We often say cybersecurity is a team sport, but, pending a public advocacy campaign from one major tech developer to another, the same might be true for online privacy.
Mozilla is currently getting people around the world to lend their voices toward Apple, asking that the company place some extra barriers between iPhone users and online advertisers. Though cybersecurity researchers disagree about the technology behind the request, the campaign has proved popular. In little over a week, more than 11,000 individuals put their names to the cause.
Public advocacy campaigns, common amongst digital rights groups, are a tried-and-true practice for Mozilla, which racked up a couple wins in the past year-and-a-half. And, while such campaigns often target privacy abusers, Mozilla’s petition to Apple is different—it puts the pressure on another privacy champion.
So, why spend the time to push Apple to raise the bar? Because, according to Mozilla, it could work, which could then lead to an outsized benefit for users everywhere.
“Apple’s track record of protecting user privacy was actually a motivation, and not a deterrent, for launching this campaign,” said a spokesperson from Mozilla’s advocacy team. “It’s an issue they clearly care about, so we’re encouraging them to do better.”
Apple has not yet responded to the petition, and it did not respond to a request for comment, but if Mozilla succeeds, it will have made an important point: When the technology industry pushes itself to better respect user privacy, we all win.
The petition and the tech
In mid-April, Firefox developer Mozilla launched a public petition at Apple. The browser-making nonprofit asked Internet users around the world to push the world’s richest company into making one small change to its iPhones—regularly rotate an internal ID that lets advertisers track users’ online behavior.
“There is a unique ID living on your iPhone right now that allows advertisers to track the ads you click on, the videos you play, and the apps you install,” Mozilla wrote about the iPhone ID code, which is called an “ID for Advertisers,” or IDFA. Though the ID cannot reveal an iPhone user’s identity—and users can actually turn the identifying feature off—Mozilla argued that it still poses a roadblock to privacy.
“It’s like a salesperson following you from store to store while you shop and recording each thing you look at,” wrote Mozilla Vice President of Advocacy Ashley Boyd in a related blog. Pushing back against Apple’s recent advertising campaign that bills the iPhone as the near-definition of privacy, Boyd wrote: “Not very private at all.”
Cybersecurity researchers are split on the idea. Some experts—including Thomas Reed, director of Mac and mobile at Malwarebytes—actually called for even tougher privacy controls.
“I think that Apple should disable ad tracking and location-based ads by default, rather than the user having to opt out,” Reed said, referring to users’ ability to turn off the IDFA capabilities. “That would provide way more benefit than what Mozilla proposes.”
Forrester Research senior analyst John Zelonis, in speaking to ThreatPost, shared Reed’s sentiment, explaining that monthly IDFA changes—as Mozilla proposed—would not meaningfully impede on advertisers’ ability to track users online.
“Rolling the IDFA on a monthly basis would only be an effective anonymizer if the app owners weren’t able to track a user across those newly-generated IDFAs using login sessions or other methods of associating a user to an IDFA,” Zelonis told the outlet. “The impact of making this change would likely only increase the value of the data collected by apps that are finding ways to track across IDFA, not necessarily solve the problem at hand.”
However, a separate researcher also told ThreatPost that Apple should not have to change a thing.
“Apple’s current way of handling the IDFA is the correct one,” the researcher said.
Despite the researchers’ disagreements, there’s a separate story here. It’s about privacy champions pushing one another to do better.
Privacy vs. privacy
For years, Mozilla has not only advocated for privacy, it has also developed it into online tools.
In 2017, Mozilla released its privacy-focused Android web browser, Firefox Focus, earning more than one million downloads in the first month. In 2018, Mozilla developed a browser add-on to give users a more private experience when using Facebook, making it harder for the social media giant to collect information away from the platform itself. In the past two months, Mozilla has also released a secure file transfer service and a password manager.
The nonprofit then pivoted, using its earned reputation in privacy to push others to do better.
In 2018, before the release of Amazon’s “Echo Dot Kids Edition”—which includes a version of the smart assistant Alexa that tells children “wake-wakey, eggs and bakey”—Mozilla asked the retail giant to open up about how it would collect children’s data.
Months later, Mozilla launched a public campaign about the payment processing app Venmo, gathering 25,000 signatures to steer the company into making users’ payment transactions private by default.
“It’s a tactic we use often,” said the Mozilla spokesperson. “We’ve learned that when companies hear from consumers, they act.”
As an example, the spokesperson pointed to Mozilla’s success in getting Target and Walmart to stop selling a hackable children’s toy last summer.
Despite Mozilla’s familiarity with this turf, the target is new: Apple has a far better track record than Amazon or Venmo in defending user privacy.
In 2015, Apple began its famous fight against a government request to build a workaround to its secure mobile operating system. The workaround—which many in the technology community called a “backdoor”—would have let the FBI access encrypted data on a suspected terrorist’s iPhone. But the demand pushed too far, said Apple CEO Tim Cook in an open letter published the day after his company received the legal order.
“Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation,” Cook wrote. “In the wrong hands, this software—which does not exist today—would have the potential to unlock any iPhone in someone’s physical possession.”
Apple’s stance won the approval of many privacy rights advocates, including the American Civil Liberties Union, Electronic Frontier Foundation, and Center for Democracy and Technology. The move also won the approval of Mozilla, conjuring executive-penned op-eds in both Time and CNN.
It is these two tech developers’ strong privacy records that makes Mozilla’s petition seem more like a friendly reminder than a stern warning. But no matter the tone, if Mozilla gets the iPhone maker to move, the impact could go beyond Apple’s ecosystem.
As Mozilla’s Boyd wrote:
“If Apple makes this change, it won’t just improve the privacy of iPhones—it will send Silicon Valley the message that users want companies to safeguard their privacy by default.”