Apple tracks and identifies users whether they like it or not

Apple privacy policies are central to its publicized ethos – see its ad campaign “what happens on your iPhone, stays on your iPhone.” Or, perhaps what comes to mind is when in 2019 Tim Cook, Apple CEO, refused a request from the FBI to unlock a suspected terrorist’s iPhone because it would make the phones less secure for everyone. For a long time, Apple’s dedication to the security of its users’ data has been a huge selling point. But what if it’s all been false promises?

Some privacy does exist, at least for Apple’s competitors. App Tracking Transparency (ATT) that asks iPhone users if they’ll allow an app to track their usage data has been estimated to have cost Meta US$13 billion in ad revenue; German regulators are investigating whether the feature is anticompetitive. Crucially, Apple privacy isn’t applied when it comes to its own customized ads and users’ data in general.

As far back as 2016, Apple introduced search ads for the app store. The searches that produce these are tracked, with data collected by Apple to show ‘contextual’ ads in its apps. Topics and categories of stories read, publications followed or subscribed to, and which apps have notifications set to ‘on’: all are tracked.

Apple privacy in choices

Maybe it’s not a cause for worry that Apple knows users read the Guardian and it’s possibly convenient being recommended Jay Rayner’s newest podcast. But some data can be more personal, like Apple knowing the pet name one might use for your partner, or the name of the alarm that wakes you up for work. These aren’t paranoid suggestions, but examples of the data that devices send to Apple via Siri and Dictation.

In theory, any information about a user is anonymous, associated with a random identifier not an Apple ID. The advertising system uses not a personal profile but data from a user’s Apple account and Apple’s other services to decide which ads to serve. Plus, users can opt out of analytics when setting up an iPhone, or in Settings (although the user is warned doing so is at great detriment to the quality of Apple-supplied services).  These are all marks in the “innocent” column, and Apple privacy is therefore upheld.

The results are smart, regardless. According to Apple, in Q1 last year, 78 percent of searches in the App Store were for apps that users would have been shown ads for had they turned on personalized advertising. The suggestion, then, is that each iPhone user’s (anonymous) data is analyzed to save the effort of typing a search.

It’s transpired, however, that anonymity and data privacy standards aren’t living up to Apple’s privacy marketing hype.

Unmysked: the apps phoning home

In late 2022, a certain Tommy Mysk (of Mysk Co.) disputed Apple’s privacy claims. Investigations by Mysk showed that the App Store app was sending Apple real-time data on ads viewed, how those apps were found, and even how long a user spent looking at an app. Similar tracking was observed in Apple Music, Apple TV, Stocks and Books. According to Mysk, “the level of detail [collated] is shocking for a company like Apple.”

NEW: A third class action lawsuit filed against Apple and cites our findings. This time Apple is sued for "flagrant violation of consumer privacy"https://t.co/OmjNzkgjVo

— Mysk 🇨🇦🇩🇪 (@mysk_co) January 17, 2023

More revelations followed. Mysk detected no difference in the data tracking of a user who had opted out of data analytics compared with that of someone who had consented. The final blow was the discovery that analysis of data sent to Apple includes a permanent and unchangeable ID number (DSID). The DSID is directly linked to a user’s full name, date of birth, email address, phone number – Tommy Mysk said “knowing the DSID is like knowing your name. It’s one-to-one your identity.”

The issue is twofold. On the one hand, there is an illusion of choice and consent that has been shattered. On the other, the broken promise of anonymity.

Apple has positioned itself as the most secure and private phone OS, but its claims are questionable. At present it seems not to sell or give data to third-parties, but that is, in pure business terms, an untapped revenue stream. If users stop buying Apple hardware as regularly as shareholders would like, we may find that Apple decides to monetize its data assets collected on its “privacy respecting” OS.