13 November 2023

iPhone Privacy ‘Lies’ Exposed Again: Apple Analytics not Anonymous


Apple has been caught lying in a privacy policy. So say the now-notorious security researchers at Mysk.

Apple promised that the “device analytics” sent to its servers were anonymous. But it turns out that’s not true, according to the researchers. Everything you do in Apple apps, such as the Store, transmits an analytics row, containing a field that directly and uniquely identifies you. This field—the DSID—is linked to highly personal information in Apple’s databases.

Everything you do is logged and permanently linked to your identity. In today’s SB Blogwatch, we ponder moving to Android.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Who/Trek cross-references.

No Better Than Google—Perhaps Worse

What’s the craic? Thomas Germain reports—“Apple Says Your iPhone’s Usage Data is Anonymous, but New Tests Say That’s Not True”:

Findings are especially damning
The privacy policy governing Apple’s device analytics says “none of the collected information identifies you personally.” But an analysis of the data sent to Apple shows it includes a permanent, unchangeable ID number called a Directory Services Identifier, or DSID. … Apple collects that same ID number along with information for your Apple ID, which means the DSID is directly tied to your full name, phone number, birth date, email address and more.

According to Apple’s analytics policy, “Personal data is either not logged at all, is subject to privacy preserving techniques … or is removed from any reports before they’re sent to Apple.” But … the DSID, which is directly tied to your name, is sent to Apple in the same packet as all the other analytics information. … The company hasn’t said anything publicly about the apparent contradictions in its privacy promises.

The findings are especially damning given the years Apple spent rebranding itself as a privacy company. Apple’s recent marketing campaigns suggest the company’s privacy practices are supposed to be far better than other tech companies. … But Apple is making strides to build an advertising empire of its own, built on the personal data of its billions of users.


Apple FAIL!!1! But Ben Lovejoy gives Cupertino the benefit of the doubt—“Apple’s promises on analytics anonymity appear to be false”:

A very big deal
As the old saying has it, “Never ascribe to malice that which can be adequately explained by incompetence.” I’m pretty confident that Hanlon’s Razor applies here, and that the reason Apple’s assurances appear to be false is down to error rather than a deliberate intent to deceive. The company simply has too much to lose and too little to gain by any nefarious behavior.

However, as incompetence goes, this does seem pretty high up the scale. Privacy has become a huge part of Apple’s marketing message, so to fail to protect privacy in not one but two major ways is a very big deal. Apple needs to fix this—and fix it fast.

Horse’s mouth? Tommy Mysk and Talal Haj Bakry:

No way to stop it
Apple’s analytics data include … the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you.

Apple states in their Device Analytics & Privacy statement that the collected data does not identify you personally. This is inaccurate. … DSID is associated with your name, email, and any data in your iCloud account.

The DSID is also sent by other Apple apps for analytics purposes. … Analytics data are directly linked to you. … There’s no way to stop it.



What will Apple do about it? devslash0 has no problem predicting:

It’s fairly easy to predict what their response will be. … Their line of defence: … The data contained within the payload sent to the server does not contain any personal information because the dsId field contains jibber-jabber.

They will attempt to completely downplay the fact that it can still be correlated with other data sets and lead to the same result. In other words, “We’re not sending any PII in the traditional sense but don’t try to tell us what we can do or not afterwards.”

Weasel words? And the rest, thinks klabb3:

Apple is basically loopholing all the ****ty adtech engagement surveillance BS that plagues the rest of the industry through the app store, pretending like it’s any other app. Of course they can, but a lot of the hard-line privacy stuff goes down the drain with the hypocrisy.

What bothers me is that Apple really doesn’t have to move in this direction. … They’ve been uniquely positioned to basically do things that nobody else can, because they sell so much expensive hardware. Instead, all mega corps seem to blend together and follow the same playbook. It’s sad.


However, Paul Figueiredo is not at all shocked:

Company lied to take advantage of some bad press for their competitors, choosing to use “privacy” as their holier-than-thou advertising schtick—film at eleven.

Of course every company is collecting your data. The only difference between Apple and Google is that Google admits it. Apple lies about it so that gullible millennials can pretend to be better than everyone while sipping their venti-soy-mocha with “sustainable” coffee beans.

Is there really a big issue here? YES, argues solq:

This is a complete failure of anonymization and a specific breach of trust. I refer you to [the iOS Device Analytics privacy policy]. Right at the top, 2nd sentence in fact, you can read the following, which we now know to be untruthful: “None of the collected information identifies you personally.” If the collected information identifies your iCloud account then it also identifies you personally.

Apple is trusted on privacy and security in excess of their execution record and this issue adds to that.

Meanwhile, ZeroFox explains like we’re 15:

Someone at a high-rise in a major city, somewhere, knows what kind of porn you like.

Security Boulevard
