Apple's App Store analytics may be able to identify users

Posted:
in iOS
Apple is allegedly able to identify a user in analytics it collects, according to security researchers, via a unique identifier that can be associated with a user's iCloud account.

Privacy. That's iPhone.
Privacy. That's iPhone.


As a privacy-focused company, Apple's introduction of App Tracking Transparency, as well as assurances it would not collect identifiable data on a user's usage habits, is supposed to assure users they won't necessarily be tracked and their data monetized in some way. In details unearthed by two researchers, it seems Apple may be able to do so.

In a series of Monday tweets, iOS developers Mysk continued researching Apple's systems, and discovered an ID in its analytics data referred to as "dsId." It was later determined that this refers to a "Directory Services Identifier," which is linked to an iCloud account.

Each DSID can, in theory, be collated with an existing iCloud account. If the research is accurate, if Apple chose to do this, it has the associated user's name, email, and other details relating to the account.

The identifier is included in all analytics data the App Store sends to Apple, with other apps also doing the same thing. Mysk reckons this means "your detailed behavior when browsing apps on the App Store is sent to Apple, and contains the ID needed to link the data to you."

Mysk points out that Apple's own Device Analytics & Privacy statement states "None of the collected information identifies you personally," which is characterized as "inaccurate."

New Findings:
1/6
Apple's analytics data include an ID called "dsId". We were able to verify that "dsId" is the "Directory Services Identifier", an ID that uniquely identifies an iCloud account. Meaning, Apple's analytics can personally identify you pic.twitter.com/3DSUFwX3nV

-- Mysk (@mysk_co)


Apple has previously and publicly asserted that it isn't in the business of selling user data, and also explained how it uses data in its ad platforms. This includes assertions that its ad platform does not connect user or device data with data collected from third parties for targeted advertising, and that it doesn't share user device or device identification with data collection firms.

Despite claims it doesn't sell data, and that it works to anonymize data that is used by clients of its ad platform, the issue here is that Apple still could potentially use the identifiable data for its own purposes, and that there is evidence that it has the capability of collecting identifiable data.

AppleInsider has reached out to Apple for comment.

On November 12, an attempted class action suit against Apple emerged, alleging that Apple violates the user's right to privacy due to it knowing what users are looking at on the App Strore. That lawsuit was based on research by Mysk, but at the time, the researchers couldn't examine what data was sent in iOS 16 due to the use of encryption.

Read on AppleInsider
«1

Comments

  • Reply 1 of 29
    rob53rob53 Posts: 3,289member
    “May be able to”? Either they can or they can’t. The Twitter statement says they can but can we ever say anything on Twitter us accurate? 
    starof80magman1979lolliverwatto_cobrateejay2012lkruppwilliamlondon
  • Reply 2 of 29
    JP234 said:
    As long as Apple isn't selling that data to third parties, and uses it to improve my user experience, I don't care.
    Agreed 
    magman1979watto_cobrateejay2012
  • Reply 3 of 29
    DAalsethDAalseth Posts: 2,970member
    Able to do something is different than doing it.
    I’m able to rob a bank, that doesn’t mean I should be accused of it. 
    Show me some evidence.
    magman1979lotoneslolliverwatto_cobrateejay2012williamlondonFileMakerFeller
  • Reply 4 of 29
    lkrupplkrupp Posts: 10,557member
    Allegedly, theoretically, could, might? This is nothing but a witch hunt and belongs in the National Enquirer along with the latest alien abduction reports.

    Designed to place doubt in the minds of users pure and simple 
    magman1979lotoneswatto_cobrateejay2012williamlondon
  • Reply 5 of 29
    ... call me surprised ... (not so much : )
    ... is the broader data market for derivative data, per shoshanazuboff.com/book/shoshana/ ...?
    ... also does Apple often limit representations to 'others' when discussing selling personal data and privacy ...?
    Also is 'core ml' potentially part of commodifying privacy while attracting developers...?
    www.wired.com/story/core-ml-privacy-machine-learning-ios/
    edited November 2022 williamlondon
  • Reply 6 of 29
    DAalseth said:
    Able to do something is different than doing it.
    I’m able to rob a bank, that doesn’t mean I should be accused of it. 
    Show me some evidence.
    Except in this case they have already done the legwork so it is more like saying just because someone cased the joint and secured masks, guns and a getaway car it doesn’t mean they are necessarily going to rob a bank.
    muthuk_vanalingamelijahgJanNLwilliamlondonFileMakerFeller
  • Reply 7 of 29
    danoxdanox Posts: 3,280member
    Of course they can, no surprise.
  • Reply 8 of 29
    DAalsethDAalseth Posts: 2,970member
    DAalseth said:
    Able to do something is different than doing it.
    I’m able to rob a bank, that doesn’t mean I should be accused of it. 
    Show me some evidence.
    Except in this case they have already done the legwork so it is more like saying just because someone cased the joint and secured masks, guns and a getaway car it doesn’t mean they are necessarily going to rob a bank.
    Exactly right. No one is guilty until they do the crime. We don’t have preemptive law enforcement. 
    watto_cobraFileMakerFeller
  • Reply 9 of 29
    Last para: "App Strore". How'd that get past the spell checker?
    watto_cobra
  • Reply 10 of 29
    gatorguygatorguy Posts: 24,591member
    JP234 said:
    As long as Apple isn't selling that data to third parties, and uses it to improve my user experience, I don't care.
    Do you care if Google uses "anonymized" analytics to improve your user experience as long as they don't sell the data to third parties (and they don't)? How about Amazon? Microsoft? 
    edited November 2022 grandact73elijahgFileMakerFellerderekmorr
  • Reply 11 of 29
    Is this rocket science? Apple clearly uses this to know what apps you purchased. It’s in the purchased list in App Store. Also apple uses this data to disable spam and robot accounts and detect fraud 
    watto_cobra
  • Reply 12 of 29
    gatorguygatorguy Posts: 24,591member
    Is this rocket science? Apple clearly uses this to know what apps you purchased. It’s in the purchased list in App Store. Also apple uses this data to disable spam and robot accounts and detect fraud 
    That doesn't sound accurate. Apple's own Device Analytics & Privacy statement clearly states that "None of the collected information identifies you personally". You're suggesting that's not true and never was meant to be true?
    edited November 2022
  • Reply 13 of 29
    JP234 said:
    gatorguy said:
    JP234 said:
    As long as Apple isn't selling that data to third parties, and uses it to improve my user experience, I don't care.
    Do you care if Google uses "anonymized" analytics to improve your user experience as long as they don't sell the data to third parties (and they don't)? How about Amazon? Microsoft? 
    As for Apple, Amazon and Microsoft, I'm a shareholder in all 3 companies, so whatever makes them money makes me money. And I'm good with that!
    Apple makes money (from people like me) because Apple' does NOT monetize user data that they possess. So you should be upset if Apple is violating users' privacy, if you care about their stock value.
    elijahg
  • Reply 14 of 29
    omasouomasou Posts: 613member
    Perhaps all the id does is say "hey last time this iPhone, watch, etc" was in the store they bought X, or spent time looking at this display or playing w/this macbook. And like a web site they use the metrics to inform the store design and product placement/interest.

