Apple Won’t Budge On Its New Privacy Updates, Even in China


Earlier this week, stories emerged that some China-based advertising groups were coming up with their own clever workarounds for the new anti-tracking tech that Apple’s including with upcoming versions of iOS 14. Now it looks like Apple’s fighting back.

On Thursday, the Financial Times reported that Apple sent off warnings to at least two Chinese apps that were caught trying to create their own unique identifiers for a given app — something that the Apple update pretty explicitly forbids.

The two apps in question were caught using something called the China Advertising Association ID (CAID for short), which was developed by the region’s trade association of the same name in late 2020 as a way to keep tracking and targeting iPhone users long after Apple’s updates went into effect. The Financial Times first broke the news that some of China’s biggest tech companies — like Baidu, Tencent, and ByteDance — were each allegedly running tests to implement the identifier. Collectively, these three digital giants reportedly control about 54% of China’s total ad spend.

It’s unclear what the Apple updates will do to the billions of dollars that spend translates into. Here in the U.S., we know that some major players in the ad-serving market — Facebook, in particular — have forecast some sort of significant revenue plunge from the iOS update, and have gone on a public PR spree over the past few months to defend their core business from Apple’s clutches.

We’ve written a bit about what these updates entail — and why Facebook’s on the offensive — in the past, but at the most basic level, the update would simply require apps to ask for user consent before using a specific advertising identifier (the so-called IDFA) that’s baked into the user’s phone. Without IDFA access, these app devs don’t have the ability to track users outside their own app, which, as you can imagine, is pretty bad news for the companies that make bank off of doing exactly that. While some of them have tried to find their own underhanded ways to subvert the new Apple rules, there are actually some pretty strict guidelines outlawing just about all of them: no “fingerprinting,” no hashed data, and no creating identifiers of your own.

It turns out that’s what some of these China-based companies were attempting to do. TikTok’s parent company ByteDance, for example, uses an adtech platform called Ocean Engine to hoover up identifiers like a phone’s IMEI and hardware specs, both of which are then used to assign a unique CAID to the phone. If you look at the privacy terms for the CAID, it notes that this identifier is then designed to be stored on a server housed within the Advertising Association itself, meaning that any app using the Association’s built-in code could then call back that ID to market to whoever’s using their particular app.

If that sounds like it’s a violation of Apple’s strict guidelines here, that’s because it absolutely is. But as the initial Financial Times report points out, Apple inexplicably hadn’t yet cracked down on the CAID, or any apps implementing it. At least until now — per the Times, one developer who was caught sneaking it into their code was told that Apple found their app “collects user and device information to create a unique identifier for the user’s device,” and was given two weeks to update their app so it would be “compliant with the App Store Review Guidelines within 14 days.”

Right now, it’s unclear whether the major players in the mobile-app space will flinch. While Gizmodo wasn’t able to confirm whether Tencent or Baidu has budged just yet, as of this writing, ByteDance’s developer documents still list the CAID as an optional identifier if a user’s IDFA is unavailable.

We’ve reached out to Apple for comment on its enforcement and will update if we hear back.