Wow, nice, since my app is focused on privacy, this could become a huge marketing bonus.
However, the questionnaire seems quite complicated. I ask for the email address and Apple wants to know if I connect the email address with the identity of a user. However, what does that even mean? I have no identity of a user except the email address.
If you only have an email address and you make zero effort to cross-reference that with other data (using, for example, any datasets you purchased, or a marketing data enhancement system) then you are not connecting their email address to their identity.
In contrast, when you provide Facebook an email address, they will explicitly pay a lot of databases to cross-reference your email address and tell Facebook your identity, your salary, and so on.
> If you only have an email address and you make zero effort to cross-reference that with other data (using, for example, any datasets you purchased, or a marketing data enhancement system) then you are not connecting their email address to their identity.
That is not my interpretation. As I'm reading it, all data that is routinely collected has to be disclosed, even if it is never cross referenced with any third party datasets.
I think if you create a record on your server for each user (identified by some user ID) and you store the user's email address in that record, then you must disclose that fact.
You have to disclose this, but the problem is the question following this. If you collect the email address, Apple wants to know if you use this to link to the user’s identity. And this is where it’s confusing. Without a definition of "identity", I don’t know if I answer this question properly.
If the same person registers two accounts with two email addresses, but provides the same information for both, would you know that they're the same person?
If the same person registers two accounts with two email addresses, but provides the same mailing address for both, and you send a postal catalog to each of them, would your systems detect the duplication and only send one catalog?
If either Yes, and for some companies it's both Yes, then you are linking their email address to their identity — their personhood, their struct {} of data fields.
If either No, and for many companies it's both No, then you are not linking their email address to their identity.
(Obviously having a postal address creates other problems for you; I'm just trying to do my best to analogize here. For definite answers you presumably already have contacted Apple, as Apple is clearly reserving the right to make judgement calls when asked questions about this.)
> If the same person registers two accounts with two email addresses, but provides the same information for both, would you know that they're the same person?
Probably. I find it odd that Apple didn't choose words that are already clear with respect to privacy laws such as GDPR. The GDPR doesn't talk about identity. It defines personal data or personally identifiable information (PII). If you collect this data, you're subject to GDPR compliance.
Apple has a weird phrasing of this. You apparently can collect an email address, but not link it to an identity, which is different from collecting an email address and linking it to an identity. It's unclear to me what they mean by this and what "identity" is supposed to mean.
It's way easier to say: an email address is a piece of data that could identify a person, hence you must treat it carefully and comply with GDPR laws (collect it with consent only, make sure to delete it when you're done, user's right to change PII and user's right to get info about everything they have on you).
I agree with you that "identity" is not well defined in Apple's document.
The way I'm reading it is that "identity" is anything that uniquely identifies each user of your app, i.e. something like a GUID or any generated user ID. It does not necessarily mean that you are able to identify the real-world person behind the user record.
So for instance, if you collect the number of steps each user has taken each day and you store that information on your server associated with a user ID, then you have collected that data and you have linked it to the user's identity, even if you know absolutely nothing else about that user.
What would it mean to collect data without linking it to a user's identity? I think it means collecting aggregate or statistical data. If you transmit the number of steps taken by each user to your server, but you only ever store the average number of steps taken across all your users, then you have collected data without linking it to a user's identity.
For email addresses the distinction between collection and linking to users makes no sense. It's always going to be both or neither.
So that's what I believe. What's important though is what Apple actually means. And I fully agree with you that this document needs clarification.
> when you provide Facebook an email address, they will explicitly pay a lot of databases to cross-reference your email address and tell Facebook your identity, your salary, and so on.
Just do a quick search for "DMPs" or "data management platforms."
Multi-billion dollar industry that's focused on collecting data from many different sources, consolidating, and aligning towards real individuals with a combination of deterministic data and probabilistic assumptions.
Then, they can sell access to that database to various companies, mostly in the ad-tech space.
Source: did consulting work for an ad platform in the RTB space on the DSP side, competitor to Google.
EDIT (more context / sidebar thought): this is also why Apple deserves some credit here for their moves, as they are one of the few companies with enough of a war chest to fight against these multi-BILLION dollar interests. It's the type of advantage I worry about losing if Apple has to open up different app stores on the iPhone: if a developer doesn't want to submit documentation and/or get bad publicity for lack of a privacy label, they'll just go to a different, less strict app store.
A search for prior HN discussions matching keywords 'facebook' and 'data' provides many interesting discussions and links to review, and I encourage you to take a look if you're interested to learn more. (If you're already familiar, then with apologies, I won't be engaging in discussion about sentence in this thread. It's possible my summary is imprecise or wrong in some manner; it's presented here only to support answering the question asked, and for that purpose it's enough as-is.)
I'm not sure if you have filled out the form, but whether you cross-reference the email address with other data is asked in a separate follow-up question: "Do you or your third-party partners use email addresses for tracking purposes?"
Therefore if you collect email addresses for user account purposes you would probably answer yes to to the first question about whether they are linked to the user's identity, and then no to the second question of whether you use them for tracking purposes.
I would say Apple have made it perfectly clear "You’ll need to identify whether each data type is linked to the user’s identity (via their account, device, or other details) by you and/or your third-party partners.".
In other words:
On side A you have the user's email address OR hashed email address.
On side B, you have other items of identifiable information ("their account", "their device", "other details").
The question is simple. Do you link side A to side B? Yes or no.
What is "their account"? What is "their device"? How do I get this information from the user? I don't find this simple. If I set up an account with an email address, it's not their identity. It's just an account. They could provide a fake email for all I know.
"What is "their account"? What is "their device"?"
Erm? Exactly what it says?
"Their account" is their account on your platform.
"Their device" is a device that they own and that you are collecting information about.
As I said, it's simple.
Email.
Are you linking it to _ANYTHING_ else? Yes or no?
Are you collecting an email address (or hash of an email), ON ITS OWN and not doing any further processing.... e.g. for a simple mailing list?
Or are you collecting an email address (or hash of an email) as part of a broader set of data you are collecting from the user? (e.g. email + name + address etc.)
Or are you collecting an email address (or hash of an email) and then sending it off to Facebook or other API in an attempt to build a picture?
> "Their account" is their account on your platform.
You mean, the Apple account on my platform? How does it get there? I don't have the Apple account of a user. I just have an email address.
> "Their device" is a device that they own and that you are collecting information about.
I don't collect information about their device. But you still didn't answer the question. What is "their device"? Is it a unique device ID? A fingerprint? What is it?
> Are you linking it to _ANYTHING_ else ? Yes or no ?
I use the email to create an account on my backend. Users can backup data to their account. But nothing ties to "identity". They could fake all of it. I don't care. I send transactional emails, such as a reset password email.
> Or are you collecting an email address (or hash of an email) as part of broader set of data you are collecting from the user ?
Not PII data, just stuff they enter in the app.
> Or are you collecting an email address (or hash of an email) and then sending it off to Facebook or other API in an attempt to build a picture ?
No.
But the details of your questions show, imho, that the concept of identity is non-trivial.
I can summarize it very simply: users sign up for an account, identified by an email address (I don't care if it's real), as a service for the user to have an online backup and an easy way to sync data between devices or move them to Android. The goal is NOT to personally identify a user. But could a user be identified by the email address alone BY SOME ENTITY? Yes, probably. Do I do it? No. Do I share the data or offload it to a third party for data processing? No. Or does my rented self-managed VPS, where the backend runs, count as third party? I don't think so. But of course, I use a transactional email service to send emails to users. What about that? I do have a GDPR-compliant data processing agreement for that. But not sure what Apple wants from me in this case.
Thing is: It's not trivial and Apple's guide is insufficient. That's all I'm saying.
Edit: And to clarify – if it's complicated, data collecting entities such as Facebook could say "well, we did understand this differently" and simply not tell the truth about the data they're collecting. I guess that is another point in this whole discussion: What if someone lies about their data collection practices? Any consequences? Are there downsides to lying about it?
> I use the email to create an account on my backend. Users can backup data to their account. But nothing ties to "identity". They could fake all of it. I don't care. I send transactional emails, such as a reset password email.
Then you are collecting emails to identify users. It doesn't matter if the email is fake or not.
In other words, you are explicitly connecting a specific device to a specific account on your backend via that email.
> Then you are collecting emails to identify users.
I use it to authenticate users. I don't use it to "identify" users. I give zero fucks about the identity of users.
> In other words, you are explicitly connecting a specific device to a specific account on your backend via that email.
No, because I don't collect any more data about the device, I don't link anything. Users use the app. They can use multiple devices. I know nothing about the devices and don't care. Users themselves link their account to their device (on their device), but I don't get any information about this.
I posted this in another comment, but it makes sense here too:
I find it odd that Apple didn't choose words that are already clear with respect to privacy laws such as GDPR. The GDPR doesn't talk about identity. It defines personal data or personally identifiable information (PII). If you collect this data, you're subject to GDPR compliance.
Apple has a weird phrasing of this. You apparently can collect an email address, but not link it to an identity, which is different from collecting an email address and linking it to an identity. It's unclear to me what they mean by this and what "identity" is supposed to mean.
If you are able to answer "Is email address[or other collected data] ________ associated with the user whose database row has primary key _______?" then that is considered being tied to the account, and thus tied to the identity. If you are using email address as a user id, then it is very much tied to the user's account on your service.
For tying to device, this could be based on reading the device's serial number somehow, using the ID for Advertisers, or just generating a unique random identifier at install time, and using that to distinguish records. So if you can answer "What is the race of the user with random install id _______" then for Apple's purposes you have tied race to device and thus to identity.
Basically unless anonymized nearly all data that you collect will be considered by Apple to be identity tied, unless you don't have user accounts, and don't include some form of device identifier with the data. It is literally impossible to have any form of user account without at least having one thing "tied to user identity". Even if you use "sign in with apple" and do not collect the anonymized email address they provide, you will have at least "user id" (the "sub" token from apple) and probably also "Other User Content".
For example, an otherwise offline game might collect the time taken to beat each level without any device identifying information to allow the developer to understand if levels were harder than expected. In that case you have collection of "Product Interaction" data that is not identity tied.
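The test proposed in this comment ("can you answer the question for the row with primary key X?") and the earlier step-count comment (per-user storage versus keeping only the average) describe the same design decision. The following is an added illustration, not code from the thread or from Apple: two constructed backend stores that ingest the same per-user step counts, one keyed by a user or device id and one that discards the id on arrival, plus a check that applies the comment's "can you look it up by id?" test to each. The store names, the probe helper and the sample counts are all assumptions made up for this example.

```python
"""Two ways a backend can ingest per-user measurements (e.g. daily step counts).

LinkedStore keeps each value under a user/device id, so the data is collected
*and* linked to an identity in the sense used in the thread: it can answer
"what is the value for id X?". AggregateStore keeps only a running count and
sum, so the same data is collected but cannot be tied back to any id.
All class names, helper names and sample inputs are constructed for this
illustration and are not from the thread or from Apple's documentation.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LinkedStore:
    """Per-id records: the value stays associated with the identifier."""
    records: Dict[str, int] = field(default_factory=dict)

    def ingest(self, user_id: str, steps: int) -> None:
        self.records[user_id] = steps

    def lookup(self, user_id: str) -> Optional[int]:
        # Being able to answer this question is what makes the data "linked".
        return self.records.get(user_id)

    def average(self) -> float:
        return sum(self.records.values()) / len(self.records) if self.records else 0.0


@dataclass
class AggregateStore:
    """Only totals survive ingestion; the identifier is discarded on arrival."""
    count: int = 0
    total: int = 0

    def ingest(self, user_id: str, steps: int) -> None:
        # user_id arrives with the request (the client has to send something)
        # but is never written anywhere; only the aggregate is updated.
        del user_id
        self.count += 1
        self.total += steps

    def lookup(self, user_id: str) -> Optional[int]:
        # Nothing per-user exists, so the question is unanswerable by design.
        return None

    def average(self) -> float:
        return self.total / self.count if self.count else 0.0


def is_linked_to_identity(store, probe_id: str, probe_steps: int) -> bool:
    """Empirical form of the thread's test: feed one labelled value and see
    whether the store can hand it back when asked for that id."""
    store.ingest(probe_id, probe_steps)
    return store.lookup(probe_id) == probe_steps


# Constructed sample: three users' daily step counts as they would arrive.
SAMPLE = [("user-a1", 8000), ("user-b2", 12000), ("user-c3", 4000)]


def demo() -> dict:
    """Run both stores over SAMPLE and report what each can still answer."""
    linked, aggregate = LinkedStore(), AggregateStore()
    for uid, steps in SAMPLE:
        linked.ingest(uid, steps)
        aggregate.ingest(uid, steps)
    return {
        "linked_avg": linked.average(),
        "aggregate_avg": aggregate.average(),
        "linked_lookup": linked.lookup("user-b2"),
        "aggregate_lookup": aggregate.lookup("user-b2"),
        "linked_is_linked": is_linked_to_identity(LinkedStore(), "probe", 1),
        "aggregate_is_linked": is_linked_to_identity(AggregateStore(), "probe", 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both stores produce the same average, so the product question the step-count comment raises ("were levels harder than expected?", "how active are users?") is answerable either way; only the linked store can answer "what did user-b2 do?". Two caveats a reviewer would add: the email-address case is different because the datum is itself the identifier, which is why the thread concludes it is "both or neither"; and an aggregate over a very small population (one user in the first hour after launch) is still effectively per-user, so a real deployment would withhold aggregates below a minimum count.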
It sounds like you're being intentionally obtuse here. The guidelines say:
Note: “Personal Information” and “Personal Data”, as defined under relevant privacy laws, are considered linked to the user.
This implies that email addresses are, by definition, considered linked to the user's identity. The fact that someone could submit a fake email address is irrelevant, just as if you collected mailing addresses and someone put in "123 Fake Street", or if you collected phone numbers and someone put in "123-456-7890".
I re-read this section. The "Note" makes sense, but the whole description on Apple's website is weird, especially if you consider that Apple allows you to collect an email address that apparently isn't linked to the user. How is this possible? Apple does have categories of data, such as contact info. If contact info is considered "linked to the user", why offer this granularity in the first place? Read this section, fill in "email address" where it talks about data in general and try to make sense of it:
Anyways, I wasn't intentionally obtuse here, because I mostly think in terms of GDPR compliance, but you're right. I apparently thought of this in a more complicated way than necessary.
If you store the email in a database and associate it with any other data (password, settings, profile information, etc) I would think it qualifies as an account.
My app respects the users privacy. There is no tracking, no analytics, no data sharing with third parties. It’s not a privacy product, if this was unclear.
And yes, part of answering these questions is an honest assessment whether I and Apple agree on what it means to respect a user’s privacy.
Maybe they're looking to get a lot of granularity.
Thinking of, https://haveibeenpwned.com/, you could give an email address and get value from the site, but there's no need for an account.
Assuming you store the email that's certainly more of a privacy/security risk than using it once and throwing it away.
Possibly. The wording is odd. It assumes that I have information about the identity of a user, but the only thing I have is the email address.
If my app asks for more data, which are backed up as a service to the user (no tracking), that is of course connected to the email address of the account. However, there is no effort from my side to find the actual identity of the user.
This whole identity thing is very confusing. Might need to contact Apple developer support.
This is a huge bonus for app/game developers that have always been privacy focused, now it becomes something the business/marketing teams also want on their app.
What a great day for good developers and consumers to have this as backup to helping preserve people's privacy and stop the blatant selling and abuse of private data. Thank you Apple!
> Apple wants to know if I connect the email address with the identity of a user. However, what does that even mean? I have no identity of a user except the email address.
Identity basically means anything that allows you to uniquely identify a user, so the e-mail address would apply.
Another strange one is "Browsing History: Information about content the user has viewed that is not part of the app, such as websites"
Apple requires apps to have a web site for customer support. Almost every web server logs anonymous data about visited pages. So, almost every app needs to have "Browsing History" checked??
Apple seems to want to show privacy labels even for anonymized data which isn't linked to the user. Here's their App Store app showing category "Data Not Linked to You": https://support.apple.com/en-us/HT211971
That page appears to not show what the data is used for. I wonder if it's shown elsewhere, or why Apple asks for that if they don't show it anywhere. As a user, that's certainly information I'd be interested in.
(Documentation lists the following purposes: Third-Party Advertising, Developer’s Advertising or Marketing, Analytics, Product Personalization, App Functionality, Other Purposes)
They definitely need a special case for “no data collected”.
It should say something very direct like “This app does NOT collect any data.”. Instead, the App Store listing includes this extremely awkward set of phrases:
“The developer, $DEVELOPER has indicated that the app’s privacy practices may include handling of data as described below:
Data Not Collected
The developer does not collect any data from this app.”
I think the original poster has seen an example of this, and they think Apple could go further.
I certainly was surprised to see the sentence:
"Privacy practices may vary, for example, based on the features you use or your age."
I filled in the questions in app store connect recently, and since it is just a simple game without anything remotely privacy invading, I happily answered all the questions in the most "privacy respecting" way. To then see this sentence hinting that the privacy stuff might be different if people use unspecified features, or be particular ages... that is certainly a surprise.
That message comes from the rule where for non-core infrequently-used functionality, an app need not disclose the data collected if it is not used for advertising or tracking, it is clear and obvious what data you are collecting, and you clearly show the user id as a form field.
For example, if your feedback form allows users to optionally enter their email address so you can contact them to request more details if needed, you don't need to specify that you collect email addresses if you never otherwise collect email.
It is not clear if this would also apply if users can optionally upload a profile photo, but profile photos are not a core part of the app (e.g. not a tinder clone). If it does apply it would let you omit the scary sounding 'user photos' option from the privacy list.
My issue is the whole “privacy practices may include handling of data as described below”, which on first read always sounds like “great, this app is handling my data for some reason”, only to be followed by “no data collected”. It’s pointlessly verbose to get that point across.
I suspect all this will become like a california prop 69 warning, where every building has one and you just go inside anyway unsure if you're walking into an asbestos factory or somewhere where they use bleach to clean the toilet.
As a developer, if you do not collect information, compliance is trivial.
Go to AppStoreConnect for your App, see "App Privacy" on the sidebar, "get started", tell it you don't collect data. And you are done.
Edit: Doh! And also notice the blue "Publish" button in the upper right. Press that and get threatened. Then your data is ready. Otherwise when you go to push your update it will tell you to go fill in the App Privacy data.
If someone would like to arrange a back-alley cash deal, I'm happy to provide a binary on a CD-ROM. But if I'm accepting money over the internet, a third party is necessarily going to be involved, because I'm not a bank and I can't process payments myself.
It's kind of a bizarre criticism to say that Mac software is sold via the Mac App Store...
You could provide it for free. By charging for it, you made a choice to reduce your users' privacy. It doesn't make sense to say that you don't collect any information because you require information to be collected from the user. This is simply a statement of fact.
You started this intentionally inflammatory argument with the following unsupported statement:
“ Your app shares a lot of data with a third party”
You then proceeded to move the goalposts so far that now we’re talking about whether or not an app is free?
Listen, if you’re going to start an open-source/libre/data wants to be free argument, that’s your right, but don’t start it with fake accusations of privacy violations.
> You then proceeded to move the goalposts so far that now we’re talking about whether or not an app is free?
I didn't move the goalposts. The goalposts were always about data collection.
> fake accusations of privacy violations.
There is a real privacy violation going on here. The author has simply externalized it from his app's code. My point was that privacy can be violated outside the app itself and in the ecosystem where it is consumed. A publisher who cares about that, like GGP claimed to in the original comment I replied to, would work to mitigate that data collection as well.
To take the argument to the logical next step, it's like saying you can get my app, which doesn't collect any information at all, for free; however, to get it, you have to link your Twitter and Facebook accounts to the store website and share that you downloaded the app on those platforms.
Checked it out today when I saw this article. Just recently got an Apple Watch and have been using it for health tracking and was very pleased to see that two of my fav apps:
+ Work outdoors
+ Heart Analyzer
collect absolutely no data, everything stays on my watch. Considering the plethora of personal information that something like Garmin, Strava or Suunto collect, this is incredible; more people should be cognizant of this.
Will the app store listing for my Sudoku game warn me (as to its credit my iPhone started doing, before I deleted the app in horror) that it pastes from the clipboard on startup?
A bunch of major apps like Discord do/did that too.
WhatsApp also occasionally tries/tried to access photos for no reason, which I caught thanks to iOS 14's "Would you like to give this app access to more photos?" prompt.
It was iOS that outed them and not Android. This is why I prefer Apple to the other major corps; they're still the lesser evil among the sea of villainy out there.
From what I remember, the old clipboard API didn't distinguish between an app inspecting the clipboard content (dangerous) and merely checking if the clipboard contains data and what its type is (harmless).
The way I understood it, many apps only triggered it because either the old API didn't offer a separate metadata access function, or they didn't know that they should use it.
The types API has been available since iOS 3.0 which, IIRC, was when pasteboard was added to the system. Certainly there are apps which accessed the contents of pasteboard more than they should have because they weren't being punished for it.
By law, all data collection must be opt-in, but that’s usually accomplished through privacy notices that nobody reads. I presume they had to deal with some complexity here as a result. The questionnaire is ambiguous enough as it is.
It's in Apple's financial interest to have people install more apps with IAPs, as Apple currently charges their captive audience 10x the market rate for payment processing inside of apps and makes a lot of money from these purchases.
I wouldn't hold my breath for Apple to develop a filter that lets you find only non-IAP apps.
They made a whole service (Apple Arcade) just to allow users to avoid in-app purchases, ads, and tracking in games. Oh, and loot boxes, too, probably. I don't think they're above letting users do that sort of filtering.
Apple charges about the same price for processing IAPs as the Play store, Steam, PlayStation Network, and Xbox Live. Which storefront are you thinking of that only charges a 3% commission?
All of those are abusive, anticompetitive markets. Every other purchase in an app not under the gatekeeping of those rentseekers pays approximately 1-3% for payment processing.
An example would be in-app purchases in the Amazon app for real-world goods. Those are IAPs too.
Steam isn't acting as a gatekeeper to anything, yet most developers still find their 30% fee acceptable. Clearly Valve is offering some value to them beyond just processing credit card numbers.
Apple must also make money in their own app store from ads, since every time I search for an app the first results are always ads for competing products. So ads and paid placement, unfortunately, would probably be the first monetization strategy for such a solution.
Another option could be referral codes. If I find an app through the search site, the site could show a referral code that the app could accept, granting some benefit to the user. Of course this strategy means that the app makers must do work to participate.
I’d suggest that the privacy screen should be shown on app launch in iOS 15. Apple already does a similar privacy splash screen on launch of their own apps
It would be nice if I can filter apps based on these labels while browsing the App Store. Or even determine which of my existing apps fall under which label(s).
I’m sure this is one of those things that’s on the launch roadmap once you can get developers to actually adopt the badge. Then once there’s a critical mass there’ll be a combination of manual filters and/or automated ranking (ex: if my kid is in the App Store, they only see privacy-friendly apps.)
I just took a look. I find them rather abstract, verbose, and repetitive, like cookie notices. I too think it's a decent start. Personally I would use the labels to look into a certain few sensitive apps, anything health or dating-related.
There are a dozen or so items split between three lists: (1) Data Used to Track You, (2) Data Linked to You, and (3) Data Not Linked to You. The distinction between (1) and (2) is not entirely clear.
The language is wishy-washy: "The following data may be collected and linked to your identity." Is or isn't it? I would like to see firm language: "...data will be collected..."
> Really we need parental advisory ratings like we have for movies to easily know which apps sell data.
I agree. There's value in the App Store privacy labels if you really dive in, but I doubt that many people will scroll to the bottom of an app page to properly read the privacy label.
I think it'd be useful for many users to see a punchy above-the-fold badge that says "Privacy-friendly", "Uses some personal data", or "Uses a lot of personal data" (or terser copy to those effects) and links to the detailed privacy label further down-page.
Your complaints are down to the nature of the "one size fits all" approach in use here.
If an app offers 99% online experiences, and there's one part of the service where you can choose to have something physically shipped to you, they have to say that they collect your physical/mailing address. There's no way for the app to tell you when it does or doesn't do that.
The same is true for many other things - optional 2FA via SMS (phone number), optional search for nearest location (location tracking) etc.
I'm glad there's an exception like that. It will mean that things like a form to contact support won't require an app to list a whole bunch of data that isn't normally collected.
I think perhaps that there needs to be some better way of distinguishing how the categories work. Should anyone be surprised that Amazon needs payment details and an address to send you something?
I think it's phrased "may be collected" because often data will only be collected under certain circumstances, either because the user chooses to fill in optional fields or because they use a specific feature requiring that data.
It's impossible to download free apps on iOS (via the App Store) without giving Apple an email address, phone number, and street address.
Additionally, opening the App Store app on iOS sends your IP (coarse location) and device serial number to Apple. Logging in to download associates that serial with your email, street address, and phone number.
Every iOS device, and now every mac, connects to the Apple push server with a certificate tied to its serial number, and of course sends the client IP (and thus coarse device location).
Apple has your travel history, and the travel history of every iOS device by serial number. As of Big Sur, they have it for each and every mac, too.
On the mac, you can't install a VPN app without providing your identification to Apple, because the NetworkExtension app entitlements to do that are only given out for App Store apps. This is why windows users can download wireguard from the wireguard website, but mac users cannot. App Store only!
I am not really that convinced that Apple cares that much about protecting consumer privacy.
Apple having that information doesn't mean they don't care about protecting consumer privacy...they still have to KYC (Know Your Customer).
The reason you can trust Apple (for now) about protecting consumer privacy is that they aren't selling it to unknown third parties to make MORE money off of you. If Apple has your data it's going to ONLY be used by Apple and only in ways you understand (at least that's the marketing push)
This is false. KYC regulations do not apply to app stores, only banking and financial services: regulated industries.
Furthermore, nothing requires Apple to restrict App Store downloads of free apps to logged in/registered users only. This is a hoop they make people jump through so that there is less friction at time of purchase of a paid app or (more importantly) a "free" app's IAP. It's a signupwall hustle.
> The reason you can trust Apple (for now) about protecting consumer privacy is that they aren't selling it to unknown third parties to make MORE money off of you.
Apple sent the data of over 30,000 users to the US government last year without a warrant or probable cause, per Apple's own transparency report (look under the FISA orders category—this is the stuff that Ed Snowden disclosed under the internal/classified codename PRISM).
Data brokers can't cause federal prosecutors to harass me because I said something they didn't like. The federal government can.
“Apple sent the data of over 30,000 users to the US government last year without a warrant or probable cause”
When you say ‘the data’ - what do you mean?
Taken at face value it sounds like you are saying all of the data Apple has relating to this user, but that doesn’t sound right to me. Is it all of the data? If not, what data was actually provided?
When you say: “without a warrant or probable cause”, you make it sound as though Apple wasn’t legally compelled to do this.
I think it is safe to assume that when Apple complies with a FISA demand for user data from the US military intelligence community, they are expected to produce 100% of the data that they have for the requested user.
I made no such claim about Apple not being compelled.
I did strongly imply, however, that being aware of this gaping privacy issue that is pointed at them, gun to the head style, it is massively irresponsible for them to collect as much user data as they do, pretending it will be safe, when in reality they function as a repository of a tremendous amount of user data that is available to the government at any time without a warrant.
It is fair to say that as a result of these laws they are part of the vertically integrated surveillance state.
They know this, and the fact that they continue to collect and store as much data about their users and their users' activity and travel as they do makes them complicit in the surveillance.
If Apple cared about the privacy of their users, they wouldn't have failed to fix their encryption backdoor (iCloud Backup), and they wouldn't be building a giant trove of activity history for every single Apple user that can be accessed on demand without a warrant. They also wouldn't have put special iCloud servers where the CCP can easily spy on them.
"Compelled by law" is a dodge. They didn't have to create the circumstance where they had the data in the first place.
On a side note: would you please stop cross-examining so many of my comments? It feels like you've singled me out for harassment. Your comment history doesn't indicate you do this to anyone else. In this instance you seem to be arguing against something I didn't even say. Please stop.
1. My understanding is that FISA requests data using warrants. So your statement that Apple divulges this information without a ‘warrant’ would be false if this is correct.
2. You once again repeat the outright lie that Apple is collecting a person’s travel history.
All you are actually referring to is that they receive TCP connections and so know people’s IP addresses. Just like anyone else who operates any web service.
In an earlier comment on this thread, you more honestly state that IP addresses can be used to infer coarse location data. This is correct.
As we have discussed before, it’s a lie to claim that Apple is recording people’s travel history, because you have no evidence that these recordings are in fact being made. Only that they could be.
It’s entirely possible that they never actually do perform geolocation on the log data, and that they scrub or anonymize IP addresses before storing them longer term. They state that they use such practices in general.
I can’t prove that they use these practices with this data, so it would be a lie to say I know they don’t record people’s travel history, just as it is a lie every time you say they do.
Please either provide evidence or stop repeating this lie.
As for your comment that “Compelled by law is a dodge”.
It’s not a dodge - either they are compelled by law, or they are not.
You didn’t actually answer that question, I note. Not answering a question seems more obviously like a dodge!
You gave the impression that they are not compelled by law, but I don’t think that is true.
Also, this raises the question, what is being dodged?
If Apple were giving out information about users without being compelled by law, then that would be a strong indicator that they didn’t care about privacy, but I don’t think this is true.
As to ‘building a giant trove of activity history’ about users - aside from your lie about Apple recording people’s travel history, what ‘activity history’ are you referring to here?
It’s true that there could be a more sophisticated E2E mechanism to place most user data beyond Apple’s ability to provide it when compelled.
It’s also true that iCloud backups are not secure.
Users who have reason to be concerned about this should not opt-in to these backups.
Apple should definitely provide a way for backups to be E2E encrypted.
There is an unproven assertion that they haven’t done this due to pressure from the FBI. This may be true.
It’s also true that your complaint about holding user data applies to almost every single YC company, and almost every single web service*.
Perhaps you have some examples of companies that handle things the way I think we’d both like? I can’t think of a good one.
There are obvious usability issues and technical challenges that need to be overcome in order to apply E2E to all data at rest.
Even when they do roll it out, I expect it to be opt-in and progressive, much as FDE was rolled out slowly over many years. Users will need to make decisions to sacrifice things like the web versions of apps.
The risk of data loss if handled incorrectly is much higher than the chance of innocently being one of the 30,000 people you say are targeted by FISA.
This is not to downplay the concern. I think it’s very important that this problem be solved and I think Apple should be one of the leaders in solving it.
Again, if you have an example of someone who has already solved all of these problems, that would be helpful.
Let’s not pretend this is trivial to do at scale.
The fact that they haven’t solved problems that nobody else has solved either, is really evidence of very little.
Also you say it’s safe to assume that FISA warrants require all data a provider has on a user. Is it? Do we have any evidence of that? I’m sure some requests are blanket requests, but do we know that they all are? Many could be superficial requests to eliminate or include people from one pool or another.
> My understanding is that FISA requests data using warrants.
Your understanding is wrong. The classified (and, statistically speaking, rubber stamp) FISA court issues demands under the authority claimed by FISA Amendments Act (FAA) section 702, which is designed to target foreign surveillance subjects and thus under current public understandings would not require a warrant ("because foreign"). FISA surveillance orders are not warrants and do not require probable cause and are not subjected to any unclassified oversight.
However, the FISA court has a special, secret interpretation of the FISA Amendments Act (FAA) that they believe entitles them to use it to spy on everyone without a warrant as soon as the data enters or leaves the US, even if the communication is by and between solely US persons. Edward Snowden gave this as the reason he came forward about the PRISM program (PRISM being the internal, classified NSA codename for FAA702 data collection).
The large tech companies process so many of these warrantless FISA spying orders each year that they have special interfaces for the FBI/IC to request and download the data. This is what was meant by the reporting that said "direct from the servers" [of tech companies].
They don't have root on the machines, but they have programmatic access to download data for any user without a warrant. It may or may not require an approval click on the service provider side, but, in any case, that doesn't much matter.
> It’s entirely possible that they never actually do perform geolocation on the log data, and that they scrub or anonymize IP addresses before storing them longer term. They state that they use such practices in general.
It doesn't matter whether they run geolocation on the IP logs; logging the IPs is collecting a coarse tracklog regardless of whether they store it as such or not.
Second try: Please stop calling me a liar, and I'd appreciate it if you'd stop replying to every single one of my comments on this topic to cross-examine me, which is explicitly against the site rules. I'm not going to engage with you any further; I request the same from you.
Thanks for explaining the FISA part. I deliberately didn’t claim certainty on whether these legally compelled requests counted as warrants because I didn’t know for sure.
> It doesn't matter whether they run geolocation on the IP logs; logging the IPs is collecting a tracklog regardless of whether they store it as such or not.
The weasel words here are ‘as such’.
If they substitute the IP address with an anonymous identifier after ingestion, without having first performed geolocation then they have not recorded the location data, and they do not have a record of the location data.
I realize you don’t want to be critiqued, but it’s clear that you don’t have any evidence that Apple is actually storing location data on people.
You only have an explanation as to how they could potentially be storing it.
On almost every post regarding Apple, you insert alarming sounding statements like “Apple is recording your travel history”.
You must know that you don’t actually know this for sure, and yet you persist in inserting this falsehood over and over again.
Liar is a strong term, but if you had actual evidence for the claim you are making, you’d have presented it by now.
When you make the claim as if it was a truth, when you know you really don’t know for sure, I think it’s fair to say you are lying.
Perhaps the first time it could have been that you were just mistaken or making incorrect assumptions, but at this point it seems deliberate.
It’s true that I’ve challenged you on this a couple of times. It’s simply not true that I have replied to every one of your comments on this topic.
As I pointed out earlier, elsewhere on this thread you pointed out that IP addresses can leak coarse location data. I didn’t respond to that.
As for ‘cross-examining’ you, I agree that is against the site guidelines, however I don’t see myself as doing that to you in general. The site needs to have some way of distinguishing between cross-examination and challenging outright lies.
It would seem weird to tolerate polemics which veer into misinformation as comments, and yet not allow this to be challenged.
I’m curious why it’s so important to insert this particular idea about Apple into the conversation?
It seems especially weird when we’re talking about cellphones, whose location is of course logged by cell companies and is definitely accessible to both law enforcement and other government agencies.
One thing I'm confused by with this: an APNS token is, technically, a device identifier... so should every app that uses push notifications be electing under Device ID?
If so, I would _really_ appreciate it if there was some language stating "for push notifications only" or something, because as it sounds right now it comes across like something else.
That's a nice start for Apple. But for now it indeed looks like a cookie request on any website nowadays.
The real question is whether Apple is going to verify the information provided by the app developers. Will Apple do some kind of information flow control (IFC) through taint tracking on the app code, to make sure that the user name or location is not collected as the app description says?
Yep. I love this. If it encourages devs to think twice about incorporating some library from Facebook just for easy login or something then I’ll be happy. In fact I’m going to be looking at these labels and making buying/subscribing decisions from them.
App makers should not be allowed to collect data. Only Apple should be allowed to. And Apple should be opaque about it while running contradictory advertising about privacy and security.
Btw is it gaslighting when Apple claims privacy but gives your information away to organizations like the US and Chinese government?
Nowhere does this change disallow app makers from collecting data; they just need to be transparent about it. Apple should be held to their own standards just as much.
To your second point, which big company nowadays doesn't? Not saying that it's a thing we should accept but why bring it up here?
Also, please don't use "gaslighting" when you mean marketing; imo it takes away from the severity of gaslighting.
Apple doesn't have much choice when it comes to governments. They have resisted data collection efforts where they have legal ground to do so. If you want them to stop handing anything over to your government, you need to fix that with legislation.
They didn't; the title means "these are now live (present) on the app store", as opposed to "these now live on the app store, instead of the place they were living before"
This is so late to the game. I've been inspecting the traffic of iOS apps for a long time now, and have written to the developers asking them to remove these tracking beacons / analytics scripts.
I created a wireless hotspot in Linux, connected my iDevice to it, and then opened Wireshark and was able to see all the traffic of the iDevice. I would encourage everyone to inspect the traffic of apps to gauge their privacy score.
A mass market solution is "late to the game" because some hobbyist can do it himself with lots of time and expertise? This sounds like the infamous "who needs dropbox when you can just do it yourself using FTP + curlftpfs + SVN/CVS?" comment on HN.
This is LONG overdue and I hope it at least shows users as much info per app as Google Play does where you can inspect the permissions the app requests/requires (though the distinction between request and require would be nice). It would also be nice to have persistent search filters in the app store search like "don't show me any apps which request access to my contacts or location"... though I suspect it will take people dying because their stalkers found them through an app's location info for this to happen.
> This is LONG overdue and I hope it at least shows users as much info per app as Google Play does where you can inspect the permissions the app requests/requires
This is not that feature at all - iOS has had the ability to show/control permissions since they have had permissions, and an app cannot require unrelated permissions to function.
This is about data that is collected, and how it's used - not app permissions.