Researchers have spotted identification numbers in user data sent to Apple, again undermining the company’s claims about its privacy commitments.
Last week, researchers reported that several Apple apps were harvesting user data even when asked not to, a finding that has prompted a class action lawsuit. But a follow-up suggests the situation could be even worse than expected. The same two iOS developers (and casual security researchers) who post under the Twitter account mysk now claim to have designated unique ID numbers in usage data submitted to Apple, which appears to contradict the company’s claims that all such data is anonymous.
As the developers explain in their tweet, “Apple’s analytics data contains an identifier called dsID that uniquely identifies an iCloud account.” Which means Apple’s analytics data can identify any user individually. In a six-part thread, the latter reveal that DSID (Directory Services Identifier) numbers appear consistently in the data revealed. They also publish a video that shows the process in real time:
? New finds:
Apple’s analytics data includes an identifier called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an identifier that uniquely identifies an iCloud account. This means Apple’s analytics can identify you personally ? pic.twitter.com/3DSUFwX3nV
— Mysk ???? (@mysk_co) November 21, 2022
“The DSID is associated with the user’s name, email address, and all iCloud account data,” the researchers write, meaning Apple (and theoretically third-party advertising partners) could link apps on clicks the user and the advertisements he views. Of course, it’s possible that Apple doesn’t actually scrutinize the DSID and preserve the anonymity of the data, but the fact that this Directory Services Identifier is included in Mysk’s findings is troubling.
It also seems to go against Apple’s statement on device analytics and privacy, with the company making it clear that none of the information provided can personally identify the user. Later in the same document, Apple indicates that while it may correlate some Apple application usage data on these devices through synchronization using end-to-end encryption, it does so in a way which does not identify the user to Apple. As The Verge points out, Apple’s separate App Store privacy terms requested “browsing, shopping, search, and download information…is transposed with the IP address, a random unique identifier.” (when it exists) and the Apple ID when the user is logged into the App Store or other Apple online stores”, are something somewhat contradictory and more vague.
According to Mysk, again, the information sent to Apple was unaffected by disabling the “Share iPhone Analytics” option (Privacy/Analytics and Improvements). There’s no apparent way to prevent it, other than assuming you don’t use the App Store and other iOS apps involved in the search. Apple has yet to respond to these assumptions, which emerged earlier this month. In recent years, many smartphone users seem disillusioned with data collection, as evidenced by the comments and shrugs sent after this story was published by Gizmodo: “All the tech giants are getting into it, people say to themselves, and that doesn’t affect me directly”. But aside from the seeming contradiction of breaking an explicit promise not to, Apple may be impacted by this revelation because, for some time, it has crafted itself the image of the most privacy-friendly tech company. . This respect for data could now run counter to Apple’s growing advertising business, as the company has the opportunity to take advantage of a large source of detailed user data.