Apple Device Analytics Contain Identifying iCloud User Data, Claim Security Researchers

[MacRumors]

A new analysis has claimed that Apple's device analytics contain information that can directly link information about how a device is used, its performance, features, and more, directly to a specific user, despite Apple's claims otherwise.

On Twitter, security researchers Tommy Mysk and Talal Haj Bakry have found that Apple's device analytics data includes an ID called "dsId," which stands for Directory Services Identifier. The analysis found that the dsId identifier is unique to every iCloud account and can be linked directly to a specific user, including their name, date of birth, email, and associated information stored on iCloud.

https://twitter.com/x/status/1594515229915979776

On Apple's device analytics and privacy legal page, the company says no information collected from a device for analytics purposes is traceable back to a specific user. "iPhone Analytics may include details about hardware and operating system specifications, performance statistics, and data about how you use your devices and applications. None of the collected information identifies you personally," the company claims.

In one possible differentiator, Apple says that if a user agrees to send analytics information from multiple devices logged onto the same iCloud account, it may "correlate some usage data about Apple apps across those devices by syncing using end-to-end encryption." Even in doing so, however, Apple says the user remains unidentifiable to Apple. We've reached out to Apple for comment.

Apple has historically taken a hard stance on user privacy, repeatedly claiming it believes privacy is a "fundamental human right." Apple's privacy claims have been under increasing scrutiny in recent months, with the company now facing a class action lawsuit accusing it of tracking users without their consent.

Article Link: Apple Device Analytics Contain Identifying iCloud User Data, Claim Security Researchers

 

[Eldaerenth Faexidor]

I feel pretty safe, still.

 

[steve09090]

can be linked directly to a specific user, including their name, date of birth, email, and associated information stored on iCloud

Doesn't mean it IS linked. Context is everything and it’s only a guess at this stage. It’s a nothing story at this point.

 

[gpat]

can be linked directly to a specific user, including their name, date of birth, email, and associated information stored on iCloud

Doesn't mean it IS linked. Context is everything and it’s only a guess at this stage. It’s a nothing story at this point.

You can't be serious.

 

[madmin]

More reports like this are coming out lately, while Apple keeps quiet. They should probably do an announcement to clarify exactly what they do and don't do and what (if anything) has changed, for the sake of openness.

 

[solq]

I always turn off device analytics. There's no reason to upload personal usage data to Apple, especially as it can increase your exposure to security issues.

 

[moons_mooniverse]

I would like to refer to this thread regarding the privacy discussion:

https://forums.macrumors.com/threads/its-not-about-privacy-for-apple.2356000/

 

[WiiDSmoker]

I always turn off device analytics. There's no reason to upload personal usage data to Apple, especially as it can increase your exposure to security issues.

Really should be off by default if Apple actually cares about privacy instead of saying they care about privacy.

 

[steve09090]

You can't be serious.

Where does it say that Apple are linking a persons id and details to the cloud?

 

[0924487]

I have been debating this and have it on and off for a long time now.

From now on, I will turn it off for good.

 

[moons_mooniverse]

When you visit apple.com using Safari, Safari says there is no Analytics Tracker like Google analytics or Facebook pixel.

(The once that safari is preventing to fire off).

But when you use another Browser let’s say DuckDuckGo you can see that Apple has its own tracker enabled.

 

[moons_mooniverse]

Really should be off by default if Apple actually cares about privacy instead of saying they care about privacy.

True. Same as “Ask App not to track” was enabled by Apple as default for so many years.

Also the old default “App is allowed to track” was created by Apple.

It was not Facebook who hacked your phone to track you. It was Apple giving your data to Facebook by default.

Now that companies depending on it, they started to turn it off by default and needs user explicit permission to enable. “Ask App not to track”

 

[Skyuser]

Personal data is not logged at all, is jubject to privacy preserving techniques such as differencial privacy, or is removed from any reports before they're sent to Apple.

Perhaps the reports displayed in the Analytics & Improvements section are not the final version that's sent to Apple. There may be an on-device screening procedure before these data are sent.

