Apple Privacy Policy Fails to Protect Against App Trackers

A typical iPhone has thousands of trackers, silently reporting back to their motherships. And you’ve no way of knowing exactly what’s going on.

Who is tracking you? What data are they getting on you? How are they using it?

It’s a mystery. And people are saying Apple is complicit, despite the company’s overt stance on privacy. In today’s SB Blogwatch, we dig out the old Nokia 3110.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: D.I.S.C.O.


Smash Your iPhone

What’s the craic? Geoffrey A. Fowler flies off with the story—“Our privacy experiment showed 5,400 hidden app trackers guzzled our data”:

 It’s 3 a.m. Do you know what your iPhone is doing? Mine has been alarmingly busy. … Your iPhone probably is doing the same.

At 11:43 p.m. … Amplitude learned my phone number, email and exact location. At 3:58 a.m. … Appboy got a digital fingerprint of my phone. At 6:25 a.m. … Demdex received a way to identify my phone and sent back a list of other trackers to pair up with. And all night long … a household name, Yelp … was receiving a message … once every five minutes.

Apps I discovered tracking me … include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post … IBM’s the Weather Channel [and] Citizen, [which] shared personally identifiable information in violation of its published privacy policy. [A] typical example is DoorDash, the food-delivery service … sending data to nine third-party trackers. … Its privacy policy throws its hands up in the air: “DoorDash is not responsible for the privacy practices of these entities.”

In a single week, I encountered over 5,400 trackers, mostly in apps. [They] would have spewed out 1.5 gigabytes of data [per] month.

The more places personal data flies, the harder it becomes to hold companies accountable for bad behavior. … Isn’t Apple supposed to be better at privacy? … Apple turns more of a blind eye to what apps do with data we provide them or they generate about us.

And Xeni Jardin spreads the fertilizer—“Popular iOS apps use ‘background app refresh’ to send your location”:

 You’re browsing a news app on your phone in bed, alone, late at night. Did you know your physical location [is] being shared with the app maker?

Apple’s response is that the privacy policies for each of these apps are required to disclose with whom they share user data. [This] does not provide protection that meets the claim implied by Apple’s marketing tagline: “What happens on your iPhone stays on your iPhone.”

The tyranny of the default? elagost asks some frightening questions:

 Even for companies who are supposedly privacy-forward, their defaults say otherwise. A brand-new iPhone has all these privacy settings that are off by default, and that are usually confusingly labeled and buried several settings screens deep. Nobody really turns them on outside of a very small bubble.

Once companies have your trust, they can’t help but break it if it’ll earn them another few bucks. Yelp’s a household name and doesn’t seem like a bad actor, but that’s proven false by this article.

Furthermore, while they claim to have your best interests in mind, Apple (and Google) let companies perform this kind of shady behavior on their platforms that they completely control. If they let others get away with this, can you really trust that the “don’t upload my photos to your servers” switch really does what it says it does?

How do you know your phone isn’t recording audio and taking photos to send off to a datacenter in the middle of the night?

Yeah, how would you know? Even if evenifoutside doesn’t:

 But the problem is we have absolutely no idea … if an app is doing something it’s not supposed to be.

Apple have a hard privacy position, but are allowing these apps to send data to various services at various times. With no ability to see what it was, or control given to the end user.

If people researched every app’s privacy notices no one would install them. Apple is the gatekeeper of the store and toot their horn about keeping bad things out, that should extend to this.

With a timely reminder, hr’s VwlsrFrSckrs: [You’re fired—Ed.]

 This is a good reminder that every time Apple tells you they care about your privacy and that the iPhone is so much better than Android when it comes to privacy, it isn’t.

Both Apple and Google need to do a lot better at cracking down on these types of apps that collect all sorts of data that they don’t need in order to work.

But specifically? Alex Stamos suggestifies:

 The mobile SDK ecosystem is a huge mess and the coarse-grained mobile permission system is not up to the task. Google or Apple could really lead here with a mechanism for user notification and consent.

Imagine if each [tracking] SDK that communicates home had to register with the platform providers, and if users could opt-in/out across the entire phone.

Having said that, Scooter is kinda-sorta impressed—“Apple is monstrously brilliant”:

 They’ve convinced millions of people to overpay for their products by creating the illusion that they have better technology and better security. I guess it’s true, there’s a sucker born every minute.

Caveat user? Scott Davis says, “You must educate yourself or technology will overwhelm you”:

 You use an app without reading the privacy notices? That’s not Apple’s fault. It’s yours.

You give an app permission to track your location when it’s open? How can you be surprised when it does exactly that?

Turn on the privacy options available to you. The time for anyone to expect that people will hold their hands and make sure they’re protected on the internet never even existed.

What would Orwell and Huxley have said? Enrique Rubio has a gentle rant:

 This is truly outrageous. … We need to develop a powerful framework of human safeguards to make sure we don’t continue to become a commodity, only valuable for data-generation.

Meanwhile, let’s remind ourselves what comedian Keith Lowell Jensen—@keithlowell—quipped six years ago:

 What Orwell failed to predict is that we’d buy the cameras ourselves, and that our biggest fear would be that nobody was watching.

And Finally:

How Daft Punk Made Disco Cool Again


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Paulo Henrique (cc:by)


Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
