Apple vs. Facebook is Kayfabe from Infrequently Noted RSS feed.
Apple vs. Facebook is Kayfabe

Apple vs. Facebook is, and always was, kayfabe. In reality, Apple is Facebook's chauffeur; holding Zuck's coat while Facebook[1] wantonly surveils iPhone owners.[2]

Facebook and Apple mugged convincingly for the cameras as "App Tracking Transparency" rolled out, talking up the impact to Facebook's business. But San Mateo's profits tell a very different story. Net income dipped between late 2021 and early 2023 thanks to accelerating capital expenditures, not reductions in revenue. Despite strenuous efforts to sell the move, it's hard to discern any impact from ATT whatsoever.
How can we be sure Apple's wise? Because Cupertino continues to allow Facebook's wide-scale abuse of In-App Browsers:
Apple has long facilitated and enriched mass surveillance through native apps, both directly from in-app activity, but much more insidiously through the In-App Browsers that lurk behind every link in Facebook, Instagram, Messenger, Threads, TikTok, Pinterest, etc.
I have written about them before, and they still stink to high heavens. Facebook couldn't ask for a better or more willing accomplice than Apple as it glides into the second decade of its browserjacking spree.
In-App Browsers are, for Facebook's purposes, ad-blocker blockers. Cheat codes for the enterprising panopticon proprietor. Much wringing of hands transpires every time one of these knockoff browsers is suspected of injecting script into web pages. The fear is that this will enable a level of tracking by apps that is not otherwise possible.
As scary (and real) as the threat is, it is also a misdirection.
To effect total surveillance, Facebook et al. don't need to inject scripts into the runtime, they only need your browser not to block their "ad tags" that are already embedded in every high-traffic page on the internet. Combined with the ability to watch every URL you navigate to in a WebView, this is more than enough to correlate in-app activity with web browsing without leaving overt fingerprints.
As long as users remain in the web purgatory of native apps, data collected from tracking endpoints remains immeasurably richer. It is, in effect, a loophole that only requires users be denied access to their browser of choice whenever it is convenient for native apps.
Real browsers matter because they are user agents; they represent the interests of users, rather than ad networks (Facebook, Google, ByteDance) and the OS vendors that are desperate to keep apps from decamping to portable, interoperable alternatives like PWAs. Users configure their browsers' privacy and security settings, knowing they will synchronize between devices. They can expand those protections with extensions that further ward against unwanted snooping.
By contrast, IABs from Facebook and ByteDance (etc.) do not feature many privacy-preserving settings or extensions, are fiendishly hard to disable, and do not sync between devices in the same app. They don't even synchronise preferences between multiple apps from the same company on the same device.[3]
![Be honest: would you think to look in 'Menu' > 'Settings & privacy' > 'Settings' > [ scroll to 'Preferences' ] > 'Media' > [ scroll to bottom ] > 'Open links in external browser'?](https://infrequently.org/2025/08/apple-vs-fb-kayfabe/fb-iab-opt-out/settings-and-privacy-media-4.png)
This goat rodeo is wilfully obtuse in a way that only an organisation dedicated through-and-through to A/B testing can accomplish. You might very well think that Facebook is working hard to trick users into a knockoff browser in the hopes they don't notice.
Even without assuming intentional obfuscation, it is shocking how laughably incomplete the privacy and security settings of Facebook's IAB remain, more than a dozen years after it was introduced:

An identical thicket of pain awaits anyone trying to disable the Facebook IAB on iOS. Facebook's UI is screen-for-screen the same across mobile OSes, and iOS users enjoy no advantage in finding the settings to disable FB's IAB.
Chrome and Edge's sync'd settings are vast by comparison, as are the offerings from every other responsible browser vendor:





The difficulty in disabling Facebook's IAB, failure to synchronize opt-out choices, and crippled privacy features are calculated to enable maximum tracking when tapping links. Even when Apple's vaunted "App Tracking Transparency" is enabled:

Here are the results of the EFF's "Cover Your Tracks" testing tool on (left-to-right) the iOS Facebook IAB, Firefox Focus, and the DuckDuckGo browser, all with default settings under iPadOS 17.7.10:



