Apple has long sought to protect the personal data of its customers, but that reputation was probably most cemented in the minds of the public by the way the company stood up to the FBI. Refusing to compromise its stance on iOS security even in the face of a legal demand by the highest federal law enforcement agency in the land sent an extremely strong message.
But Bloomberg yesterday ran a piece questioning Apple’s commitment to privacy …
Entitled Is Apple Really Your Privacy Hero?, the piece argues that Apple looks at only one side of the equation.
For years iPhone app developers have been allowed to store and sell data from users who allow access to their contact lists, which, in addition to phone numbers, may include other people’s photos and home addresses. According to some security experts, the Notes section—where people sometimes list Social Security numbers for their spouses or children or the entry codes for their apartment buildings—is particularly sensitive […]
When developers get our information, and that of the acquaintances in our contacts list, it’s theirs to use and move around unseen by Apple. It can be sold to data brokers, shared with political campaigns, or posted on the internet. [A new rule added last month] forbids that, but Apple does nothing to make it technically difficult for developers to harvest the information.
It even accuses Apple of misleading iOS users.
Apple has built in two direct consumer controls: one, when you agree to share your contact information with the developer; and the other, when you toggle the switch in your settings to deny that permission. But neither is as simple as it seems. The first gives developers access to everything you’ve stored about everyone you know, more than just their phone numbers, and without their permission. The second is deceptive. Turning off sharing only blocks the developer from continued access—it doesn’t delete data already collected.
The irony here is that Facebook’s carelessness in allowing third-party companies access to the personal data of people who didn’t consent to it – the friends of people who participated in ‘personality surveys’ – has effectively raised the stakes of what we now demand of companies.
It’s no longer enough for Apple to talk only about its own use of our data. Just as Facebook had to accept responsibility for the actions of Cambridge Analytica, because the social network made it possible for the political consultancy to obtain the data, so Bloomberg asks Apple to accept responsibility for the data it allows developers to gather.
I do think Bloomberg’s Sarah Frier makes a good point. Anyone who makes extensive use of the Notes field might have a lot of sensitive information about individuals, and if I’m in your contacts list and you share your contact information with an app developer, Apple doesn’t seek my consent to my details being shared.
Frier makes a couple of specific suggestions. First, when a user agrees to share contact data, only allow access to phone numbers and email addresses. Second, allow users the option to encrypt data for certain contacts.
Her broader point, though, is that Apple doesn’t currently even know what developers do with our data. And that is exactly what got Facebook into such hot water.
I don’t doubt that Apple’s commitment to privacy is genuine. But the company isn’t perfect. It already had to boost its privacy standards to comply with Europe’s GDPR privacy law, and the Facebook mess shows that there’s also a need to look beyond what Apple itself does with our data, and be proactive in limiting what developers can do with it.