 

[3530025]

can be linked directly to a specific user, including their name, date of birth, email, and associated information stored on iCloud

Doesn't mean it IS linked. Context is everything and it’s only a guess at this stage. It’s a nothing story at this point.

Where does it say that Apple are linking a persons id and details to the cloud?

You really can't be serious. The fact alone that IT IS identifiable is problem from the privacy perspective. If you don't understand that, you don't understand the privacy at all.

If I would record cars passing by some point while keeping information about
- registration plate
- rest of the car
- cell phone number of all phones passing by at the same time

while censoring the actual face in the photo. That's the similar thing like this case. Would you call it good privacy? With all these information gathered, you are able to link cars to people pretty reliably.

 

[Shirasaki]

Not terribly surprised that Apple Is collecting all sorts of data. Apple‘s customer base Is far more valuable than google ones, thus It makes sense to keep the illusion to keep the Customer loyalty high.
Now I wonder where some of those apple customers would go. This is what duopoly can bring to us.

 

[NightFox]

You really can't be serious. The fact alone that IT IS identifiable is problem from the privacy perspective. If you don't understand that, you don't understand the privacy at all.

If I would record cars passing by some point while keeping information about
- registration plate
- rest of the car
- cell phone number of all phones passing by at the same time

while censoring the actual face in the photo. That's the similar thing like this case. Would you call it good privacy? With all these information gathered, you are able to link cars to people pretty reliably.

Some people's privacy concerns are based on capability, others are based on intent. I've long learned that it's a very personal thing that you just have to respect.

 

[symphony1010]

Time to buy an electric typewriter!

 

[JonaM]

The story is based upon App Store analytics data feed - the App Store app has to know who you are as any Apps purchased are linked to your account, so there *may* be some confusion here between the analytics referenced in the privacy policy and the one you turn on and off in settings, and the data exchanged between the App Store app and Apple whilst browsing/buying apps.

I'll wait for more detail before declaring evil

 

[vegetassj4]

Et tu Tim Apple?

 

[nistromo]

Madness that you can say "toaster" around another manufacturers devices and suddenly you see toasters everywhere but no one investigates this.

Apple gives you a screen about analytics when you setup the device - details here...

Legal - Device Analytics & Privacy- Apple

Data & Privacy

www.apple.com

"If you agree to send Analytics information to Apple from multiple devices that use the same iCloud account, we may correlate some usage data about Apple apps across those devices by syncing using end-to-end encryption. We do this in a manner that does not identify you to Apple."

 

[laszlo182]

I always turn off device analytics. There's no reason to upload personal usage data to Apple, especially as it can increase your exposure to security issues.

read the article

 

[steve09090]

The story is based upon App Store analytics data feed - the App Store app has to know who you are as any Apps purchased are linked to your account, so there *may* be some confusion here between the analytics referenced in the privacy policy and the one you turn on and off in settings, and the data exchanged between the App Store app and Apple whilst browsing/buying apps.

I'll wait for more detail before declaring evil

Agreed. People need to actually read and understand the article before they jump to conclusions that aren’t there.

 

[Wildkraut]

I hope the EU comes up with a huge fine, Apple needs a lesson.

 

[tomnavratil]

Interesting find - security researchers are not praised enough, hopefully Apple increases the bug bounty program as the new website is nice but doesn't do much.

Regarding the findings, one issue is that we do not know what the payload is when these are send to Apple. These can be easily stripped, made pseud-oanonymous or completely anonymous or even mixed and processed in a more complex way. Not saying that's the case but I'd be careful about making a story out of these findings alone.

Apple should however make a technical comment on the findings, that's for sure and release a statement outlining, in more plain language, the process behind this collection and processing and align that with the iOS settings so users can make up their own mind.

 

[tomnavratil]

Agreed. People need to actually read and understand the article before they jump to conclusions that aren’t there.

First day on the internet?

On a serious note, this is becoming an alarming trend where people even share information they haven't fully processed nor understood.