Is Apple Pay really that secure, though?

There's one thing that has bothered me for a while and I cannot get an answer on Apple's discussion forums. There is at least one merchant where my paper receipt contains the last 4 digits of my ACTUAL credit card, even though I use contactless pay. This happens regardless of whether I use my iPhone or my Apple Watch to pay, and regardless of which credit card I use. Everywhere else, the last 4 digits will be that of the device account number as it should be. At this particular merchant, payments show up on my credit card bill as having been paid using the contactless method (as they should). But the paper receipt I get baffles me.

What does it mean that the last 4 digits of my ACTUAL credit card are always printed on the receipts from this merchant? Are they receiving my actual credit card number when I use Apple Pay? They shouldn't be, and it bothers me to no end only because it means Apple Pay may not be as secure as Apple claims.

I don't know for certain, but I suspect this is what's happening:

Apple Pay generates a unique token, which is passed to the vendor's terminal. The vendor's terminal passes the token to the credit card processor/bank, the credit card processor/bank returns the information to the vendor's terminal. Perhaps this particular bank has chosen to pass back the actual last-four. Perhaps they're not supposed to pass back the actual last-four but are doing it anyway? It may be worth an inquiry.
 
Apple also can profit from user data, and there is evidence of them violating user privacy. A couple of examples: Apple was caught saving location history locally on iPhones. A high-ranked employee said they have enough users for any potential learning projects based on iMessage data* (goes against their claims of end-to-end encryption).

Why would it be a security problem if the location data is stored locally? The phone actually uses past location data for more accurate suggestions. It becomes a problem if it leaves the device.

And: "they have enough users for any potential learning projects based on iMessage data*"
All this says is that they have enough users, not that they have the data.
 
And this is all good, except Apple IDs get hacked fairly frequently.

Glad to see Apple taking a stand. Shame on Google and Microsoft.
Huh? Google has long had plain, easy to understand TOS and they take just as tough a stand on privacy as Apple does. Google just admits to what they actually do with the data they can see.
 
I don't know for certain, but I suspect this is what's happening:

Apple Pay generates a unique token, which is passed to the vendor's terminal. The vendor's terminal passes the token to the credit card processor/bank, the credit card processor/bank returns the information to the vendor's terminal. Perhaps this particular bank has chosen to pass back the actual last-four. Perhaps they're not supposed to pass back the actual last-four but are doing it anyway? It may be worth an inquiry.

I don't think so, because if that were true, then the same credit card would behave similarly elsewhere, right? But it only behaves this way at this particular store. I use the same credit card (stored on Apple Pay) almost everywhere I go; my receipts always show the last 4 digits of the device account number as they should. Only at this restaurant do the last 4 digits of my real credit card appear on the receipt. My concern is that Apple Pay (as I understand it) promises that your actual credit card number is never transmitted to the store. If this particular contactless terminal can be "programmed" to somehow extract the actual credit card number (if that is indeed what is happening), that's a problem.
 
Apple also can profit from user data, and there is evidence of them violating user privacy. A couple of examples: Apple was caught saving location history locally on iPhones. A high-ranked employee said they have enough users for any potential learning projects based on iMessage data* (goes against their claims of end-to-end encryption).

* Search "why imessage won't come to android"

Yes, you have a location history. It’s not a secret. It’s all under Settings > Privacy > Location Services > System Services > Significant Locations. You need to authenticate to view the list, and you can also clear it or disable it.

I believe the explanation was that this list was used as part of Siri learning about you. That falls under the same privacy protection as other personal Siri data. That data is end-to-end encrypted. That’s not a claim; it’s a technical feature you can prove and verify.

Of course, certain services do need to adapt to your life habits (or are significantly better when they do). The challenge is how to do that in a way which preserves privacy. Apple’s approach is to use differential privacy (including random noise injection) to anonymise anything leaving your device, combined with local learning, and local processing of data using the generated models via CoreML and optimised hardware.

That differs from Google’s approach, which is to do everything in the cloud. Not only that, but the learning happens in a limited privacy scope, so that Google can decide and continually refine its decision-making about which kinds of ads work best on you.
 
It's strange how they tout TouchID as the most advanced security technology on a phone when they were saying FaceID is more secure... I guess they'll update the page once X is released?
Most of Apple's statements, policies, beliefs, etc. are not set in stone. It wouldn't be good business policy to be inflexible.
 
Yes, you have a location history. It’s not a secret. It’s all under Settings > Privacy > Location Services > System Services > Significant Locations. You need to authenticate to view the list, and you can also clear it or disable it.

I believe the explanation was that this list was used as part of Siri learning about you. That falls under the same privacy protection as other personal Siri data. That data is end-to-end encrypted. That’s not a claim; it’s a technical feature you can prove and verify.

Of course, certain services do need to adapt to your life habits (or are significantly better when they do). The challenge is how to do that in a way which preserves privacy. Apple’s approach is to use differential privacy (including random noise injection) to anonymise anything leaving your device, combined with local learning, and local processing of data using the generated models via CoreML and optimised hardware.

That differs from Google’s approach, which is to do everything in the cloud. Not only that, but the learning happens in a limited privacy scope, so that Google can decide and continually refine its decision-making about which kinds of ads work best on you.
I didn't know about that. I'm referring to an unrelated, older service that used to store your entire detailed location history permanently on the device in an unencrypted text file. It was before Frequent Locations existed. Apple called it a bug: http://mashable.com/2011/04/20/iphone-location-history/#4YoV8mHb2Oq4 . I hate Mashable but couldn't find the MR article that also explained this. It's too easy to get results about Frequent Locations by searching this, so you have to look for articles from 2011 rather than 2013.
Why would it be a security problem if the location data is stored locally? The phone actually uses past location data for more accurate suggestions. It becomes a problem if it leaves the device.

And: "they have enough users for any potential learning projects based on iMessage data*"
All this says is that they have enough users, not that they have the data.
Nobody knew why Apple was collecting the data. The issues were that it was unencrypted and that it did indeed leave the device when you made backups. I'm editing my post to make it clear that I'm not referring to the data stored by Frequent Locations.

Re iMessage data: They're saying more than that they have enough users. They're saying that they could get data from the users.
 
As long as no one confuses what's being stated here: https://www.apple.com/privacy/ with what's being stated here: https://www.apple.com/legal/privacy/en-ww/ then you should be okay. One is marketing, the other is not. In case anyone is confused, this one is marketing: https://www.apple.com/privacy/


You guys should get out more.:) https://privacy.google.com/index.html#
I wish people understood this even more.
he's saying teh googs lies to you and Apple doesn't
True. Overall that point shouldn't be taken literally unless the individual truly understands how both Apple and Google store the data "encrypted". At least with Google you can go to your Google activity page and see everything you searched for over the years, as well as your devices used and the searches on any connected platform. I'm not sure if Apple offers such a thing for the loyal consumer to look over, and no, I'm not saying Google is better than Apple. Then on a serious note, Apple's Siri transition from Bing to Google should raise an eyebrow anyway. Data is a big commodity in this age now. You have the data brokers out there trading and selling data from every branded platform/device at a price. Apple, Google, MSN, Yahoo and other big tech firms know this. On request, the FBI can draft an NSL ("National Security Letter") from the firm if the individual is red flagged for some reason.
 
One BIG reason to choose Apple Over Android.

Yeah I don’t feel like being nobody's whore.

And the fact that Apple lays it out for their consumers to have the material for reference anytime someone has questions or concerns. Apple values the consumer's privacy on a high level.

Let’s not forget this WHOLE stand by Apple began when BlackBerry decided to openly cooperate with the USA government 3 yrs ago while Apple made a HUGE deal out of that taking the absolutely no side. But they still will cooperate - with due justice legal cause and warrants. Something that is NOT on their page.

Is Apple Pay really that secure, though?

There's one thing that has bothered me for a while and I cannot get an answer on Apple's discussion forums. There is at least one merchant where my paper receipt contains the last 4 digits of my ACTUAL credit card, even though I use contactless pay. This happens regardless of whether I use my iPhone or my Apple Watch to pay, and regardless of which credit card I use. Everywhere else, the last 4 digits will be that of the device account number as it should be. At this particular merchant, payments show up on my credit card bill as having been paid using the contactless method (as they should). But the paper receipt I get baffles me.

What does it mean that the last 4 digits of my ACTUAL credit card are always printed on the receipts from this merchant? Are they receiving my actual credit card number when I use Apple Pay? They shouldn't be, and it bothers me to no end only because it means Apple Pay may not be as secure as Apple claims.

Great find! I’ll be looking up my own receipts shortly. Especially from Apple.

As long as no one confuses what's being stated here: https://www.apple.com/privacy/ with what's being stated here: https://www.apple.com/legal/privacy/en-ww/ then you should be okay. One is marketing, the other is not. In case anyone is confused, this one is marketing: https://www.apple.com/privacy/


You guys should get out more.:) https://privacy.google.com/index.html#

Yet Google is ready to track and take ALL my information from any services they offer by default! Also that I must go through their arcane centralized website to individually delete browser history with YouTube, Maps history/searches (why is this even there in the first place?!), email, etc.

We’re still waiting for no ads in email. If you really believe anything about privacy on their website please ask the creator of Android Andy Rubin why HIS name is still used in every new gmail account created for a greeting?!?! Hmmm.
 
Yet Google is ready to track and take ALL my information from any services they offer by default! Also that I must go through their arcane centralized website to individually delete browser history with YouTube, Maps history/searches (why is this even there in the first place?!), email, etc.

We’re still waiting for no ads in email. If you really believe anything about privacy on their website please ask the creator of Android Andy Rubin why HIS name is still used in every new gmail account created for a greeting?!?! Hmmm.
Seems like you've been saving this one for a while. Just waiting to spring it on somebody. Anybody apparently. Since it literally has nothing to do with anything in my quote. But thanks for including me.
 
More than a few financial institutions may suffer from lack of customers when Apple gives help transacting on a very small scale.
 
If that was the case they wouldn't have extorted $3billion from Google to be the default for Siri & have used Duck Duck Go instead, they wouldn't track/use information about you to sell ad slots etc.

The amount of misinformation about what Google doesn't do and what Apple does is rather sad.
This is already one of the most tired memes on the internet.

As long as no one confuses what's being stated here: https://www.apple.com/privacy/ with what's being stated here: https://www.apple.com/legal/privacy/en-ww/ then you should be okay. One is marketing, the other is not. In case anyone is confused, this one is marketing: https://www.apple.com/privacy/
So one is not true then? Or is it not okay to provide a broad overview on what Apple is doing with respect to security and privacy? And I've been to Google's privacy site and use Google products, but let's be honest, with Google you are the product no matter what spin is put on it.
 
So one is not true then? Or is it not okay to provide a broad overview on what Apple is doing with respect to security and privacy? And I've been to Google's privacy site and use Google products, but let's be honest, with Google you are the product no matter what spin is put on it.
No, one is a marketing piece. It should be recognized as such. The other is Apple's legal privacy policy. They aren't the same and shouldn't be conflated. There's no spin to be put on that.
 
No, one is a marketing piece. It should be recognized as such. The other is Apple's legal privacy policy. They aren't the same and shouldn't be conflated. There's no spin to be put on that.
One is a technical overview not to be confused with marketing. There aren’t two buckets, legal OR marketing.
 
Confused regarding your purpose. Isn't that exactly what my mini-PSA is all about? Not confusing one with the other.
There is no confusion. One is the legalese. The other is Apple's approach (i.e. technical overview) and a restatement of the legalese into consumer friendly terms. The two overlap in certain areas and say the same thing in certain cases.
 
Seems like you've been saving this one for a while. Just waiting to spring it on somebody. Anybody apparently. Since it literally has nothing to do with anything in my quote. But thanks for including me.

Then you obviously don’t read nor think about the information or the sub links in what you post do you?

https://privacy.google.com/how-ads-work.html

We do not sell your personal information to anyone.
Much of our business is based on showing ads, both on Google services and on websites and mobile apps that partner with us. Ads help keep our services free for everyone. We use data to show you these ads, but we do not sell personal information like your name, email address, and payment information.

& yet the heading right below states...
We use data to make ads relevant
We try to show you useful ads by using data collected from your devices, including your searches and location, websites and apps you have used, videos and ads you have seen, and personal information you have given us, such as your age range, gender, and topics of interest.

If you are signed in and depending on your Ads Settings, this data informs the ads you see across your devices. So if you visit a travel website on your computer at work, you might see ads about airfares to Paris on your phone later that night.

Sounds VERY contradictory including the blurb about “depending on your Ads Settings”. Which I’ve specifically mentioned, along with the google sites we’ve both posted means you have to spend a lot of time digging rough and fine tuning bit by bit not a delete all and disable all toggle switches.

So even if I do NOT and have NOT ever signed into Chrome on one computer yet only signed into the website for gmail (either using Chrome or IE or Firefox, etc) - deleting cookies cache and folders for installation entirely along with Windows registry related to browsing - why do sites still have same ads shown in gmail and the browsers of choice?!

I’d like to see how you explain privacy from google here using your links. Everything I’ve posted IS relevant to your post. And yes I was waiting for it as nothing in that link has changed in the past 12mths. I’ve read it fully. Have you?

Google survives by selling ad space and information. No different from AirMiles and giving the end user an incentive to benefit from their information. Problem I see is we should be paid for our data NOT Google alone.
 
Then you obviously don’t read nor think about the information or the sub links in what you post do you?

https://privacy.google.com/how-ads-work.html

We do not sell your personal information to anyone.


& yet the heading right below states...
We use data to make ads relevant


Sounds VERY contradictory including the blurb about “depending on your Ads Settings”. Which I’ve specifically mentioned, along with the google sites we’ve both posted means you have to spend a lot of time digging rough and fine tuning bit by bit not a delete all and disable all toggle switches.

So even if I do NOT and have NOT ever signed into Chrome on one computer yet only signed into the website for gmail (either using Chrome or IE or Firefox, etc) - deleting cookies cache and folders for installation entirely along with Windows registry related to browsing - why do sites still have same ads shown in gmail and the browsers of choice?!

I’d like to see how you explain privacy from google here using your links. Everything I’ve posted IS relevant to your post. And yes I was waiting for it as nothing in that link has changed in the past 12mths. I’ve read it fully. Have you?

Google survives by selling ad space and information. No different from AirMiles and giving the end user an incentive to benefit from their information. Problem I see is we should be paid for our data NOT Google alone.
Google doesn't sell your information. Bolded: Everything you've posted is pretty clear evidence you looked at Google's privacy policy. It's also pretty clear evidence you didn't understand what you read. Your interpretations are, figuratively speaking, way out in left field.
 
I don't think so, because if that were true, then the same credit card would behave similarly elsewhere, right? But it only behaves this way at this particular store. I use the same credit card (stored on Apple Pay) almost everywhere I go; my receipts always show the last 4 digits of the device account number as they should. Only at this restaurant do the last 4 digits of my real credit card appear on the receipt. My concern is that Apple Pay (as I understand it) promises that your actual credit card number is never transmitted to the store. If this particular contactless terminal can be "programmed" to somehow extract the actual credit card number (if that is indeed what is happening), that's a problem.

Not necessarily. It depends on the terminal equipment being used, for one thing.

Apple Pay uses the EMV tokenisation scheme to instigate transactions over NFC. This definitely does not send your card number from your device. Once the transaction is under way, the payment processor (Verifone, WorldPay, whatever) negotiates in real time with your bank using a payment reference. It is common practice that when a payment processor conducts a transaction, the last four digits of the actual card account being used are returned to the terminal equipment as a descriptive field. For instance, I operate a payment website for our company where we never see a card number - we delegate that completely to Verifone. As part of the transaction, however, our website receives a notification from Verifone of the last four card digits of the card that was used. We don't use this, but it's easy to see how this could be useful when printing a receipt from a card terminal.
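
A simplified model of the flow described in the post above, added here as an example and not part of the original thread or any processor's real API. The class names, the constructed card numbers and the `print_funding_last4` terminal setting are assumptions; the per-transaction cryptogram is left out. It shows two terminals printing different last-four digits while neither ever handles the full card number.

```python
import secrets
from dataclasses import dataclass, field

# Constructed test numbers, not real accounts.
FUNDING_PAN = "4111111111111111"  # the card number the bank holds
DEVICE_PAN = "4895370012345678"   # device account number (token) on the phone


class TokenVault:
    """Bank/network side: the only place a token maps back to the card."""

    def __init__(self):
        self._by_token = {}

    def provision(self, token, funding_pan):
        self._by_token[token] = funding_pan

    def resolve(self, token):
        return self._by_token[token]


@dataclass
class AuthResponse:
    approved: bool
    payment_ref: str
    funding_last4: str  # descriptive field: four digits, never the full PAN


class Processor:
    """Hypothetical processor: resolves the token and answers the terminal."""

    def __init__(self, vault):
        self._vault = vault

    def authorise(self, token, amount_cents):
        funding_pan = self._vault.resolve(token)  # stays on this side
        return AuthResponse(True, "ref-" + secrets.token_hex(8), funding_pan[-4:])


@dataclass
class Terminal:
    processor: Processor
    print_funding_last4: bool                 # assumed per-terminal setting
    seen: list = field(default_factory=list)  # every value the merchant handled

    def pay(self, token, amount_cents):
        resp = self.processor.authorise(token, amount_cents)
        self.seen += [token, resp.payment_ref, resp.funding_last4]
        last4 = resp.funding_last4 if self.print_funding_last4 else token[-4:]
        return f"CONTACTLESS ************{last4} {amount_cents / 100:.2f}"


def merchant_saw_full_pan(terminal, funding_pan):
    """True if any value the terminal handled contains the real card number."""
    return any(funding_pan in value for value in terminal.seen)


def demo():
    vault = TokenVault()
    vault.provision(DEVICE_PAN, FUNDING_PAN)
    processor = Processor(vault)
    usual = Terminal(processor, print_funding_last4=False)
    odd = Terminal(processor, print_funding_last4=True)
    return (usual.pay(DEVICE_PAN, 1250), odd.pay(DEVICE_PAN, 1250),
            merchant_saw_full_pan(usual, FUNDING_PAN),
            merchant_saw_full_pan(odd, FUNDING_PAN))


if __name__ == "__main__":
    for item in demo():
        print(item)
```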
 