iOS 11 Tries to Balance Privacy and Fraud-Prevention, Could Affect Used iPhones


Apple is introducing a feature in iOS 11 that tries to balance user privacy against developers’ need to prevent fraud. It could also shake up the used iPhone industry.

The feature is called DeviceCheck, and it will let developers connect a user to a particular iPhone, even after the user deletes the app or wipes the phone. Remember when Apple CEO Tim Cook spanked Uber CEO Travis Kalanick for “fingerprinting” users? It’s kind of the same thing, but DeviceCheck does it with privacy in mind.

DeviceCheck

Device tracking is not the same thing as location tracking. Apps need to ask your permission to know your location, and you can change your mind at any time. This won’t be changing in iOS 11 (and isn’t likely to change ever). The issue surrounding DeviceCheck has to do with fingerprinting your iPhone.

Fingerprinting is when a developer of iOS and tvOS apps associates your device with you, the user. DeviceCheck will do this by allowing developers to tag a device with two bits and a timestamp. That tag persists even if a user deletes the app in question, but it’s being stored by Apple, not the developer.

Furthermore, the tag is limited to four possible values (they happen to be 00, 01, 10, and 11, but that’s only a technical detail). The important news for everyone else is that Apple set up DeviceCheck to allow developers to assign whatever meaning they want to these bits.

Screenshot of iPhone privacy settings. DeviceCheck could affect used iPhones.

What This Means

In one example reported by Gizmodo, a developer could offer a seven-day trial for their app, before a user has to subscribe or delete the app. When starting a trial, developers could assign the iPhone the bits 00, for instance, to indicate the trial has started. A timestamp could be added to note the start date.

When the trial is over, a different set of bits—maybe 01—could be sent to Apple’s servers to indicate you’ve used the trial. A timestamp could be added again to note the end date. Katie Skinner, a privacy engineer for Apple, gave a talk to developers and provided more details:

There are many developers who are currently using a variety of techniques to try and identify devices. Now, they may be trying to identify and answer questions like: Has this device received a free trial? Has this device participated in fraudulent activity?

This means [the bits] will be stored by Apple through deletion of your app, reinstallation of your app, through erase all contents and settings, as well as a transfer of that device between users.

Used iPhones

DeviceCheck could create problems for people who buy and sell used iPhones. Since the tag persists even after you wipe your iPhone or assign it a new Apple ID, the person buying your iPhone may be blocked from starting the free trial.

Developers were warned they would need to find a way to handle cases like that. That may include providing a way for users to contact them if the iPhone’s fingerprint needs to be reset.
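The trial flow and the resale case described above, sketched as server-side logic. This is an added example, not code from Apple or from the article: `BitStore` is a local stand-in for the record Apple holds (it is not the DeviceCheck API), the device key and dates are constructed, and using `10` to mean "reset by support" is an assumed convention.

```python
from datetime import datetime, timedelta, timezone

TRIAL_LENGTH = timedelta(days=7)         # the seven-day trial from the article
TRIAL_STARTED, TRIAL_USED = "00", "01"   # meanings used in the article's example
RESET = "10"                             # assumed meaning: cleared by support

class BitStore:
    """Local stand-in for the record Apple keeps per device and developer."""
    def __init__(self):
        self._records = {}               # device key -> (bits, timestamp)

    def query(self, device):
        return self._records.get(device)  # None: never tagged by this developer

    def update(self, device, bits, now):
        if bits not in ("00", "01", "10", "11"):
            raise ValueError("only two bits are available per device")
        self._records[device] = (bits, now)

def request_trial(store, device, now):
    """Return 'granted', 'active' or 'denied' for a trial request."""
    record = store.query(device)
    if record is None or record[0] == RESET:
        store.update(device, TRIAL_STARTED, now)
        return "granted"
    bits, stamp = record
    if bits == TRIAL_STARTED and now - stamp < TRIAL_LENGTH:
        return "active"
    if bits == TRIAL_STARTED:
        # Window elapsed: mark the trial as used, stamped with its end date.
        store.update(device, TRIAL_USED, stamp + TRIAL_LENGTH)
    return "denied"   # also reached for "11", which this sketch leaves unassigned

def support_reset(store, device, ownership_verified, now):
    """Manual path for a buyer of a used device who contacts the developer."""
    if not ownership_verified:
        return False
    store.update(device, RESET, now)
    return True

if __name__ == "__main__":
    store, t0 = BitStore(), datetime(2017, 6, 10, tzinfo=timezone.utc)
    print(request_trial(store, "device-A", t0))                       # first owner
    print(request_trial(store, "device-A", t0 + timedelta(days=30)))  # after resale
    support_reset(store, "device-A", True, t0 + timedelta(days=31))
    print(request_trial(store, "device-A", t0 + timedelta(days=31)))  # new owner
```

Because the record is keyed to the device rather than to an account, the second request is denied no matter who now owns the phone; only the developer-side reset changes the outcome.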

The move by Apple is seen as a way to balance fraud prevention and user privacy. There’s a compelling case for developers to prevent fraud, but hopefully it doesn’t make buying used iPhones more difficult.

2 Comments

  1. geoduck

    the tag is limited to four types of binary bits (it happens to be 00, 01, 10, and 11, but that’s only a technical detail.

    There are 10 kinds of people in the world. Those who understand binary and those who don’t.
