Malcolm Owen
Apple is allegedly able to identify a user in analytics it collects, according to security researchers, via a unique identifier that can be associated with a user's iCloud account.
As a privacy-focused company, Apple's introduction of App Tracking Transparency, as well as assurances it would not collect identifiable data on a user's usage habits, is supposed to assure users they won't necessarily be tracked and their data monetized in some way. In details unearthed by two researchers, it seems Apple may be able to do so.
In a series of Monday tweets, iOS developers Mysk continued researching Apple's systems, and discovered an ID in its analytics data referred to as "dsId." It was later determined that this refers to a "Directory Services Identifier," which is linked to an iCloud account.
Each DSID can, in theory, be collated with an existing iCloud account. If the research is accurate, if Apple chose to do this, it has the associated user's name, email, and other details relating to the account.
The identifier is included in all analytics data the App Store sends to Apple, with other apps also doing the same thing. Mysk reckons this means "your detailed behavior when browsing apps on the App Store is sent to Apple, and contains the ID needed to link the data to you."
Mysk points out that Apple's own Device Analytics & Privacy statement states "None of the collected information identifies you personally," which is characterized as "inaccurate."
New Findings:
— Mysk (@mysk_co) November 21, 2022
1/6
Apple's analytics data include an ID called "dsId". We were able to verify that "dsId" is the "Directory Services Identifier", an ID that uniquely identifies an iCloud account. Meaning, Apple's analytics can personally identify you pic.twitter.com/3DSUFwX3nV
Apple has previously and publicly asserted that it isn't in the business of selling user data, and also explained how it uses data in its ad platforms. This includes assertions that its ad platform does not connect user or device data with data collected from third parties for targeted advertising, and that it doesn't share user device or device identification with data collection firms.
Despite claims it doesn't sell data, and that it works to anonymize data that is used by clients of its ad platform, the issue here is that Apple still could potentially use the identifiable data for its own purposes, and that there is evidence that it has the capability of collecting identifiable data.
AppleInsider has reached out to Apple for comment.
On November 12, an attempted class action suit against Apple emerged, alleging that Apple violates the user's right to privacy due to it knowing what users are looking at on the App Strore. That lawsuit was based on research by Mysk, but at the time, the researchers couldn't examine what data was sent in iOS 16 due to the use of encryption.
Sponsored Content
Wesley Hilliard
AppleInsider Staff
Andrew Orr
Amber Neely
William Gallagher
29 Comments
“May be able to”? Either they can or they can’t. The Twitter statement says they can but can we ever say anything on Twitter us accurate?
Able to do something is different than doing it.
I’m able to rob a bank, that doesn’t mean I should be accused of it.
Allegedly, theoretically, could, might? This is nothing but a witch hunt and belongs in the National Enquirer along with the latest alien abduction reports.
Designed to place doubt in the minds of users pure and simple
... call me surprised ... (not so much : )
... is the broader data market for derivative data, per shoshanazuboff.com/book/shoshana/ ...?
... also does Apple often limit representations to 'others' when discussing selling personal data and privacy ...?
Also is 'core ml' potentially part of commodifying privacy while attracting developers...?
www.wired.com/story/core-ml-privacy-machine-learning-ios/