A new test of how Apple gathers usage data from iPhones has found that the company collects personally identifiable information while explicitly promising not two.
According to Apple’s analytics policy, “Personal data is either not logged at all, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they’re sent to Apple.” But Mysk’s tests show that the DSID, which is directly tied to your name, is sent to Apple in the same packet as all the other analytics information.
“Knowing the DSID is like knowing your name. It’s one-to-one to your identity,” said Tommy Mysk, an app developer and security researcher, who ran the test along with his partner Talal Haj Bakry. “All these detailed analytics are going to be linked directly to you. And that’s a problem, because there’s no way to switch it off.”
The findings worsen recent discoveries about Apple’s privacy problems and promises. Earlier this month, Mysk discovered that Apple collects analytics information even when you switch off an iPhone setting called “Share iPhone Analytics,” an action that Apple pledges will “disable the sharing of Device Analytics altogether.” Days after Gizmodo reported on Mysk’s tests, a class action lawsuit was filed against Apple for allegedly deceiving its customers over the issue.
Apple did not respond to a request for comment. The company hasn’t said anything publicly about the apparent contradictions in its privacy promises, or the recent lawsuit.
Theoretically, Apple might argue that an ID number isn’t personal information. But the GDPR, the mammoth European privacy law which set the standard for data regulation worldwide, defines personal data as any information that “directly or indirectly” identifies a person, including ID numbers.
“I think people should be upset about this,” Mysk said. “This isn’t Google. people opt for iPhone because they think these kinds of things aren’t going to happen. Apple doesn’t have the right to keep an eye on you.”
Musk published information about the test in a Twitter thread late Sunday.
In some cases, this analytics data apparently includes details about your every move. Mysk’s tests show that analytics for the App Store, for example, includes every single thing you did in real time, including what you tapped on, which apps you searched for, what ads you saw, and how long you looked at a given app and how you found it. You can see the data, which is sent in real time, in a video on the Mysk YouTube channel.
Over the course of these tests, the researchers checked their work on two different devices. First, they used a jailbroken iPhone running iOS 14.6, which allowed them to decrypt the traffic and examine exactly what data was being sent. Apple introduced a privacy setting in iOS 14.5 that prevents other companies from harvesting data called App Tracking Transparencycuing users to decide whether or not to give their data to individual apps with the prompt “Ask app not to track?“
The researchers also examined a regular iPhone running iOS 16, the latest operating system, which bolstered their findings. The researchers couldn’t examine exactly what data was sent because the phone’s encryption remained intact, but the similarities to the tests on the jailbroken phone suggest the patterns they found there may be the standard on the iPhone. There is little reason to think that the jailbroken phone would send different data, they said, but On iOS 16, they saw the same apps sending similar packets of data to the same Apple web addresses. The data was transmitted at the same times under the same circumstances, and turning the available privacy settings on and off likewise didn’t change anything.
The findings are especially damning given the years Apple spent rebranding itself as a privacy company. Apple’s recent marketing campaigns suggest the company’s privacy practices are supposed to be far better than other tech companies. It emblazoned 40-foot billboards of the iPhone with the simple slogan “Privacy. That’s iPhone.” and ran the ads across the world for months.
But Apple is making strides to build an advertising empire of its own, built on the personal data of its billions of users. Even the company’s own privacy settings can be seen as part of a long game to kneecap its advertising competitorsalthough the company vehemently denies that accusation.
For his part, the findings come as a personal one shock to Tommy Musk. In the past, “I would always allow the app to share analytics with Apple, because I want to help them,” Mysk said. “But I always assumed the data was going to be sent out in an anonymous way.”