You really can't be serious. The fact alone that IT IS identifiable is a problem from the privacy perspective. If you don't understand that, you don't understand privacy at all.

If I would record cars passing by some point while keeping information about
- registration plate
- rest of the car
- cell phone number of all phones passing by at the same time

while censoring the actual face in the photo. That's a similar thing to this case. Would you call it good privacy? With all this information gathered, you are able to link cars to people pretty reliably.
No. There is an ID identifier. Nowhere does it say it is linked to a name and address. Read the article again.

Do you know what a Directory Services Identifier is?

The other rubbish about mobile phone numbers etc is irrelevant because nowhere does it even allude to being able to read the contacts of the iCloud.
 
The other rubbish about mobile phone numbers etc is irrelevant because nowhere does it even allude to being able to read the contacts of the iCloud.
Well, Apple can, for sure. So they can cross-reference your device analytics to your iCloud account. This is the opposite of their claim of anonymizing the device analytics.

The difference is between "we know how our customers as a group use their devices" vs "we know the individual use pattern of each customer".
 
What article?
Probably better to read the source Twitter thread and attached video.

They did this on iOS 14.6 apparently, so whilst it might be the same on iOS 16, it also might not be. But probably is.

What I read is that Apple sees an identifier of your iCloud when using the App Store, and has nothing to do with other data you may use in any app, other than the App Store. Whether it can identify you, is unknown and only implied.
 
Well, Apple can, for sure. So they can cross-reference your device analytics to your iCloud account. This is the opposite of their claim of anonymizing the device analytics.

The difference is between "we know how our customers as a group use their devices" vs "we know the individual use pattern of each customer".
Based on what knowledge that you have?

So, by saying 'for sure' actually means nothing without something to back it up. Can they really cross reference your device to your iCloud account? Really? How do you know?

I'm sorry, but whilst it’s healthy to have a certain level of skepticism, I can’t see where the evidence is.

And by "use pattern" are you saying they know what apps you have downloaded? Well yeah, that’s the point of the App Store.
 
Probably better to read the source Twitter thread and attached video.

They did this on iOS 14.6 apparently, so whilst it might be the same on iOS 16, it also might not be. But probably is.

What I read is that Apple sees an identifier of your iCloud when using the App Store, and has nothing to do with other data you may use in any app, other than the App Store. Whether it can identify you, is unknown and only implied.
I read the source. @laszlo182 used the word "article" so I asked for clarification.

If device analytics use some ID that's unique and can be correlated with your iCloud account, then this is clearly an anonymization failure. Whether intended or not, whether Apple actually correlates or not is beside the point and unanswerable given the information we know.

In any case, the sane security practice is to turn off analytics.
 
Based on what knowledge that you have?

So, by saying 'for sure' actually means nothing without something to back it up. Can they really cross reference your device to your iCloud account? Really? How do you know?

I'm sorry, but whilst it’s healthy to have a certain level of skepticism, I can’t see where the evidence is.

And by "use pattern" are you saying they know what apps you have downloaded? Well yeah, that’s the point of the App Store.
I will refer you to https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf

If you look at page 11, section J, you'll see that Apple DOES have access to your iCloud data, since they're able to share it with law enforcement. Most telling is "Apple retains the encryption keys in its U.S. data centers", so they clearly have both the encrypted data and the encryption keys, which means they have full access to your iCloud data.
 
I read the source. @laszlo182 used the word "article" so I asked for clarification.

If device analytics use some ID that's unique and can be correlated with your iCloud account, then this is clearly an anonymization failure. Whether intended or not, whether Apple actually correlates or not is beside the point and unanswerable given the information we know.

In any case, the sane security practice is to turn off analytics.
Yeah I agree with you there. It does show though, that a security expert is able to get a pretty random number through whatever means they are doing it and show that the random number associates with an iCloud that is probably super protected from others.

So I can’t really see that it’s a breach, but rather a single example, being the App Store that doesn’t allow for turning off analytics in that single example.

Maybe it’s required in the system, maybe it’s some kind of oversight, or maybe Apple are doing things wrong. They should probably address it, but I can’t see any evidence that it is nefarious.
 
I will refer you to https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf

If you look at page 11, section J, you'll see that Apple DOES have access to your iCloud data, since they're able to share it with law enforcement. Most telling is "Apple retains the encryption keys in its U.S. data centers", so they clearly have both the encrypted data and the encryption keys, which means they have full access to your iCloud data.
Sure. But this is a number that is available through security tunnelling of some kind that links an App Store query to an iCloud number. What is actually the problem here?

But notwithstanding all of that, they’re hardly trawling your data in the way Google are. This is a very very minor issue in my opinion.
 
Time to buy an electric typewriter!

or go back to one of these: (yes, this photo was taken a few days ago, and it still works, 25 years later)

IMG_2547 (1).JPG
 
What is actually the problem here?
I explained what the problem is. If indeed Apple intended to anonymize analytics data, as they claim, it's an anonymization failure which enables Apple (or possibly some other actor) to associate the device analytics data to an individual user.

Comparing this to Google is neither here nor there. Whether you trust Apple or not is irrelevant.

It's a privacy flaw in the way Apple designed the collection of analytics. A rather glaring flaw, if you ask me. If you want anonymization, you shouldn't even think about at most completely random report identifiers.
 
I explained what the problem is. If indeed Apple intended to anonymize analytics data, as they claim, it's an anonymization failure which enables Apple (or possibly some other actor) to associate the device analytics data to an individual user.

Comparing this to Google is neither here nor there. Whether you trust Apple or not is irrelevant.

It's a privacy flaw in the way Apple designed the collection of analytics. A rather glaring flaw, if you ask me. If you want anonymization, you shouldn't even think about at most completely random report identifiers.
How can you have completely random iCloud identifiers? The flaw is that a security expert found out that the App Store ONLY attaches to an iCloud number. It’s not a security flaw, it’s a number that means nothing to anyone.

Unless an unknown actor can hack Apple's systems to find that a number associates to a specific iCloud account and then is able to bypass all iCloud security, once getting through Apple's servers, get the encryption keys for that iCloud account and access the data, then and only then would it be a problem. Because they would be able to see what App someone looked at downloading.

As I said. A very very minor issue.
 
I have always been a person that prepares for the worst and hopes for the best. I have never fully trusted any "for profit" corporations with my security and my privacy, so I have always checked all security & privacy settings when I get a device and checked them again after updates & upgrades. Just remember stockholders always want more revenue and more profit - that usually causes corporations to find creative ways to make more revenue & profit from existing customers.
 
How can you have completely random iCloud identifiers? The flaw is that a security expert found out that the App Store ONLY attaches to an iCloud number. It’s not a security flaw, it’s a number that means nothing to anyone.

Unless an unknown actor can hack Apple's systems to find that a number associates to a specific iCloud account and then is able to bypass all iCloud security, once getting through Apple's servers, get the encryption keys for that iCloud account and access the data, then and only then would it be a problem. Because they would be able to see what App someone looked at downloading.

As I said. A very very minor issue.
You misunderstood and perhaps I didn't explain it well. If Apple wanted to send some sort of report ID, they should have randomized it like a UUID.

As for it being a minor issue, that's a value judgement. If you had some experience in data anonymization you'd have a completely different outlook on this :) This is a complete failure of anonymization and a specific breach of trust on Apple's side. I refer you to https://www.apple.com/legal/privacy/data/en/device-analytics. Right at the top, 2nd sentence in fact, you can read the following, which we now know to be untruthful: "None of the collected information identifies you personally." If the collected information identifies your iCloud account then it also identifies you personally.

I think Apple is trusted on privacy and security in excess of their execution record and this issue adds to that. Now whether you trust them more is completely up to you.
 
You misunderstood and perhaps I didn't explain it well. If Apple wanted to send some sort of report ID, they should have randomized it like a UUID.

As for it being a minor issue, that's a value judgement. If you had some experience in data anonymization you'd have a completely different outlook on this :) This is a complete failure of anonymization and a specific breach of trust on Apple's side. I refer you to https://www.apple.com/legal/privacy/data/en/device-analytics. Right at the top, 2nd sentence in fact, you can read the following, which we now know to be untruthful: "None of the collected information identifies you personally." If the collected information identifies your iCloud account then it also identifies you personally.

I think Apple is trusted on privacy and security in excess of their execution record and this issue adds to that. Now whether you trust them more is completely up to you.

How does it actually identify you personally? It identifies a number which may or may not be directly associated with an iCloud account. It may also refer to a number that leads to an encrypted identifier to an iCloud account for all we know.

As I said earlier. There are 3 possible reasons for this that I can think of, which none of us are actually aware. I doubt it was deception, and more likely a failure of systems. I can’t see this hurting me, and whilst I don’t trust anything on the internet to be actually safe, my value judgement is that it is a minor issue, but still one that needs to be addressed by Apple.

Is it good enough by Apple? No, probably not. Did Apple knowingly lie to us? Also, probably not. Maybe if we had more facts than half-baked, parochial reporting (suggesting contacts details could be linked to it), we’d be wiser.
 
How does it actually identify you personally? It identifies a number which may or may not be directly associated with an iCloud account.
No, it's pretty clear. There's an identifier sent in the analytics report that identifies the iCloud account associated with the device, and I would say most people's iCloud account directly identifies them, since Apple directly keeps or correlates the iCloud account with a user's identity including contacts (which has a "you" section, including your phone number and home address) as well as payment methods etc. Tons of stuff.

The only way to avoid this - maybe - is to create your iCloud account with a fake name and preferably disposable, anonymized email address, never add payment information or any personal data, and obviously don't use iCloud for anything like photos, email, documents etc that could be traced back to you, which really means not using it at all (including avoiding iCloud backups).

For most people (I'd wager 99%) their iCloud account and whatever else user-based info Apple keeps will easily point to them because there will be enough personal information there.
 
I always turn off device analytics. There's no reason to upload personal usage data to Apple, especially as it can increase your exposure to security issues.
I don’t think it’s possible to turn off analytics. There’s only an option to stop sharing them.
 
No, it's pretty clear. There's an identifier sent in the analytics report that identifies the iCloud account associated with the device, and I would say most people's iCloud account directly identifies them, since Apple correlates the iCloud with a user's identity including contacts (which has a "you" section, including your phone number and home address) as well as payment methods etc. Tons of stuff.

The only way to avoid this - maybe - is to create your iCloud account with a fake name and preferably disposable, anonymized email address, never add payment information or any personal data, and obviously don't use iCloud for anything like photos, email, documents etc that could be traced back to you, which really means not using it at all (including avoiding iCloud backups).

For most people (I'd wager 99%) their iCloud account will easily point to them because there will be enough personal information there.

This is the point where more technical information is needed because there is a chance (and I've seen that deployed across larger enterprise systems) where that information gets anonymized throughout the process before it's stored (and you still limit access to it through the principle of least privilege and so on).

That's why I think it's critical for Apple to comment on this before everybody jumps to conclusions. I'm not saying they are innocent in this but making conclusions based on certain data points on older iOS is far from ideal.
 
No, it's pretty clear. There's an identifier sent in the analytics report that identifies the iCloud account associated with the device, and I would say most people's iCloud account directly identifies them, since Apple directly keeps or correlates the iCloud account with a user's identity including contacts (which has a "you" section, including your phone number and home address) as well as payment methods etc. Tons of stuff.

The only way to avoid this - maybe - is to create your iCloud account with a fake name and preferably disposable, anonymized email address, never add payment information or any personal data, and obviously don't use iCloud for anything like photos, email, documents etc that could be traced back to you, which really means not using it at all (including avoiding iCloud backups).

For most people (I'd wager 99%) their iCloud account and whatever else user-based info Apple keeps will easily point to them because there will be enough personal information there.
And someone could easily access this personal contact information by getting an iCloud identifier like those they found?
 
Same as “Ask App not to track” was enabled by Apple as default for so many years.
That's not true. The switch that allows apps to ASK if you want them to track or not is on by default, but each app has to explicitly ask. This feature is also quite new, so I don't know where your "many years" comes from.
 
This is the point where more technical information is needed because there is a chance (and I've seen that deployed across larger enterprise systems) where that information gets anonymized throughout the process before it's stored (and you still limit access to it through the principle of least privilege and so on).

That's why I think it's critical for Apple to comment on this before everybody jumps to conclusions. I'm not saying they are innocent in this but making conclusions based on certain data points on older iOS is far from ideal.
Of course but Apple is a fairly opaque company when it comes to security stuff. They say "trust us, we're looking out for your best interest and not our profit" and most people are happy to do so.

Whether you trust them to anonymize a data report originating from your device after they receive it, when they can clearly use it to identify you, even when they say it cannot be used like that, is up to you.

iOS 14.6 is just a year and a half old. Plus, these guys say it's likely this behaviour persists in iOS 16.

You can ascribe malicious or incompetent behaviour as seems more appropriate to you. I personally go with incompetent unless I have reason to believe otherwise. I mean, at some point iOS code completely failed SSL certificate validation (as in, validated anything) because of an if fall-through, which to me was interesting not as much as the bug per se, critical as it was, but the complete lack of regression testing in the SSL certificate validation which should have caught such a bug in pre-release stage. This indicated at the time a very shoddy software development process, especially in respect to sensitive security code.

If you know One Punch Man, there's a character called King who's widely believed to be the strongest man alive and an extraordinary super-hero, when in reality he's completely ordinary and a coward. But he's got a very serious look and he's almost always silent and this lets everyone project their imagination on the character. It's extremely funny.

I feel that Apple's security and privacy reputation are based on obscurity on their side and projection on the user's side.

And someone could easily access this personal contact information by getting an iCloud identifier like those they found?
Well, Apple can for sure. They say that analytics data are not personally identifiable (I quoted you their own document) but this appears to be incorrect. Apple has everything it needs to make the connection, since they send analytics reports with uniquely identifiable iCloud ids.

I understand this is not an issue for you, perhaps you'd be happy to share analytics which can be traced back to you (most people wouldn't care).

It doesn't mean it's a non issue :) Your logic is a little circular: you trust Apple in respect to privacy, but when it is revealed that something Apple does is not as they say it is, you nevertheless don't think it's an issue because you trust Apple in respect to privacy.
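
The linkability argument running through this thread, as an added example that is not part of any poster's message and is not Apple's code: it tags the same constructed analytics events with a stable account ID, a hash of that ID, and a per-report random UUID, then checks what a party holding the account directory can recover. The account numbers, e-mail addresses, events and function names are all hypothetical.

```python
import hashlib
import uuid
from collections import defaultdict

# Constructed sample data: the account directory the service operator holds.
ACCOUNTS = {"1000001": "alice@example.com", "1000002": "bob@example.com"}

# Constructed analytics events: (account ID present on the device, event).
EVENTS = [
    ("1000001", "search:vpn"),
    ("1000002", "view:game"),
    ("1000001", "view:health-app"),
    ("1000001", "tap:install"),
]

def tag_stable(account_id):
    """Report carries the account identifier itself."""
    return account_id

def tag_hashed(account_id):
    """Report carries an unsalted hash of the account identifier."""
    return hashlib.sha256(account_id.encode()).hexdigest()

def tag_random(account_id):
    """Report carries a fresh random ID unrelated to the account."""
    return uuid.uuid4().hex

def build_reports(tagger):
    return [{"report_id": tagger(acct), "event": ev} for acct, ev in EVENTS]

def reidentify(reports, tagger):
    """Join reports against the directory by recomputing each account's tag."""
    lookup = {tagger(acct): owner for acct, owner in ACCOUNTS.items()}
    history = defaultdict(list)
    for report in reports:
        owner = lookup.get(report["report_id"])
        if owner is not None:
            history[owner].append(report["event"])
    return dict(history)

def largest_linked_group(reports):
    """Most reports sharing one ID: linkable even without the directory."""
    counts = defaultdict(int)
    for report in reports:
        counts[report["report_id"]] += 1
    return max(counts.values())

if __name__ == "__main__":
    for tagger in (tag_stable, tag_hashed, tag_random):
        reports = build_reports(tagger)
        print(tagger.__name__, largest_linked_group(reports),
              reidentify(reports, tagger))
```

A per-report random ID only removes the identifier as a join key; other fields in a report can still link it to a person.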
 