The Privacy Battle That Apple Isnt Fighting
For at least a decade, privacy advocates dreamed of a universal, legally enforceable âDo not trackâ setting. Now, at least in the most populous state in the US, that dream has become a reality. So why isnât Appleâ"a company that increasingly uses privacy as a selling pointâ"helping its customers take advantage of it?
When California passed the California Consumer Privacy Act in 2018, it came with a large asterisk. In theory, the law gives California residents the right to tell websites not to sell their personal data. In practice, exercising that right means clicking through an interminable number of privacy policies and cookie notices, one by one, on every site you visit. Only a masochist or a die-hard privacy enthusiast would go to the trouble of clicking through to the cookie settings every time theyâre looking up a menu or buying a vacuum. Privacy will remain, for most people, a right that exists only on paper until thereâs a simple one-click way to opt out of tracking across the whole internet.
The good news is, that ideal is inching closer and closer to reality. While the CCPA doesnât explicitly mention a global opt-out, the regulations interpreting the law issued by the California attorney general in 2020 specified that businesses would have to honor one just as they do individual requests. The technology for a universal opt-out didnât actually exist yet, but last fall, a coalition of companies, nonprofits, and publishers unveiled a technical specification for a global privacy control that can send a CCPA-enforceable âDo not trackâ signal at the browser or device level.
Today, if you live in California, you can enable the global privacy control by using a privacy browser like Brave or downloading a privacy extension, like DuckDuckGo or Privacy Badger, in whatever browser you already use. (Seriously, go do it. The full list of options is here.) Once you do, youâll automatically tell sites you visit âDo not sell my personal informationâ without having to click anythingâ"and, unlike with previous efforts to create a universal opt-out, any decent-size company that does business in California will be legally obligated to comply, which requires adding just a few lines of code to their website.
The state of CCPA enforcement remains murky, because some businesses object to the attorney generalâs broad interpretation of the law. But Californiaâs government has begun making clear that it intends to enforce the global privacy control requirement. (The more recently passed California Privacy Rights Act, which goes into full effect in 2023, makes this requirement more explicit.)
In mid-July, Digiday reported that attorney general Rob Bontaâs office had âsent at least 10 and possibly more than 20 companies letters that call on them to honor the GPC.â And an item appeared on a recent list of CCPA enforcement actions on the attorney generalâs website noting that a company had been forced to start honoring the signal.
Now, the bad news. While itâs a lot easier to install a privacy extension or browser than click through a million privacy pages, the vast majority of people are still unlikely to do so. (It remains to be seen whether DuckDuckGo papering Americaâs highways and cities with billboards will inspire a new wave of privacy connoisseurs.)
This matters quite a bit, because online privacy rights are collective, not individual. The trouble with pervasive tracking is not merely that it can allow someone to access your personal location data and use it to ruin your life, as recently happened to a Catholic priest whose commercially available Grindr data revealed a pattern of frequenting gay bars. Even if you personally opt out of tracking, youâre still living in a world shaped by surveillance. Tracking-based advertising contributes to the decline of quality publications by eating away at the premium that advertisers pay to reach their audiences. Cheaper to find those readers on social media or even on bottom-feeding extremist news sites. It turbocharges the incentive to relentlessly maximize engagement on social media platforms. None of that will go away until a critical mass of people opt out of being tracked across the board.
Thatâs why one absence from the list of companies supporting the global privacy control is so conspicuous. Apple burnished its already strong reputation on privacy earlier this year by introducing App Tracking Transparency, a setting that flips the privacy default on iOS devices by forcing apps to get a userâs permission before sharing their data. That is a genuinely big step forward for privacy, since the difference between being opted out by default and opted in is enormousâ"and indeed, early reports suggest that most iPhone users are declining to give apps permission to track them.
But Apple, despite its stated (and heavily advertised) commitment to privacy, has not incorporated the global privacy control into Safari, the most popular mobile browser in the US and the second-most-popular desktop browser. Nor has it built it into iOS, which accounts for more than half of the US mobile operating system market. That means itâs not doing as much as it could to protect tens of millions of users from having their data sold and shared. The App Tracking Transparency framework is important, but it relies on Apple catching app developers who violate the policy. Safariâs tracking-prevention feature, meanwhile, relies on a technical approach to blocking cookies and other trackers that can often be circumvented.
âFor years, companies have found ways to circumvent technical privacy protections. Itâs basically an arms race,â says Ashkan Soltani, a privacy researcher who helped develop the global privacy control. âTechnical tools are not enough. You need to have the force of law behind it.â Thatâs where the global privacy control is crucially different from existing tracking prevention. If a business disregards it, it isnât just violating terms of service or evading some codeâ"itâs breaking the law and risks being slapped with major fines or penalties.
So far, however, none of the biggest browsers have incorporated the feature, keeping it from widespread adoption. This is not shocking in the case of Google, which hasnât added it to Chrome or Android: The worldâs biggest surveillance advertising company is not exactly known for caring much about user privacy. (Google declined to comment for this story.) A Mozilla spokesperson said the company is âlooking into the global privacy control and actively considering next steps in Firefox.â It isnât clear why Apple hasnât yet joined the party or whether it plans to in the future. The company didnât respond to multiple requests for comment over the past week.
In the past, Apple has used software design and App Store policies to protect users, stepping into the vacuum created by the lack of comprehensive privacy legislation. Now, in California and any other states that follow its leadâ"Colorado, for example, will require businesses to honor the global privacy control starting in 2024â"the law has finally gotten ahead of the technology. The public wonât start seeing the full benefits until the private sector catches up. If even a privacy-centric company like Apple isnât interested, though, the wait might be longer than you'd think.
More Great WIRED Stories
0 Response to "The Privacy Battle That Apple Isnt Fighting"
Post a Comment