Pando

What I found out when I blocked apps from tracking my iPhone for one week

What happens on your iPhone doesn’t stay on your iPhone after all

By Rob Sturgeon, written on September 9, 2020

From The Privacy Desk

When Apple made an appearance at the CES tech conference in Las Vegas in 2019, they also put up a sign. It wasn’t a billboard, as many news outlets claimed, but a 13-story Apple ad plastered onto the side of a hotel. It had one message: “What happens on your iPhone, stays on your iPhone”.

To anyone who knows the first thing about what makes smartphones smart, this doesn’t make a lot of sense. In order to browse any website or use most apps, you need to be connected to the internet.

Requests need to leave your phone, travel to a server, and a response needs to return with the information you want. But those requests aren’t always for data the user has requested. In fact, in many cases, those requests aren’t initiated by the user at all.

And so I tried a little experiment: I blocked apps from tracking my iPhone for just one week.

And during that time I was tracked 4,341 times by 33 tracking platforms.

Some highlights:

  • Google tracked me nearly twice as much as all others combined
  • Facebook and Amazon tracked me more than any other company (except Google)
  • The rest of the data goes to 29 companies, most of which I've never heard of

Let’s remember this was just one week. If we assume the rate of tracking has always been somewhat similar, we can extrapolate from there. If all 52 weeks in a year are the same, I’m being tracked 225,732 times a year. And I’ve been using iPhones exclusively for 10 years, which means…

My iPhone has been tracked 2,257,320 times.

 

How I blocked 400 trackers

Jumbo is a freemium app that protects your privacy by automatically changing your privacy settings on the most popular social networks. This includes restricting how advertisers can use your data on Twitter and Facebook, giving you the option of deleting old posts and archiving them in the app if you want to.

Alongside these free features, Jumbo also has a Pro subscription, which allows you to pay what you think is fair for some premium features. I agreed to pay the minimum possible subscription, which was just under £100 ($130) a year, and was given a 7-day trial before the payment would be taken.

You can do the same if you want to see what companies are tracking you. If you cancel the subscription as soon as you agree to it (in iOS Settings > Apple ID > Subscriptions) you will still be given the trial, but you will not be charged at the end of it.  

This is an easy way to try out any subscription on iOS without accidentally being charged for something you never intended to pay for. Once you see what I saw, however, you may want to keep that subscription going.

Jumbo blocks the 400 trackers on its blacklist by providing a VPN profile, which you can install on your phone very easily.

I’ve used VPNs before, but their protection was a lot less tangible because I didn’t have access to a list of what they were actually protecting me from. Jumbo provides a list of names for all the trackers on the blacklist, along with their category and the number of times it was blocked.

This isn’t a huge amount of information, but that data provides me with enough insight to draw the inevitable conclusion.

We’re all being tracked too much.
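How a blocklist-driven filter like the one described in this section can match hostnames and keep per-tracker counts, as an added example (not Jumbo's code or the author's). Only the tracker names come from the article; the domain suffixes, categories and sample hostnames are assumptions constructed for illustration.

```python
from collections import Counter

# Hypothetical blocklist: domain suffix -> (tracker name, category).
# Names follow the article; suffixes and categories are assumptions,
# not Jumbo's actual list.
BLOCKLIST = {
    "doubleclick.net": ("DoubleClick", "advertising"),
    "googlesyndication.com": ("Google Syndication", "advertising"),
    "amazon-adsystem.com": ("Amazon Adsystem", "advertising"),
    "graph.facebook.com": ("Facebook Graph", "analytics"),
    "google-analytics.com": ("Google Analytics", "analytics"),
}

def match_tracker(hostname):
    """Return (name, category) if hostname is a blocklisted domain or a
    subdomain of one, else None. Matching is done on whole DNS labels, so
    'notdoubleclick.net' does not match 'doubleclick.net'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = BLOCKLIST.get(".".join(labels[i:]))
        if entry:
            return entry
    return None

def tally(hostnames):
    """Filter requested hostnames; return (allowed hosts, block counts per
    tracker, block counts per category)."""
    allowed, by_tracker, by_category = [], Counter(), Counter()
    for host in hostnames:
        hit = match_tracker(host)
        if hit is None:
            allowed.append(host)
        else:
            by_tracker[hit[0]] += 1
            by_category[hit[1]] += 1
    return allowed, by_tracker, by_category

# Constructed sample of hostnames an app might look up (not captured traffic).
SAMPLE = [
    "ads.doubleclick.net", "www.google-analytics.com", "graph.facebook.com",
    "example.com", "notdoubleclick.net", "GRAPH.FACEBOOK.COM.", "facebook.com",
    "cdn.amazon-adsystem.com", "media.googlesyndication.com",
]

if __name__ == "__main__":
    allowed, by_tracker, by_category = tally(SAMPLE)
    blocked = sum(by_tracker.values())
    for name, count in by_tracker.most_common():
        print(f"{name}: blocked {count} times or {count / blocked:.1%}")
    print("allowed:", allowed)
```

Matching on label boundaries is what keeps a suffix list from blocking unrelated domains, and it is also why an entry for `graph.facebook.com` leaves `facebook.com` itself reachable.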

 

Google tracked me nearly twice as much as all others combined

The Google portion of this chart is a veritable Pac-Man, voraciously eating the lunch of any company hoping to become a major player in the space.

It’s a happy coincidence that I used Google Sheets to make this chart, as the first 4 colors match Google's corporate colors.

Although this level of market dominance by one player is troubling, I’m not oblivious to the benefits of tracking users.

I’m an iOS developer, so I’m no stranger to a tool such as Google Crashlytics (blocked 390 times or 9%) that provides me with a stack trace in the event of a crash. This data hopefully points me to the exact line of code that caused a problem and narrows down my search for the solution to a bug far faster than customer feedback would (if I even receive feedback from them). Crashlytics comes as part of Google Firebase (blocked 1156 times or 26.6%), which gives apps a range of capabilities from authentication to database storage.

Let’s assume that Jumbo only blocked analytics sent by Firebase, as blocking the authentication or storage features would break a lot of apps that use those capabilities.

Then there’s DoubleClick (blocked 184 times or 4.2%), acquired by Google as far back as 2007. It seems that this subsidiary’s product has now been renamed to Google Marketing Platform, but it is still shown as ‘DoubleClick.net’ in Jumbo’s blacklist. I didn’t mention Google Syndication (blocked 15 times or 0.3%), which makes up such a tiny orange sliver that it almost isn’t worth mentioning. According to Who Tracks Me, Google Syndication provides “advertising or advertising-related services such as data collection, behavioral analysis, or retargeting.”

 

Analytics are far more popular than any other category of tracker

This is more than a little disturbing, because the defenders of trackers tend to claim that they exist for reasons that ultimately benefit the user. If an app we regularly use crashes, we can at least be reassured that the developer has probably been notified. Though the developer failed to catch the crash in testing, they get a second chance at finding it and fixing it with crash management.

Apparently advertising is more useful to users if it’s personalised, as we’re more likely to take an action like buying a product or downloading an app. That makes it sound a lot more useful to the advertisers if you ask me. I often hear the defense that if we have to see ads everywhere, they might as well be for things we want. I don’t really have that need as a user, as I have plenty of ways of discovering new things without being targeted based on the most personal information I possess.

Instead of fixing crashes or providing targeted advertising, the majority of trackers on my iPhone are just plain old analytics.

Not everything that can go wrong with an app causes a crash, so there’ll be plenty of things in this category that do actually help to improve the app. The user experience can also benefit from teams analyzing how long parts of the app take, or what features users like. The main thing that is unnerving is the fact that everything we do on a phone is tracked and monitored.

When the nightmare scenario of a crash isn’t occurring, developers still want to know how their app is being used, and a tool like Google Analytics (blocked 1262 times or 29.1%) boasts that it provides “free, unlimited reporting on up to 500 distinct events.”

Google Analytics used in apps shares its name with the possibly better-known web analytics service that dominates the web.

According to industry publication Marketing Land:

69.5 percent of Quantcast’s Top 10,000 sites (based on traffic) are using Google Analytics, and 54.6 percent of the top million websites that it tracks.

Tracking website visitors is very important to companies, as this data tells them who has even a passing interest in their products. Assuming a company has an app, getting a website visitor to download an app is extremely important. But according to data from comScore:

…only about one-third of smartphone users download any apps in an average month, with the bulk of those users downloading only 1–3 apps. A very small fraction of users will go on to download 4 or more apps per month.

Without being featured on the App Store, it’s difficult to stand out as an app developer.

 

I don’t even use Safari as my main browser

The tricky thing about Jumbo’s use of the product name Google Analytics is I don’t know whether we are talking about app or web analytics. The default iOS browser has had a strong emphasis on privacy for a while, but Safari is taking extra steps in iOS 14 to make tracking harder. Despite this, I switched my browser preference a while ago to the DuckDuckGo app. This is probably the most extreme approach you can take in terms of protecting your online privacy, because it cannot store a history of websites you visit. On top of this, I have chosen the option to automatically clear all tabs and website data if I close the app, or if I have put it into the background for more than 15 minutes.

Sometimes this has a negative effect, as I am unable to resume what I was doing after becoming distracted from my task. But most of the time, if I don’t return to the browser in 15 minutes, I don’t care if sessions end, cookies are deleted and tabs are erased. I’m sure the average person doesn’t care enough to take this approach, so I should point out that this interval can be increased up to an hour, or the automatic erasure feature can be turned off entirely.

Although my browser of choice is DuckDuckGo, in iOS 13 I had very little choice about the default browser. Although iOS 14 still requires that every browser uses WebKit, and is therefore a wrapper for Safari’s underlying rendering engine, we do now have a choice of what wrapper we want that to be. I’m currently on a beta of iOS 14, but I can’t find the browser choice in the iOS settings at this stage.

That means that my default browser during this 7 day period was still Safari.

Any link in an app that opens in a browser, therefore, opens in Safari. Despite its privacy protections, I do have cookies enabled there, so it’s possible that my web activity is being tracked too. It’s unclear whether using DuckDuckGo as a browser successfully prevents Google Analytics from being sent, as their blacklist isn’t publicly shown as Jumbo’s blacklist is.

But the biggest privacy risk of tracking cookies saved on your device is the fact that they stick around, watching your every move even after you leave the original site.

A browser that deletes all website data once your browsing session is over is the only way to guarantee that no website can track you.

 

Facebook and Amazon tracked me more than any other company (except Google)

You may have noticed that the pie chart shown above had individual segments for Amazon Adsystem (blocked 285 times or 6.6%) and Facebook Graph (blocked 250 times or 5.8%). The prevalence of Google in the list might be because the iOS apps I work on use Google tracking products, and these are being run when I am testing apps. But if you’re looking for a globally representative sample from any single person, you’re probably not going to find it.

However, I suspect that the popularity of Google’s tracking products makes my findings somewhat representative.

 

The smallest slice goes to a wide range of companies

I found it impossible to make a pie chart that showed all 33 trackers that were blocked. Instead, I’ve carved out the remaining chunk of those that aren’t made by Google, Facebook, or Amazon.

The top 5 of the small companies are MParticle, HelpShift, Branch, MixPanel, and AppsFlyer, but not one of these was responsible for more than 2% of the trackers that were blocked on my phone.

 

29 other companies, most of which I’ve never heard of, are tracking my behavior every single day

The troubling aspect of this slice of the pie is not that these companies know a lot about me and my behavior. As a proportion of the tracking that takes place, they inherently know a lot less. But the disturbing thing is how many of them there are. How many companies in this list can you name? Perhaps more importantly, how many of these companies have you actually read the terms of service for? Probably none of them, because the terms of service you receive from an app come from the developer that makes the app.

The analytics tools that a developer integrates are not visible to the end-user, and so none of us have any idea what companies own data about us. What if one of these companies suffered a data breach? Assuming we saw a news story about the hack, we wouldn’t even recognize the company. Would the companies that use the service even bother to inform us? It’s a chilling thought, but these companies are only the frontline of the companies that gather our data without our knowledge.

Data brokers buy and sell user data, and while we can opt out of many ‘people search sites’, we never chose to opt into them in the first place.

While Apple is fighting to improve privacy on its platform, Google has so many reasons to try and increase the amount of data that can be collected from iOS and Android users.

They take the lion’s share of both the advertising and the analytics pies, and they will continue to do so for the foreseeable future.

 

What did we learn?

To quote the last scene of Burn After Reading:

CIA Supervisor: Jesus Fucking Christ. What did we learn, Palmer?
Palmer: I don’t know sir.
CIA Supervisor: I don’t fucking know either. I guess we learned not to do it again. I’m fucked if I know what we did.
Palmer: Yes sir, it’s hard to say.

This film is primarily about a CIA analyst and a US marshal who both believe that the world is against them in one way or another. The US marshal, played by George Clooney, becomes increasingly paranoid that he’s being spied on. These days it isn’t at all paranoid to think that you’re being spied on; in fact, we all know it. If you care about your privacy, the worst thing you can do is surrender yourself to the inevitability that your phone is spying on you.

You can tighten your iPhone’s privacy settings and check out the free privacy benefits of Jumbo.

Just because it would be hard to eliminate all trackers from your phone, it doesn’t mean that you should lose hope.

 

Use a Virtual Private Network (VPN)

Free VPNs can harvest data in ways you don’t expect, like when Onavo was bought by Facebook and used to analyze web traffic from other apps.

Opera now comes with a free VPN, so I use that as my browser on my Mac. The problem with browser-based VPNs is that they don’t cover every app you’re likely to use, so paying for something that only works in one app isn’t going to be very useful if you’re serious about your privacy and security.

I was able to find a paid VPN on The Next Web Deals, which still has a lot of cheap offers. A lot of people care about their privacy, but they can’t imagine paying a subscription for a VPN for the rest of their lives. The important thing about getting VPNs from TNW is that, instead of paying a subscription, many of these are lifetime one-off payments.

Looking at the link right now, there are 3 VPNs for $19, each of which can be used on up to 5 devices.

Hopefully, this lowers the barrier to entry with VPNs, as a one-off payment for a lifetime of cover is a lot easier to justify than a recurring subscription.

Make sure you look up a VPN on the Best VPN website before making a purchase, as there could be hidden downsides to purchasing that product that you weren’t aware of. For instance, many VPN providers do a certain amount of logging of activity on their networks.

Just make sure that the offer uses the word lifetime, instead of specifying the number of years.

 

Don’t “Allow Apps to Request to Track” in iOS 14

When I was looking for the option to select a default browser in the iOS 14 beta, I noticed there is now a new section of the Privacy settings menu called Tracking. Inside it is a single switch that seems to be off by default. This seems to be similar to the Limit Ad Tracking option that was shown in previous versions of the OS. If you permit this tracking, your unique device ID, Advertising Identifier (which can change), your name, and your email address can be associated with this third-party analytics data.

Although ‘Tracking’ was not enabled, I was still tracked 4,341 times in a week.

I should probably be pleased that my personal details were not associated with the data so explicitly.

Enabling the Tracking setting removes your ability to be anonymous on the iPhone, which seems to be against the privacy principles that Tim Cook insists that Apple stands for.

Although the tracking setting is off by default, we don’t know if that default will change to on in a later version of iOS.

If you are interested in this setting, check out the blue ‘Learn more…’ link on the iOS Settings > Privacy > Tracking page for a lot more information about how enabling this setting would probably be a bad idea.

 

This article was originally published on Medium by Rob Sturgeon