Apple's App Store analytics may be able to identify users
Apple is allegedly able to identify a user in analytics it collects, according to security researchers, via a unique identifier that can be associated with a user's iCloud account.
Privacy. That's iPhone.
As a privacy-focused company, Apple's introduction of App Tracking Transparency, as well as assurances it would not collect identifiable data on a user's usage habits, is supposed to assure users they won't necessarily be tracked and their data monetized in some way. In details unearthed by two researchers, it seems Apple may be able to do so.
In a series of Monday tweets, iOS developers Mysk continued researching Apple's systems, and discovered an ID in its analytics data referred to as "dsId." It was later determined that this refers to a "Directory Services Identifier," which is linked to an iCloud account.
Each DSID can, in theory, be collated with an existing iCloud account. If the research is accurate, if Apple chose to do this, it has the associated user's name, email, and other details relating to the account.
The identifier is included in all analytics data the App Store sends to Apple, with other apps also doing the same thing. Mysk reckons this means "your detailed behavior when browsing apps on the App Store is sent to Apple, and contains the ID needed to link the data to you."
Mysk points out that Apple's own Device Analytics & Privacy statement states "None of the collected information identifies you personally," which is characterized as "inaccurate."
Apple has previously and publicly asserted that it isn't in the business of selling user data, and also explained how it uses data in its ad platforms. This includes assertions that its ad platform does not connect user or device data with data collected from third parties for targeted advertising, and that it doesn't share user device or device identification with data collection firms.
Despite claims it doesn't sell data, and that it works to anonymize data that is used by clients of its ad platform, the issue here is that Apple still could potentially use the identifiable data for its own purposes, and that there is evidence that it has the capability of collecting identifiable data.
AppleInsider has reached out to Apple for comment.
On November 12, an attempted class action suit against Apple emerged, alleging that Apple violates the user's right to privacy due to it knowing what users are looking at on the App Strore. That lawsuit was based on research by Mysk, but at the time, the researchers couldn't examine what data was sent in iOS 16 due to the use of encryption.
Read on AppleInsider
Privacy. That's iPhone.
As a privacy-focused company, Apple's introduction of App Tracking Transparency, as well as assurances it would not collect identifiable data on a user's usage habits, is supposed to assure users they won't necessarily be tracked and their data monetized in some way. In details unearthed by two researchers, it seems Apple may be able to do so.
In a series of Monday tweets, iOS developers Mysk continued researching Apple's systems, and discovered an ID in its analytics data referred to as "dsId." It was later determined that this refers to a "Directory Services Identifier," which is linked to an iCloud account.
Each DSID can, in theory, be collated with an existing iCloud account. If the research is accurate, if Apple chose to do this, it has the associated user's name, email, and other details relating to the account.
The identifier is included in all analytics data the App Store sends to Apple, with other apps also doing the same thing. Mysk reckons this means "your detailed behavior when browsing apps on the App Store is sent to Apple, and contains the ID needed to link the data to you."
Mysk points out that Apple's own Device Analytics & Privacy statement states "None of the collected information identifies you personally," which is characterized as "inaccurate."
New Findings:
1/6
Apple's analytics data include an ID called "dsId". We were able to verify that "dsId" is the "Directory Services Identifier", an ID that uniquely identifies an iCloud account. Meaning, Apple's analytics can personally identify you pic.twitter.com/3DSUFwX3nV-- Mysk (@mysk_co)
Apple has previously and publicly asserted that it isn't in the business of selling user data, and also explained how it uses data in its ad platforms. This includes assertions that its ad platform does not connect user or device data with data collected from third parties for targeted advertising, and that it doesn't share user device or device identification with data collection firms.
Despite claims it doesn't sell data, and that it works to anonymize data that is used by clients of its ad platform, the issue here is that Apple still could potentially use the identifiable data for its own purposes, and that there is evidence that it has the capability of collecting identifiable data.
AppleInsider has reached out to Apple for comment.
On November 12, an attempted class action suit against Apple emerged, alleging that Apple violates the user's right to privacy due to it knowing what users are looking at on the App Strore. That lawsuit was based on research by Mysk, but at the time, the researchers couldn't examine what data was sent in iOS 16 due to the use of encryption.
Read on AppleInsider
Comments
I’m able to rob a bank, that doesn’t mean I should be accused of it.
Designed to place doubt in the minds of users pure and simple
... is the broader data market for derivative data, per shoshanazuboff.com/book/shoshana/ ...?
... also does Apple often limit representations to 'others' when discussing selling personal data and privacy ...?
Also is 'core ml' potentially part of commodifying privacy while attracting developers...?
www.wired.com/story/core-ml-privacy-machine-learning-ios/
I've never had anyone walk up to me suggesting a product or received a message from Apple trying to sell me something.
There is a lot of useful metrics that can be collected and used, using de-identified and/or aggregate data.
Creepy is sitting in a restaurant, opening Instagram and seeing a post from the restaurant that I'm in.
Creepy is watching my Sony/Google TV (configured to block everything) and browsing the internet and being served ads related to what I'm watching.
Lastly what a company "can do" and what a company "does do" are completely different. Thanks to the article, advertisers will now probably attempt to use the ID to join the data.
Do I have a problem with that? Obviously not since it’s part of the service I’m getting.
Now if the bank makes my data available to someone else, THEN it’s a major problem. I expect companies I do business with to know some things about me. I don’t expect them to consolidate their knowledge of me to build a detailed profile to target me.
I’m convinced when the dust clears this will be nothing more than data Apple gets through my normal dealings with them.
I’m still waiting to see Apple serve me an advertisement in The App Store that’s in any way targeted (based on existing Apps I have installed or my web browsing habits). Or to see a ad in Facebook related to my search history in The App Store. If that ever happens I’ll be pissed.
Actual products purchased on the App Store or Apple Store apps are clearly associated with your Apple ID, and unambiguously so (and it really can't be any other way).
You can ask an app not to track you, certainly, but this only informs the company behind the app that they shouldn't provide or sell the tracking that they do on your specific account to third parties. If Apple isn't providing or selling the data they accumulate to third parties, then this question doesn't even apply in their case.