Apple’s privacy game is getting it in trouble…again
Apple has been referred to as the brand built on privacy, but it has nevertheless been exposed to a number of data breaches. In April this year, the Israeli firm Pegasus Spyware hacked iPhones belonging to human rights activists, lawyers and journalists. In the latest round of problems for the company, a report has brought new claims against Apple.
Tommy Mysk and Talal Haj Bakry, iOS developers and security researchers, detailed that contrary to what Apple wants us to believe, it is actually collecting user information. The findings have landed Apple in a new lawsuit for breaching users’ privacy even when the sharing of analytics is turned off in the settings.
In their report, Mysk and Bakry showed that Apple’s analytics data includes an ID called “dsId,” which upon verification was found to be a Directory Services Identifier. The ID number uniquely identifies an iCloud account, so when an API call is made to iCloud, the dsId, along with the username, email and all data associated with the user’s iCloud account, is sent to Apple.
Thus, all user activity on the App Store – including metrics about the app viewed and the duration of the app view – is sent to Apple even when personalized recommendations and sharing of usage data are turned off. Additionally, they confirmed that the same identifier was used for Apple Music and other company services.
Apple’s privacy game
However, these findings, seen against the background of recent privacy updates from Apple, paint a different picture. In August 2022, Apple revealed that it would bring ads to pre-installed apps like Books, Maps, Podcasts and others on its devices. In addition, it tested placing ads in Maps to recommend nearby shops, restaurants or businesses.
The move showed that Apple intends to push hard on advertising, taking advantage of its App Tracking Transparency (ATT) policy, which gives users the choice to prevent third-party applications from collecting their data. ATT was a big blow to companies like Meta and Google, which in their latest quarterly results reported a big drop in revenue due to dismal advertising spending.
In fact, Search Ads, Apple’s platform for advertisers to host campaigns in the App Store, has tripled its market share since the first half of 2020, according to AppsFlyer. Apple Search Ads work on a cost-per-tap (CPT) model, meaning that advertisers only pay if users engage with the ad. Apple promotes these apps every time users come to the App Store or search for something specific. One could connect the dots here and argue that Apple is certainly tracking user activity so that it shows only those ads a user is more likely to click, making the CPT model a profitable bet.
Breach of privacy?
Although Apple should be held responsible for breaches of the privacy rules, Mysk and Bakry’s thesis appears to have some loose ends on closer inspection. Mysk and Bakry cite an excerpt from Apple’s Device Analytics & Privacy statement, which states: “none of the information collected identifies you [the user] personally”, to show how having a unique identification number is a clear violation of privacy rules.
However, the rules that apply to Device Analytics do not apply to Apple’s services, which have a completely different policy. For example, in the App Store & Privacy document published in September 2022, the guidelines are quite clear. It says that Apple will have an overview of the browsing history, searches, downloads and purchases stored with a unique identifier, IP address and Apple ID to enable personalized recommendations, as well as to offer relevant ads on the App Store, Apple News and Stocks. In addition, Apple will also collect information about the number of phone calls and emails sent and received to identify and prevent fraud.
Device analytics vs service analytics
Nick Heer, writer at Pixel Envy, also points out that device analytics is distinct from services analytics. The Device Analytics Policy allows Apple to collect data about iPhone performance and about how users use their devices and applications, without this information personally identifying them. However, it is not clear whether Apple collects personal data outside of bug reports and crashes, which are said to fall under “privacy preservation techniques such as differential privacy protections”.
The federated learning based on Apple’s differential privacy is built for utility applications, and generally to improve the user experience. In this model, the data collected from a user’s input is randomized before being sent to a central server. After that, the randomized information is aggregated into groups and processed by private algorithms.
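The randomize-then-aggregate flow described above can be illustrated with classic randomized response, a textbook local differential privacy mechanism. This is an added example, not code from the article or from Apple, and it does not model Apple's actual mechanism; the function names, the epsilon value and the simulated population are assumptions.

```python
import math
import random

def keep_probability(epsilon: float) -> float:
    """Probability that a device reports its true bit (higher epsilon = less noise)."""
    return math.exp(epsilon) / (math.exp(epsilon) + 1.0)

def privacy_ratio(epsilon: float) -> float:
    """Worst-case likelihood ratio of one report under the two possible true values."""
    p = keep_probability(epsilon)
    return p / (1.0 - p)  # equals e**epsilon, the local differential privacy bound

def randomize(bit: bool, epsilon: float, rng: random.Random) -> bool:
    """Device side: send the true bit with probability p, otherwise the flipped bit."""
    return bit if rng.random() < keep_probability(epsilon) else not bit

def estimate_rate(reports: list, epsilon: float) -> float:
    """Server side: debias the share of True reports to estimate the real rate."""
    p = keep_probability(epsilon)
    observed = sum(reports) / len(reports)
    # E[observed] = rate*p + (1-rate)*(1-p); solve for rate.
    return (observed - (1.0 - p)) / (2.0 * p - 1.0)

def simulate(n_users: int = 100_000, true_rate: float = 0.30,
             epsilon: float = 1.0, seed: int = 7) -> dict:
    """Constructed population: each user holds one private yes/no attribute."""
    rng = random.Random(seed)
    truth = [rng.random() < true_rate for _ in range(n_users)]
    reports = [randomize(b, epsilon, rng) for b in truth]
    flipped = sum(t != r for t, r in zip(truth, reports)) / n_users
    return {
        "actual_rate": sum(truth) / n_users,
        "raw_report_rate": sum(reports) / n_users,
        "estimated_rate": estimate_rate(reports, epsilon),
        "share_of_reports_flipped": flipped,
    }

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value:.4f}")
```

The server recovers the population rate closely even though roughly a quarter of the individual reports are false, which is why no single report can be trusted as a statement about its sender.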
In this way, Apple has been able to play a safe game, avoiding falling into privacy gray areas by drawing a fine line between device and app privacy narratives. That’s where all the confusion starts, and all hell breaks loose.