privacy-tech-lab / gpc-android

Code and dynamic analysis scripts for GPC on Android
https://privacytechlab.org/
MIT License

What effect does opting out from ad tracking have? #48

Closed SebastianZimmeck closed 1 year ago

SebastianZimmeck commented 1 year ago

If a user sets their Android device such that tracking is no longer allowed (i.e., apps are not able to use the ad id anymore), what effect does that have on apps?

What does the device setting on the current Android version look like anyways? Can someone post a screenshot?

Some testing observing web traffic with pcap may lead to some insightful results here.

Possibly useful starting points:

wesley-tan commented 1 year ago

I will be using the comments to share my observations:

public boolean isLimitAdTrackingEnabled ()

Retrieves whether the user has limit ad tracking enabled or not. When the returned value is true, the returned value of [getId()](https://developers.google.com/android/reference/com/google/android/gms/ads/identifier/AdvertisingIdClient.Info#getId()) will always be 00000000-0000-0000-0000-000000000000 starting with Android 12 (but older devices may be problematic). This shows to me that integration with previous devices may be an issue. A naive AdID solution will only be able to work on certain phones where the getId function has that certain functionality (https://www.deccanherald.com/business/technology/android-12-list-of-devices-eligible-for-the-latest-google-mobile-os-1031367.html).

n-aggarwal commented 1 year ago

This should not be a huge problem because according to the Google AdId policy, if the user opts out of ad tracking, the developers have to respect the decision. So if the app continues to use the AdId after the user opts out, then it would be violating the Google Play policy and would be subject to appropriate consequences. Additionally, according to the policy, the app is required to check if a user has opted out from ad tracking on each access of the ID.

Here is an excerpt from their policy:

Usage. The Android advertising identifier (AAID) must only be used for advertising and user analytics. The status of the “Opt out of Interest-based Advertising” or “Opt out of Ads Personalization” setting must be verified on each access of the ID.

Respecting users' selections. If reset, a new advertising identifier must not be connected to a previous advertising identifier or data derived from a previous advertising identifier without the explicit consent of the user. You must abide by a user’s “Opt out of Interest-based Advertising” or “Opt out of Ads Personalization” setting. If a user has enabled this setting, you may not use the advertising identifier for creating user profiles for advertising purposes or for targeting users with personalized advertising. Allowed activities include contextual advertising, frequency capping, conversion tracking, reporting and security and fraud detection. On newer devices, when a user deletes the Android advertising identifier, the identifier will be removed. Any attempts to access the identifier will receive a string of zeros. A device without an advertising identifier must not be connected to data linked to or derived from a previous advertising identifier.

https://support.google.com/googleplay/android-developer/answer/9857753?hl=en&ref_topic=9857752

wesley-tan commented 1 year ago

Another aspect I am interested in is in-app browsers (https://www.pcmag.com/opinions/psa-stop-using-in-app-browsers-now) (https://www.axios.com/2022/08/26/in-app-browsers-privacy-data). From what I can tell, browser apps can use both third-party cookies (although Google Chrome is trying to phase this out - https://www.bidnamic.com/en-us/resources/google-is-phasing-out-third-party-cookies#:~:text=Google%20is%20currently%20set%20to,less%20intrusive%20targeted%20advertising%20technologies.) and AdID (I believe as long as they use the AdID API they will be able to track via AdID), but for non-browser apps, they are only privy to AdID, with the exception of non-browser apps with in-app browsers (Instagram, TikTok) (https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser) (https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser).

kasnder commented 1 year ago

> This should not be a huge problem because according to the Google AdId policy, if the user opts out of ad tracking, the developers have to respect the decision. So if the app continues to use the AdId after the user opts out, then it would be violating the Google Play policy and would be subject to appropriate consequences. Additionally, according to the policy, the app is required to check if a user has opted out from ad tracking on each access of the ID.
>
> Here is an excerpt from their policy:
>
> Usage. The Android advertising identifier (AAID) must only be used for advertising and user analytics. The status of the “Opt out of Interest-based Advertising” or “Opt out of Ads Personalization” setting must be verified on each access of the ID.
>
> Respecting users' selections. If reset, a new advertising identifier must not be connected to a previous advertising identifier or data derived from a previous advertising identifier without the explicit consent of the user. You must abide by a user’s “Opt out of Interest-based Advertising” or “Opt out of Ads Personalization” setting. If a user has enabled this setting, you may not use the advertising identifier for creating user profiles for advertising purposes or for targeting users with personalized advertising. Allowed activities include contextual advertising, frequency capping, conversion tracking, reporting and security and fraud detection. On newer devices, when a user deletes the Android advertising identifier, the identifier will be removed. Any attempts to access the identifier will receive a string of zeros. A device without an advertising identifier must not be connected to data linked to or derived from a previous advertising identifier.
>
> https://support.google.com/googleplay/android-developer/answer/9857753?hl=en&ref_topic=9857752

This underlines that use of the AdId is still possible for non-advertising purposes, including the building of profiles for non-advertising purposes.

The policies also only speak of 'you'. It's unclear if third-parties may use the AdId for advertising, even after opt-out. Probably yes.

Further, it seems to be permitted to use an AdId, even after opt-out, if this has been collected prior to opt-out. This does not seem compatible with GDPR, where data must be deleted if opting out is seen as an objection to legitimate interests (GDPR Art. 21(1)) or advertising (GDPR Art. 21(2)), or as a withdrawal of consent.

kasnder commented 1 year ago

> I will be using the comments to share my observations:
>
> public boolean isLimitAdTrackingEnabled ()
>
> Retrieves whether the user has limit ad tracking enabled or not. When the returned value is true, the returned value of [getId()](https://developers.google.com/android/reference/com/google/android/gms/ads/identifier/AdvertisingIdClient.Info#getId()) will always be 00000000-0000-0000-0000-000000000000 starting with Android 12 (but older devices may be problematic). This shows to me that integration with previous devices may be an issue. A naive AdID solution will only be able to work on certain phones where the getId function has that certain functionality (https://www.deccanherald.com/business/technology/android-12-list-of-devices-eligible-for-the-latest-google-mobile-os-1031367.html).

Does removing the AdId also set this flag isLimitAdTrackingEnabled() to true in Android 12+?

SebastianZimmeck commented 1 year ago

To further explore the question "What effect does opting out from ad tracking have?" we will do the following:

Screenshots and API references posted here would be helpful for next week's discussion.

n-aggarwal commented 1 year ago

I think I have found a conclusive answer on the use of AdId for Ad tracking. The Android developer site says that AdId is the only Identifier that should be used for the purposes of profiling and Advertising. Here are some parts of the document:

"Only use an Advertising ID for user profiling or ads use cases. When using an Advertising ID, always respect users' selections regarding ad tracking. If you must connect the advertising identifier to personally-identifiable information, do so only with the explicit consent of the user."

"Don't bridge Advertising ID resets."

"Ads Targeting In this case, your app builds a profile of a user's interests, to show them more relevant ads. Recommended identifier to use: If your app uses an ID for ads and uploads or publishes to Google Play, that ID must be the Advertising ID. Why this recommendation? This is an ads-related use case which might require an ID that is available across your organization's different apps, so using an Advertising ID is the most appropriate solution. Use of the Advertising ID is mandatory for advertising use cases, per the Google Play Developer Content Policy, because the user can reset it. Regardless of whether you share user data in your app, if you collect and use it for ads purposes, you need to declare the ads purposes in the Data safety section of the App content page in the Play Console."

"Also, be aware that the Google Play Developer Content Policy requires that the Advertising ID "must not be connected to personally-identifiable information or associated with any persistent device identifier (for example: SSAID, MAC address, IMEI, etc.,).""

So if the user deletes their adId, in effect that would mean that they opted out of tracking. I don't however think that this blocks the use of cookies in WebViews in apps because cookies are not an Id, so they would not be subject to this. (Are WebView cookies deletable?)

I am also a bit concerned about the "explicit consent". According to Android policy you are only required to include two buttons-- "Agree" and "Not now/Skip". So in theory, the developers could repeatedly ask for the permission again and again, until the user agrees through fatigue, but I don't think this is a big issue because as of right now, I haven't noticed any apps doing this, especially not for AdId.

References: https://developer.android.com/training/articles/user-data-ids https://support.google.com/googleplay/android-developer/answer/11150561#zippy=%2Cuser-interface-ui

n-aggarwal commented 1 year ago

Here are a few screenshots and a short video of accessing and using the AdId settings on Android 13:

https://user-images.githubusercontent.com/121606501/229375006-2d78d768-03ed-47ba-8f36-5cefde34c8af.mp4

SebastianZimmeck commented 1 year ago

Thanks, @n-aggarwal! Do you also have a screen of the opt out option, i.e., opting out from tracking (assuming such exists)?

n-aggarwal commented 1 year ago

I haven't seen the opt out from tracking option on my phone (Android 13). I think it was removed for Android 12 and later versions and that option was replaced with the Delete AdId option.

SebastianZimmeck commented 1 year ago

> I think it was removed for Android 12 and later versions and that option was replaced with the Delete AdId option.

But that delete AdID option just replaces the current AdID with another one, right? So that does not stop tracking. It just creates a new starting point for tracking.

Also, in older Android versions, think Nougat, etc., to my knowledge there was never a Do Not Track me (i.e., zero-out AdID) option. @n-aggarwal and @wesley-tan, can you check whether such existed at any time?

Because that is our premise.

SebastianZimmeck commented 1 year ago

What does the "Delete advertising ID" above actually do?

When you delete your advertising ID, does it create a new one, your AdID is zeroed out, something else, ...?

n-aggarwal commented 1 year ago

When you delete the AdId, it is zeroed out-- disabling personalized ads. When you reset the AdId then the old AdId is just replaced by a new one, creating a new starting point for tracking.

So in essence, the "Deleting Advertising Id" does equal the "Do Not Track me" from the older versions.

wesley-tan commented 1 year ago

[Screenshot 2023-04-03 at 10 38 26 PM] [Screenshot 2023-04-03 at 10 38 34 PM]

On top of that, the path at Settings is the same for both (in terms of Settings >> Google >> Ads). I believe that we can check the Android version through something like the following:

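```java
import android.os.Build;

// Branch on the API level of the running device (S = Android 12).
int currentVersion = Build.VERSION.SDK_INT;
if (currentVersion >= Build.VERSION_CODES.S) {
    // code for Android 12 or above
} else {
    // code for Android 11 and below
}
```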

SebastianZimmeck commented 1 year ago

> I believe that we can check the Android version through something like the following

Yes, that is important. We want to surface the "Deleting Advertising Id", "Do Not Track me", or whatever else the setting is called that zeroes out the AdID in the various Android versions. So, we may have to detect in our app which version of Android is installed on a device (maybe, also not, if the API is the same, and it is just the UI that is different in the different Android versions).

kasnder commented 1 year ago

> I think I have found a conclusive answer on the use of AdId for Ad tracking. The Android developer site says that AdId is the only Identifier that should be used for the purposes of profiling and Advertising. Here are some parts of the document:
>
> "Only use an Advertising ID for user profiling or ads use cases. When using an Advertising ID, always respect users' selections regarding ad tracking. If you must connect the advertising identifier to personally-identifiable information, do so only with the explicit consent of the user."
>
> "Don't bridge Advertising ID resets."
>
> "Ads Targeting In this case, your app builds a profile of a user's interests, to show them more relevant ads. Recommended identifier to use: If your app uses an ID for ads and uploads or publishes to Google Play, that ID must be the Advertising ID. Why this recommendation? This is an ads-related use case which might require an ID that is available across your organization's different apps, so using an Advertising ID is the most appropriate solution. Use of the Advertising ID is mandatory for advertising use cases, per the Google Play Developer Content Policy, because the user can reset it. Regardless of whether you share user data in your app, if you collect and use it for ads purposes, you need to declare the ads purposes in the Data safety section of the App content page in the Play Console."
>
> "Also, be aware that the Google Play Developer Content Policy requires that the Advertising ID "must not be connected to personally-identifiable information or associated with any persistent device identifier (for example: SSAID, MAC address, IMEI, etc.,).""
>
> So if the user deletes their adId, in effect that would mean that they opted out of tracking. I don't however think that this blocks the use of cookies in WebViews in apps because cookies are not an Id, so they would not be subject to this. (Are WebView cookies deletable?)
>
> I am also a bit concerned about the "explicit consent". According to Android policy you are only required to include two buttons-- "Agree" and "Not now/Skip". So in theory, the developers could repeatedly ask for the permission again and again, until the user agrees through fatigue, but I don't think this is a big issue because as of right now, I haven't noticed any apps doing this, especially not for AdId.
>
> References: https://developer.android.com/training/articles/user-data-ids https://support.google.com/googleplay/android-developer/answer/11150561#zippy=%2Cuser-interface-ui

Interesting. I would imagine though that those developer docs aren't contractually binding.

SebastianZimmeck commented 1 year ago

The conclusion here is that the different versions of Android zero-out the AdID upon opting out or deleting.
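
One way to check the conclusion above against captured traffic, as suggested at the top of the thread (an added example, not part of the thread or of the gpc-android code): given the AdID a test device showed before opt-out, it flags requests captured after opt-out that still carry that ID (plain, unhyphenated or hashed), the zeroed ID, or some other UUID. The hosts, parameter names, sample ID and the set of encodings checked are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import unquote

ZERO_ID = "00000000-0000-0000-0000-000000000000"
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

def id_variants(adid):
    """Forms in which a known AdID may appear on the wire (assumed set)."""
    base = adid.lower()
    forms = {base, base.replace("-", "")}
    for algo in ("md5", "sha1", "sha256"):
        forms.add(hashlib.new(algo, base.encode()).hexdigest())
    return forms

def classify_request(text, known_adid):
    """Return the findings for one captured request (URL plus body)."""
    decoded = unquote(text).lower()      # undo %-encoding, ignore case
    findings = set()
    if any(v in decoded for v in id_variants(known_adid)):
        findings.add("known_adid")       # pre-opt-out ID is still being sent
    if ZERO_ID in decoded:
        findings.add("zeroed_adid")      # recipient sees the zeroed-out ID
    for match in UUID_RE.findall(decoded):
        if match not in (ZERO_ID, known_adid.lower()):
            findings.add("other_uuid")   # different identifier, review by hand
    return findings

def audit(requests, known_adid):
    """Map host -> findings over (host, request) pairs captured after opt-out."""
    report = {}
    for host, text in requests:
        found = classify_request(text, known_adid)
        if found:
            report.setdefault(host, set()).update(found)
    return report

# Constructed sample data: not real traffic; hosts, keys and IDs are made up.
KNOWN = "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"
SAMPLE = [
    ("ads.example", "GET /bid?rdid=00000000-0000-0000-0000-000000000000&lat=1"),
    ("track.example", "POST /e id=" + hashlib.md5(KNOWN.encode()).hexdigest()),
    ("cdn.example", "GET /img/logo.png"),
    ("sdk.example", "GET /v1?device=1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D"),
    ("api.example", "GET /s?session=9f1c2d3e-4b5a-4c6d-8e7f-0a1b2c3d4e5f"),
]

if __name__ == "__main__":
    for host, found in sorted(audit(SAMPLE, KNOWN).items()):
        print(host, sorted(found))
```

A `known_adid` finding after opt-out means the ID collected earlier is still in use; `other_uuid` hits are only candidates, since session tokens and install IDs share the UUID format.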