An essential adage these days is to protect your private data to keep fraudsters at bay. A new paper has quantified the incidence of financial fraud complaints among app users who follow that advice. Titled “Consumer Surveillance and Financial Fraud,” the paper was co-authored by Wharton finance professor Huan Tang and finance professors Bo Bian at the University of British Columbia and Michaela Pagel at Washington University in St. Louis.
The authors focused on Apple’s App Tracking Transparency (ATT) policy, which by default opts users on Apple’s iOS platform out of sharing their data. They found that a 10% increase in the number of iOS users in a given zip code results in a 3.21% drop in financial fraud complaints from that location. The study also found that “the effects are concentrated in complaints related to lax data security and privacy.”
The drop in financial fraud complaints could grow tenfold if tight privacy laws are universally applied. “If the whole population of [cell phone] users on both the iOS and Android platforms were subject to a policy like the ATT, then the number of financial fraud complaints should drop to 32%, assuming the effect scales up linearly,” Tang said.
Apple’s ATT policy, which was launched in April 2021, required all app providers to obtain explicit permission from users before tracking them across apps or websites owned by other companies. Consequently, without a user’s permission, Apple would not provide those apps and websites with so-called “mobile identifiers.”
Although the ATT policy only applies to mobile users, it has implications for commercial surveillance and fraud among the general population due to the prevalence of smartphones, the paper pointed out. After the ATT policy, companies with an app are 42% less likely to experience cyber incidents, compared to firms without an app, it added. The paper described the implementation of ATT as “an event that enhances data security and privacy standards.”
A Shock to the Data Industry
The ATT policy dealt “a major shock to the data industry,” especially providers of mobile apps that are available on the Apple App Store or the Google Play store, the paper stated. As of February 2022, 82% of app users who were asked for permission to track them refused to grant it, and only 18% allowed tracking, according to Flurry, a mobile advertising company.
“Facebook is the largest victim of Apple’s privacy campaign, because 98% of Facebook’s revenue comes from targeted ads.” — Huan Tang
Tang explained how exactly the ATT hurt Facebook. To target consumers for advertising, Facebook needs to link pieces of data about the same individual from various sources, using a mobile identifier that ties together all of the individual’s mobile devices and all of the user’s choices across different websites, she said. But after ATT, Facebook couldn’t use mobile identifiers unless iOS users explicitly agreed to share their data with a third party, she added.
Facebook’s Loss, Apple’s Gain
Apple, in contrast, benefited because its users were happy that it was taking steps to protect their privacy, Tang said. “Apple’s privacy campaign is self-serving because it allows the tech giant to tap into the targeted ad industry,” she continued. “And its largest opponent besides Google is Facebook. By taking down Facebook, there’s a void to be filled.” Incidentally, France’s competition authority and Italy’s antitrust agency accused Apple of abusing its dominance in the market to set unfair conditions.
Apple stepped in later with crowd-level targeting, where it could use aggregated information of specific communities of users it created, Tang added. Other platforms that wanted to target Apple users had to adopt that approach, which allows “less refined targeting,” she explained. As Apple’s guide to search ads stated, “targeting specific audiences will prevent ads from appearing to users who have turned off the Personalized Ads setting.”
Apple had begun tightening the screws on data privacy more than a year before it launched the ATT policy, the paper noted. In December 2020, Apple introduced “nutrition” privacy labels, which required all developers to provide information about their data practices in a standardized and user-friendly format. Developers who failed to comply with that policy faced the risk of having their future app updates rejected by Apple’s app store.
In July 2022, Google also launched data safety forms on its Google Play platform, which required firms to disclose the types of data they collected from users and how they would use it. Google’s data safety form also required disclosure of data security practices, including whether the user data is encrypted during transit.
How the Study Tracked Financial Fraud
The authors began with detailed foot traffic data from Safegraph (a provider of datasets on global places) to calculate zip-code-level shares of iPhone users out of all smartphone users. Next, they analyzed data from the Consumer Fraud Prevention Bureau (CFPB) and the Federal Trade Commission (FTC) on the number of financial fraud complaints and the amount of money lost due to fraud. They then applied the 82% opt-out rate of ATT to arrive at their finding of a 3.21% reduction in financial fraud complaints.
“Apple’s privacy campaign is self-serving because it wants to tap into the targeted ad industry.” — Huan Tang
Significantly, the study found that trends in the likelihood and number of financial fraud complaints were more pronounced among minorities, women, and younger people, suggesting that these groups are more vulnerable to surveillance and fraud. Those findings contribute to the process of creating new regulations and rules to enhance consumer data protection and privacy, the paper stated.
To isolate CFPB complaints that relate to financial fraud originating from lax data security, the authors used keyword searches to look for indicators such as fraud, scam, or identity theft. They combined those searches with a machine learning method that generates a likelihood of a complaint being related to financial fraud caused by data security issues.
Main Findings of the Study
- A 10% increase in the number of iOS users in a given zip code results in a 3.21% drop in financial fraud complaints from that location.
- About 26% of financial companies listed in the CFPB complaints database own an app, and 11% of them collect and share user data with third parties, such as data brokers, other websites, and advertising networks. The effect of ATT on consumer complaints is more pronounced for companies that are active in the app market, share user data with third parties, or do not encrypt user data in transit.
- Complaints of financial fraud are more likely in categories like credit reporting and debt collection than in others like student loans and mortgages. Specifically, the ATT policy reduced the number of financial fraud complaints about credit reporting and debt collection by 2.48% and 0.61%, respectively, in a zip code that has 10% more iOS users.
- The ATT policy helped reduce money lost in all complaints by 4.7%. Of that, the money lost as reported in internet and data security complaints would be about 40% less with the ATT policy.
“Our results provide compelling evidence in favor of industry-led regulations aimed at constraining consumer surveillance practices,” the paper stated. Tang recently presented her findings to the FTC, which she said is eager to use her paper’s findings in its efforts to frame future regulation on data privacy and security.
“For their cost and benefit analysis, the FTC was interested in the cost to consumers when firms collect an excessive amount of data, but it is very hard to find empirical evidence of that,” she said. “This is where our paper comes in. We provide a point estimate.”
According to Tang, Apple’s efforts at strengthening data privacy for cell phone users have advantages over the European Union’s General Data Protection Regulation (GDPR) that was launched in 2018. She said users have found it cumbersome to navigate the privacy notices of firms that pop up on their screens, especially because they are not standardized and require multiple clicks before they can understand how their data might be used. A CNBC report referred to that experience of users as “consent fatigue.”
The paper pointed to other efforts that are underway to limit data transfers across firms, including Google’s plan to phase out third-party cookies in Chrome by 2024. Similar to the GDPR, laws in Virginia and Connecticut require opt-in consent for sharing sensitive personal information, according to a report by OneTrust, a firm that advises companies on issues including privacy standards. Other privacy laws in California, Colorado, and Utah follow an opt-out mechanism for consent in most areas, it added.