Is Apple lying about privacy?

Apparently, based on this article about the lawsuit in TechCrunch (which in turn links to the Gizmodo article), Mysk is a person. However, the legal filing – all 20 pages of which are embedded in the article, if you scroll down – does refer to Mysk as a “software company”. That’s not surprising; I might refer to “Sanstudio” as a “company” for some purposes, but it’s really just me.

From the TechCrunch article: “…app developers and independent researchers Tommy Mysk and Talal Haj Bakry discovered that Apple was still collecting data about its users across a number of first-party apps even when users had turned off an iPhone Analytics setting that promises to ‘disable the sharing of Device Analytics altogether.’”

By “first-party apps” they apparently mean Apple’s own apps. The TechCrunch article goes into more details, with more links, that I don’t recall seeing in the earlier Gizmodo article.

The legal filing also identifies Elliot Libman as the Plaintiff, and Bursor & Fisher as the law firm/lawyers. The filing even gives their email addresses and phone numbers, if anyone feels like contacting them.

Lots of names being thrown around… but all we really care about is what the claims (in plain English, not legalese) actually mean, and whether, or to what extent, they might be true. And (as I indicated earlier) I’d like to know what Apple’s actual privacy behavior is like compared to Microsoft’s, because (despite being a Mac addict for many years) I could conceivably buy a Windows machine for my next box, save some money, and run most of the same software I do now.

From the TechCrunch article:

“The complaint goes on to detail the researchers’ findings, specifying what data was being collected. Stocks, for instance, was tracking users’ watchlists, the names of stocks they viewed and searched for and news articles they saw in the app and more. And most of the apps shared consistent ID numbers, the suit states, which would allow Apple to track users across its apps.”

Actually, the Stocks app is about tracking how individual stocks are performing on a moment-by-moment basis, as well as what is happening to all the stocks in a user’s portfolio, as well as stocks that are on the user’s radar in a watchlist. The app delivers stock market news stories, trends and analysis based on what’s in your portfolio and what you have been interested in reading and monitoring in a watchlist. They deliver live and historical ticker info, and enable users to check up on how the stocks in their portfolios are actually performing throughout the day, and to monitor how stocks they might be interested in buying are doing, as well as to monitor market and industry trends.

The app also delivers customized news from various sources based on what a user owns and what he or she would be interested in, like the Apple News app does. And they are always upgrading features and developing more. Here’s the latest example:

Apple’s Stocks app works because they accumulate data that allows them to deliver information users need and want. So do Health, Games, News, etc., etc., etc. They do not share or sell the information they accumulate.

That’s where the notes section of password apps comes in handy (it’s harder to remember lies than it is passwords… ;-) Apple does not have my real birthday.

And you know this how? Because Apple says so? Or is there some independent research on this somewhere?

Perhaps the data does identify the person.

A quick Google for “does Apple share your data” turned up 1,970,000 results. The info I quoted was among these results, and the publishers I quoted are from respected, qualified and acknowledged sources. Unfortunately the Mysk bros have not released the scope of their findings, or any information at all about their methodology, sample sizes, scope, etc.

We don’t even know who or what the qualifications of the Mysk bros are. It sounds to me that it might be like “Bill And Ted’s Excellent Adventure”. Just trade in the telephone booth for iPhones.

A search for “Apple violating privacy” turns up 7.1 million results, so there’s that.

3 Likes

I’m sort of losing track of things in this long thread. Earlier someone else challenged me to specifically link to the “mainstream news” I vaguely claimed were covering this story… and I (embarrassed) couldn’t. Now you refer to “respected, qualified and acknowledged sources” you quoted… um, which ones were those? Acknowledged by whom?

The whole point of this story is that maybe there’s some lying (or at least, prevarication) going on. The only way to pin this down is with specific, verifiable, impartial research… which I think none of us have been able to link to… but at this point I’m not even sure about that.

