Earlier this month, a twitter thread by software company Mysk gained traction, raising privacy concerns about Apple’s data collection from iPhones.
It subsequently spawned numerous articles on tech and tabloid news sites. Shortly after, a class action lawsuit was filed against Apple by an iPhone 13 user, citing the findings listed in the thread as grounds for action. Mysk’s findings allege specific apps – the App Store, Apple Music, Apple TV, Books, and Stocks – send significant amounts of data to Apple even though the test iPhone was set to disallow tracking, analytics, and personalised ads. Mysk asserts that the “App Store app collects detailed usage data about how you use the app and explore new apps.”
In a recent follow up, Mysk posted more information alleging that the App Store app specifically sends information to Apple which is uniquely tagged to each user, claiming that “Apple’s analytics can personally identify you.” They further point out that this contradicts Apple’s promise of anonymity when collecting data.
Articles and reports of Mysk’s findings have led with headlines such as “Apple found tracking personal information even when it says it’s not”, “Apple is tracking you even when they claim they aren’t“ and “Beware! Apple may be tracking your iPhone through App Store.” Similarly, the class action lawsuit claims that “through its pervasive and unlawful data tracking and collection business, Apple knows even the most intimate and potentially embarrassing aspects of the user’s app usage.”
Are Mysk’s findings accurate and indicative of illegal data collection? Do they breach Apple’s policies and promises? We took a closer look at Apple’s policy documents to better understand the different ways data is collected from iPhones. Our research shows that there is a distinction to be made between Apple’s App Tracking Transparency (ATT) and Apple’s own collection of data from iPhones, which is toggled separately under Device Analytics. As Apple’s own privacy policy shows, the two are defined and regulated differently with separate policies governing the collection and use of data. Mysk’s specifically findings relate to Apple’s collection of analytics from its own apps rather than third party apps.
We found that although Apple’s policy states that the Analytics toggle will “disable the sharing of Device Analytics altogether,” the App Store (along with several other apps such as the Stocks app) have separate privacy policies which lay out different terms of use. These policies can be found on separate pages, as well as on an interactive page on the Apple website.
The App Store app policy lays out how information is collected for different purposes – from advertising to security to purchases – and how certain preferences can be toggled on or off. However a significant departure from the regular Device Analytics policy the lack of an option for disabling improvement analytics collected in the app. This has also been confirmed in reporting by the Verge. The policy further states that personal information in the form of “identifiers such as your device’s hardware ID and IP address are logged by Apple along with your Apple ID,” in order to provide services and feature of the App Store.
This suggests that while Mysk’s findings on the type and amounts of data might be accurate, claims that Apple is tracking or collecting data in breach of its policies are not. A lack of clarity in language and a misunderstanding of Apple’s privacy policies contributed to misleading and inaccurate reporting.
We also examined Mysk’s claims and methodologies to see how accurate and credible their findings are. Mysk is a software company, and the research was carried out by 2 security researchers, Tommy Mysk and Talal Haj Bakry. Based on information provided by Mysk to Gizmodo and by their own posts on twitter and YouTube, the findings were derived from running analysis on a jailbroken iPhone 13, which gave them the ability to decrypt information being sent from the phone to Apple. Similar tests were run on a non-jailbroken iPhone, but results were uncertain due to the iPhone’s encryption of the data being sent from the apps. However, these results were only run on iOS 14.5, rather than the latest version, iOS 16, which calls into question how updated the results are. According to Mysk, tests run on a regular iPhone running iOS 16 showed “similar” encrypted results but could not be examined directly.
While these exact findings have not been replicated by other researchers at the time of publication, existing research published this year by the University of Oxford’s Computer Science department also mentions the use of ID tracking by the App Store app alongside Apple’s extensive collection of data. While this study used similar techniques on the same iOS system, they too could not confirm that the same results would occur in later iOS versions. Nevertheless, Mysk’s findings seem to correspond to Apple’s own disclosures within the various relevant privacy policies, which suggest they could possibly accurately depict how data is sent from iPhones to Apple.
While not proving any illegal activity, Mysk’s findings do contribute information and perspective to ongoing conversations surrounding data collection, tracking, and how far users are aware of it. Potentially misleading assertions of privacy by Apple in their advertising – leading to confusion and misunderstanding for users – has also been raised Mysk in their latest update, acknowledging the existence of separate policies and stating that “while this is technically correct, we believe it’s misleading on Apple’s part, who claim “Privacy is a fundamental human right,” to have very different privacy policies…”