
Mozilla to Apple: Protect user privacy with rotating phone IDs

Mozilla has criticized Apple for its latest privacy marketing campaign, urging it to provide more automatic protection for users behind the scenes. The nonprofit Mozilla Foundation has launched a petition to enhance a little-known feature in iOS devices that could make it harder for advertisers to track mobile users.

In a blog post, Mozilla praised Apple for its privacy track record but criticized its latest marketing campaign, with the slogan “Privacy. That’s iPhone.” The iPhone vendor has produced tongue-in-cheek videos showing people in various situations they’d rather keep private. Mozilla responded:

A key feature in iPhones has us worried, and makes their latest slogan ring a bit hollow.

Mozilla has a problem with the Identifier for Advertisers (IDFA), which is a hexadecimal code unique to every iPhone. When mobile users click a banner, play a video, or install an app, media companies can pass that information to advertisers along with the IDFA. The code doesn’t identify you, but it enables them to build up a profile of your activities.

The IDFA is a crucial tool in advertisers’ quest for attribution. This marketing concept ties individual product purchases or subscriptions to the advertisements that promoted them. The missing link is an individual’s series of responses to those advertisements over time. This is what the IDFA provides, and Mozilla finds it distasteful:

It’s like a salesperson following you from store to store while you shop and recording each thing you look at. Not very private at all.

Apple has sided with privacy advocates against advertisers before. In September 2017, it shipped iOS 11 with a new feature for the mobile version of Safari called intelligent tracking prevention. This feature, which also hit macOS Safari the same month, used machine learning to better manage cookies. These are small files, different to IDFAs, that websites and advertisers place in the browser to identify users later on.

Some sites use cookies to remember your session so you don’t have to log in again. But others use them to tell advertising networks you’ve been there, enabling advertisers to track you across multiple properties.

The intelligent tracking prevention feature works out which cookies make sites easier to revisit, and which of them spy on you. The original version blocked the latter from third-party use after a day and deleted them after a month.

Advertisers were so incensed by this that six major advertising groups published an open letter to the company calling it “unilateral and heavy-handed”.

Then, in June 2018, Apple updated the anti-tracking service, removing the 24-hour window for third-party cross-site trackers to use cookies in the browser. Advertisers protested again.

This should please privacy-conscious users, but the IDFA persists far longer than any cookie. In fact, it won’t ever change, unless the user intervenes. Mozilla explained:

Most people don’t know that feature even exists, let alone that they should turn it off. And we think that they shouldn’t have to.

Mozilla wants Apple to change the IDFA on its phones every month. This would still allow advertisers to track what you do on your phone, but only for a few weeks, instead of forever.
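
To make the effect of rotation concrete, here is an added illustration (not code from Mozilla, Apple or the original article) that groups one device's ad events by identifier, first with a persistent ID and then with one that changes every period. The device name, the event list, the 30-day period and the uuid5-derived identifier are all constructed assumptions.

```python
import uuid
from collections import defaultdict

ROTATION_DAYS = 30  # assumption: "every month" modelled as a 30-day period

# Constructed sample: (day offset, event) reported by one device's apps.
EVENTS = [(0, "banner_click"), (3, "video_play"), (20, "app_install"),
          (45, "banner_click"), (62, "video_play"), (70, "purchase"),
          (88, "banner_click")]


def advertising_id(device: str, day: int, rotate: bool) -> str:
    """Identifier the device reports on `day` (hypothetical model, not Apple's)."""
    # uuid5 is a deterministic stand-in so the run is reproducible; a real
    # reset must draw a fresh random value so periods cannot be re-linked.
    period = day // ROTATION_DAYS if rotate else 0
    return str(uuid.uuid5(uuid.NAMESPACE_OID, f"{device}:{period}")).upper()


def build_profiles(events, rotate: bool):
    """Group events the way an ad network would: by the identifier alone."""
    profiles = defaultdict(list)
    for day, event in events:
        profiles[advertising_id("constructed-device", day, rotate)].append((day, event))
    return dict(profiles)


def longest_linkable_span(profiles) -> int:
    """Longest run of days over which one identifier ties activity together."""
    return max(evts[-1][0] - evts[0][0] for evts in profiles.values())


def touches_attributed(profiles, conversion="purchase") -> int:
    """Number of earlier events sharing an identifier with the conversion."""
    for evts in profiles.values():
        for i, (_, event) in enumerate(evts):
            if event == conversion:
                return i
    return 0


def summarize(rotate: bool):
    """Return (profiles seen, longest linkable span in days, attributed touches)."""
    p = build_profiles(EVENTS, rotate)
    return len(p), longest_linkable_span(p), touches_attributed(p)


if __name__ == "__main__":
    print("persistent:", summarize(False))
    print("rotating:  ", summarize(True))
```

With the persistent identifier every event lands in one profile spanning the whole sample; with rotation the same activity splits into separate profiles, each covering less than one period.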

It is asking for this because most people don’t know about the IDFA or how to disable it, but now, you will. If you want to limit ad tracking via IDFA on your phone or tablet, go to Settings > Privacy > Advertising. Select the Limit Ad Tracking feature, and you’re done. This guide from Apple explains how to do the same on your Apple TV, and how to turn off location-based advertising on your iPhone, too.


There’s no Advertising tab in the settings>privacy on my iPhone(?)


Did you scroll right to the very bottom?

On my iPhone, when I open that page, there’s a list of apps and their location settings, followed by a grey explanatory box saying “As apps request access they will be added to the categories above.”

That grey box looks just like the end of the page – at first I thought there was no more to see, but scrolling down a bit anyway revealed two extra options at the end (Analytics and Advertising).


> I thought there was no more to see, but scrolling down a bit anyway revealed two extra options at the end

A dirty trick.
“huh, guess my phone doesn’t have that feature, or I’d have the option to block it”
[wanders innocently into the snake pit]


I think it’s just the screen resolution – on one of the taller new iPhone Xs screens I suspect the other options would be visible.


Perhaps. I’d need to see it, but the image in my head upon reading your last comment is one of deliberate obfuscation. Re-reading it still sounds the same.
This doesn’t sound like the Apple we’ve read about lately, flipping the bird to FBI phone crackers and such–but it sounds nonetheless like capitulating to advertisement revenue.


You’ve over-interpreted my comment (or I was not clear enough) – it looked like the end of the page to me simply because a sentence of text in a grey box aligned exactly with the end of the screen. That wasn’t planned – it was just by chance. I tried scrolling down anyway and the remaining options were there…

(Went into a shop today and tried the iPhone Xs Max, which has a tall thin screen, and all the options showed up on the main page.)


> You’ve over-interpreted my comment
I suppose there’s a bit of contextual, “occupational” hazard–given some of the things we read on these pages. I’m giving myself a pass.


Can’t WWW users be tracked through a combination of IP address, browser user agent, operating system, device model, referring URL, third party cookies (especially Google, Facebook, and other socials, even for non-members), inferred haptics (via javascript mouseover and typing speed measurements), and other chicanery?

Plus, there are a ton of ubiquitous and popular apps (including weather apps) that collect users’ device IMEI numbers, wifi SSIDs, and mobile phone numbers, to share with advertisers. WeatherBug and are now owned by data analytics and advertisers.


Aye, AC; it’s fingerprinting.
…yet it doesn’t excuse adding yet one more trick in the toolbag specifically for that purpose.

