The eternal promise of privacy: are iPhones as secure as Apple claims?

"Privacy.

That's Apple."

The famous slogan of the Cupertino company could falter.

Two researchers from

company Mysk say Apple collects personal information from iPhone usage data while explicitly promising not to.

Based on its findings, the company knows the detailed behavior of users in its own apps and can identify them.

EL PAÍS has contacted Apple, which, for the moment, claims to have nothing to say about it.

Tommy Mysk and Talal Haj Bakry, independent Mysk researchers, have conducted an analysis of Apple

and the usage data they send to the company's servers.

“We focused on the App Store because users have no other alternative to download and install apps on iOS,” says Mysk, who says other apps like Apple Books, the iTunes Store, Apple Music and Apple TV send similar data to the tech giant.

Among this information, would be "what a user does in these applications, what he sees, when he does it and for how long."

For example, according to Mysk, App Store usage data includes how many milliseconds a person spends reading the privacy section of a particular app.

All these data can be useful for developers to improve their applications.

But Mysk insists that it is normal for them to ask users for permission to collect them and also to anonymize them, so that a user cannot be personally identified.

On a web page about iPhone analysis, Apple indicates that none of the information collected identifies the user.

“Personal data is not logged, is subject to privacy protection techniques (such as differential privacy), or is removed from reports before it is sent to Apple,” she notes.

However, Mysk claims that the data sent to the company includes a permanent and immutable identification number called a directory services identifier, or DSID.

This number "can identify a user personally" as it "is associated with their name, email, and any data in their iCloud account."

It's not clear exactly what Apple does with it or if it uses any techniques to separate personally identifiable information from other information.

The researchers conducted these tests using a

iPhone (a process that allows you to remove some of the limitations imposed by Apple) running the iOS 14.6 operating system to decrypt the traffic and examine what data was being sent to Apple.

They also made them with a mobile with iOS 16, the latest operating system.

Although in this case they could not decrypt the data, they assure that they detected a similar pattern of network traffic, so they consider it "very likely that the App Store application is sending the same data."

A dead end?

From Mysk they ensure that Apple collects this information even when an iPhone configuration called “Share iPhone analysis” is deactivated.

All despite the fact that, with this action, the company promises to "disable the sharing of device analysis data completely."

“The policy is ambiguous and gives users the impression that turning off device analytics would also turn off usage data and app analytics,” Mysk criticizes.

The researchers say there is nothing users can do to prevent Apple apps from collecting usage data and linking it to their identity.

Samuel Parra, a lawyer specializing in technological law, stresses that they could react to this possible attack on their privacy by filing a claim with organizations such as the Spanish Agency for Data Protection.

In fact, this situation has led one user, Elliot Libman, to file a class action lawsuit against Apple in federal court in California, "on his behalf and on behalf of everyone else in a similar situation."

A potential crisis of confidence

Apple often boasts that privacy is one of its priorities and one of the characteristics that differentiate it from the competition.

But then where do these tests leave the company?

“First of all, and from the perspective of Apple as a brand that apparently is committed to privacy, it would mean a bankruptcy in the trust of its customers,” says Samuel Parra, a lawyer specializing in technology law.

In addition, the information that Apple supposedly collects without the consent or knowledge of the users "would allow the creation of very precise profiles regarding tastes, preferences, political ideology or even health."

Something that, as Parra points out, could be used to manipulate said preferences.

For example, to try to get users to change their minds in a specific political context.

“What happened with Cambridge Analytica showed us that if we know the user, it is perfectly possible to shape them according to the interests of the highest bidder, even in matters of political ideology,” she says.

The findings of these researchers could affect Apple's reputation in the future, according to Álvaro Orts Ferrer, a privacy expert lawyer and director of Orts Consultores: "If what the Mysk company indicates is true and in the event that Apple insures in its policies that do not collect personal data, we would find ourselves not only facing a breach of the conditions established between Apple and the user, and with it, a legal breach, but also considerable reputational damage would be produced”.

Something in which Parra agrees: "Will we believe similar messages from the apple brand again?"

This situation could also transcend Apple itself.

“Large corporations could be sending a not very reassuring message to society: whatever you do, we are watching you.

Because it gives me the feeling that if someone can spy on us, they will," says the expert.

Mysk, for its part, considers that "a company that believes that privacy is a fundamental human right should describe its 'many' privacy statements in a much clearer way."

Furthermore, he points out that the company collects too much user data and should provide an option to prevent it.

“Their privacy statements sound more like they were written by Google, Meta, or TikTok,” he concludes.

You can follow