Tag Archives: ads

That Tracking Popup on Your Phone? Here’s What’s Actually Going On Behind It


Every iPhone user has seen that little prompt asking whether an app can “track your activity across other companies’ apps and websites.” Most people instinctively tap Don’t Allow and carry on with their day. But very few stop to ask what they’re actually saying no to, and more importantly, what was happening before this prompt even existed.

Here is the breakdown.

The Quiet Identifier You Never Knew About

Before Apple introduced its App Tracking Transparency (ATT) framework in iOS 14.5, every iPhone carried something called an IDFA — Identifier for Advertisers. Think of it like a license plate bolted to your phone. Every app you installed could read it. No questions asked. No prompts. No consent.

So when you browsed gulab jamun on a shopping app at 10pm and then saw an ad for the exact same thing on Instagram the next morning, that wasn’t a coincidence and it wasn’t your phone “listening” to you. What actually happened is far more mundane and far more systematic. Both apps were reporting your behaviour to the same advertising exchange, tagged with that one persistent ID. Your browsing history, your purchase intent, your location patterns, all stitched together into a neat behavioral profile. Not by one company, but by an entire ecosystem of ad networks, data brokers, and demand-side platforms that most people have never heard of.

The IDFA was the thread that connected all of it.

What Apple Actually Changed

With ATT, Apple did something deceptively simple: it made apps ask before reading that identifier. That’s it. The tracking infrastructure didn’t disappear. The ad exchanges are still there. The data broker pipelines are still humming. Apple just added a gate at the front door.

And it turned out that gate was devastatingly effective. Somewhere between 75–85% of users opted out when given the choice. Billions of dollars in ad revenue evaporated almost overnight. Meta alone attributed a $10 billion annual revenue impact to this single change. One prompt. One toggle. That’s all it took to collapse a surveillance advertising model that had been running unchecked for over a decade.

SOURCE: https://www.forbes.com/sites/danielnewman/2022/02/10/apple-meta-and-the-ten-billion-dollar-impact-of-privacy-changes/

Look at Which Apps Are Asking

Here’s what I find interesting: pull up the Tracking settings on your iPhone and look at the list of apps that have requested this permission. Food delivery apps. Shopping platforms. Payment wallets. News aggregators. Social media. Ride-hailing services.

Not one of these needs cross-app tracking to function. Your food delivery app doesn’t need to know what you were browsing on a fashion app to deliver your biryani. Your payments app doesn’t need to correlate your reading habits with your transaction history.

They want this data because your cross-app behavioral profile is worth more to advertisers than what you actually pay for the service. In many cases, especially with free apps, you are the product being sold, and the IDFA was the barcode.

What “Don’t Allow” Actually Does (And Doesn’t Do)

Here’s the part most people get wrong. Tapping Don’t Allow does not mean the app stops collecting data about you. It means the app can’t correlate what you do inside it with what you do outside it. Within its own walls, the app still sees everything: your searches, your clicks, your time spent on each screen, your purchase history, your location if you’ve granted that separately.

What ATT blocks is the cross-pollination, the stitching together of your identity across unrelated apps and websites using that shared advertising ID. That’s an important distinction, because it means your privacy posture after tapping “Don’t Allow” is better, but it’s not airtight.
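The distinction above, as an added example that is not part of the original post: a toy ad exchange joins events from two apps on the IDFA, and an opted-out user's events stay inside each app but can no longer be joined. The app names, events and the two IDFAs are constructed; the all-zero value is what an app reads when tracking is not authorized.

```python
from collections import defaultdict

# Value an app reads for the IDFA when tracking is not authorized.
ZERO_IDFA = "00000000-0000-0000-0000-000000000000"

# Constructed sample: events two unrelated apps report to the same ad exchange.
USER_A = "AAAAAAAA-1111-4111-8111-AAAAAAAAAAAA"
USER_B = "BBBBBBBB-2222-4222-8222-BBBBBBBBBBBB"
EVENTS = [
    {"app": "shopping", "idfa": USER_A, "event": "viewed gulab jamun"},
    {"app": "social", "idfa": USER_A, "event": "opened feed"},
    {"app": "shopping", "idfa": USER_B, "event": "viewed phone case"},
    {"app": "social", "idfa": USER_B, "event": "opened feed"},
]


def apply_att(events, opted_out):
    """Model "Don't Allow": the app still records the event but reads a zeroed IDFA."""
    return [dict(e, idfa=ZERO_IDFA) if e["idfa"] in opted_out else e for e in events]


def first_party_counts(events):
    """Events each app holds inside its own walls, whatever the IDFA says."""
    counts = defaultdict(int)
    for e in events:
        counts[e["app"]] += 1
    return dict(counts)


def cross_app_profiles(events):
    """Join events on the IDFA as a shared exchange could; keep IDs seen in 2+ apps."""
    by_id = defaultdict(list)
    for e in events:
        if e["idfa"] != ZERO_IDFA:  # a zeroed ID is shared by everyone, so it is no join key
            by_id[e["idfa"]].append((e["app"], e["event"]))
    return {i: ev for i, ev in by_id.items() if len({app for app, _ in ev}) > 1}


if __name__ == "__main__":
    after = apply_att(EVENTS, opted_out={USER_B})
    print("cross-app profiles before:", len(cross_app_profiles(EVENTS)))
    print("cross-app profiles after user B opts out:", len(cross_app_profiles(after)))
    print("events still held per app:", first_party_counts(after))
```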

The Workarounds Are Already Here

The ad industry didn’t just accept this and move on. A parallel infrastructure of workarounds has been growing since the day ATT launched.

Fingerprinting uses device-level signals such as screen resolution, installed fonts, battery level and network configuration to build a probabilistic identity without needing the IDFA. Apple’s policies technically prohibit it, but enforcement is inconsistent and the practice is widespread.

Server-side tracking moves the data exchange off your device entirely. Instead of the app sending your IDFA to an ad network, the app’s backend server talks directly to the ad platform’s backend. The tracking still happens; it’s just invisible to Apple’s on-device enforcement mechanisms.

Cohort-based models group users into behavioral clusters rather than targeting individuals. Google’s Privacy Sandbox and similar initiatives pitch this as “privacy-preserving,” but critics point out that sufficiently small cohorts can still approximate individual targeting.

The tracking prompt can’t reach any of this. The surveillance didn’t end. It just moved one layer deeper.
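Why combined signals identify a device, and why a small cohort is close to an individual, as an added example that is not part of the original post. It measures anonymity-set sizes over a constructed population of eight devices; the signal names follow the fingerprinting paragraph above and every value is made up.

```python
from collections import Counter
from math import log2

SIGNALS = ("screen", "fonts", "battery", "network")

# Constructed population of eight devices; values are illustrative, not measured.
ROWS = [
    ("1170x2532", "fonts-A", "80%", "carrier-1"),
    ("1170x2532", "fonts-A", "80%", "carrier-2"),
    ("1170x2532", "fonts-B", "80%", "carrier-1"),
    ("1170x2532", "fonts-B", "35%", "carrier-3"),
    ("1284x2778", "fonts-A", "80%", "carrier-1"),
    ("1284x2778", "fonts-A", "80%", "carrier-2"),
    ("1284x2778", "fonts-B", "35%", "carrier-3"),
    ("1284x2778", "fonts-B", "80%", "carrier-2"),
]
DEVICES = [dict(zip(SIGNALS, row)) for row in ROWS]


def key_of(device, signals):
    """The combination of values a tracker would observe for the chosen signals."""
    return tuple(device[s] for s in signals)


def anonymity_sets(devices, signals):
    """Size of each group of devices that look identical on the chosen signals."""
    return Counter(key_of(d, signals) for d in devices)


def unique_fraction(devices, signals):
    """Share of devices that are alone in their group, i.e. individually identifiable."""
    sets = anonymity_sets(devices, signals)
    return sum(sets[key_of(d, signals)] == 1 for d in devices) / len(devices)


def identifying_bits(devices, signals, device):
    """Surprisal of one device's combination: log2(population / group size)."""
    group = anonymity_sets(devices, signals)[key_of(device, signals)]
    return log2(len(devices) / group)


def cohorts_below(devices, signals, k):
    """Cohorts with fewer than k members: small enough to approximate one person."""
    return [key for key, n in anonymity_sets(devices, signals).items() if n < k]


if __name__ == "__main__":
    for n in range(1, len(SIGNALS) + 1):
        print(SIGNALS[:n], "unique:", unique_fraction(DEVICES, SIGNALS[:n]))
```

No single signal singles anyone out here; the identification comes from the combination, which is also how a cohort defined on enough attributes shrinks to one member.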

So What Should You Actually Do?

Keep tracking off for everything. That’s the baseline. But don’t mistake one toggle for comprehensive privacy. Here’s what a more realistic posture looks like:

Review app permissions regularly. Location, microphone, contacts, photos: each of these is a separate data surface that apps routinely over-request. Audit them under Settings → Privacy & Security.

Use a DNS-level content blocker. Tools like Pi-hole, NextDNS or AdGuard can block tracking domains at the network layer, catching what ATT misses. This is especially useful against server-side tracking and fingerprinting scripts.

Be skeptical of “free” apps. If a service is free and feature-rich, ask yourself what the business model actually is. If it’s not obvious, the answer is almost always advertising — and advertising at scale requires surveillance.

Limit the number of apps on your phone. Every installed app is a potential data collection endpoint. If you used it once three months ago and haven’t opened it since, it doesn’t need to be on your device.
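What a DNS-level blocker decides on, as an added example that is not part of the original post and not the code of any tool named above. It assumes parent-domain (suffix) matching on label boundaries; the blocklist and the query log are constructed, using the reserved `.example` domain.

```python
def normalize(host):
    """Lower-case and drop the trailing root dot so 'Ads.Example.' matches 'ads.example'."""
    return host.strip().rstrip(".").lower()


def is_blocked(host, blocklist):
    """Block a host if it, or any parent domain of it, is on the list.

    Matching whole labels avoids the substring mistake of blocking
    'nottracker.example' because it ends in 'tracker.example'.
    """
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_queries(queries, blocklist):
    """Split a DNS query log into (allowed, blocked), preserving order."""
    allowed, blocked = [], []
    for q in queries:
        (blocked if is_blocked(q, blocklist) else allowed).append(normalize(q))
    return allowed, blocked


# Constructed blocklist and query log.
BLOCKLIST = {"tracker.example", "ads.adnetwork.example"}
QUERIES = [
    "api.fooddelivery.example",   # the app's own backend: not listed, so it resolves
    "sdk.tracker.example",        # subdomain of a listed domain
    "TRACKER.example.",           # same domain, different case, trailing dot
    "nottracker.example",         # shares a string suffix but not a label boundary
    "cdn.ads.adnetwork.example",  # deeper subdomain of a listed domain
    "adnetwork.example",          # parent of a listed domain, itself not listed
]

if __name__ == "__main__":
    allowed, blocked = filter_queries(QUERIES, BLOCKLIST)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

The blocker sees only the hostnames the device looks up, so its decision is made per hostname and nothing else.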

The Bigger Picture

That one little prompt on your iPhone represents something much larger. It’s a rare moment where a platform company made surveillance visible and gave users a genuine opt-out. The fact that the overwhelming majority chose to opt out tells you everything about how people actually feel about being tracked when they’re given an honest choice.

But it also revealed how fragile privacy gains are when the entire economic model of mobile apps is built on behavioral data extraction. One wall, no matter how well-built, doesn’t make a fortress. It’s a start. Treat it that way.

#privacy #ads #devicefingerprint #ATT #do-not-track #AppTrackingTransparency

How E-commerce Companies In India Rely On Black Hat SEO

Ok, taken for granted that competition is intense and running an e-commerce company is difficult, especially in our country. I have friends who say they are not sure about their company’s existence for the next financial year. But does it mean that you have to resort to unethical tactics, in this case Black Hat Search Engine Optimization (SEO)?

I was looking for a mobile phone and was researching its availability online. Nothing eye-catching about the results as in the picture below. The usual promoted listings and the normal search results on Google. Now I had read that this particular model of phone is available exclusively at Amazon India. I was surprised and glad to see the product listings (promoted listings/ads) at other sites like Snapdeal and Flipkart as well. The ease of shopping online at the convenience of our fingertips, coupled with deals and coupons, and also the refund policies of some of these vendors. The reason for stressing the refunds is that I have had to return one laptop and one netbook, and much of it was accomplished without any fuss. Interestingly I never saw those products for sale again!

Google Search results (look beside the arrows):

[Image: blackhatseo-ecommerce-india]

Now if the phone is exclusively available at only one site, what are the other two sites showing their ads for?

I clicked on three ads in separate tabs and as advertised the Amazon India site showed up Micromax Canvas A1, which they are selling exclusively, while the resulting pages were for totally different products at Snapdeal and Flipkart. Not sure if this violates any law in India; if you are aware of the laws and regulations on improper/false advertising, please drop an email or tweet to me at @terminalfix. The paid listing by Snapdeal lands on a product page for a Karbonn phone, running Android One like Micromax Canvas A1. Flipkart’s listing lands on a product page for Spice Android One Dream Uno, also running Android One.

Flipkart’s ad for Micromax Canvas A1 shows Spice Android One instead:

[Image: flipkart-blackhat-seo]

Snapdeal’s page shows Karbonn:

[Image: snapdeal-blackhat-seo]

Actually this is not the first time I have seen such tactics being used. Previously, as documented here (Why Flipkart Is Wrong To Hijack Crossword’s Name Using Sponsored Ads), Flipkart was listing its ads for the term “crossword bookstore”. After I had pointed this out, they removed the listings.

I am not very familiar with Google’s Terms and Conditions when it comes to violations, but if a company is consistently doing it, it deserves some action, big or small. Over to Google, Flipkart, Snapdeal and Micromax for more on this…