Apple’s promises of privacy: Are iPhones as secure as the company claims?

“Privacy. That’s Apple.” The Cupertino company’s famous slogan could be in trouble. Two Mysk software researchers claim that Apple collects personal information from iPhone usage data even when the company explicitly promises not to do so. According to Mysk’s findings, the company knows and can identify the specific behavior of users in Apple’s own apps. EL PAÍS has contacted Apple, which provided no comment on the matter at this time.

Tommy Mysk and Talal Haj Bakry, independent researchers at Mysk, analyzed Apple apps and the usage data they send to the company’s servers. “We focused on the App Store because users have no other alternative for downloading and installing apps on iOS,” says Mysk. He adds that other apps, including Apple Books, iTunes Store, Apple Music and Apple TV, send similar data to the tech giant.

Some of this information includes “what a user does in these apps, what they view, when they view it, and for how long.” For example, according to Mysk, the App Store usage data records how many milliseconds a person spends reading a specific app’s privacy section. All of this data can be useful for developers in improving their apps. But Mysk notes that they typically ask users for permission to collect the data and also anonymize it so that a user cannot be personally identified.

On its web page about iPhone analytics, Apple states that none of the information it collects identifies the user: “Personal data is not logged, is subject to privacy protection techniques (such as differential privacy) or is removed from reports before being sent to Apple.” But Mysk says that data sent to the company includes a permanent, immutable identification number called a directory services identifier, or DSID. This number “can personally identify a user,” because it “is associated with their name, email and any data in their iCloud account.” It is unclear what exactly Apple does with the data and whether it separates the personal identification from other information.

The researchers performed these tests on a jailbroken iPhone (meaning that the phone allows for the removal of some Apple-imposed limitations) with the iOS 14.6 operating system to decrypt the traffic and examine what data was sent to Apple. They also tested a cell phone that runs iOS 16, the latest operating system. In the latter case, the researchers were unable to decrypt the data. Nevertheless, they claim that they detected a similar network traffic pattern, so they believe that it is “very likely that the App Store is sending the same data.”

A dead end?

Mysk says that Apple collects this information even when the iPhone’s “Share iPhone analytics” setting is disabled, despite the tech company’s promises to “disable the sharing of device analytics data completely.” Mysk points out that “the policy is ambiguous and gives users the impression that disabling device analytics would also disable usage data and app analytics.”

The researchers note that users cannot prevent Apple applications from collecting usage data and linking it to their identity. Samuel Parra, a lawyer who specializes in technology law, says that users could respond to this possible violation of their privacy by filing a complaint with regulatory bodies. In fact, one user, Elliot Libman, filed a class action lawsuit against Apple, “on behalf of himself and everyone else in a similar situation,” in a California federal court for precisely this reason.

A crisis of confidence?

Apple often boasts that privacy is one of the company’s main priorities, and it uses that claim to distinguish itself from the competition. So, where does the Mysk research findings leave the tech giant? “First of all, from the perspective of Apple as a brand that apparently prioritizes privacy, [doing] that would be a violation of its customers’ trust,” says Parra.

In addition, the information that Apple allegedly collects without the user’s consent or knowledge “would make it possible to create very precise profiles about tastes, preferences, political ideology and even health,” which, as Parra points out, could be used to manipulate users’ preferences. For example, the data could be employed to change users’ minds in a particular political context. “What Cambridge Analytica did showed us that, if we know the users, it is quite possible to shape them according to the interests of the highest bidder, even in issues related to political ideology,” he observes.

The researchers’ findings could also affect Apple’s reputation in the future, Álvaro Orts Ferrer, a privacy lawyer and the director of Orts Consultants, says: “If what the Mysk company claims is true and if Apple’s policies assure us that it does not collect personal data, we would not only be dealing with a violation of the Apple user agreement –and therefore a legal violation – but also significant reputational damage.”

Parra agrees and wonders: “Will we believe similar messages from Apple again?” The situation might also go beyond Apple itself. “The big corporations could be sending a message to society that is not reassuring: whatever you do, we are watching you. Because I get the feeling that if someone can spy on us, they will,” says the expert.

For his part, Mysk argues that “a company that believes that privacy is a fundamental human right should describe its ‘many’ privacy statements much more clearly.” He also emphasizes that the company collects too much user data and should provide an option to prevent it. “[Apple’s] privacy statements sound more like they were written by Google, Meta or TikTok,” he says.

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition