes magazine, TikTok confirmed that these features exist in the code, but said nothing is being done with them. This workaround appears more critical when you factor in the security issues surrounding TikTok for years. Born from China’s ByteDance, reports have popped up repeatedly claiming that ByteDance employees have mined TikTok for data on US users. The FTC has been called on to investigate the app, and a “cyber advisory” was issued by the House of Representatives in mid-August. It might be hand-wringing. But Apple should be the monitoring force standing between TikTok and its data leaks, and it’s not.
Has Apple’s rally for privacy backfired by submitting users to even riskier data tracking sites that they can’t opt out of and likely don’t know about? In a way, it backs up the argument that Apple’s updates weren’t about privacy to begin with – it is shaping up to seem like a benefit that Apple could sell to users. For it to be a convincing sell, Apple needs to plug security flaws like the in-app keylogging that the social media giants have employed. It’s not just keylogging: a recent WIRED report found that Apple iOS doesn’t fully route traffic through VPNs, opening users who think they’re protected to potential security threats. The report argues that Apple has known about this VPN flaw for years. This privacy issue undermines Apple’s insistence that that’s what all the changes have been about.
It’s unclear now what recourse Apple can take against in-app browsers tracking user data. But for now, brands are still struggling to find the same magic that Meta provided through Facebook and Instagram for over a decade. In May 2021, 2PM explained:
Apple’s intentions appear straightforward at first glance. The company wanted to improve the privacy of its end users. This virtuous effort came with a few additional outcomes. By upgrading its privacy practices, Apple will impair large ad networks that have grown with the help of those end users. This could potentially cripple Facebook’s current model with its new privacy demands.
Whether it’s TikTok, Instagram, or Snapchat housing the data, it leaves brands without the same analytical power that they once required. The most logical assessment is that Apple will continue to subvert its competitors as it grows its advertising business to surpass these platforms and maybe even Amazon. The best possible outcome is that Apple joins Amazon as the new generation of performance marketing platforms. It’s clear that its privacy-first policies do not stand on their own merit. It’s all about the advertising revenue, and Apple is its own Trojan horse.
By Web Smith | Edited by Hilary Milnes with art by Alex Remy and Christina Williams