Oh, the Places Your Apple ID Will Go (pxlnv.com)
I strongly disagree that the iOS App Store should be treated as an "internet service" rather than a part of the device. The iOS App Store only comes on iOS devices, it comes on all iOS devices, and it is the only way to access a crucial feature of the device. It is, for all meaningful purposes, part of the iPhone in the same way iOS is.
It would be a bit like Microsoft saying "explorer.exe? Policy A only covers the OS, and that is clearly not part of Windows! - so therefore you are covered by Policy B". While Apple may be legally in the right, I strongly believe they are morally in the wrong and have betrayed the trust their users put in them to safeguard their privacy.
I believe that a casual user of the iPhone would take a look at Apple's iPhone privacy policy and expect that to apply to the iOS App Store as well, as for all intents and purposes that is a part of the iPhone.
This made me remember a long time ago when I ran Windows I used to disable explorer.exe by editing a certain registry key.
Not sure if this still works today, but it did back then. This reduced distraction as only one window could be maximized at a time. Also made the OS feel more stable and snappier. In any event it was one less memory-consuming process running.
I was too used to the Windows 3.1 desktop environment...
If an app store is a glorified web browser and apple is maintaining content that is loaded into it, it's almost the definition of an internet service no?
The point is not that the App Store isn't an online service (although I would argue that it more "relies on" an online service), but that its role as part of the OS supersedes that.
I can't go back and edit my comment now, but to make it more clear I probably should have written something like:
> I strongly disagree that the iOS App Store should be treated as ___only___ an "internet service" rather than...
Contrary to explorer.exe, App Store is an internet service in the sense that it requires sending requests to backend for pretty much any user action. There is zero functionality without a data connection.
It's a package manager and tracker designed in such a way that it only talks to Apple's backend.
It's still the system package manager though.
It's also on the web, e.g.: https://apps.apple.com/us/app/facebook/id284882215
Which means apps, for example, show up on Google searches.
Its entire purpose is to look up data and download stuff across the internet. How can it not be an internet service? How much use could it be if it was cut off from internet connectivity, what would you even do in it?
Of how much use is an iPhone without the App Store? You can still use the preinstalled apps, but your expectation as a consumer is that you can install new apps. This expectation is broken without the App Store.
Apple is basically loopholing all the shitty ad-tech engagement surveillance bs that plagues the rest of the industry through the app store, pretending like it's any other app. Of course they can, but a lot of the hard-line privacy stuff goes down the drain with the hypocrisy.
What bothers me is that Apple really doesn't have to move in this direction, at all. They've been uniquely positioned to basically do things that nobody else can, because they sell so much expensive hardware. Instead, all mega corps seem to blend together and follow the same playbook. It's sad.
The main issue here is that Apple has been collecting personal data for years through its own apps without informed consent, which is in breach of GDPR. You need to ask for express consent to collect personal data in the form of non-essential user analytics, having a privacy policy and a toggle in settings to opt out of data collection is not enough, and it does not matter if the data collection is done by a website, app or an operating system.
It was particularly frustrating to see people argue that it's just an older version of iOS, when the reality is that one needs to hack an iPhone to see how this data is being syphoned off, and that jailbreaks for new iOS versions can be prohibitively expensive to achieve. Despite that, researchers pointed out that they see similar encrypted packets being sent with a recent iOS version.
I think it's worrying that consumers can't inspect the traffic of a device they own, and this is also an area that should be regulated so that our rights are respected.
Yet another glaring indicator identifying our species as not mature enough to manage our own society. If this occurs everywhere, no matter what, then it is us, our constitution, our chemistry, our maturity as a species that is at fault.
That's a pretty extreme description of what's happening here. I agree that they should not be doing this, and that App Store analytics should be opt-in like the rest of the device analytics, however, they are not correlating your unique identifier with other web properties — i.e. when you visit through Safari. I also doubt they are selling that data to third parties, allowing ads to target you on the basis of it, or using it to build a profile against other application analytics.
In fact, it seems like the article says: they do no clever stuff with it whatsoever. They should remove it in a future update.
Why do 3rd party apps have to ask for permission to track, but Apple's apps do not?
Not surprised. As soon as it was possible to get this kind of information about app usage (thanks, Internet!) of course management wanted everything.
Apple has its own privacy teams that work with the teams developing apps. Data collection is treated as a Big Deal and "Privacy" will grill you on every single byte that you want to collect. And any bit of data that might reveal personally-identifiable-information is a nonstarter.
As an example, we could not report back error messages from the OS, only error codes. Why? Error code might be "123" but error message could be "Error 123, You just removed hard drive 'Calhoun Data' without unmounting..."
Perhaps the downside of this gatekeeping though is that I feel it causes management to come to the table asking for everything, letting privacy whittle it down. With major app release cycles 6 or 12 months apart, I think management sometimes don't know what data they might want - would rather not have to wait perhaps up to a year for the new metric to be included.
I find this optimistic view hard to reconcile with the article. It seems collecting personally identifying data is the default mode. For example:
> I have a spreadsheet of the nearly nine hundred times me and my DSID ignored Apple’s attempts to upsell me on Apple One
That is in itself troubling and partly answers a question.
If developers on Hacker News cannot fathom whether Apple deceptively transmitted PII, or whether zealous journalists are over-egging the pudding, then we have another problem.
Obfuscation is a form of deception through complexity. It can be hard to tell from the outside whether that complexity is "necessary" and whether its ill effects are deliberate or accidental.
