Privacy has become a central theme among major tech companies. Apple and Google present their latest updates as steps toward a safer digital environment where users are better protected against unwanted tracking. But how sincere are these promises? Julia Krämer, PhD candidate at Erasmus School of Law, examined these companies' use of so-called Privacy Enhancing Technologies (PETs) and raised critical questions about the privacy claims made by Apple and Google. Her article on this topic was nominated for the EDPL Young Scholar Award, an annual prize for promising researchers in the field of European data protection law. As a result of her nomination, Krämer's article will be published in the European Data Protection Law Review.
From data leaks to privacy promises
The immediate trigger for Krämer's research was a series of revelations about large-scale mobile tracking. "One notable example occurred last year, when journalists from netzpolitik.org and BNR uncovered datasets circulating online that exposed the location patterns of millions of EU citizens, including individuals working in sensitive sectors such as the military and critical infrastructure," says Krämer. The incident demonstrated how vulnerable users are in a world where apps and mobile operating systems constantly collect data. "This raised my interest in recent initiatives by Apple and Google aimed at enhancing user privacy," Krämer continues. "Both companies have introduced changes to their mobile operating systems, iOS and Android, to limit tracking through the use of Privacy Enhancing Technologies, or PETs. These technologies are already part of our daily lives: VPNs, background blurring during video calls, and end-to-end encryption in messaging apps like Signal or WhatsApp are all examples." Krämer set out to examine whether PETs truly enhance user protection or whether they mainly serve as a way for companies to retain control over data.
Apple and Google: Both gatekeepers and rule-makers
Tech giants like Apple and Google are developing and implementing tools to improve our digital privacy. According to Krämer, this presents a fundamental problem. "Because Apple and Google control both the app store and the underlying mobile operating systems, they are in a unique position to mandate which tools developers should use in their apps and how they function. This dual control reflects their infrastructural power, a concept that captures the deep, often invisible influence these companies exert over the rules, standards, and technologies that structure our mobile phones." This dominant position allows them to shape privacy standards in ways that do not necessarily serve the public interest but rather their own strategic goals. Krämer emphasizes: "Therefore, controlling both platform and the content of privacy rules is problematic."
How PETs work
PETs like Apple's SKAdNetwork and Google's Privacy Sandbox are presented as alternatives to traditional tracking mechanisms. Instead of collecting personal data directly, these technologies group users based on shared characteristics. In doing so, they aim to enable targeted advertising without explicitly identifying individual users. "In very simple terms, when using an app, you generate a lot of personal data. For instance, by putting information in the app yourself, but also just by using it. For targeted advertising personal data is important for two things: first, to tailor an ad to a user's preference, and second, to ensure that this user is the user that interacted with the app," says Krämer. Apple and Google's PETs aim to achieve these goals without directly using personal data. The idea is to place users into anonymous groups and serve ads based on group characteristics.
Why PETs can actually strengthen tech companies' power
However, according to Krämer, this view is overly optimistic. "The problem is that these PETs do not significantly reduce the overall amount of data collected about users. Instead of stopping tracking altogether, they merely shift how it happens." Even sensitive data, such as biometric signals, political opinions, or health information, can still be used for advertising purposes as long as it is not shared externally. Krämer warns: "Tools like SKAdNetwork and the Privacy Sandbox close off certain data flows, but simultaneously open new ones that ultimately reinforce the company's infrastructural power. By controlling both the privacy rules and the platform itself, Apple and Google can shape data governance in ways that protect their business interests, often under the banner of privacy."
Privacy-washing and power consolidation
According to Krämer, a broader public must understand how companies like Apple and Google handle digital tracking. "It is important that people and policymakers can recognize when platforms are engaging in privacy washing, e.g. presenting changes as privacy-enhancing while continuing to allow tracking in more subtle or less visible forms." Despite the limitations that PETs seem to impose, Apple still uses these measures in its marketing to position itself as a privacy-friendly company. Nevertheless, Krämer argues that a critical perspective is necessary. "Understanding how PETs work helps users critically assess whether privacy claims are genuine or primarily driven by strategic branding."
With her research, Krämer hopes to contribute to a better understanding of this dynamic. "Through this paper, I aim to shed light on the tensions that arise when powerful platforms are both the gatekeepers and the rule-makers of digital privacy." Her ultimate goal is clear: "My goal is to encourage a more critical and nuanced examination of new tools, especially when introduced by dominant tech companies. While PETs are promising technologies that can theoretically enhance privacy, their deployment by influential platforms can also be leveraged to consolidate control rather than empower users. I would consider my research successful if it prompts deeper reflection and scrutiny of these dynamics, both in public discourse and in policy-making circles."