Last week researchers reported that several Apple apps were harvesting user data even when told not to, a claim that prompted a class-action lawsuit. But a follow-up suggests the situation could be even worse than first thought. The same two iOS devs (and “occasional security researchers”) who post under the Twitter account Mysk now claim to have spotted unique ID numbers in the usage data sent to Apple, seemingly contradicting the company’s claim that all such data is anonymous.
“Apple’s analytics data include an ID called “dsId,” they tweeted, “an ID that uniquely identifies an iCloud account. Meaning Apple’s analytics can personally identify you.”
They demonstrate the appearance of consistent DSID (Directory Services Identifier) numbers in harvested data in a six-part thread, including a video of the process happening in real-time:
The DSID is associated “with your name, email, and any data in your iCloud account,” the researchers write, meaning Apple (and theoretically third-party advertising partners) could tie the apps you click on and the ads you view to you specifically. Of course, it’s possible that Apple isn’t actually looking at the DSID and thus keeping data anonymous, but the fact that it’s included in Mysk’s findings is troubling.
It also seems to be at odds with Apple’s Device Analytics & Privacy statement, which clearly states that “None of the collected information identifies you personally.” And later in the same document, Apple says that while it “may correlate some usage data about Apple apps across those devices by syncing using end-to-end encryption,” it does so “in a manner that does not identify you to Apple.”
As The Verge points out, Apple’s separate App Store privacy terms are somewhat contradictory and vaguer, saying that “information about your browsing, purchases, searches, and downloads… are stored with IP address, a random unique identifier (where that arises), and Apple ID when you are signed in to the App Store or other Apple online stores.”
Once again, the details sent to Apple were unaffected by disabling the ‘Share iPhone Analytics’ option, according to Mysk. There’s no apparent way to stop this from happening, other than choosing not to use the App Store and other iOS apps implicated in the research. Apple has yet to respond to the claims, which first surfaced earlier this month.
In recent years many smartphone users have adopted a cynical mindset when it comes to data harvesting, as can be seen by the shrugging comments following Gizmodo’s write-up of this story: All the tech giants are at it, people tell themselves, and it doesn’t hurt me directly. But aside from the seeming contradiction of an explicit promise not to do this, Apple could be hurt by this revelation because it has portrayed itself for some time now as the quintessential pro-privacy tech company. That principle may now come into conflict with Apple’s growing ads business, which stands to benefit from an influx of detailed user data.