Media Review #17: Apple’s Double Trouble, Privacy Sandbox Progresses, AWS Clean Rooms, and other news

(Last Updated On: December 7, 2023)

In this Media Review, we bring together 5 stories, including Apple facing a new lawsuit over its data collection practices, the Privacy Sandbox expansion for web testing in 2023, and the EU’s Digital Services Act entering into force.

Apple faces new lawsuit over its data collection practices in first-party apps, like the App Store – TechCrunch

= The article announces that a new class action lawsuit is being filed against Apple by plaintiff Elliot Libman and other impacted customers. The grounds for this are the revelations from Gizmodo’s report, published just a few days prior to the lawsuit announcement, which documented that Apple still tracks iOS users even when they select the “disable the sharing of Device Analytics altogether” option. Gizmodo points out that first-party apps, such as the App Store, continue to send the same amount of analytics data before and after consent is withdrawn. This constitutes a violation of the California Invasion of Privacy Act (CIPA) and, according to the plaintiffs, makes Apple’s marketed privacy-at-heart approach “utterly false”.

= The story continues with a tweet published by the security researchers known as Mysk. They reported that Apple’s first-party applications send an identifier called Directory Services Identifier (DSID), which allows Apple to uniquely identify iCloud accounts and cannot be disabled. They also proved that the DSID is linked to the name, email, and any data stored on iCloud. The authors of the report point out that, under the reported circumstances, Apple’s “none of the collected information identifies you personally” statement in the Device Analytics & Privacy policy is untrue.

AWS Announces AWS Clean Rooms – Amazon Press Center

= Amazon announces the launch of AWS Clean Rooms, a feature intended to provide a safe space for separate entities to combine, analyze, and collaborate on data. It also states that AWS aims to introduce LiveRamp’s identity resolution within its Clean Rooms product in the next few months to make data matching easier.

= Additionally, Amazon Ads is reported to have started testing FLEDGE interest groups. Ian Meyers acknowledges that to this point there have only been 2 active testing entities other than Google – RTB House and Criteo – so such a huge player joining the testing community is a big deal for FLEDGE’s future.

Expanding Privacy Sandbox for the Web testing into 2023 – Chrome Developers

= Google emphasizes that good testing takes time and keeps on enlarging the scope of the trials while making the actions planned for 2023 more transparent – the first half is a test-and-learn phase by separate testers for individual APIs, and the second half is about launching the Privacy Sandbox to all Chrome users so that testing is performed for all its sub-solutions at scale in combination.

= The Privacy Sandbox origin trial multiplies its scale with Google’s request to expand the page load threshold from 0.5% to 5% so now testing will include up to 5% of page loads for up to 5% of the Chrome users.

= Additionally, the Android Privacy Sandbox will enter Beta in early 2023, according to AdExchanger, which marks yet another milestone for Google’s mobile environment. The article states that while the majority of its characteristics are a copy of what Privacy Sandbox for desktop has to offer at this point, there is one distinguishing feature that makes Android’s future upgrade ever so impactful – SDK Runtime. It is emphasized that this will technically enable blocking third-party applications from accessing, collecting, and sharing device data (AKA fingerprinting). On top of that, the article suggests that GAID (Google Ad ID) might be completely disabled in the future.

A set of news on limiting covert tracking techniques: Safari on disguised third-party trackers, Chrome on tracking via federated identity, IP addresses and Accept-Language header – Apple WebKit, Developer Chrome, GitHub

= As part of Safari 157, Apple introduces restrictions on the use of first-party cookies for tracking purposes. The most important change is to cap the lifetime of first-party cookies that respond to third-party IP addresses to 7 days. This is another installment of the fight against so-called CNAME cloaking, which consists of hiding third-party trackers under the guise of first-party cookies.

= Chrome introduces Federated Credential Management API along with the stable version of Chrome 108. It’s a privacy-preserving tool to sign in to websites by trusted third-party identity providers, which up to this point has been only supported by Google Accounts, but credential providers are encouraged by developers to use this API.

= Another feature that has been evolving, and that will make life harder for entities leveraging third-party trackers, is IP Protection (formerly known as Gnatcatcher). It aims to impede cross-site tracking by anonymizing IP addresses using a proxy, but only for a list of third parties that are known for using those addresses for cross-site tracking.

= Last but not least, Google launches an origin trial for Accept-Language Reduction with Chrome 109 Beta. This solution is going to limit fingerprinting surfaces by cutting the user’s language preferences in the Accept-Language header to only their first most-preferred language.
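The 7-day cap on cookies set from third-party IP addresses, described in the Safari item above, can be sketched as follows so a site owner can check which of their own subdomains would have cookies shortened. This is an added example, not WebKit's code and not from the linked articles; it assumes "third-party IP address" means the response address does not share the leading half of its bits (16 for IPv4, 64 for IPv6) with the main document's address, and all function names, hosts and addresses are constructed.

```python
import ipaddress
from datetime import timedelta

CAP = timedelta(days=7)  # cookie lifetime cap stated in the article

# Assumption of this sketch: how many leading bits must match for a
# response to count as coming from the same party as the main document.
PREFIX_BITS = {4: 16, 6: 64}


def same_party_ip(main_ip: str, response_ip: str) -> bool:
    """True when both addresses share the leading half of their bits."""
    main = ipaddress.ip_address(main_ip)
    resp = ipaddress.ip_address(response_ip)
    if main.version != resp.version:
        # Mixed IPv4/IPv6 cannot be compared; this sketch treats it as third party.
        return False
    net = ipaddress.ip_network(f"{main}/{PREFIX_BITS[main.version]}", strict=False)
    return resp in net


def effective_lifetime(requested: timedelta, main_ip: str, response_ip: str) -> timedelta:
    """Lifetime the cookie would actually get under the assumed rule."""
    if same_party_ip(main_ip, response_ip):
        return requested
    return min(requested, CAP)


def capped_hosts(observations):
    """Return hosts whose cookies would be shortened by the cap."""
    hits = []
    for host, main_ip, response_ip, days in observations:
        requested = timedelta(days=days)
        if effective_lifetime(requested, main_ip, response_ip) < requested:
            hits.append(host)
    return hits


# Constructed sample: (cookie-setting host, main document IP, response IP, requested days)
SAMPLE = [
    ("www.example.test", "192.0.2.10", "192.0.2.10", 365),
    ("metrics.example.test", "192.0.2.10", "198.51.100.7", 365),  # resolves off-network
    ("cdn.example.test", "192.0.2.10", "203.0.113.5", 1),         # already under the cap
]

if __name__ == "__main__":
    print(capped_hosts(SAMPLE))
```
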

EU’s Digital Services Act enters into force — but no confirm if Twitter will feel its full force yet – TechCrunch

= TechCrunch reports that the Digital Services Act (DSA) came into force as of 16th Nov 2022 – digital platform owners have 3 months to report their active user numbers. These are needed for the European Commission to determine which products are VLOPs (Very Large Online Platforms) or VLOSEs (Very Large Online Search Engines) under the DSA, and therefore subject to tougher oversight.

= The author notes that the European Centre for Algorithmic Transparency (ECAT) is being set up to support the supervision of VLOPs/VLOSEs by providing internal expertise with algorithmic auditing.
