Surprised that Google didn't take proper pre-cautions here to not run into this.
If there is indeed such an identifier, enabled by default its pretty obvious that its technically possible to track a user. And with all the other data Google has, they also can link to the actual identity pretty easily.
The identifier itself it made to track the user by 3rd party apps, so it's pretty clear why its there :)
Apple provides the exact same API - https://developer.apple.com/documentation/adsupport/asidenti... although IIRC it manages it better (users can revoke it, but it's on by default). I wonder why Google is singled out here though - if Apple is also mining our data, they should also be on the hook.
I wonder if all other OS vendors could be fined as well because the OSes are full of tracking identifiers - device MACs, device install identifiers, serial numbers, etc. There's plenty of apps out there that use those identifiers to track user behaviour.
I looked at your link and I did not see how it could be turned off. It doesn't really say what Limit Ad Tracking does. You'd think that if it caused your advertising ID to be zeroes, then Reset Advertising Identifier would be greyed out if you turned on Limit Ad Tracking.
OK, so your new link @ Apple is more clear, and I do vaguely recall seeing this years ago: for all modern iOS versions, Limit Ad Tracking does set the Ad ID to all zeroes.
> When Limit Ad Tracking is enabled on iOS 10 or later, the Advertising Identifier is replaced with a non-unique value of all zeros to prevent the serving of targeted ads. It is automatically reset to a new random identifier if you disable Limit Ad Tracking.
I think they are deliberately making things confusing. Also the double negative thing which is not very typical for other settings.
I added a link to an Apple support doc which to me suggests that limit = off (or it’s an even bigger conspiracy than I thought, but I’m not that paranoid)
> When Limit Ad Tracking is enabled on iOS 10 or later, the Advertising Identifier is replaced with a non-unique value of all zeros to prevent the serving of targeted ads. It is automatically reset to a new random identifier if you disable Limit Ad Tracking.
Surely it's easier for Google to ask forgiveness than permission. Why wouldn't they do this if they want to track you, especially if they can muster even a shred of plausible deniability to allow them to keep it in place longer?
It's not easier to ask forgiveness than permission - asking permission is free but having to 'ask forgiveness' under GDPR if you've intentionally not asked permission may involve fines up to 4% of annual global turnover which comes out to something like 6 billion dollars for google.
It is easier, at least in the short term, because it gets right away to that tracking sweetness. It might be regretted in the long term, although global companies don't seem to be taking GDPR seriously yet, probably because they don't sufficiently fear the enforcing bodies. (Let's see those consent walls come down first.) In the meantime, who knows how much Google made off the tracking information that they got this way?
The title should have mentioned the person by name: it's Max Schrems [1].
He has a legal background, and has fought a number of high-profile privacy cases in Europe.
The day the GDPR came into effect, he filed violations complaints against Facebook and Google in four different jurisdictions. He's a spearhead figure in this regard.
I already knew it was him when reading the headline, weird that they skipped over that. It's kind of a household name if you are at all interested in privacy or are aware of the Facebook privacy issues at this point.
> The day the GDPR came into effect, he filed violations complaints against Facebook and Google in four different jurisdictions.
When people do this it comes across as malicious harassment rather than a genuine legal complaint for harm caused. Why so many jurisdictions, and why on the very day it came into effect?
Oh no, somebody save Google, please. A single lawyer is harassing this poor trillion dollar company.
He has any right to use all existing laws to file complaints. When a new law is being introduced it should be followed immediately, especially when it impacts the lives of many. Would you argue that a speeding ticket is harassment when the fines were raised just the day before? No, you wouldn't because that would be ridiculous.
> When a new law is being introduced it should be followed immediately, especially when it impacts the lives of many. Would you argue that a speeding ticket is harassment when the fines were raised just the day before?
When there's a new law or a new speeding limit on an existing road the police do usually spend a while just politely warning people about it before they charge anyone.
He's an activist. Not someone who's genuinely been harmed and seeking a legal resolution as a last resort after trying to resolve in good faith first.
As another poster pointed out, GDPR had a 2 year (!) period where it was already a law in all EU countries but was not enforced for exactly that reason. Try telling a cop that you need to be notified 2 years in advance.
Privacy advocates have been saying for years that Google is building profiles for every user on the internet. You were not able to get to know what Google knows about you. This changed and it is really good that it changed.
The EU tried to resolve the issue in good faith - they passed the GDPR with two years between publishing the law for all to see, and the date at which it would start being enforced. The various privacy-violating companies did not act in good faith by attempting to comply with the law and the guidance surrounding it, instead hoping that they could put it off until they got sued over it.
> it comes across as malicious harassment rather than a genuine legal complaint
Legal harassment is an issue when individual citizens and small businesses are targeted with frivolous lawsuits clearly intended to burn as much of their time and money as possible.
This is not the case here. Google and Facebook deserve every privacy lawsuit they get. They have the resources to deal with it too.
> When people do this it comes across as malicious harassment rather than a genuine legal complaint for harm caused. Why so many jurisdictions, and why on the very day it came into effect?
The very day should be obvious: because these companies had two years to prepare for and become compliant with the GDPR.
This wasn't Facebook et al. saying "oh no, we need more time please'. This was them saying "we made up our mind on the implementation; if you disagree, we'll let a judge decide."
No idea about the jurisdictions, but I'd expect there to be good reasons, too. He's an activist, but I never perceived him as an over-the-top "in-your-face" activist. On the contrary.
For anyone complaining about this: the advertising ID is a very good thing for us tech people
Nobody know how to change it or turn it off. That means a lot of developers and advertisers assume it is actually a good way to track users. So if you go in and reset/disable it, you'll be in such a small minority that you'd become an edge case and they'd lose the historical data on you.
Obviously this isn't true 100% of the time but if it didn't exist then advertisers would use a hardware fingerprint probably, which is a lot harder to spoof
As a denizen of statistics and technology, fooey with non-anonymized identifier bits outside of bug reports. We have ways of making data speak. We genuinely rarely care the specific record identifier.
I think there’s subtle distinction, when they say “tech” it means web based human exploitation TECHniques aka “Ad”, and when they say “engineers” without specifying which(civil, mechanical, electronics etc) it implies social script engineering. I think the idea is if you think it means technology and software engineering respectively then they’d declare it a problem with your naivety thus quote-unquote your own fault.
There's no reason they can't do both especially considering privacy-conscious people and those adverse to advertising are the very people advertisers would pay a lot of money to reach.
My theory with this is that someone privacy-conscious, ad-adverse and those who block ads signal both that their time is too valuable to be wasted by advertising and they have the skills to install technical countermeasures against them. This correlates favourably with developers and similar positions that typically have higher than average salaries (thus more purchasing power) and the possibility of influencing purchasing decisions at their company for enterprise products.
People who avoid ads aren't even considered a target audience. They exercise too much critical thinking for advertisers who want to grab people by the feels and get them to buy their product for a dopamine rush.
Thanks for the added perspective, you're definitely correct. Measuring penetration is a big deal for price setting ad space. Even still, it doesn't seem to push Google to include their Ad ID system in AOSP instead of the Play Store. They could have forced ROM developers to go digging for the API to remove it.
Close, this means that if you reset it on a regular basis advertisers will see you as a new person each time because so few people do it that they don't invest resources into handing it.
If there is indeed such an identifier, enabled by default its pretty obvious that its technically possible to track a user. And with all the other data Google has, they also can link to the actual identity pretty easily.