App Tracking Transparency in Free VPNs
Since April 2021, iOS apps have had to ask permission before tracking your activity across other apps and websites in order to deliver targeted advertising.
This “Request to Track” should appear as a dialog box every time you install a new app containing ads on your iPhone or iPad, unless you have opted to universally block them in your privacy settings.
This new feature, dubbed “App Tracking Transparency”, is part of Apple’s ongoing public pivot to privacy. That strategy also included the launch of new App Store privacy labels, which we found to be flawed in a recent VPN (Virtual Private Network) app investigation.
In light of those findings and Apple’s spotty record at enforcing its own privacy guidelines, we decided to investigate whether free VPN app developers actually comply with users’ wishes when they refuse to consent to ad tracking.
This issue is of particular importance for VPN users, given the privacy-focused nature of personal Virtual Private Networks.
As most free apps generally are supported by advertising, it’s in their developers’ interest for you to say yes to ad tracking. Targeted ads are more effective, which means more revenue for the developers.
In the screenshots below you can see how the hugely popular free VPN app Hotspot Shield tries to nudge you into allowing ad tracking in a splash screen that’s displayed immediately before the “Request to Track” dialog.
Note that Hotspot Shield was one of the tiny minority of free VPN apps (15%) that actually respected users’ refusal to permit ad tracking.
Unfortunately, we found that the majority of apps are so desperate for revenue that they continue to share tracking data with advertisers even when consent is denied.
In the course of our investigation we also discovered that over a third of free VPN apps ignore Apple’s supposedly mandatory guidelines and fail to seek consent at all.
We also found a loophole exploited by the 80% of the VPN apps we tested, whereby they shared tracking data with advertisers in the window between first launching the app and the Request to Track being made.
How did we test the VPN apps?
To conduct our research, we identified the 20 most popular ad-supported free VPN apps on the U.S. version of Apple’s App Store. In a controlled testing environment, we installed each app and monitored its network traffic as we launched it then connected and disconnected to various VPN servers.
After determining the point that we denied the Request to Track, we were able to identify any subsequent traffic to third-party advertisers that contained user data that could be used for tracking.
We found three types of user data:
- Real IP address
- Highly-detailed device information with the potential for fingerprinting
- Basic device information
The sharing of a VPN user’s real IP address with third-party advertisers is particularly problematic given the core functionality of a VPN involves hiding that information.
The highly-detailed device info comprised long lists of very specific data points, some of which included:
- Network operator
- Free memory
- Battery level
- Screen brightness
- Device volume
- Device name (ie Bob’s iPhone)
- Free storage space
- Last time device was switched on
- Screen height
- Network Connection Type (ie WiFi)
- Screen width
- iOS version
- Device model
As with browser fingerprinting, the collection of such granular information about your device can be used to identify and track you. Apple says fingerprinting is against its rules.
We classed as “basic device information” any data sharing with advertisers that was limited to iPhone model, iOS version, screen height and width, language and country, along with some other general data points.
This basic information can’t strictly be used by advertisers to track you. However, we included it in our findings as in our view it should be made clear that this type of data will continue to be shared with advertisers even when you refuse to allow ad tracking.
Why did we do this research?
We’ve been campaigning to force Apple to pay more than lip service to its own guidelines as they relate to iOS VPN apps since 2018.
Free VPN apps are hugely popular, not only in the U.S. and Europe but also and especially in the global south and with people living in high-censorship regimes.
We want Apple to treat privacy as more than just a marketing gimmick that lulls iOS users into a false sense of security.
The goal of this investigation is put pressure Apple to actually enforce its own app privacy guidelines and remove any apps from its store that are in breach.
This would make it easier for anyone to choose a free VPN with peace of mind about their privacy.