Apple has faced criticism about their commitment to data privacy for many years. Their shaky record has been a concern for experts in the field given the many millions of users who use their products every day. While changes have been made, the question remains, does Apple truly value data privacy? We take a closer look to see just how seriously they treat those concerns today.
What problems have Apple had with data privacy?
Perhaps most notoriously, in 2014 hackers breached iCloud security to steal and leak thousands of personal celebrity photos. A hacking script found the right username and password combinations by making repeated attempts; because Apple placed no limit on the number of queries allowed, the hackers could keep trying until they found the right one.
Over the years there have also been a number of privacy issues highlighted by users before Apple were even aware of them. For example, in February 2019 Google researchers informed Apple that hackers could embed malware on iPhones after users visited certain websites – an issue that had existed for two years.
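The missing control described above is a cap on failed sign-in attempts. The following sketch is an added example, not Apple's code: the class name, thresholds, account name and the `verify` stand-in are all assumptions chosen for illustration.

```python
import hmac

class LoginThrottle:
    """Per-account failed-attempt limiter with exponentially growing lockouts."""

    def __init__(self, max_failures=5, base_lockout=60.0, max_lockout=3600.0):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._state = {}  # account -> (consecutive_failures, locked_until)

    def check(self, account, now):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        locked_until = self._state.get(account, (0, 0.0))[1]
        return max(0.0, locked_until - now)

    def record(self, account, success, now):
        if success:
            self._state.pop(account, None)  # a good login clears the counter
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        locked_until = 0.0
        if failures >= self.max_failures:
            # base_lockout at the threshold, doubling per further failure, capped.
            delay = self.base_lockout * 2 ** (failures - self.max_failures)
            locked_until = now + min(delay, self.max_lockout)
        self._state[account] = (failures, locked_until)

def attempt_login(throttle, verify, account, password, now):
    """Return 'ok', 'denied' or 'locked'; credentials are not checked while locked."""
    if throttle.check(account, now) > 0:
        return "locked"
    ok = verify(account, password)
    throttle.record(account, ok, now)
    return "ok" if ok else "denied"

def demo():
    # Constructed account and passwords; verify() stands in for a real
    # salted password-hash comparison.
    secret = {"alice@example.com": "correct horse"}
    verify = lambda acct, pw: hmac.compare_digest(secret.get(acct, ""), pw)
    throttle = LoginThrottle()
    schedule = [(float(t), "guess%d" % t) for t in range(5)]
    schedule += [(5.0, "correct horse"), (65.0, "correct horse")]
    return [attempt_login(throttle, verify, "alice@example.com", pw, t)
            for t, pw in schedule]
```

A per-account counter alone lets anyone lock a legitimate user out and does not slow guessing spread across many accounts, so services normally pair it with per-source limits and a second factor.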
More recently, in November 2020, concerns were raised about the privacy of their new macOS Big Sur. Many users struggled to download and install the operating system, with iMessage and Apple Pay also going down. Perhaps more seriously, users of macOS Catalina and earlier systems experienced performance issues.
Renowned security researcher Jeffrey Paul dug deeper into the issues and found that data being sent back to Apple’s OCSP server was not encrypted and could possibly be intercepted by third parties. Apple responded quickly and said that these concerns would be dealt with in the near future.
If you wish to ask the company to delete personal data held on their servers, visit Apple’s Data and Privacy center, sign in and follow the prompts to delete your account.
What data protections do Apple currently have in place?
Only the owner of an Apple device (or someone they have chosen to share the data with) has access to it. Access is granted using either a six-digit passcode, Touch ID (fingerprint technology) or Face ID (facial recognition technology).
Data is not sold on
Apple says that any personal information stored on their servers – be it a photo, use of Siri or searching for directions – will not be sold to third parties.
Apple Pay protection
If a debit or credit card is used with Apple Pay, the company says transaction details cannot be tied back to the individual, so no historical record of purchases can be made. Apple states that information about Apple Pay Cash users is stored only to fight fraud, support troubleshooting and for regulatory reasons. Any credit card information stored on the device is ‘sealed’ away from other areas.
Apple uses something called ‘Differential Privacy’ which involves the scrambling of data so it is mixed in with that of millions of other users. The goal is to create ‘general patterns’ rather than specific details that can be linked to an individual. Apple says this is used to identify the popularity of certain features like emojis and QuickType suggestions (predictive text) and Safari energy consumption rates.
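The idea of learning a general pattern without trusting any single report can be shown with randomized response, the classic local differential privacy mechanism. This is an added example and a deliberately simplified stand-in, not Apple's algorithm; the "used this emoji" bit, the 30% usage rate and the epsilon value are constructed.

```python
import math
import random

def truth_probability(epsilon):
    """Probability of reporting the real bit under epsilon-local differential privacy."""
    return math.exp(epsilon) / (1.0 + math.exp(epsilon))

def randomize(bit, epsilon, rng):
    """Runs on the device: send the true bit with probability p, else its opposite."""
    return bit if rng.random() < truth_probability(epsilon) else 1 - bit

def estimate_rate(reports, epsilon):
    """Runs on the server: de-bias the noisy reports to recover the population rate.

    observed = p * rate + (1 - p) * (1 - rate), solved for rate.
    """
    p = truth_probability(epsilon)
    observed = sum(reports) / len(reports)
    return (observed - (1.0 - p)) / (2.0 * p - 1.0)

def simulate(n_users=100_000, true_rate=0.30, epsilon=math.log(3), seed=1):
    """Constructed population: each user holds one bit, 'used this emoji today'."""
    rng = random.Random(seed)
    n_ones = round(n_users * true_rate)
    truth = [1] * n_ones + [0] * (n_users - n_ones)
    reports = [randomize(b, epsilon, rng) for b in truth]
    # Fraction of individual reports that are false: this is what gives each
    # user deniability about their own answer.
    flipped = sum(t != r for t, r in zip(truth, reports)) / n_users
    return estimate_rate(reports, epsilon), flipped

if __name__ == "__main__":
    estimate, flipped = simulate()
    print("estimated usage rate: %.3f" % estimate)
    print("share of individual reports that were false: %.3f" % flipped)
```

With epsilon = ln 3 about a quarter of the individual reports are false, yet the aggregate estimate stays close to the true rate; a smaller epsilon gives more deniability per user and a noisier estimate.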
Apple says that any data sent or stored is encrypted, such as iMessages and FaceTime calls. They also say this applies to security data such as Face ID and Touch ID, which are also encrypted and stored in a Secure Enclave on the device (meaning it is isolated away from the main processor). This is meant to ensure apps and iOS cannot access it and the information is not retained on Apple servers or on iCloud.
What are the concerns about Apple’s data privacy?
Unfortunately, there may still be some cause for concern. In November 2020 an Austrian consumer rights activist called Max Schrems brought a case against Apple claiming that privacy regulations are violated by the use of an iPhone-generated ID that allows advertisers to track users.
Of course, Apple faces lawsuits all the time, but Mr. Schrems is perhaps one worth listening to. In July 2020, he was responsible for a landmark ruling against Facebook that restricted the sending of data from EU states back to the US, ensuring data protection authorities complied with GDPR laws.
Mr. Schrems’ complaint against Apple says that the IDFA (Identifier for Advertisers) used on iPhones can be manipulated by advertisers to track users and target them for personalized ads. The IDFA is supposed to improve privacy by preventing companies from using other means of tracking users, and it can be reset at any time by the individual.
The argument being made, however, is that generating even a single IDFA breaches GDPR laws: although the user has control over which apps can access it and whether or not it is reset, they are not aware it has been created in the first place. GDPR laws forbid external tracking without the explicit consent of the individual, an option Mr. Schrems argues is not being provided.
Many of the privacy policies listed in this article were updated by Apple in late 2020. It appears they have started to address many of the long-held concerns about their commitment to privacy with the beefing up of their policies. However, as the latest advertising case suggests, there are still some concerns about the amount of tracking of users being granted to advertisers.
In many respects, choosing to put faith in Apple to keep to their promises is very much down to individuals. There will be those who will continue to believe they cannot be trusted, those who believe the company has changed, and others who will barely give a second thought to the protection of their personal data. Regardless, Apple’s commitment to data privacy will continue to be closely scrutinized and monitored.