Users that install browsers, configure them to preserve their privacy, then use Facebook's apps after selecting "Ask App Not to Track" are reliably sold up the river by Apple, who seem content to facilitate this end-run around the rules.
Privacy settings? Gone. Extensions? Poof! And because Facebook has code on every top site, the tracking suddenly roars back to life, out of band of the channels that Apple wants you to believe are important (or at least that it has taken heat for in the past).
FB's tracking is so pervasive in modern web pages that it doesn't need to exfiltrate data from the IAB to track you. It just needs to keep you away from your real browser, where it might not be able to join up clicks and taps.
It isn't exactly clear if the IAB is the basis for recent reports of secretive "deterministic matching" efforts, but it's safe to assume that Facebook's bullheaded determination to steal clicks and deny users their choice in browsers isn't simply an oversight.
Apple Knows
None of this is news to Apple. They have read the posts and have made timid interventions to avoid being blamed for the most obviously nasty versions of IAB tracking. But acting against the deep rot? No joy.
Not only has Apple not responded to advocacy on behalf of users from groups like OWA, it has failed to impose either common-sense, pro-privacy restrictions on IABs, or to support action by regulators. As we've seen above, it doesn't even require apps to avoid privacy-degrading IABs when ATT is enabled or provide a global opt-out.
And Apple is absolutely aware of these concerns because they have been raised publicly and in regulatory circles for years. Yet it does not act.
Why?
Facebook's dark patterns are directly facilitated by Apple and Google. It is their SDKs and policies that make this not only possible, but pervasive. So why do they deliver users unto perdition?
Denying users true browser choice helps keep the big app vendors in the store. Those whales understand that native APIs offer increased data collection, which they monetize.
Keeping big fish in the store, in turn, helps Apple and Google corral others into their API enclosure ghettos. If users know that to get their "main" apps, they must go to the store, then the store becomes the place to look for all software. Moreover, for competitors to have any hope of equivalent profits, they must enter the same Store-enabled race to the privacy bottom.
And that race to the bottom helps the duopolists, no matter how much they want you to believe otherwise.
Apple and Google are trying to maintain a distribution model chokehold over mobile software. Their duopoly allows them to tax developers outrageously for access to commodity APIs. Dependence on proprietary versions of bog-stock APIs, in turn, makes it hard for software vendors to consider building for other platforms with their limited engineering budgets.
This, not coincidentally, reduces the size of the (potentially) portable software catalogue, harming the prospects of new entrants that might challenge the duopoly. For users, a lack of apps in open ecosystems makes it hard to escape for less predatory alternatives.
The entire point of the multi-layered exercise, in the end, is to subvert interoperability. And to do that, it's necessary to keep the anchor apps happy. Which is why Apple and Google let Facebook spy on you through the web.
Apple isn't defending your privacy, it's retreating just far enough into the hedge that you won't notice the App Store dangling Facebook, Messenger, Instagram, and TikTok to take the blame for the APIs that Apple itself has recklessly provided. Compared to the web, iOS native apps have facilitated a universe of privacy invasion that was previously unthinkable. Apple did that, and continues to do that, and now it wants credit for forcing developers to "comply" (wink wink) with anti-tracking rules it can't be bothered to enforce.
The answer is blindingly obvious: forbid IABs, particularly under ATT, and/or force native apps to use the system-provided browser-overlay systems — SFSafariViewController and Android Custom Tabs — where users' choice of browser and customisations will be respected.
This isn't hard. In fact, it's one of the simplest interventions possible. And yet neither Apple nor Google are willing to pick a real fight with Facebook and do right by users.
And until they do, you can be certain the privacy preening is all for show.[4]
FOOTNOTES
[1] I will continue to refer to Facebook as "Facebook" and Twitter as "Twitter" despite their sweaty, grasping rebrands.
It is an act of complicity to assist folks this guilty in turning the page on their transgressions. Using their new names helps oligarchs who retain standing through collective amnesia by disconnecting what is from what was, and they know it. Which is why they tried to rebrand in the first place.
The US legal fiction of "corporate personhood" does not entitle that corporation to respect, as a corporation's feelings cannot be hurt, either because it has none, or because it is a sociopath (as the market demands). If a billionaire is so embarrassed of their monster that they long for its rebirth, I say fine; go ahead. I'll happily call it something else, just so long as it dies first. Liquidate the assets, pay your bloody taxes, fire everyone, put the winnings into a holding LLC, then start afresh. Then I'll call the new thing whatever they please.
Never deadname a trans person, but the pet amphisbaenas of billionaires? Always and forever.
[2] At least until Apple can wrestle away Facebook's ad business for itself.
[3] A reliable measure of a tech firm's disrespect is making users frequently re-select privacy-enhancing choices. A good proxy for this is which settings are sync'd. Chrome's disregard for choices which Google dislikes is evident when logging into each new device:
Every time a user visits settings on a new device, they're obliquely informed that the settings they laboriously configured on previous devices have been disregarded. Chrome settings after verifying that sync has completed for the profile. All of this has been carefully considered, and it is exceedingly likely that Figma mocks exist for versions that respect user choices. Those designs were not put into production. It's impossible to know from the outside exactly who made the call, but it's a reliable guess that the ads team won a Product Manager cage match.
Facebook, for its part, is even worse, failing to join up browser choice settings on any surface or across apps. Hardly a surprise, but in a world where almost every other setting is synchronised, the difference is confirmation of anti-user intent.
[4] It should go without saying that the only truly effective solutions in this space will be legislative and regulatory. That neither Apple nor Google have put their aggressive lobbying teams to work to get effective privacy laws passed should also be a warning flag.
Until and unless they're willing to put the same sorts of money behind drafting model legislation and donating to the coffers of electeds via proxies that they do to degrade right-to-repair and browser engine choice, it's all kayfabe.