August 3, 2019

The way to end user tracking in apps once and for all

Commenting and improving on 'Thank Q, Next' by Bennett Cyphers, published on the Electronic Frontier Foundation's Blog.

In spirit, I wholeheartedly agree with Bennett’s blog post on user tracking in Android. However, he got the technical details wrong, and therefore his demands, disabling the Ad Id altogether and selectively granting internet permission on a per-app basis, simply won’t work in my opinion. Fortunately, there is a much more promising way to put a stop to the user tracking nuisance.

Misconceptions about the Ad ID

Common misconception: not everything that appears in the system settings is also part of the OS.
The first thing to understand about the Ad Id is that it is not part of the Android OS, but of the Google Play Services Framework. That is, it actually can be disabled by disabling the Google Play app. Sure, that means no longer being able to access the Play Store and download apps; however, when we are talking privacy, disabling the Play Store app, at least temporarily when it is not needed, is the way to go anyway.

The Ad Id is, of course, a festering boil on the settings screen, and the option to tell advertisers not to use it, with no way of enforcing that choice, is sheer mockery. Virtually every advertiser wants to track and virtually no user wants to be tracked. But asking Google to allow users to turn the Ad Id off completely is putting the cart before the horse.

Google’s motivation for coming up with this tracking API was to standardize a pattern that had privately been in use by advertisers for years. Even if the API were retired altogether, it wouldn’t change anything except drawing less attention to a bad practice.

The Ad Id pattern is so trivial to implement that even a junior developer, fresh from college, should have no trouble whipping up the code in less than an hour. In fact, sticking with a private implementation is, from an advertiser’s point of view, the way to go anyway. There is no good reason to use the standard API except saving a little bit of time at the cost of allowing the user to interfere with tracking.

Disabling Internet permission

Now, toggling internet access on a per-app basis would be a dream come true (especially if it were off by default). But why ask Google to implement this? As far as tracking is concerned, they are one of the biggest offenders, after all. Even if Google did comply for whatever strange reason, it wouldn’t help in the long run. Adware developers would just start building network state detection routines and nag screens into their apps.

Currently, users can’t install an app without implicitly granting its request for internet access permission. With a per-app toggle, they just wouldn’t be able to (properly) run it. Come to think of it, that’s probably worse, as it gives the app’s developer a better opportunity to get a foot in the door.

Addressing the real issue

Looking for a technical solution to put a curb on user tracking is pretty much a waste of time. The problem has become cultural. The ad industry has us convinced that privacy is a currency that can be traded for products and services. But unlike real money, there’s no metric for it. Money allows us to measure how much we spend, and there’s always the pain of paying involved, so we don’t spend lightly. With privacy, neither is the case. I can give it up completely and it still doesn’t feel like having less. That’s the reason why paying with data is so much more appealing to the average Joe than paying with money.

Another way to look at it is: the cost of money is having had to spend time working a job in the past, whereas the cost of privacy is maybe having to spend time in the future (e.g. clicking away ads, deleting spam, buying promoted products). The cost of money is real; the cost of privacy is abstract and hypothetical. That’s what makes parting with privacy easier than parting with money for most people.

What actually needs to be done is to raise the cost of privacy. Once it no longer fits into the advertisers’ customer acquisition budget, they will automatically stop tracking users in order to run personalized ad campaigns. So, how can this be accomplished? Well, here’s a radical idea: let’s tax privacy!

The privacy tax

Whenever we want to tax something, we need to be able to quantify it first. But what’s a “unit of privacy” and how much is it worth? Let’s start by looking at an example:

  • Alex reveals gender
  • Tony reveals gender and age
  • Sasha reveals gender, age and location
  • Jordan reveals location and income

Obviously, the tax rate should increase from Alex over Tony to Sasha, since more data is revealed. But what about Jordan? Is Jordan’s tax rate supposed to be lower (fewer datapoints) or higher (more sensitive information) when compared to Sasha?

From a seller’s perspective, the question is almost impossible to answer and inevitably results in comparing apples with oranges. So let’s try to turn the problem around and look at it from the opposite direction. On the ad market, data is only traded in a technical sense. Conceptually, what advertisers really buy from ad brokers are filtered consumer contacts. To illustrate: Parker works for the makeup industry and wants to market a newly developed lip gloss (pink, sparkly). Accordingly, Parker would pay an ad broker to get in touch with women aged 16 to 21. That is, consumers that revealed gender and age to the broker.

To an advertiser, it no longer matters which and how many datapoints an individual sells. Parker will buy neither the Alex nor the Jordan contact, since neither can match the specified consumer profile. Sasha’s profile may be more valuable to an ad broker (since the contact can be offered to a wider range of advertisers), but Parker is not going to pay extra for irrelevant location data. This means that, from the advertiser’s point of view, we don’t really need to deal with individual datapoints any more, but can take it to a higher level of abstraction and simply tax the ability to be contacted instead. In this model, measuring privacy is easy: an Ad Id (= the contact channel) is one unit.

As for the value of one unit of privacy, I’ll come to that in a bit, as I need to put another puzzle piece on the table first.

Putting it into Play (pun intended)

Google built Play into a monopoly, and for once that might be a good thing. If we can force Google to handle VAT for digital purchases, then we can certainly also force them to handle the privacy tax. In fact, let’s even put another twist on it and model the privacy tax after the VAT. That is, force the consumer to pay for it.

It's not 'free with ads', but 'paid for indirectly, expensively'.
Wait? What? Users are now supposed to pay for adware?! Yes! And when you think about it, it makes perfect sense, too.

The ad industry would have us believe that ads are actually “consumer information” and that personalized ads are better ads. So, unless that’s a lie, why wouldn’t consumers want to pay for a service presenting them with “consumer information” about products they supposedly want to buy? It’s, of course, a rhetorical question with an answer too obvious to spell out, and not the point anyway. The goal here is to get the deceptive “free with ads” mindset out of people’s heads again and replace it with a sense of value for privacy. Simply telling users that they should protect their privacy didn’t work, for the reasons laid out above. Forcing them to pay when attempting to trade it away will. Once there is a direct, negative cost associated with giving up privacy, people will immediately stop doing so.

Now, there might be some objection that charging money for adware will disrupt and uproot the app ecosystem. But that’s precisely the idea, isn’t it? User tracking is not desirable on any level. We want it to stop, and the only way to end it for good is by introducing a game changer with the potential to kill the underlying business model. And let’s be honest here, ad-supported is a shitty monetizing model for software to begin with. Ads work best when riding piggyback on a stream of fresh and cheap content. An (individual) app cannot be either. It simply costs too much to develop and has a fixed feature set. Pretty much the only two ways to make a living as an adware developer are:

  • Leverage someone else’s content for cheap (e.g. newsreader, weather widget,…)
  • Get lucky and go viral (burn through new users with almost zero acquisition cost and no retention).

Very few can pull it off. For the rest it’s just a money-losing business. So why does everyone try anyway? Simple. Google, being an ad broker itself, rigged the Playing field for app developers in favor of its own business model: “either sell your users to advertisers (preferably through AdMob) or don’t have any users at all when putting a price tag on your product. Your choice.” As far as Google is concerned, Android is an ad distribution platform, nothing more, nothing less, and apps are just someone else’s content that can be leveraged for cheap.

Forcing an upfront price tag on adware levels the playing field and gives app developers a fighting chance to sell their product directly.

And now we can finally answer the open question of how high the privacy tax should be. The answer is simple: if we don’t want app developers to sell their users to advertisers, then we need to offer them an alternative way to make a living. The easiest way is by making the privacy tax 100% of the average app sales price of the last 6 months.