Apple has always been a vocal and outspoken advocate for customer privacy, but its statements may just be a gimmick.
For many years, a widespread belief said that iPhones are among the most secure devices people can buy. For the most part, this is undeniably accurate. This is because the company is pretty much restricting third-parties from accessing too much information about its users.
But how about "first party?" How does Apple collect data?
According to Apple's device analytics policy, it's stated that "none of the collected information identifies you personally."
But according to Tommy Mysk, an app developer and security researcher, who ran the test along with his partner Talal Haj Bakry, Apple is sending sensitive user data to its servers.
Based on their data analysis, the data sent to Apple includes a permanent, unchangeable ID number called a Directory Services Identifier, or DSID.
Apple collects that same ID number along with information for users' Apple ID.
Read: 'First-Party' Trackers, And How Tech Companies Can Still Track People In A Different Perspective
New Findings:
1/6
Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you pic.twitter.com/3DSUFwX3nV— Mysk (@mysk_co) November 21, 2022
What this means, DSID data is directly tied to users' full name, phone number, birth date, email address, iCloud data, and more, according to Mysk’s tests.
"Knowing the DSID is like knowing your name. It’s one-to-one to your identity,” said the researchers.
"All these detailed analytics are going to be linked directly to you. And that’s a problem, because there’s no way to switch it off."
While Apple said that "Personal data is either not logged at all, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they’re sent to Apple," Mysk’s tests show that the DSID and other data are sent to Apple using the same packet as all the other analytics information.
"I think people should be upset about this," Mysk said. "This isn’t Google. people opt for iPhone because they think these kinds of things aren’t going to happen. Apple doesn’t have the right to keep an eye on you."
The argument here is that, Apple might be able to say that an ID number isn’t personal information.
But it's worth noting that according to GDPR, the European privacy law which set the standard for data regulation world wide, defines personal data as any information that "directly or indirectly" identifies a person.
In other words, all sorts of ID numbers are included.
3/6
Apple uses DSID to uniquely identify Apple ID accounts. DSID is associated with your name, email, and any data in your iCloud account. This is a screenshot of an API call to iCloud, and DSID it can be clearly seen alongside a user's personal data: pic.twitter.com/x59lr0AzWf— Mysk (@mysk_co) November 21, 2022
Mysk’s tests showed that analytics for the App Store, for example, includes every single thing users do, including what they tapped on, which apps they searched for, what ads they saw, and how long they are on a given app, and how they found the said app.
The data is then sent in real time, explained Mysk.
To come to this conclusion, the researchers checked their work on two different devices.
First, they used a jailbroken iPhone running iOS 14.6, which allowed them to decrypt the traffic and examine exactly what data was being sent.
Mysk chose this because Apple introduced a privacy setting in iOS 14.5 that allows users to decide whether or not to give their data to individual apps with the prompt "Ask app not to track?"
Second, the researchers also examined a regular iPhone running iOS 16.
In the end, the researchers couldn’t actually examine exactly what data was sent because both iPhones have encryptions as their default security.
However, they found similarities to the tests, in which the same apps were sending similar packets of data to the same Apple web addresses. The data was transmitted at the same times under the same circumstances, and toggling the available privacy settings on and off didn’t change anything.
Read: Apple Is Found Tracking All User Activity While Using The App Store, In Real Time
5/6
This means that your detailed behvior when browsing apps on the App Store is sent to Apple, and contains the ID needed to link the data to you. We showed the extensive details that the App Store sends to Apple in this video,and it is all linked to you: https://t.co/YnDOCHqPLU— Mysk (@mysk_co) November 21, 2022
This suggests that the patterns they found there may be the standard on the iPhone.
The company may not use the data if users turn the related privacy settings off, despite still receiving it, but that’s not how the company explains what the settings do in its privacy policy.
And the thing that makes it confusing, is the way Apple works, in which it seems to be unwilling to explain its practices.
Apple rarely responds to situations like these when its confidentiality claims are questioned.
6/6
It is worth noting that the DSID is also sent by other Apple apps for analytics purposes.
You just need to know three things:
1- The App Store sends detailed analytics about you to Apple
2- There's no way to stop it
3- Analytics data are directly linked to you— Mysk (@mysk_co) November 21, 2022
The findings are worrying, since Apple has spent years marketing itself as a privacy company.
Apple’s marketing campaigns suggest the company’s privacy practices are better than other tech companies.
While Apple does shield its users from third-party apps that wish to siphon their data, there is no way of properly preventing Apple from doing the same.
Apple is making strides to build an advertising empire of its own, built on the personal data of its billions of users even when it promises to not use users' personal data for its own gain.
"I would always allow the app to share analytics with Apple, because I want to help them," Mysk once said. "But I always assumed the data was going to be sent out in an anonymous way."