Apple Says Your iPhone's Usage Data is Anonymous, but New Tests Say That's Not True

The Apple logo on an Apple store
The Apple logo on an Apple store

A new test of how Apple gathers usage data from iPhones has found that the company collects personally identifiable information while explicitly promising not to.

The privacy policy governing Apple’s device analytics says the “none of the collected information identifies you personally.” But an analysis of the data sent to Apple shows it includes a permanent, unchangeable ID number called a Directory Services Identifier, or DSID, according to researchers from the software company Mysk. Apple collects that same ID number along with information for your Apple ID, which means the DSID is directly tied to your full name, phone number, birth date, email address and more, according to Mysk’s tests.

Read more

According to Apple’s analytics policy, “Personal data is either not logged at all, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they’re sent to Apple.” But Mysk’s tests show that show that the DSID, which is directly tied to your name, is sent to Apple in the same packet as all the other analytics information.

“Knowing the DSID is like knowing your name. It’s one-to-one to your identity,” said Tommy Mysk, an app developer and security researcher, who ran the test along with his partner Talal Haj Bakry. “All these detailed analytics are going to be linked directly to you. And that’s a problem, because there’s no way to switch it off.”

The findings worsen recent discoveries about Apple’s privacy problems and promises. Earlier this month, Mysk discovered that Apple collects analytics information even when you switch off an iPhone setting called “Share iPhone Analytics,” an action that Apple pledges will “disable the sharing of Device Analytics altogether.” Days after Gizmodo reported on Mysk’s tests, a class action lawsuit was filed against Apple for allegedly deceiving its customers over the issue.

Apple didn’t respond to a request for comment. The company hasn’t said anything publicly about the apparent contradictions in its privacy promises, or the recent lawsuit.

Theoretically, Apple might argue that an ID number isn’t personal information. But the GDPR, the mammoth European privacy law which set the standard for data regulation world wide, defines personal data as any information that “directly or indirectly” identifies a person, including ID numbers.

“I think people should be upset about this,” Mysk said. “This isn’t Google. people opt for iPhone because they think these kinds of things aren’t going to happen. Apple doesn’t have the right to keep an eye on you.”

Mysk published information about the test in a Twitter thread late Sunday.

In some cases, this analytics data apparently includes details about your every move. Mysk’s tests show that analytics for the App Store, for example, includes every single thing you did in real time, including what you tapped on, which apps you search for, what ads you saw, and how long you looked at a given app and how you found it. You can see the data, which is sent in real time, in a video on the Mysk YouTube channel.

The App Store on your iPhone is watching your every move

Over the course of these tests, the researchers checked their work on two different devices. First, they used a jailbroken iPhone running iOS 14.6, which allowed them to decrypt the traffic and examine exactly what data was being sent. Apple introduced a privacy setting in iOS 14.5 that prevents other companies from harvesting data called App Tracking Transparency, cuing users to decide whether or not to give their data to individual apps with the prompt “Ask app not to track?

The researchers also examined a regular iPhone running iOS 16, the latest operating system, which bolstered their findings. The researchers couldn’t examine exactly what data was sent because the phone’s encryption remained intact, but the similarities to the tests on the jailbroken phone suggest the patterns they found there may be the standard on the iPhone. There is little reason to think that the jailbroken phone would send different data, they said, but On iOS 16, they saw the same apps sending similar packets of data to the same Apple web addresses. The data was transmitted at the same times under the same circumstances, and turning the available privacy settings on and off likewise didn’t change anything.

It’s possible that Apple processes DSID data to shelter personally identifying details when the company receives the information, separating your personal information from other data. But there’s no way to know, because so far Apple seems unwilling to explain its practices. The company may not use the data if you turn the related privacy settings off, despite still receiving it, but that’s not how the company explains what the settings do in its privacy policy.

The findings are especially damning given the years Apple spent rebranding itself as a privacy company. Apple’s recent marketing campaigns suggest the company’s privacy practices are supposed to be far better than other tech companies. It emblazoned 40-foot billboards of the iPhone with the simple slogan “Privacy. That’s iPhone.” and ran the ads across the world for months.

But Apple is making strides to build an advertising empire of its own, built on the personal data of its billions of users. Even the company’s own privacy settings can be seen as part of a long game to kneecap its advertising competitors, though the company vehemently denies that accusation.

For his part, the findings come as a personal shock to Tommy Mysk. In the past, “I would always allow the app to share analytics with Apple, because I want to help them,” Mysk said. “But I always assumed the data was going to be sent out in an anonymous way.”

More from Gizmodo

Sign up for Gizmodo's Newsletter. For the latest news, Facebook, Twitter and Instagram.

Click here to read the full article.