Unique identifiers are useful tools for developers, advertisers and analytics companies. However, the use of unique identifiers raises important user privacy concerns. Use this resource page to educate yourself and stay alert to important unique identifier privacy issues.
1. Platform Unique Identifier Practices
2. Unique Identifier Solution Tools
3. Hashing for Privacy
Analytics companies or ad networks may rely on you to provide them with a unique identifier so they can track users and manage advertising. The SDK integrated into your app might require you to provide a device ID, MAC address or other unique number to enable that same functionality. Using these identifiers has fostered privacy concerns, because they are considered more personal than cookies or other tracking mechanisms that users can clear or delete.
You should understand whether your ad network hashes and salts identifiers you provide them with, and whether it provides users with an opt-out. Seek to provide an identifier that can easily be cleared or managed by the user.
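An added example, not code from this page or from any ad network's SDK: it contrasts an unsalted hash of a hardware identifier with a per-app salted (keyed) hash, and wraps an app-generated identifier that the user can reset or opt out of. The MAC address is a constructed sample, and the names `salted_hash` and `InstallIdentifier` and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CONSTRUCTED_MAC = "02:00:00:aa:bb:cc"  # constructed sample value, not a real device


def unsalted_hash(identifier: str) -> str:
    """Plain SHA-256: every app that hashes the same hardware ID gets the same value."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def salted_hash(identifier: str, app_salt: bytes) -> str:
    """HMAC-SHA256 keyed with a per-app secret salt: the output is scoped to one app."""
    return hmac.new(app_salt, identifier.encode(), hashlib.sha256).hexdigest()


class InstallIdentifier:
    """App-generated random identifier the user can reset or opt out of (hypothetical)."""

    def __init__(self, app_salt: bytes):
        self._salt = app_salt
        self._value = secrets.token_hex(16)  # random, carries no hardware information
        self.opted_out = False

    def reset(self) -> None:
        """User-initiated clear: the new value has no relation to the old one."""
        self._value = secrets.token_hex(16)

    def for_ad_network(self):
        """Value handed to the SDK, or None when the user has opted out."""
        if self.opted_out:
            return None
        return salted_hash(self._value, self._salt)


if __name__ == "__main__":
    salt_a, salt_b = secrets.token_bytes(32), secrets.token_bytes(32)
    # Unsalted: the digest depends only on the hardware ID, so it matches across apps.
    print("unsalted:", unsalted_hash(CONSTRUCTED_MAC))
    # Salted per app: the same hardware ID yields unrelated values in app A and app B.
    print("app A   :", salted_hash(CONSTRUCTED_MAC, salt_a))
    print("app B   :", salted_hash(CONSTRUCTED_MAC, salt_b))
    ident = InstallIdentifier(salt_a)
    before = ident.for_ad_network()
    ident.reset()
    print("changed after reset:", before != ident.for_ad_network())
```

The salt has to stay private to the app and out of the value sent to the network; a salt that is published or shared between apps gives the same cross-app linkage as no salt.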
In August 2011, Apple decided that it would phase out third-party use of Unique Device Identifiers (UDID). Third-party app developers are now instructed to stop tracking iPhone, iPod Touch, and iPad users by the unique identification number attributed to each of its devices and instead create their own unique identifiers. This would enable tracking of users within individual apps rather than across apps. Those likely to be most affected are ad networks that currently leverage UDIDs to collect information about users from their use of unrelated apps. As of July 2012, it's been suggested that iOS 6 will provide alternatives to the UDID; however, iOS 6 has not yet been released to the general public.
In anticipation of the deprecation, ad networks, platforms, and developers are exploring alternatives to device identifiers for identifying and delivering services to app users. However, there is little uniformity in this ecosystem, in which device identifier management is owned and operated by multiple providers.
1. Major Platform Device Identifier Practices
- Google: Mobile applications pass user device identifiers to Google when users access an app that displays Google AdSense or AdMob ads. Google engages in the practice of device identifier hashing between Android and its ad network AdMob before the device identifier is made available to developers. There are three main elements to Google’s device identifier practice:
  - Double-anonymization of the device identifier, first by hashing the device identifier before it is sent to Google’s server, then by associating with an anonymous ID, preventing Google from seeing the actual device identifier
  - User opt-out in Android market settings for Android handset users, and Google search app for iOS for iPhone and iPad users
  - In-app notice through ads running across AdSense and AdMob in-app networks that users can see
2. Emerging Device Identifier Solution Tools - Pending details about the alternative identifiers to be provided by Apple, these are the options currently used by industry.
- OpenUDID - An open source device identifier initiative by Appsfire, a mobile app marketing platform. OpenUDID provides a replacement unique device identifier which can be accessed by any app, provides open-source code to “generate and access the OpenUDID, for iOS and Android,” and enables user opt-out.
- OFUID – OpenFeint Unique Identifier, created by the OpenFeint mobile gaming network for the gaming app developer community. Users that opt-in to the OpenFeint system provide access to the OFUID, a universal account system for the gaming network’s cross-platform users. Developers can use the OFUID to track users across apps.
- Device Fingerprinting – An emerging and much debated device identification technique in which a unique “fingerprint” is assigned to a device based on information from its properties and settings, and not on UDID. Once the device is fingerprinted, it is added to a database for future device recognition. Several device fingerprinting tools are listed below:
  - dotMobi’s DeviceAtlas – Used by mobile ad network Adfonic
  - 41st Parameter’s AdTruth – device fingerprinting service AdTruth now honors the Do Not Track technology in Mozilla Firefox
3. Hashing for Privacy - Check out this blog post by Matt Gemmell discussing the importance of hashing in social apps.