    I've never had anyone walk up to me suggesting a product or received a message from Apple trying to sell me something.

    There is a lot of useful metrics that can be collected and used, using de-identified and/or aggregate data.

    Creepy is sitting in a restaurant, opening Instagram and seeing a post from the restaurant that I'm in.

    Creepy is watching my Sony/Google TV (configured to block everything) and browsing the internet and being served ads related to what I'm watching.

    Lastly what a company "can do" and what a company "does do" are completely different. Thanks to the article, advertisers will now probably attempt to use the ID to join the data.
    edited November 2022
  • Reply 15 of 29
    gatorguy said:
    JP234 said:
    As long as Apple isn't selling that data to third parties, and uses it to improve my user experience, I don't care.
    Do you care if Google uses "anonymized" analytics to improve your user experience as long as they don't sell the data to third parties (and they don't)? How about Amazon? Microsoft? 
    It is both hilarious and pathetic you attempting to equate Apple and Google and their practices. Your posts should be on the Wiki page for logical fallacies as a perfect example of False Equivalency.
    williamlondon
  • Reply 16 of 29
    DAalseth said:
    DAalseth said:
    Able to do something is different than doing it.
    I’m able to rob a bank, that doesn’t mean I should be accused of it. 
    Show me some evidence.
    Except in this case they have already done the legwork so it is more like saying just because someone cased the joint and secured masks, guns and a getaway car it doesn’t mean they are necessarily going to rob a bank.
    Exactly right. No one is guilty until they do the crime. We don’t have preemptive law enforcement. 
    Conspiracy to commit a crime.
    FileMakerFeller
  • Reply 17 of 29
    dewmedewme Posts: 5,676member
    DAalseth said:
    Able to do something is different than doing it.
    I’m able to rob a bank, that doesn’t mean I should be accused of it. 
    Show me some evidence.
    Except in this case they have already done the legwork so it is more like saying just because someone cased the joint and secured masks, guns and a getaway car it doesn’t mean they are necessarily going to rob a bank.
    There’s a difference between finding a gun and finding a smoking gun. If they can provide evidence of the latter then Apple has some explaining to do. But we’re not there yet and may never be there. 
    FileMakerFeller
  • Reply 18 of 29
    What does my bank know about me? A lot, since everything I buy shows up on my debit/credit card. If they see my income building in a savings account they might send me an offer to invest in a retirement plan (for example).

    Do I have a problem with that? Obviously not since it’s part of the service I’m getting.

    Now if the bank makes my data available to someone else, THEN it’s a major problem. I expect companies I do business with to know some things about me. I don’t expect them to consolidate their knowledge of me to build a detailed profile to target me.

    I’m convinced when the dust clears this will be nothing more than data Apple gets through my normal dealings with them.


    I’m still waiting to see Apple serve me an advertisement in The App Store that’s in any way targeted (based on existing Apps I have installed or my web browsing habits). Or to see a ad in Facebook related to my search history in The App Store. If that ever happens I’ll be pissed.
    williamlondondewmeFileMakerFeller
  • Reply 19 of 29
    So, this ID can only be tied to a user's interactions with the App Store? I was contemplating whether this is anti-competitive, but if so it is only subtly so. If I browse for products using the Amazon app, or Instacart, or really any other shopping app, then my browsing activity is also subject to analysis by the company behind that app. The difference here is that I can usually browse those other apps without logging in, to see what products they have before deciding to create a login, though apps are hardly required to allow such browsing without logging in first. 

    Actual products purchased on the App Store or Apple Store apps are clearly associated with your Apple ID, and unambiguously so (and it really can't be any other way). 

    You can ask an app not to track you, certainly, but this only informs the company behind the app that they shouldn't provide or sell the tracking that they do on your specific account to third parties. If Apple isn't providing or selling the data they accumulate to third parties, then this question doesn't even apply in their case. 
    williamlondon
  • Reply 20 of 29
    Quite the editorial decision to make the top story with "may" in the headline.
    dewmeCheeseFreeze
Sign In or Register to comment.