Can Facebook/Google Still Track You Even if You Turn on App Tracking Transparency (ATT)?

This article was written for Peak Prosperity by Terence Kam, founder and cybersecurity consultant at iSecurityGuru.com. You can follow his company on LinkedIn. Or subscribe to his writings on Medium, where he writes on a wider variety of topics.

Starting with iOS/iPadOS 14.5, Apple has made it much harder for apps to track you with the “App Tracking Transparency” (ATT) feature, whose job is to protect your privacy. Facebook is reported to have lost $10 billion because of ATT.

According to Apple, this is how the ATT works:

The big question is, even if you turn on the ATT, do apps still have other means to track you? In short, the answer is “Yes”!

First, you must understand what happens when you allow apps to track you with this ATT prompt:

Every device is assigned an Identifier for Advertisers (IDFA). The IDFA is a piece of random information that is uniquely assigned to each iOS/iPadOS device. The IDFA by itself does not reveal any information about you. If you allow an app to track you, you are basically allowing it to get your device’s IDFA.

The problem arises when you reveal personal information (e.g. your name, phone number, email) to apps that have access to your IDFA. When that happens, apps can associate your device’s IDFA with your revealed personal information. Usually, what happens is that apps send your IDFA, along with your associated personal information, to some third-party advertising companies. For example, when you sign in with Apple, you can potentially reveal your first and last name:

Different apps collect all sorts of information about you (e.g. your usage data, your browsing history), some of which is not even private. But if all this information collected by different apps is associated with the same IDFA, it can be used to build a comprehensive profile of you. For example, let’s say you run a video app that has access to your IDFA. Even if you do not reveal your personal information to that app, your video browsing history in that app will be associated with your IDFA. The app then submits your video browsing history and your IDFA to a third-party advertising company. At this point, the video app itself cannot link your video browsing history to you (since it did not collect your personal information). However, since that advertising company already has your personal information (e.g. name, email, phone number) associated with your IDFA, it can link your personal information to your video browsing history. In other words, the IDFA is the common key that joins all the disparate and dispersed information collected about you. So, when you ask an app not to track you in the ATT prompt, it can no longer obtain your IDFA. Without the IDFA, third-party advertising companies cannot link this scattered information back to you.

The next question is: who are the third-party advertising companies? The biggest are Facebook and Google. Some apps even send information about you to multiple third-party advertising companies! This is how, with the IDFA, Facebook and Google can know what you are up to across many different apps by different companies. Since Facebook and Google have already collected a lot of personal information about you, if you run any of their apps and give them access to your IDFA, they can link that same IDFA to everything collected about you from other apps. This way, they can build an even more comprehensive profile of you!

Without IDFA, what can Facebook/Google do?

Without access to IDFA, third-party advertising companies need to collect other information from your device that can uniquely identify it. What sort of information can they collect from your device? Examples include:
  • Cellular Carrier Name (e.g. AT&T, Optus, Vodafone, Telstra)
  • Locale information
  • Device screen resolution
  • Device model
  • iOS/iPadOS version
  • Language
  • Language keyboard
  • Country
  • Device name (more information about how to change or set it can be found here)
  • Date & time in which your device was first switched on
  • IP address
The problem with this information is that no single item can uniquely identify your device. Also, some items change over time (e.g. your iOS version changes when you update it; others change when you switch telecommunication provider or restart your device). But combined, they can more or less uniquely identify your device. Granted, this is still not as foolproof as the IDFA, but for the purpose of tracking, it is the best alternative trackers have.
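As an added illustration (not the article’s or Apple’s code) of why these attributes identify a device only in combination, and why the result is brittle: a constructed population of 36 devices, a SHA-256 fingerprint over hypothetical attribute keys, and a count of how many devices share each fingerprint. Every attribute below is shared by many devices; only the combination is rare, and one OS update breaks the link.

```python
import hashlib
from collections import Counter
from itertools import product

# Hypothetical keys for the items in the article's list of device attributes.
ATTRS = ("carrier", "locale", "screen", "model", "os_version", "language",
         "keyboard", "country", "device_name", "first_boot", "ip")

def fingerprint(device: dict, attrs=ATTRS) -> str:
    """Hash the selected attributes into one identifier. Changing any one
    attribute (e.g. an OS update) produces a different hash."""
    canonical = "|".join(f"{k}={device.get(k, '')}" for k in attrs)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]

def anonymity_sets(population, attrs) -> Counter:
    """Count how many devices share each fingerprint built from `attrs`."""
    return Counter(fingerprint(d, attrs) for d in population)

def fraction_unique(population, attrs) -> float:
    """Share of devices whose fingerprint is unique within the population."""
    sets = anonymity_sets(population, attrs)
    return sum(1 for n in sets.values() if n == 1) / len(population)

def still_linkable(device: dict, changed: str, new_value, attrs=ATTRS) -> bool:
    """Does the fingerprint survive a change to one attribute?"""
    after = dict(device, **{changed: new_value})
    return fingerprint(device, attrs) == fingerprint(after, attrs)

def build_population():
    """Constructed sample: 3 models x 3 carriers x 4 devices each."""
    pop = []
    i = 0
    for model, carrier in product(["iPhone12,1", "iPhone13,2", "iPad11,1"],
                                  ["AT&T", "Telstra", "Optus"]):
        for _ in range(4):
            pop.append({
                "carrier": carrier, "locale": "en_AU", "screen": "1170x2532",
                "model": model, "os_version": "15.4", "language": "en",
                "keyboard": "en-AU", "country": "AU",
                "device_name": "iPhone" if i % 3 else "Alex's iPhone",
                "first_boot": f"2021-06-{i % 10 + 1:02d}",  # only 10 distinct days
                "ip": "203.0.113.7",  # one shared NAT address (TEST-NET-3)
            })
            i += 1
    return pop

POPULATION = build_population()

if __name__ == "__main__":
    for attrs in (("model",), ("model", "carrier"), ("first_boot",), ATTRS):
        print(f"{'+'.join(attrs):<70} unique: {fraction_unique(POPULATION, attrs):.2f}")
    d = POPULATION[0]
    print("link survives OS update:", still_linkable(d, "os_version", "15.5"))
    without_os = tuple(a for a in ATTRS if a != "os_version")
    print("link survives if os_version is ignored:",
          still_linkable(d, "os_version", "15.5", without_os))
```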

Can you stop this alternative tracking method?

Unfortunately not, unless you are willing to install another third-party app (more on that below).

All this information about your device serves a purpose. Apps can have legitimate reasons for accessing some of this information about your device. For example, they need to know which country you are located in or your language so they serve you with country or language-specific information. They need to know your device’s screen resolution in order to display graphics properly.

Therefore, when you ask apps not to track you in the ATT prompt, it is based on an honor system. Although Apple can prevent apps from accessing your IDFA, it cannot prevent apps from collecting other innocuous information from your device. If they collect all this information about you, it is up to them to honor your request not to track you.

How can you stop Google/Facebook from tracking you?

The only way to stop Google, Facebook and other third-party advertisers from tracking you is to cut off apps’ ability to ‘phone home’ to third-party advertisers and trackers. This will require cutting off your device’s Internet connections to known third-party advertisers and trackers.

There is an app that does this: Disconnect.me. It works as a VPN on your device; its VPN server filters out all Internet connections to known advertisers and trackers.

This is a companion discussion topic for the original entry at https://peakprosperity.com/can-apple-keep-apps-from-tracking-you/

VPNs abound. disconnect.me has apps (some free) plus apparently a VPN service. The company is incorporated in Delaware (no taxes) and resides in Frisco (Silicon Valley). They are funded by venture capitalists (FirstMark Capital LLC/Crunchbase Venture Program) whose modus operandi is to go public at some point to make $millions. So it goes.
From my BRIEF research they don’t look so bad on paper while private, my concern would be when they go public or get bought out by someone not so privacy centric. It’s a little concerning their main page shows plugs by NON-PRIVACY centric companies/organizations:
Microsoft, Mozilla, NSA, CISA, et. al.
While I have nothing to hide (other than my privacy), these plugs don’t give me warm fuzzies.
 

4 Likes

Exactly my feeling. Protecting yourself by installing another “free” app might be an easy short cut (as easy as searching with Google :wink: ), but will compromise you possibly in the future.
It might however be the best you can do at the moment, based on an expert opinion.
Btw I’ve been running pi-hole (on a raspberry pi) for some time, this blocks all unwanted traffic by blocking them from coming in/exiting your home network (router). It did basically shut down all free news websites after a while as you have to allow the adware to be active before you can enter most sites or view content (video is the worst). It’s ominous practice nowadays at most websites so I had to stop using it to maintain a functional internet for the family.
I liked it, because it was community-built software on an easy to build platform and it even had a community maintaining the black/white lists with snooper IPs.
The relevance to IDFA is that it would help stop your IDFA’s being connected with your browsing behaviour while at home.
 

2 Likes

The pi-hole acts as your primary domain name server (DNS) on ethernet and returns “not found” for domains on the blacklist. This blocks embedded trackers for facebook, google, microsoft, etc. as well as requests for advertising from servers on the blacklist (currently 174 thousand on mine). Bandwidth and page load times are typically reduced 2x. Individual sites like Facebook can be whitelisted or temporarily enabled through the web interface. You can set it up on an RPI2B for about US$50.
But it only works with Linux and Windows where you can set the primary DNS server. Android and Chromebook have ways to bypass that, and Wifi generally uses the DNS provided by your ISP (who also tracks you). Google is working on HTML language extensions that get rid of domain name translations entirely.
My pihole also is my “cloud” for documents that I want to view and modify on any of my PCs. The /share partition mounts as a network drive.

1 Like
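An added example, not the article’s or Pi-hole’s code, of the mechanism the article’s last section and the post above both describe: a resolver decision that answers names on a hosts-format blocklist with a sinkhole address and forwards everything else, with a wildcard set and a per-name whitelist (the “whitelist Facebook” case). The blocklist text, wildcard set, whitelist and query log are all constructed.

```python
from collections import Counter

# Constructed hosts-format blocklist, the format most Pi-hole blocklists use.
BLOCKLIST_TEXT = """
# address  hostname(s); comments and blank lines are ignored
0.0.0.0 tracker.example
0.0.0.0 ads.example.net stats.example.net
127.0.0.1 metrics.social.example
0.0.0.0 pixel.example   # trailing comment
"""
# Wildcard entries block the domain and every subdomain (constructed set).
WILDCARD_BLOCKS = {"adnet.example"}
# An exact whitelist entry wins, as when a user re-enables one site.
WHITELIST = {"metrics.social.example"}
SINKHOLE = "0.0.0.0"

def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")

def parse_hosts_blocklist(text: str) -> set:
    """Return the set of blocked names; the address column is ignored."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        blocked.update(normalise(f) for f in fields[1:])
    return blocked

BLOCKED = parse_hosts_blocklist(BLOCKLIST_TEXT)

def parent_domains(name: str):
    """'a.b.example' -> ['a.b.example', 'b.example', 'example']"""
    labels = normalise(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def decide(qname: str) -> str:
    """Return 'BLOCK' (answer with the sinkhole address) or 'FORWARD'."""
    name = normalise(qname)
    if name in WHITELIST:
        return "FORWARD"
    if name in BLOCKED or any(p in WILDCARD_BLOCKS for p in parent_domains(name)):
        return "BLOCK"
    return "FORWARD"

def answer(qname: str):
    """Address a sinkhole resolver would return, or None to forward upstream."""
    return SINKHOLE if decide(qname) == "BLOCK" else None

def summarise(query_log) -> Counter:
    """Count decisions over a list of queried names (a constructed query log)."""
    return Counter(decide(q) for q in query_log)

if __name__ == "__main__":
    log = ["news.example", "tracker.example", "cdn.adnet.example",
           "Ads.Example.Net.", "metrics.social.example", "pixel.example"]
    for q in log:
        print(f"{q:<25} {decide(q):<8} {answer(q)}")
    print(summarise(log))
```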

I’m feeling too lazy to do a thorough search right now, but at least in 2018,
you could specify plain-old DNS server and not be forced to use DoH (DNS over HTTP/S)
https://www.howtogeek.com/204672/how-to-change-the-dns-server-on-a-chromebook/
 
And Android is often pretty hackable (in the original sense of the word, not the "I’m
in a dark basement wearing a hoodie sense). So I’d think there are options there.
 
My fear is that corporate America will find some way to prevent
or workaround all ad blocking through similar (DNS cache poisoning) techniques.
 
Another option is to have ad blocking at the router. FreshTomato open
source firmware has this feature, and it’s mostly as simple as just turning
it on. FreshTomato runs on a lot of inexpensive consumer-level routers,
such as Netgear, Asus, D-Link, Linksys etcetera.
 
And of course, you can set your router to use OpenDNS as your DNS
server and let them block the annoying stuff for you. Again, of course,
this assumes that you’re not bypassing standard DNS by having the client
device configured for DoH or similar.

1 Like

It needs to be appreciated that tracking is not, fundamentally, about advertising revenue. It is, in fact, about putting you in a Skinner box, categorizing you, conditioning you, manipulating you. This sort of “advertising” is completely incompatible with liberty, on a fundamental level, and makes any sort of free choice, or democratic governance, fundamentally impossible.
Do not trade your liberty – and your children’s liberty – for trinkets. STOP USING ANDROID. Stop using Google. Stop using Microsoft. Look for a way to stop using any and all tech which is experimenting on you and yours. These companies and people are your blood enemies, even if you have not noticed them stabbing you yet. Don’t be naive, and don’t sell your privacy and autonomy for convenience nor trinkets. Certainly, START using 100% ad blocking 100% of the time. Use VPNs if possible, but – most of all – start blocking all ads all the time. If you can’t see the ad, you can’t react to it. If you can’t see the ad, they can’t catalog whether you slowed down for a microsecond in reaction to an image or a sound. Garbage in, garbage out. Give them garbage, if possible, but most of all, give them n-o-t-h-i-n-g to work with.
 

3 Likes

I quit my job last summer and decided to go back to school, so my work cell phone got shipped back and I didn’t have a personal one at the time. (Turned out my company was a WEF corporate-sponsor, freakin losers). It was quite liberating not having a cell phone for 3 months, but I eventually broke down and got a Rob Braxman de-googled phone, here: https://brax.me/prod/host.php?f=_store&h=rob&p=&version= . 3rd-party review video here: https://www.youtube.com/watch?v=UHblNY6TSdk
It is a motorola running Lineage OS with mostly F-Droid apps. Typically my phone is in airplane mode with location off, and I only check messages periodically through the day. I don’t do social media, and only occasionally check the web, with the browser being DuckDuckGo with TOR and Orbot VPN.
I am very pleased so far and my learning curve has advanced enough that I’m also playing with Linux OSs on a PinePhone. It has six physical on/off switches for its various emitters under the back cover. On the PinePhone I’ve played with Manjaro, Postmarket, and Ubuntu OSs. These OSs seem more at the J-V level, but I sense there will be much improvement coming soon. PinePhone skinny here: https://en.wikipedia.org/wiki/PinePhone
I’m also playing with Linux on some older laptops laying around. Having good luck with Zorin OS. Also playing with Linux on Raspberry Pi 4, and am currently replacing my big-tech streaming devices with multiple RP4s.
To me it’s important to figure this out now, in order to avoid being culled into transmoronism in the coming years. You snooze you lose. Happy Hunger Games and let the odds be in my favor…

2 Likes

Pinephone seems cool, wish I had first hand experiences with them. So far they do not support Wifi calling (obviously totally tracked), but makes a phone more useful when you do not have a cell signal, but DO have Wifi.
No idea which is the “best” VPN, and that may very well depend upon where you live? Seems like it’s a good idea to get one, and then mess with them. If you work for a medium-large company or edu, you are surfing through a proxy, frequently behind a VPN of some kind.
I track all sockets when browsing (and disallow js until I deem it’s needed…which is frequently). So, mess with 'em: change your language/location (you speak or read french/german/spanish–good time to brush up on your language skills)? OK, then stick with english, change your location to canada/US, Mex, Aus. Ensure your VPN is giving you a new IP address every few days/week. This is easy, just pick a different VPN server every now and then (they always give you different server locations). Use different computers/phones/pads. Clear your cookies & history frequently. Use browser plugins sparingly (yet, you probably should use a few). Change your browser plugins every now and then.
I’d love to provide more suggestions, but they are a PITA for people who just want their shit (laptop/phone/pad) to work. Most just don’t have the time nor patience nor at times background to make their websites and/or small networks safer and less prone to tracking.
This is where software developers need to devote their talents (even part-time). Defaults that use google are evil. Recall, Youtube == google. Almost every freaking website I visit uses some google remote socket call (amongst others). It’s up to 95+% now based on my laborious browsing. Remember, the cloud just means your stuff is on SOMEONE else’s computer. Great for testing and such, but for security? Just think about that for a moment.
From the original post (tweak these for some semblance of anonymity).

  • Cellular Carrier Name (e.g. AT&T, Optus, Vodafone, Telstra)
  • Locale information
  • Device screen resolution
  • Device model
  • iOS/iPadOS version
  • Language
  • Language keyboard
  • Country
  • Device name (more information about how to change or set it can be found here)
  • Date & time in which your device was first switched on
  • IP address
May the force be with you.

1 Like

My iGadgets are getting old and can’t run many recent apps, including Disconnect.me
I can’t afford to purchase new iGadgets, which is good from the point of view of not adding to the growing mountain of e-waste, but not good if I want to keep current in the arms race between users and snoopers.
Up until recently I made almost no use of my phone, cellular. I detest the thing. Sadly, the blasted check-in regime could have forced me to take it out of the drawer (which no doubt was one of its purposes) had Canberra not implemented a scheme where people lacking portable phones are issued with a check-in card which the store scans. No need for a phone at all. No tracking of that nature at all. Within the ACT I don’t need to carry one anywhere.
I have a largely unused Faraday bag, so when I travel outside the ACT and must take the ball-and-chain, oops, phone, with me, I will bring the Faraday bag too. That may help just a little. I amuse myself wondering what the surveillance squad will do with my popping in and out of existence. I am presuming that even when a modern phone is switched off, it still responds to signals from the cell tower.

1 Like

Who knew there was this much experience hiding at PP? Very cool stuff.

1 Like

Many reviews of disconnect.me give this product low ratings to useless.
I am using search engines that stop a lot of ads etc. e.g. Brave or at times Opera until something is better and easier to use.

Nice article, certainly hits on some tricky topics that need to be mastered. The scary part is what happens to your data, not just now but in the future (computers never forget and AI is getting better every year).
Check out Michal Kosinski’s work at Stanford. With 500 likes, they can predict your personality better than your spouse. Liking cat photos doesn’t seem like much, but when they have other people submit to deep psychological assessments… and those other people are also liking similar cat photos… then bingo we have a match and that deep psychological profile is accurately correlated to you just from liking cat photos.

2 Likes

Good article, learned some cool stuff. It did a good job of defining the problem.
Proposing a product solution, disconnect.me, without any nuanced discussion of its pros and cons is kind of jarring though, and doesn’t build any credibility. I don’t know if it’s the intent, but it reads like an advertorial.
In the author’s defense, the link doesn’t appear to be any sort of affiliate link.

As a past software engineer (presently self employed as a real estate investor for passive income) my personal belief is we are trackable no matter what we do if we turn on any device that connects to the internet. Not conspiracy belief just feeling that it’s so much work to be invisible and errors occur thus wasting most of the prior effort.
PLUS we run our whole business on google/gmail/google docs, the whole tool set. The only thing I pay is $1.99/mo for more google drive storage. All your and my clicking is paying for my businesses IT infrastructure and I’m SOOOO glad for all those clicks and tracking cookies.
If no one looks at ads, eventually what we use for free will need a monthly fee. Which I agree with, but in the mean time we get tremendous value for almost free. Including ads for stuff that I just bought. LOL, geez, that’s a wasted tracking cookie!
Best to all. Glad you are taking charge of all your interactions with the world. I agree its important to know how all this glues together. Curt

My apologies.
The last part on Disconnect.me was a last minute add-on to the article. I thought it wasn’t good to end an article without a solution. So, I added that at the last minute and so it appeared jarring.

I was just talking with my mom about her friend’s cataract surgery. Speaking in person. Within a half hour Youtube is suggesting videos for cataract surgery. My Android phone is listening to me.

2 Likes
