Ad firms are cheating App Tracking Transparency to spy on iPhone users

Firms are manipulating device fingerprinting to target and spy on iPhone users

App Tracking Transparency was introduced with iOS 14, and was so effective at preventing advertisers harvesting data that Facebook announced that its revenue would be down $12.8 billion in 2022 alone. Despite Apple's success, though, some advertisers have simply moved to a different method of tracking.

Rather than directly tracking when an iPhone user clicks on an ad, the new method involves firms collating large amounts of data and then spotting the patterns advertisers want to know.

According to 404media, ads within hundreds of thousands of apps are effectively made "part of a global surveillance capability." The publication says that in response to its investigation, Google and ad firm PubMatic, have cut off a company linked to the surveillance.

The surveillance was done using a tool named Patternz. It's marketed by a company of the same name, which says "We help national security agencies detect audience patterns and user behavior using digital advertising data mining and analytics.

It works by exploiting a regular ad tool called real-time bidding. By bidding against other advertisers to put ads in front of, say, NFL fans, all advertisers can be told how many such fans there are.

That's one broad category, but if the Patternz user specifies a much more specific search — say, NFL fans in Chicago, using iPhone 15 Pro — it can get it. Patternz users bid for ads using far more detailed searches, and they are rewarded with over 90 terabytes of data every day.

In a video that 404media says was removed once the publication began investigating, a spokesperson for the Patternz company demonstrates what it can do. The software returns GPS locations for a user, for instance, with the claim that accuracy can be down to a meter.

The Patternz demo also showed a user's brand of phone, its OS version, and even their home and work addresses. More startlingly still, it also retrieves a list of other users who were near to the target one.

This level of detail requires the use of an advertising network that is willing to support it.

Apple did not respond to the 404media investigation, but Google has terminated its relationship with a firm named Nuviad. The company is suspected, but not proven, to be involved in the surveillance.

Senator Ron Wyden, who in 2023 raised the issue of spying via push notifications, reportedly contacted Google regarding this Patternz tool in June 2021.

"It has taken far too long, but I'm glad Google is finally cutting off another sketchy surveillance company from access to its users' data," Senator Wyden told the publication. "Google should have acted when my office first alerted the company to this abuse of user data back in 2021."

"It shouldn't have taken a question from a reporter and the threat of bad press for the company to act to protect its users from spies," he continued.