Just to muddy the waters further: this story appeared earlier today on Google News/Technology (is that “mainstream”?) but is already mostly gone from there, except for a few links to other websites, including the updated Gizmodo article (with some more details). I also found (for people wondering about the credibility of the plaintiff/accusers) that the Mysk dudes do have a blog. Their focus seems to be on uncovering privacy/dirt on companies in general, not just Apple. Credible, or just muckrakers? I have no idea.

Some of the tech-site stories about this online have said “Apple didn’t respond to a request for comment” (that’s a Gizmodo quote) or something similar. Here’s my imaginary vision of what’s happening at Apple now:

Apple Marketing Dudes: “We’ll write a strong statement denying everything! Accusing the accusers of everything! Muddy the water so everybody gets bored and turns to the sports page! We can do this!” (After all, bloviating is their profession, right?)

Apple Lawyer Dudes: “Shut your ignorant traps. Nobody at this company will say a goddamned thing until we, the Legal Department, issue a 50-page incomprehensible statement.”

This whole thread, which maybe I shouldn’t have started in the first place, reminds me of a dog chasing its tail… just like much of real life in general. (sigh)

One thing I’ll say is don’t discount the possibility that if there is non-anonymized data being collected, it’s merely an unintentional mistake/bug rather than an intentional skirting of Apple’s intention not to collect such data.

Also that log files on the phone and tablet do not necessarily mean that they were uploaded to Apple.

2 Likes

I’ll admit that I’m rather at sea with this situation too. I don’t necessarily doubt that the security researchers saw some traffic going to Apple, which seems like it shouldn’t happen if the user has flipped that switch. But as Doug said, it seems likely that if that is happening, it’s a bug, not Apple trying to steal this largely uninteresting information for nefarious purposes. If Apple really wanted to do that, it would be game over—we’d never know.

3 Likes

Plus, this worry about Apple potentially receiving data it shouldn’t still pales in comparison with what Meta/Facebook intentionally does at all times. That giant sucking sound you hear is your data disappearing into the maw…

2 Likes

See “Ingestion and Aggregation” in this article to learn how all identifying information is stripped from the upload:

Reportedly, there are only two Apple employees who could possibly get to the data before being anonymized.

1 Like

Statements like that should be taken with a grain of salt.

While there may be only two people whose account can access that data today, there are administrators and update mechanisms which can be used to change the software running on the back-end servers, and an update could make it possible for others to also get access (whether a deliberate design choice, a bug or malware).

One would like to hope that Apple (like any other company running high-profile cloud services) has very strict review mechanisms to prevent any unauthorized code from running on these servers, but mistakes can and do happen (hopefully very infrequently).

2 Likes

Here’s an interesting analysis, pointing to a distinction between “device analytics” and “services analytics” with different policies for each:

1 Like

And there’s some more very disturbing info about Facebook collecting information of hospital patients:

1 Like

I’m happy to take as read that Meta et al are much worse than Apple. That’s one of the reasons why I use the Apple ecosystem. But pointing to other actors as worse still does not answer the question about whether Apple is being deceptive.

3 Likes

I, maybe for one, don’t see any proof of deception so far. I think Apple is upfront about analytics and how they keep them private.

Apple was also upfront about scanning for CSAM, so I’d like a third party to evaluate this.

I just stumbled upon this:

“It is important to highlight that Mysk researchers used a jailbroken iPhone running iOS 14.6 for their tests in order to be able to decrypt the traffic and determine which data are sent back to Apple.

The experts also tested an iPhone running iOS 16, but security measures implemented by Apple could not allow them to “jailbreak” the device to inspect the traffic. Anyway, the experts argue that a jailbroken phone would send the same data as the latest iOS.”

And the Mysk guys just investigated App Store traffic, not everything an iOS user does.

But pointing to other actors as worse still does not answer the question about whether Apple is being deceptive.

I agree. Health data – and the personal tax data that Adam referred to, reportedly being sent where it shouldn’t (such as to Facebook, even if you don’t have an account there) by several tax-preparation companies’ online services – sounds much worse than this Apple stuff.

However, concern with one threat doesn’t preclude concern with the others too. The internet/slang term for that is “whataboutism”. All these things are part of a larger, alarming pattern: it seems like our privacy and security are under assault from every direction.

1 Like