The data privacy battle Apple is not waging
Elena Lacey, Getty Images
For at least a decade, data protection officers dreamed of a universal, legally enforceable “do not track” setting. At least in the most populous state in the United States, this dream has now become a reality. So why isn’t Apple – a company that is increasingly using privacy as a selling point – helping its customers get these benefits?
When California passed the California Consumer Privacy Act (CCPA) in 2018, the law came with a large asterisk. In theory, the CCPA gives California residents the right to instruct websites not to sell their personal information. In practice, exercising this right means clicking through an endless number of privacy policies and cookie notices on each website you visit. Only a masochist or die-hard privacy enthusiast would go to the trouble of clicking through the cookie settings every time they look up a menu or buy a vacuum cleaner. Privacy will remain a right on paper for most people until there is an easy way to opt out of tracking across the internet with one click.
The good news: this ideal is getting closer and closer to reality. While the CCPA doesn’t specifically mention a global opt-out, the California Attorney General’s 2020 Interpretation Rules stated that companies must comply with one, just as they do with individual requests. The technology for a universal opt-out did not yet exist, but last fall a coalition of companies, nonprofits and publishers unveiled a technical specification for global privacy control that can send a CCPA-enforceable “Do Not Track” signal at the browser or device level.
If you live in California today, you can enable global privacy control by using a privacy browser like Brave or downloading a privacy extension like DuckDuckGo or Privacy Badger in any browser you already use. (Seriously, go for it. The full list of options is here.) Once you do, you are automatically telling the websites you visit “do not sell my personal information” without having to click anything – and unlike previous efforts to create a universal opt-out, every decent company doing business in California is required by law to comply, which requires adding just a few lines of code to their website.
The state of CCPA enforcement remains murky, as some companies oppose the Attorney General’s broad interpretation of the law. However, the California government has started to make it clear that it intends to enforce global privacy control requirements. (The recently passed California Privacy Rights Act, which will come into full effect in 2023, makes this requirement clearer.)
In mid-July, Digiday reported that Attorney General Rob Bonta’s office had “sent at least 10 and possibly more than 20 letters to companies asking them to respect the GPC”. And a listing of CCPA enforcement actions recently appeared on the Attorney General’s website stating that a company was forced to respect the signal.
Now the bad news. While it’s much easier to install a privacy extension or browser than to click your way through a million privacy pages, the vast majority of people are still unlikely to do so. (It remains to be seen whether DuckDuckGo, with its billboards along America’s highways and in its cities, will inspire a new wave of privacy professionals.)
This is very important, as online privacy rights are collective, not individual. The problem with ubiquitous tracking isn’t just that it can allow someone to access your personal location data and use it to ruin your life, as happened recently to a Catholic priest whose commercially available Grindr data showed a pattern of visits to gay bars. Even if you personally decide against tracking, you still live in a world that is dominated by surveillance. Tracking-based advertising contributes to the decline of quality publications by eating up the premium advertisers pay to reach their audiences. It’s cheaper to find these readers on social media or even on bottom-feeding extremist news sites. It increases the incentive to relentlessly maximize engagement on social media platforms. None of this will go away until a critical mass of people decides against the widespread tracking.
This is why one absence from the list of companies supporting global privacy control is so noticeable. Apple improved its already strong reputation for privacy earlier this year by introducing App Tracking Transparency, a setting that reverses the privacy default on iOS devices by forcing apps to get a user’s permission before sharing their data. This is a really big step forward in privacy, as the difference between opt-out by default and opt-in is huge – and in fact, early reports suggest that most iPhone users are reluctant to allow apps to track them.
But Apple, despite its stated (and heavily promoted) commitment to privacy, has not built global privacy control into Safari, the most popular mobile browser in the US and the second most popular desktop browser. Nor is it built into iOS, which accounts for more than half of the US mobile operating system market. That means Apple isn’t doing as much as it could to protect tens of millions of users from having their data sold and shared. The App Tracking Transparency framework is important, but it relies on Apple catching app developers who violate the policy. Safari’s tracking prevention feature, on the other hand, is based on a technical approach to blocking cookies and other trackers that can often be bypassed.
“For years, companies have found ways to bypass technical data protection. It’s basically an arms race,” said Ashkan Soltani, a privacy researcher who helped develop global privacy control. “Technical tools are not enough. You have to have the force of the law behind it.” This is where global privacy control differs significantly from existing tracking prevention. If a company doesn’t honor it, it’s not just breaking its terms of service or bypassing some code – it’s breaking the law and risking hefty fines or penalties.
However, so far, none of the major browsers has incorporated the feature, so it is not widely used. In the case of Google, which didn’t add it to Chrome or Android, that’s not shocking: the world’s largest surveillance advertising company isn’t known for caring too much about user privacy. (Google declined to comment on the story.) A Mozilla spokesman said the company is “reviewing global privacy controls and actively considering the next steps in Firefox”. It’s not clear why Apple hasn’t joined the party yet or whether it plans to do so in the future. The company didn’t respond to multiple requests for comment over the past week.
In the past, Apple has used software design and App Store policies to protect users, filling the vacuum created by the lack of comprehensive data protection laws. In California and every other state that follows its lead – in Colorado, for example, companies must comply with global privacy control by 2024 – the law is finally ahead of technology. The public will not see the full benefit until the private sector catches up. However, when even a privacy-focused company like Apple isn’t interested, the wait may be longer than you think.
This story originally appeared on wired.com.