Privacy By Design For Everyone

Targeted Advertising on Mobile

Mobile Advertising Is A Nightmare

Two recent studies in 2021, one from Oxford and one from University of Edinburgh, have attempted to develop metrics for how much advertising-related tracking of personal information and behavior actually happens on Android and iOS devices.

Shocking no one, the answer is: a lot. The first study compares the apps in iOS and Android, looking at the level of tracking and personal information that is gathered by these apps, much of it likely in violation of various privacy laws in the EU. The authors conclude that consolidation in the tracking industry means that few a companies (particularly Google, Apple, and Facebook) have extensive access to user activities, and Apple and Google have no incentive to reduce bad behavior among apps.

The second study examines various distributions of Android OS itself: how the different device manufacturers such as Samsung and Xiaomi include all sorts of tracking in the stock operating system that is included with their devices. CalyxOS has zero trackers built into the OS, although CalyxOS was not included in this study.

The Future of Mobile Advertising

Both Google and Apple have designed their operating systems to facilitate the process of turning your personal information into a revenue stream, for apps you have installed and ultimately for carriers, device manufacturers, and Google or Apple. This is not simply a question of advertising: the extent of the personal data accumulated for the purpose of marketing is truely staggering, and has increasing consequences in our everyday lives, including health care, insurance, credit, immigration, and incarceration.

After years of public criticism, both iOS and Android have gradually made it harder for app developers to track users without going through the recommended hoops. While it was once possible for normal apps to track users with immutable identifiers related to the device, such as the IMEI number, this is no longer possible.

For both iOS and Android, major changes are coming soon (or newly deployed) to make tracking user behavior across apps and platforms more difficult.

In iOS 14.5, users now have to opt-in to being tracked on a per-app basis (previously they could opt-out). In Android 12, the ability to opt-out of tracking will actually be enforced on a per-device basis (previously, the opt-out was just a flag sent to the apps, now the apps won’t get the tracking identifier).

The operating systems can enforce these changes because there are basically three identifiers that the vast majority of advertising networks and data brokers use to correlate user behavior and personal information:

  • Apple Advertising Identifier (IDFA): provided to each app by the OS on Apple devices and shared among all the apps.
  • Android Advertising ID (AAID): provided to each app by the Google Play Services on stock Android devices and shared among all the apps.
  • Facebook App User IDs: An additional unique identifier for a Facebook user account that can be used by the Facebook ad network if the app is privvy to the user ID (for example, if you used Facebook to authentication for the app or if you linked your account in any way).

The Google advertising network uses AAID (on both stock Android and iOS devices), Apple’s network uses IDFA (on iOS only), but most third party networks (including Facebook’s) can use all three. If you supply an app with an email address, or other unique identifier, that is certain to be used as well.

With the changes made by Google and Apple, there is likely to be attempts recover some of the lost revenue. As with websites, many apps may stop working if you have interest-based advertising disabled. Or, apps may attempt to track users by other means, such as building a unique fingerprint of the hardware by measuring slight variations in the sensors. Some website do this already with web browsers, allowing a website to uniquely identify a visitor even if all cookies are turned off (although this practice is not common). The use of any hardware-based identifiers for advertising tracking is strictly forbidden by the Google Play terms of service, but enforcement has always been lax.

Lest one think that Google and Apple are making these changes because of a sudden change in heart, the new privacy enhancements in their respective platforms have the consequence of limiting the information that advertisers have about your personal information, but not limiting how this information is retained by Google or Apple themselves, potentially increasing their strategic leverage over competitors.

How Does All This Relate to CalyxOS?

In CalyxOS, the Android Advertising ID (AAID) is always random, every single time an app requests the value. There is no way to turn off this behavior. Like it or not, CalyxOS prevents all tracking with the AAID, which has the effect of preventing most tracking by all ad networks and data brokers.

However, you will still see ads, and CalyxOS doesn’t do anything to prevent tracking through the Facebook ID.

With Android, if you want to block ads themselves you have two options:

  • rooted devices: install an app that modifies your system to block certain domains known to be used for tracking. This is a bad option, because running a device with root privileges completely undermines the security of your device. CalyxOS does not support this.
  • unrooted devices: install an app that sets up a fake VPN that filters out certain domains. This is also a bad option, because then you cannot run a real VPN.

For apps available in F-Droid, TrackerControl supports the VPN approach, and AdAway supports both rooted and VPN approaches. Additionally, there are numerous similar commercial apps available in Aurora Store.

In the future, CalyxOS will incorporate a simple way to block ads and tracking in apps, but in a way that does not require a rooted device and still works with VPN. This will allow you to both not see advertising in apps, and also prevent tracking that uses other networks that don’t rely on AAID.

One additional note: mobile carriers still have access to the hardware identifiers on Android and can use this to correlate hardware information with advertising IDs that might be reset. Verizon, for example, directly owns one of the largest advertising networks and is also the largest mobile carrier in the US. I have not seen research or reporting that answers the question of how Verizon uses it privileged position as a mobile carrier to enhance it’s ad network, but chances are they do. CalyxOS does not allow carrier apps with special access to hardware identifiers to be automatically installed (as is usually the case on stock Android), but these apps can still be installed manually through Aurora Store. The carrier obviously always knows most of the hardware identifiers, because that is how you connect to the mobile network, but the carrier only can tie this to your advertising identifier if they additionally have an app installed on the device.