Two iOS security researchers have found that Apple Inc.’s claim of protecting iPhone user privacy from tracking is not all it’s cracked up to be.
As detailed by researchers Tommy Mysk and Tala Haj Bakry on Twitter, Apple is using a marker called “Direct Services Identifier” to track users. When users set up their iPhone, Apple asks them if they want to share analytical data with the company to help “develop its products and services.” Users who agree are then assigned a DSID with Apple claiming that “none of the collected information identifies you personally.” One problem, though – that statement is not accurate.
The researchers found that the DSID assigned to a user’s iCloud account does contain personally identifiable information, including their names, emails and any data in their iCloud account. To prove their theory, they demonstrated that Apple uses the DSID to uniquely identify Apple ID accounts, with personal information appearing directly alongside the number.
Apple uses DSID to uniquely identify Apple ID accounts. DSID is associated with your name, email, and any data in your iCloud account. This is a screenshot of an API call to iCloud, and DSID can be clearly seen alongside a user’s personal data: pic.twitter.com/x59lr0AzWf
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 21, 2022
The same supposedly anonymous DSID is also linked to the Apple App Store, meaning that detailed behavioral information, the same information Apple claims is private, is also shared back to Apple and is personally identifiable.
“Knowing the DSID is like knowing your name. It’s one-to-one to your identity,” Mysk told Gizmodo. “All these detailed analytics are going to be linked directly to you. And that’s a problem because there’s no way to switch it off.”
The finding comes after the pair had previously found that Apple is tracking users even when tracking is turned off. Mysk and Bakry found that switching off analytics tracking and implementing other privacy settings had no obvious effect on Apple’s data collection – tracking remained irrespective of privacy settings.
The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple. 👇 This data is sent in one request: (data usage & personalized ads are off) #CyberSecurity pic.twitter.com/1pYqdagi4e
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 3, 2022
There is some arguable irony in Apple being found to be tracking users even when users opt out. Aside from its regular marketing messages about privacy, Apple is in a dispute with Meta Platforms Inc. over some of the same data.
Changes implemented in iOS 14 were heavily criticized by Meta, then known as Facebook, late last year, with the claim that the privacy changes were about “profit, not privacy.” The fact that Apple has seemingly excluded itself from the same rules and continues to extract data from users even when they opt out, but doesn’t allow third-party apps to access similar data when users opt in, screams anti-competitive.
Apple’s legal standing will ultimately be tested in court: the earlier finding by Mysk and Bakry that Apple was tracking users even when they had turned off tracking is the subject of a class action lawsuit.