Naked Security Naked Security

Apple bans ads, third-party tracking in apps meant for kids

The new policy: Ditch third-party trackers in apps designed for youngsters, lest the app get booted out of the App Store.

On Monday, at its World Wide Developers Conference (WWDC), Apple had a big on-stage announcement of its new Sign In with Apple offering.

But it also made a less ballyhooed tweak: the company swept kids up in its privacy march.

On Monday, Apple updated the Kids category in its App Store developer guidelines to include a new ban on third-party advertising or analytics (which are ostensibly used for tracking) in content aimed at younger audiences.

Previously, the guidelines only restricted behavioral advertising tracking – e.g., advertisers weren’t allowed to serve ads based on kids’ activity, plus ads had to be appropriate for young audiences.

The current guidelines also (still) stipulate that apps can’t include links that take a user outside of the app, or other things that would “distract” kids, unless they’re behind a parental gate: a feature used in apps targeted at kids that keeps them from buying stuff or following links out of an app to websites, social networks, or other apps without the knowledge of their parent or guardian.

Apple also reminded developers to pay attention to privacy laws around the world when it comes to the data they collect from kids.

Is Apple a hypocrite over privacy claims?

Before giving Apple the thumbs-up on this move to protect kids’ online privacy, we should point out that other tech players have found its strenuous privacy marketing a bit disingenuous. In April, for example, Mozilla called out Apple over its “Privacy. That’s iPhone.” slogan. Mozilla said Apple’s done great with privacy, but it could do more: specifically, tweaking a little-known feature in iOS devices that could make it harder for advertisers to track mobile users.

Mozilla compared the Identifier for Advertisers (IDFA) – a hexadecimal code unique to every iPhone – to “a salesperson following you from store to store while you shop and recording each thing you look at. Not very private at all.”

Mozilla wants Apple to change the IDFA on its phones every month: doing so would still allow advertisers to track what you do on your phone, but only for a few weeks.

Users who want to shake off that virtual “salesperson” and don’t want to wait to see if Apple adopts Mozilla’s suggestion can reset it manually by going to Settings > Privacy > Advertising > Reset Advertising Identifier… or set it to all zeroes by going to Settings > Privacy > Advertising > Limit Ad Tracking.

Besides Mozilla, Apple’s come in for a good amount of heat in other quarters over its recent marketing campaign, in which it claims that “what happens on your iPhone stays on your iPhone.”

Oh, really? Well, maybe not so much. Last week, the Washington Post reported that its “privacy experiment” showed that in a single week, 5,400 hidden app trackers were guzzling iPhone data. From the article:

Even though the screen is off and I’m snoring, apps are beaming out lots of information about me to companies I’ve never heard of. Your iPhone probably is doing the same – and Apple could be doing more to stop it.

Technology columnist Geoffrey A. Fowler found that several iPhone apps were tracking him, passing information to third parties while he was asleep, including, perhaps unsurprisingly, IBM’s the Weather Channel – the app that Los Angeles sued over selling users’ location data.

Another investigation earlier this year – this one by TechCrunch – found that some apps were using so-called session replay technology: a type of analytics software that records the screen when an app is open. Apple told developers to knock it off, TechCrunch later reported, noting that apps using the technology included ones built by some big names.

But think of the children

Kids’ privacy has been jeopardized by all manner of internet-enabled products targeted to them, be they eavesdropping Barbies, GPS-tracking smartwatches that are vulnerable to being taken over by attackers, or devices with flaws that could allow hackers to remotely take control and spy on the 3- to 11-year-old children for whom they’re marketed.

A complaint to the Federal Trade Commission (FTC) filed by consumer advocacy groups recently prompted Google to slap its Google Play policies into shape when it comes to kids’ apps.

Apple’s latest move will hopefully truly prevent apps from tracking kids. We don’t want to find ourselves writing about it being only a skin-deep marketing move. Hopefully, this “no-tracking-kids” move will truly keep developers from doing just that with, say, kids’ iPhones while they sleep – or anytime, for that matter.

If not, Apple will potentially hear from the FTC.