Apple's App Store analytics may be able to identify users
AppleInsider may earn an affiliate commission on purchases made through links on our site.
Apple is allegedly able to identify a user in analytics it collects, according to security researchers, via a unique identifier that can be associated with a user's iCloud account.
As a privacy-focused company, Apple's introduction of App Tracking Transparency, as well as assurances it would not collect identifiable data on a user's usage habits, is supposed to assure users they won't necessarily be tracked and their data monetized in some way. In details unearthed by two researchers, it seems Apple may be able to do so.
In a series of Monday tweets, iOS developers Mysk continued researching Apple's systems, and discovered an ID in its analytics data referred to as "dsId." It was later determined that this refers to a "Directory Services Identifier," which is linked to an iCloud account.
Each DSID can, in theory, be collated with an existing iCloud account. If the research is accurate, if Apple chose to do this, it has the associated user's name, email, and other details relating to the account.
The identifier is included in all analytics data the App Store sends to Apple, with other apps also doing the same thing. Mysk reckons this means "your detailed behavior when browsing apps on the App Store is sent to Apple, and contains the ID needed to link the data to you."
Mysk points out that Apple's own Device Analytics & Privacy statement states "None of the collected information identifies you personally," which is characterized as "inaccurate."
New Findings:— Mysk (@mysk_co) November 21, 2022
Apple's analytics data include an ID called "dsId". We were able to verify that "dsId" is the "Directory Services Identifier", an ID that uniquely identifies an iCloud account. Meaning, Apple's analytics can personally identify you pic.twitter.com/3DSUFwX3nV
Apple has previously and publicly asserted that it isn't in the business of selling user data, and also explained how it uses data in its ad platforms. This includes assertions that its ad platform does not connect user or device data with data collected from third parties for targeted advertising, and that it doesn't share user device or device identification with data collection firms.
Despite claims it doesn't sell data, and that it works to anonymize data that is used by clients of its ad platform, the issue here is that Apple still could potentially use the identifiable data for its own purposes, and that there is evidence that it has the capability of collecting identifiable data.
AppleInsider has reached out to Apple for comment.
On November 12, an attempted class action suit against Apple emerged, alleging that Apple violates the user's right to privacy due to it knowing what users are looking at on the App Strore. That lawsuit was based on research by Mysk, but at the time, the researchers couldn't examine what data was sent in iOS 16 due to the use of encryption.