ARCHIVES: This is legacy content from before Marketing Dive acquired Mobile Marketer in early 2017. Some information, such as publication dates, may not have migrated over. Check out the new Marketing Dive site for the latest marketing news.

UDID breach highlights mobile tracking, privacy issues

While it is not entirely clear how many iPhone and iPad identifying codes hackers may have gained access to this week, the news of a possible large-scale leak has reinvigorated the discussion around the need for an alternative to UDIDs.

Hackers this week claimed to have stolen more than 12 million identifying codes attached to Apple devices while over 1 million of these UDIDs were released online. However, both the Federal Bureau of Investigations ? which the hackers say are the source of the data via an agent?s laptop ? and Apple insist they do not know where the data came from.

?This leak highlights exactly why ?permasolutions? like the UDID are not viable options for today?s privacy-concerned environment,? said James Lamberti, vice president and general manager of AdTruth.

?UDID is permanent and is always associated with a specific device so once the UDID is exposed and out there, that device - including any and all information associated with it ? is directly traceable back to the user,? he said.

Growing concern
UDIDs have been a growing focus of privacy concerns because it is possible to link these indentifying codes to a specific user and the information shared with third parties.

Apple had previously said it would begin deprecating UDIDs, in a move to address the privacy issues. However, it quickly became apparent how much of an impact the overnight disappearance of UDIDs would have on advertisers.

Mobile marketers would be particularly hard hit if UDIDs were to disappear since this information is used to track how well an ad converts into an action on iOS. This data helps determine how much advertisers and ad networks pay for in-app ads.

One report from MoPub found that a pp developers could see their advertising revenues drop by as much as 24 percent if Apple were to eliminate UDIDs.

Apple does not want to be in the position of policing the activity companies operating on iOS. However, it also does not want to be responsible for shutting down marketing activities by eliminating UDIDs.

?I don?t speak for Apple but it does seem that they recognized that completely getting rid of MUDIDs overnight was going to have a huge negative impact on the mobile industry and that would in turn have an impact on consumers,? said Alan Chapell, co-chair of the Mobile Marketing Association?s Privacy Committee and president of Chapell and Associates.

?If, all of a sudden, nobody could an UDID without an alternative, I?m not sure that advertisers are going to want to spend in mobile,? he said.

?Apple is caught between a rock and a hard place because they don?t? want to be seen as facilitating bad privacy practices but they also don?t? want to destroy the mobile advertising ecosystem."

Looking for alternatives
This week?s news about a possible leak of UDID brings new urgency to the search for a replacement because it provides regulators and privacy advocates ? who are keeping a close eye on mobile ? with an example they can point of how mobile can compromise consumers? privacy.

Any alternative to UDID needs to be embraced by a wide enough cross segment of the market for it to be meaningful to marketers.

One step marketers can take right now is to insure that they do not run afoul of regulators is to de-identify data so that it is not attached to an identifying code in perpetuity.

?If you are taking reasonable steps to delink the data, if you can demonstrate this, you may be viewed differently should any issues arise,? Mr. Chapell said.

An alternative approach embraced by AdTruth is to use a probabilistic model, one that does not connect an individual permanently to a specific device and that does not leave any type of identifiers on the device itself.

The AdTruth model uses a hash that would need to be decoded in order to be associated with an individual. The hash changes over time so the connection with an individual is temporary.

The approach works across all devices whether desktop, mobile or any other internet connected device.

?It may be appealing to continue to use UDID while it lasts, the reality is that UDID is obviously not privacy friendly ? nor does it work well for non-iOS devices or understanding app vs. mobile web behaviour,? Mr. Lamberti said.

?Clearly the risk of exposure is a serious concern for consumers, so it?s likely that UDID?s days are numbered,? he said.

?Now is the time to make the switch to tracking technology that can work across device-types, can identify a user across web and apps, is consumer friendly and future secured.?

Final Take
Chantal Tode is associate editor on Mobile Marketer, New York