Friday, March 29, 2024

Apple is sneaking around its own privacy policy – and will inevitably regret it

An unacknowledged shift that lets companies follow a much looser interpretation of its controversial privacy policy.

Apple has a complicated relationship with privacy. It loves to tout its efforts, especially as a differentiator with Google. But actually, delivering privacy? That’s a different story.

Much of this involves the definition of privacy. Fortunately for Apple’s marketing people, “privacy” is the ultimate undefinable term because every user views it differently. If you ask a 60-year-old man in Chicago what he considers to be private, you’ll get a very different answer than if you asked a 19-year-old woman in Los Angeles. Outside the US, privacy definitions vary even more. Germans and Canadians truly value privacy, but even they don’t agree on what they personally consider private.

What brings this up is a recent move by Apple to allow app developers to collect tons of data from Apple users, despite the company’s privacy policy that allows users to block tracking or data sharing.

Apple has allowed app developers to collect data from its 1bn iPhone users for targeted advertising, in an unacknowledged shift that lets companies follow a much looser interpretation of its controversial privacy policy.

In May 2021, Apple communicated its privacy changes to the wider public, launching an advert that featured a harassed man whose daily activities were closely monitored by an ever-growing group of strangers. When his iPhone prompted him to ‘Ask App Not to Track,’ he clicked it and they vanished.

Apple’s message to potential customers was clear — if you choose an iPhone, you are choosing privacy.

But seven months later, companies including Snap and Facebook have been allowed to keep sharing user-level signals from iPhones, as long as that data is anonymized and aggregated rather than tied to specific user profiles. 

Ah, yes, the always-popular “it’s not really private if it’s anonymized/aggregated” line. Let’s explore that a bit. 

First, let’s start by looking at anonymization/aggregation in theory. If it works perfectly (which it often doesn’t and that’s pretty much the point), no user will see any ad that reflects a specific purchase they made or piece of content they looked at/listened to/watched.

Or will it?

Privacy fears are overwhelmingly about perception. If users think their privacy has been violated, they act and feel angry. Even if the data was truly anonymized, the user will be just as furious. Example: a user buys something embarrassing and immediately starts seeing ads for closely related products. They feel violated, yet the data behind those ads might still be anonymized: an advertiser might simply ask to send ads to anyone who looks at that embarrassing product.

Done properly, an approach where data is anonymized/aggregated could still let a user feel that the advertiser knows what they did — when, in fact, the advertiser might never know the user’s name. And if a user winds up feeling violated, I’m not sure whether the anonymous approach will help the Apple brand — or the brands that use that anonymized data.

More importantly, it’s not what users bought into. It undermines the intent and feel of what Apple promised. If Apple wants to attract users interested in privacy, it shouldn’t share data in any way. It can, of course, but it may get punished by users. 

Let’s get back to that FT piece. “Apple declined to answer specific questions for this article but described privacy as its North Star, implying it was setting a general destination rather than defining a narrow pathway for developers. Cory Munchbach, chief operating officer at customer data platform BlueConic, said Apple had to stand back from a strict reading of its rules because the disruption to the mobile ads ecosystem would be too great. ‘Apple can’t put themselves in a situation where they are basically gutting their top-performing apps from a user-consumption perspective,’ she said. ‘That would ultimately hurt iOS.’ For anyone interpreting Apple’s rules strictly, these solutions break the privacy rules set out to iOS users.”

In other words, the industry has moved to a place where sharing data — albeit anonymized and aggregated — is the norm. I agree that it has now indeed become the norm, but Apple is going to regret going along with the crowd. Its privacy argument has been that Google sells ads, so it will leverage your data, whereas Apple sells hardware and software and doesn’t need to leverage user data.

It’s a powerful argument. Many users have bought Apple devices explicitly because of the company’s privacy approaches, including pushing back on law enforcement requests to access user data. Going this aggregated/anonymized route will kill that argument for Apple.

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!