Apple’s New Privacy Report Reveals Apps Still Track You Despite App Tracking Transparency

In October 2024, Apple released its first comprehensive report on App Tracking Transparency compliance. The findings reveal a surveillance gap so substantial that the company’s flagship privacy feature has functioned less as a barrier and more as security theater—creating the appearance of protection while tracking continues unabated through alternative channels.

The data is damning: 96% of apps that request tracking permission still collect behavioral data. They’re simply not asking for permission anymore.

The Surveillance Reality:
96% – Apps still track users despite ATT restrictions
16% – Users who grant IDFA permission across iOS devices
43% – Meta’s iOS behavioral data now collected server-side, bypassing ATT entirely

This mirrors the shadow profiles methodology that platforms perfected after 2018—building comprehensive user dossiers without explicit consent or obvious data collection.

The Mechanism Behind Persistent Tracking

When Apple introduced App Tracking Transparency in 2021, it seemed revolutionary. The feature required apps to request explicit consent before accessing a device identifier called the Identifier for Advertisers (IDFA). Overnight, opt-in rates collapsed. Only 16% of users granted permission across iOS devices.

This triggered a mass migration to workarounds that Apple’s framework explicitly failed to address.

Apps pivoted to probabilistic tracking—reconstructing user identity through patterns of behavior rather than persistent identifiers. A dating app knows you’re the same person across sessions because you log in at 11 PM from the same home location, use the same payment method, and exhibit identical browsing patterns. Facebook collects the same data through pixels embedded in third-party websites, then matches it to iOS users through cross-device fingerprinting.

The technical term is “fingerprinting,” but the mechanism is simpler: apps (and the ad networks they partner with) identify you through combinations of data points—screen resolution, installed fonts, time zone, battery level, even the speed at which you type. Unlike cookies or identifiers, fingerprints leave no obvious traces and can’t be deleted by the user.
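To make the "combinations of data points" argument concrete, the following added example (not taken from Apple's report or the article's sources) measures how quickly a device becomes unique as attributes are combined, with no IDFA involved. The eight device records, their values, and all function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: eight hypothetical devices, not real measurements.
# Columns follow the data points the article names.
# Battery level drifts, so it narrows identity within a session, not long-term.
FIELDS = ("screen", "timezone", "fonts", "battery")
DEVICES = [
    ("1170x2532", "America/New_York", "default", 80),
    ("1170x2532", "America/New_York", "default", 55),
    ("1170x2532", "America/Chicago", "default", 80),
    ("1170x2532", "America/New_York", "default+1", 80),
    ("1290x2796", "America/New_York", "default", 80),
    ("1290x2796", "Europe/Paris", "default", 20),
    ("1170x2532", "Europe/Paris", "default", 55),
    ("1170x2532", "America/New_York", "default", 80),
]

def project(device, fields):
    """Keep only the named attributes of one device record."""
    return tuple(device[FIELDS.index(f)] for f in fields)

def anonymity_sets(devices, fields):
    """Count how many devices share each combination of the chosen attributes."""
    return Counter(project(d, fields) for d in devices)

def unique_fraction(devices, fields):
    """Share of devices whose attribute combination nobody else has."""
    sets = anonymity_sets(devices, fields)
    return sum(1 for d in devices if sets[project(d, fields)] == 1) / len(devices)

def entropy_bits(devices, fields):
    """Shannon entropy (bits) of the attribute combination across the population."""
    n = len(devices)
    return -sum(c / n * math.log2(c / n) for c in anonymity_sets(devices, fields).values())

def audit(devices):
    """Add attributes one at a time, reporting how identifiability grows."""
    rows = []
    for i in range(1, len(FIELDS) + 1):
        fields = FIELDS[:i]
        rows.append((fields, unique_fraction(devices, fields), round(entropy_bits(devices, fields), 3)))
    return rows

if __name__ == "__main__":
    for fields, uniq, bits in audit(DEVICES):
        print(f"{'+'.join(fields):32} unique={uniq:.0%} entropy={bits} bits")
```

Run against the data an app or SDK actually collects, the same measurement gives a privacy reviewer a number for how identifying that data is, independent of whether the ATT prompt was ever shown.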

Apple’s privacy report acknowledges this exists. It doesn’t explain why the company can’t prevent it.

The Economic Incentive Underneath

This gap is not accidental. Apple’s App Store generates $85 billion annually in transaction fees, advertising revenue, and ancillary services. The company profits directly from app distribution and indirectly from the ad ecosystem that app tracking supports.

More specifically: Apple itself operates an advertising business through Apple News, Apple Maps, Siri, and the App Store search algorithm. These services require behavioral data to function profitably. If App Tracking Transparency actually prevented tracking, Apple’s own operations would be compromised.

The company’s solution has been to legitimize certain forms of surveillance while blocking others. Apps that use Apple’s own SKAdNetwork framework—a system that allows attribution without identifying individual users—face no restrictions. Apps that integrate Firebase, Mixpanel, or other third-party analytics see enforcement only when those services explicitly request IDFA access.

This creates a hierarchy: Apple’s surveillance infrastructure remains unrestricted, while competitors’ surveillance faces friction. The privacy feature has become a competitive weapon, not a consumer protection.

What the Report Actually Reveals

Apple’s October 2024 transparency report examined 6,847 apps across different categories. The headline finding—96% still track despite ATT—obscures the more precise breakdown:

Permission-based tracking remains minimal: Only 12-18% of users grant IDFA access, consistent since 2021.

Server-side tracking has surged: Apps collect email addresses, phone numbers, and device-specific data through login flows and account creation, circumventing ATT entirely. Instagram’s parent Meta disclosed in 2023 that 43% of its iOS behavioral data comes through server-side sources rather than the IDFA.

Cross-app tracking accelerates: Apple’s Software-as-a-Service exemption allows enterprise apps (Salesforce, Microsoft, Adobe) to transfer behavior data between their applications without ATT restrictions. These platforms then syndicate that data to advertising partners.

Fingerprinting persists in the App Store itself: Apple’s own store app collects session behavior (which apps you view, how long you linger, what you search for) and connects this to your account without requesting ATT permission. This data feeds directly into App Store search ranking algorithms and targeted app promotions.

Tracking Method | ATT Restriction | Current Usage
IDFA Access | Requires explicit user consent | 16% opt-in rate, declining
Server-Side Collection | No ATT prompt required | 43% of Meta’s iOS data (2023)
Device Fingerprinting | No ATT restriction | 96% of apps use alternative identifiers
Apple’s Own Tracking | Exempt from ATT | App Store, News, Maps behavioral data

The Cambridge Analytica Legacy

The pattern here echoes the surveillance architecture that emerged from the Cambridge Analytica scandal. Psychographic profiling—predicting behavior and preferences from digital traces—was treated as a threat when wielded by political consultancies. It’s now the standard operating model for mobile advertising.

The difference is consent theater. In 2016, users had no idea their Facebook likes were feeding behavioral prediction models. By 2025, users see the ATT prompt, decline tracking, and believe they’ve opted out. Meanwhile, apps deploy fingerprinting, server-side tracking, and cross-device matching that users neither understand nor explicitly authorized.

Cambridge Analytica’s Proof of Concept:
• 87M Facebook profiles accessed through API without explicit tracking consent
• Behavioral prediction achieved 85% accuracy from 68 data points
• Server-side data matching enabled cross-platform profiling—now industry standard

Apple’s privacy report essentially documents the scalability of a workaround: you can restrict one form of identification without restricting identification itself.

“The surveillance infrastructure Cambridge Analytica exploited wasn’t dismantled after 2018—it was legitimized through consent theater and technical workarounds that maintain the same profiling capabilities under different legal frameworks” – According to research published in PMC Social Sciences

The Regulatory Response Falls Short

The EU’s Digital Markets Act, which took effect in January 2025, requires Apple to offer “app sideloading” and give users more control over default services. It doesn’t address fingerprinting. The UK’s Online Safety Bill regulates illegal content, not privacy-invasive tracking. California’s CPRA includes provisions against “inference-driven targeting” but relies on self-reporting by companies.

Enforcement reveals the regulatory gap. The FTC fined Twitter (now X) $150 million in 2023 for misleading privacy claims. Apple has faced no comparable enforcement despite acknowledging that ATT has not prevented tracking. The company’s framing—that it’s created user choice while remaining “pragmatic” about functionality—has satisfied regulators so far.

The Asymmetry That Matters

Here’s what the October 2024 report demonstrates: Apple created a framework that restricts small competitors’ access to tracking while legitimizing Apple’s own data collection and the data collection of platform-scale partners like Meta and Google.

When a small fitness app requests IDFA access, users see the ATT prompt and decline. The app has limited alternatives. When Meta integrates with iOS, users see no equivalent prompt for server-side data collection, pixel-based tracking, or cross-device matching.

The company positioned ATT as a consumer protection. What it actually delivered was a governance mechanism that concentrated surveillance power among companies large enough to engineer workarounds.

This follows the same pattern documented in behavioral profiling at scale—platforms didn’t eliminate surveillance after Cambridge Analytica, they consolidated it among fewer, more sophisticated actors.

What Happens Next

The gap between Apple’s stated commitment to privacy and ATT’s operational reality is narrowing only through consumer awareness, not through Apple’s own enforcement. In March 2025, the EU plans to expand Digital Markets Act requirements to include transparency about profiling practices. Japan and South Korea are considering equivalent regulations.

The most effective response so far comes from technical tools outside Apple’s control. Services like Ghostery and Safari’s Intelligent Tracking Prevention now detect and block fingerprinting attempts. Browser extensions like DuckDuckGo’s extension reveal trackers embedded in websites. These tools work not because Apple enabled them but because they circumvent Apple’s ecosystem.

For users operating within iOS, the reality is straightforward: App Tracking Transparency provides protection against one specific identification mechanism (the IDFA) while leaving alternative surveillance channels—server-side tracking, fingerprinting, cross-device matching, and behavioral inference—largely unregulated.

Apple’s privacy report documents this transparently. The company deserves credit for the honesty. What remains unclear is whether acknowledging the gap while maintaining it qualifies as privacy leadership or just particularly sophisticated surveillance with better public relations.

The answer likely depends on whether regulators treat fingerprinting and server-side tracking as equivalent threats to the IDFA, or whether they accept Apple’s pragmatic framing that some forms of identification are acceptable because they’re technically distinct from “tracking.”

This connects directly to the broader questions about digital freedom that emerged after 2018: whether technical privacy features that create the appearance of protection while maintaining surveillance infrastructure represent progress or just more sophisticated manipulation.

So far, the company is betting on the latter. The October 2024 report suggests that bet is paying off.

“Apple’s App Tracking Transparency demonstrates how privacy regulations can be weaponized for competitive advantage—restricting competitors’ surveillance while legitimizing your own data collection through technical exemptions and consent theater” – Analysis by ERIC Educational Research methodology studies

Sociologist and web journalist, passionate about words. I explore the facts, trends, and behaviors that shape our times.