A security researcher has discovered that Apple analytics data is collected and sent from iPhones, whether or not users consented during the setup process. The amount of data collected was described by the researcher as “shocking.”
A class action lawsuit has now been filed, which says that Apple’s privacy promises are “completely illusory” …
Background
The discovery was made by developer and security researcher Tommy Mysk, who previously found that many Apple apps bypass VPN connections when sending data to Apple.
He ran his own tests, looking at which IP addresses were being accessed when a VPN was active, and found that many stock Apple apps ignored the VPN tunnel and instead communicated directly with Apple servers.
This means that all the data sent to and from these servers is at risk from snooping by ISPs or hackers operating man-in-the-middle attacks, using easy-to-create fake Wi-Fi hotspots.
Mysk previously discovered that the Mail app on the Apple Watch was not using the Mail Privacy Protection feature. Apple subsequently fixed this.
Apple analytics data sent without consent
Every time you set up a new iPhone, you are asked whether or not you consent to Apple collecting analytics data. If you decline consent, you’d of course expect no analytics data to be sent to Apple.
However, Mysk found that Apple apps were collecting and sending this data regardless of this setting. Indeed, he could see no difference at all in the data sent whether the user had chosen to grant or decline permission.
Mysk initially found this behavior in the App Store app.
The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple.👇This data is sent in one request: (data usage & personalized ads are off).
As the user browses the App Store app, detailed usage data is sent to Apple simultaneously. The data contains IDs to map the behavior to a profile.
Mysk said that both the volume and detail of data would be excessive even with consent, as it included everything needed for device fingerprinting – a technique used by companies like Meta as a workaround to App Tracking Transparency. It should be noted that Apple explicitly forbids such workarounds in its developer guidelines.
The App Store app was sending real-time data on your app searches, the ads you’d seen, how you found the apps you viewed, and even how long you spent looking at an app’s page. Gizmodo points out that even this data can be sensitive – for example, searching for apps related to LGBTQIA+ issues, or abortion. This can be seen in the video below.
The site suggested that Mysk check out other stock Apple apps, and this revealed that the same was true of Apple Music, Apple TV, Books, and Stocks. For example, the Stocks app shared with Apple your watched stocks, as well as the names of other stocks you searched for or viewed – together with the news articles you read in the app.
Class action lawsuit filed
Gizmodo reports that a class action lawsuit has been filed in California.
The lawsuit accuses Apple of violating the California Invasion of Privacy Act. “Privacy is one of the main issues that Apple uses to set its products apart from competitors,” the plaintiff, Elliot Libman, said in the suit, which can be read on Bloomberg Law. “But Apple’s privacy guarantees are completely illusory.” The company has plastered billboards across the country with the slogan “Privacy. That’s iPhone.”
Apple did not immediately respond to a request for comment.
Mysk said that, even with consent, “the level of detail is shocking for a company like Apple,” but it was even more concerning that it happened with or without agreement.
“The way to disable sharing analytics with Apple is unclear,” he told us. “There are personalized ads, personalized recommendations, and sharing iPhone analytics. Switching all these options off is not trivial. When we switched them all off, we didn’t notice any change in quantity or detail of data synced with Apple.”
Apple has already come under fire for its growing ad business, in seeming contradiction to the company’s position that, in an ad-funded business, the customer is the product.