iOS 15 is the delayed detonation of the iOS 14.5 privacy bomb

By John Koetsier December 1, 2021

If your jungle becomes a desert, your city becomes ground zero for a bomb cyclone, or your seaside getaway becomes the next century’s scuba diving expedition hot spot, that’s kind of a big deal. Just as big a deal, according to Apple CEO Tim Cook, as privacy.

Cook rates privacy at nearly the same level as climate change:

“In terms of privacy—I think it is one of the top issues of the century,” Cook told Fast Company earlier this year. “We’ve got climate change—that is huge. We’ve got privacy—that is huge. . . . And they should be weighted like that and we should put our deep thinking into that and to decide how can we make these things better and how do we leave something for the next generation that is a lot better than the current situation.”

You probably didn’t need that quote to know that Apple is all-in on privacy. It’s a core part of the company’s marketing messaging, it’s a key peg in Apple product strategy, and it’s the main reason for both the recent delivery of iOS 14.5 with App Tracking Transparency and SKAdNetwork and the messaging Apple has recently implemented to alert iPhone owners when they’re the target of sophisticated nation-state hackers.

Privacy and iOS 14.5

But the job is incomplete.

iOS 14.5 was supposed to boost iPhone owners’ privacy and protect them from internet tracking if they choose. And it does, in some narrow circumstances. Only about 20% of people allow tracking in App Tracking Transparency, and that has some impact on what adtech companies do, and what data gets shared.

But it hasn’t really boosted privacy that much, according to an independent investigation by a former Apple employee:

App Tracking Transparency made no difference in the total number of active third-party trackers, and had a minimal impact on the total number of third-party tracking connection attempts. We further confirmed that detailed personal or device data was being sent to trackers in almost all cases.

Most in the industry know that fingerprinting is still a thing. Fingerprinting is probabilistic identification of devices — and by extension people — via collection of datapoints like IP address, location, software version, language, currency, carrier name, and even relatively obscure details such as battery level, screen brightness, last restart time, and total storage space.

It is true, however, that where you can fingerprint is extremely limited.

Most of the mobile ad ecosystem is not technically measurable via fingerprinting. Large platforms such as Facebook, Google, Snap, Twitter, Pinterest and others simply do not release any data that could be used for fingerprinting, which limits the scope of potential fingerprinting-based tracking on iOS to about 25% of the ecosystem.

The reality, however, when you’re talking about an adtech ecosystem that delivers trillions of ad impressions — and therefore device touches — and hundreds of billions of clicks and tens of billions of app installs plus many other different kinds of ad conversions … even 25% of an industry is a big deal.

Essentially, it’s still the whole world: the entire digital population.

Because, of course, people don’t just go to Facebook or Google or Snap or Twitter: they visit websites on mobile web, they use a unique set of hundreds of on-device apps with dozens in regular use. Most of the big emerging titans of mobile adtech touch billions of devices monthly.

If compliance is a problem and Apple is not going to investigate and/or toss millions of apps for non-IDFA tracking, what’s going to happen?

 

Privacy in iOS 15 with Private Relay

An Apple-branded VPN is what’s going to happen, in my opinion.

As I wrote a few months ago about Apple’s new Private Relay, which arrived in iOS 15:

Private Relay achieves [privacy] by separating your requests for the stuff you want on mobile web from the place that request goes, essentially by putting in two proxy servers. The inbound proxy gets your request. The outbound proxy relays it to the server, and they shake hands on the way back with your web page or resources. You’re invisible to the server, and even Apple doesn’t have the full end-to-end picture.

Right now it’s only mobile web. It’s brand-new, and it’s still somewhat unstable: I’ve received several notifications on my iPhone 13 Pro that “Private Relay is temporarily unavailable due to a technical problem” and that “it will resume working automatically when the problem is resolved.” At least one of those outages was over 6 hours long.

 


So it’s kind of a baby VPN right now.

But remember, Apple has a privacy imperative. Privacy is in all of their marketing, and Apple has defined privacy as part of their DNA as a big tech company and a key differentiating factor from the main competitor to its critical and massive iPhone cash cow: Android phones.

So Apple can’t really in good conscience maintain a privacy stance that isn’t backed up by real, solid, effectual action. And while most people might not think conscience is a huge factor in what big tech companies do, for Apple I believe it is. (Frequently. Perhaps not always!)

So I see Apple extending Private Relay to mobile app traffic in addition to mobile web traffic. Private Relay is in public beta right now in iOS 15, but is certainly under significant development, and will likely see major improvements in the various point releases coming over the next year: iOS 15.2, iOS 15.5, and so on.

 

Too expensive for Apple?

Some have said that’s too expensive, but Apple has a staggering 700 million people paying for a monthly subscription service, and most of those are guaranteed to be iCloud+ accounts, where the base paid level of subscription starts at just 99 cents/month and ramps to $10/month for 2 terabytes of storage.

An enhanced iCloud+ with a permanent always-on VPN could be a new option, or included at higher price points. And it’s not out of reach.

Currently, the price of VPNs on iOS ranges from $0 to not-quite $10 per month on an annual subscription:

  • $7/month for ExpressVPN
  • $6.50/month for Surfshark
  • $5/month for NordVPN
  • $3/month for Private Internet Access
  • $2/month for VyprVPN
  • $0/month for Cloudflare’s 1.1.1.1 service (or $7/month for WARP+, a faster VPN)

Insight one: cost
If no-name VPN companies can do it for a couple bucks a month, Apple can certainly do it.

An important point here: getting just any VPN for “improved privacy” is a horrible idea. The number of VPNs that have been exposed as actually doing the opposite of what they’re supposed to do and tracking you for profit is not small.

MSN puts it this way:

Many VPN companies will employ trackers in their apps regardless of how much they say they care about your privacy. Those VPNs put users’ privacy at risk so they can make as much money as possible. And what some of these VPN apps track and share with third parties is actually quite alarming. This is the biggest reason we advise you to avoid using free VPNs.

Remember, if it’s free, you … are … the … customer.

Insight two: liability
Increasing privacy is one reason Apple will likely expand Private Relay in subsequent versions of iOS 15. Another is to limit liability. Cheaper or no-name VPNs can be fairly scuzzy. They are literally perfectly positioned to totally screw you, as they have access to everything you send and receive to and from the internet, and some certainly have abused that responsibility. Depending on the VPN, your data could even be going directly to a country’s security services, or straight to commercial clients.

Clearly, Apple would have a reason to ensure that does not happen.

 

Growth marketers should get ready

If I’m right about all of this, it will be a massive change.

There’s somewhere north of a billion active iPhone users, and Apple says 700 million of them are subscription-paying customers. If a new fully-fledged version of Private Relay handles both mobile web and app traffic and is included with iCloud+, Apple’s massive subscription service, marketers are going to lose whatever fingerprinting-based probabilistic measurability they thought they had.

For some, that will be incredibly challenging: a 64% drop in trackability via unauthorized and not privacy-safe measurement.

 


You already have 20-30% who have completely turned App Tracking Transparency off device-wide for all apps. That only leaves something like 825 million you can even ask for IDFA accessibility. Marketers and adtech players who are counting on fingerprinting to see them through the lack of old-school deterministic and granular measurement would lose more than half of their device visibility.

And that would essentially kill by technology what Apple has not yet been able to mandate by fiat.

(Oh, and by the way, Apple wouldn’t even need to make Private Relay as big as I’ve speculated above. Apple could simply turn off unapproved access to dozens of device parameters that 99.9% of websites and apps don’t really need, and/or obfuscate those details when reporting them. Either would make fingerprinting dependent on far fewer necessary parameters, making it significantly less accurate and probably unworthy of the privacy exposure risk.)
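The effect described in the parenthetical above can be measured as an anonymity-set size. This is an added example, not code from the original post or from Apple: the population is constructed, and the attribute values, weights and bucket widths are assumptions chosen for illustration.

```python
import random
from collections import Counter

# Constructed population. Attribute names follow the datapoints the article
# lists; value ranges and weights are assumptions made for illustration.
def build_population(n=20000, seed=15):
    rng = random.Random(seed)
    pick = lambda values, weights: rng.choices(values, weights)[0]
    return [{
        "os_version": pick(["15.1", "15.0", "14.8", "14.5"], [50, 25, 15, 10]),
        "language": pick(["en", "es", "de", "fr", "ja"], [60, 15, 10, 10, 5]),
        "carrier": pick(["A", "B", "C", "D"], [40, 30, 20, 10]),
        "total_storage_gb": rng.choice([64, 128, 256, 512]),
        "battery_pct": rng.randint(1, 100),
        "brightness_pct": rng.randint(0, 100),
        "last_restart_min": rng.randint(0, 30 * 24 * 60),  # minutes ago
    } for _ in range(n)]

def full(d):
    """Every parameter reported at full precision."""
    return tuple(d.values())

def obfuscated(d):
    """Same parameters, with the volatile ones coarsened before reporting."""
    return (d["os_version"], d["language"], d["carrier"], d["total_storage_gb"],
            d["battery_pct"] // 50, d["brightness_pct"] // 50,
            d["last_restart_min"] // (7 * 24 * 60))

def restricted(d):
    """Obscure parameters withheld entirely."""
    return (d["os_version"], d["language"], d["carrier"])

def uniqueness(devices, view):
    """Return (share of devices alone in their group, median anonymity-set size)."""
    keys = [view(d) for d in devices]
    groups = Counter(keys)
    sizes = sorted(groups[k] for k in keys)
    unique_share = sum(1 for s in sizes if s == 1) / len(devices)
    return unique_share, sizes[len(sizes) // 2]

if __name__ == "__main__":
    population = build_population()
    for view in (full, obfuscated, restricted):
        share, median_set = uniqueness(population, view)
        print(f"{view.__name__:<11} unique={share:.1%}  median anonymity set={median_set}")
```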

So: whether it’s in iOS 15.something or iOS 16, an expanded Private Relay is almost certainly coming. When it’s in place, privacy-safe marketing measurement is all you’ll have:

  • Apple-created and approved SKAN
  • Privacy-safe probabilistic measurement methodologies such as incrementality and media mix modeling

Which means mobile marketers have a finite amount of time to get good at new techniques. The bad news here is that even today, months after SKAN’s introduction, nine out of ten marketers we surveyed in one of our recent SKAN webinars said they were still not confident about using the data they currently get for managing and optimizing their marketing campaigns.

My suggestion: now would be a very good time to get good at SKAN.

 

Get some help with SKAN?

If you’d like some help with SKAN, we’d be happy to help. After all, leaders like Rovio use Singular’s SKAdNetwork implementation incredibly successfully. We were the first to offer SKAN support, and we’d be happy to help.

Book some time, and let’s chat.

 