Nevertheless, it remains a form of deception if you present a system as simple, with controls that apparently do understandable things as a front for another system that even you, as a developer, no longer understand. This same theme is coming up in AI, social algorithms, moderation/censorship of speech. We are muddying the waters in the hope that people believe they are shallow.
If so I'm wondering what the issue is here.
Wait ... I'm also not sure what the issue is.
Fundamentally this is only a problem because Apple is too big and controls the App Store, iCloud and all the rest of your device. This is a reasonable artifact of an unreasonable situation.
I also think Apple is too big but I'm more concerned about Big Pharma, Big Oil, Big Banks, Ad Tech, Growing Fascism, ... Big Apple is a worry way down on my list.
Because that identifier is also used in some iCloud API requests, I also spotted the same value in activity logs for third-party applications using things in my iCloud account, as well as in metadata for local copies of documents I downloaded from my drive at iCloud.com.
If the journalists or whomever wants to claim the DSID is leaky, then they need to show a POC with an app actually obtaining that DSID, and not only in a system logger that only saves files sandboxed locally, or sends to Apple.
At a high level, the whole thing is no different to a website using a cookie to keep you logged in.
But what can you do assuming that you want or need a phone? Android is no better. Class action lawsuits enrich law firms and get users a gift card for $0.20 (sarcasm).
I just wonder what would happen if everyone who doesn't want this decides to take Apple to small claims court? These companies, Google, Apple, Microsoft, Facebook continue to violate fundamental rights to privacy because they have no reason to stop. There are no significant penalties.
Or perhaps we need a bill of rights. Anyone know of such a thing?
Complaining after that fact seems pointless. If you had administrative rights, you wouldn't have as many issues with being tracked. Being able to freely modify the software running the device and accessing its hardware in the same manner would paint a different landscape.
GrapheneOS, Calyx, and LineageOS would like a word..
You don't have to use an app store that violates your privacy on Android. You don't have to send your location to Google every time you get your GPS location, unlike how iOS sends all your GPS lookups to Apple. Android is far better. The key difference is user control.
(I know there're also many issues with this approach, so take it with a grain of salt)
Apple sends DSID with iPhone analytics data, tests show - https://news.ycombinator.com/item?id=33695937 - Nov 2022 (111 comments)
Proposed class action alleges that Apple tracks users despite privacy assurances - https://news.ycombinator.com/item?id=33593455 - Nov 2022 (191 comments)
App Store on iOS 14.6 sends every tap you make in the app to Apple - https://news.ycombinator.com/item?id=33520775 - Nov 2022 (190 comments)
What is the value in anonymizing your voluntary engagement within a single corporate entity?
As long as that entity provides me with an accurate reporting of access when I request it?
Why for example would I want to make it any more difficult for my doctor at a hospital and the hospital pharmacy to share my confidential health information to ensure I get the right treatment?
Because up to a certain point it isn't voluntary
> Why for example would I want to make it any more difficult for my doctor at a hospital and the hospital pharmacy to share my confidential health information to ensure I get the right treatment?
Because principle of least privilege. This is one example, another could be the doctor sharing health data with an internal hospital logging service, which is utilizing some cloud service, which is utilizing some other cloud service, etc
[A] https://observer.com/2019/05/tim-cook-apple-data-privacy-cru...
If the Apple ID is shared to another 3rd party by Apple, then it is not just being used for providing the product/service. So it would be required to get permission under GDPR.
Apple sells a service which is iPhone+iOS+App Store. While it is technically possible to separate, Apple doesn't. It's all required. So the Apple ID is required for doing that.
The fact that the Apple ID can be associated to an individual and their PII is something that theoretically could be isolated, but Apple are not required by law or regulation to do so as long as their use of the ID stays unshared and "necessary".
If you gave me this ID number, I could use it to locate your information in breached db dump, or if it is used in API requests, impersonate you.
You're suggesting it's an authorization token - which it obviously is not.
IP counts as metadata. It uniquely identifies you as an entity but does not reveal other details except geographic location. If IP addresses are PII, then any use of the internet is violating your privacy. Perhaps unplug your modem, turn off cell service on all devices and read a book instead.
Anyone who uses Apple/Google/Microsoft/other products as intended will have no privacy. By as intended, I mean using chrome while logged into a google account, using MacOS while logged into an apple account (and using all of apple's internal applications), using android with a google account, etc
I wouldn't be surprised if the usage data, health data, from e.g. iOS+services goes straight to data brokers. I can't prove this, but it wouldn't surprise me. Even if it didn't, there's no guarantee of how the data will be used internally (or whether it's given to law enforcement, for example)
If someone uses these products as intended and has even the slightest expectation of privacy (e.g. believing any of the vague BS in the TOS), they're probably not the sharpest knife in the drawer (or at the very least, grossly misinformed)
Even if legal, this is obviously a very bad look for a company that claimed they were all about privacy and took actions against competitors to protect users' privacy.
Apple's software clearly demonstrates that they do not place a high value on user privacy. iPhones and Macs phone home constantly with all sorts of information even if you never use iCloud or the App Store or Apple's service offerings. It's ridiculous.
These companies' privacy concerns are a marketing gimmick, and the situation is so out of control we have to be thankful even for those crumbs.
My friend you need to open a window and see the rest of the world that exists outside that binary choice...
Because you too benefit from the software you use getting better.
I assumed that by stepping into Apple's walled garden, they would know and store:
- where my devices are
- what I'm doing with them (i.e. apps downloaded and started, which features I use yadda yadda yadda)
- any app I download and use will independently log all my taps and interactions within that app
- and since I use iCloud: where all my data is
What would make you think otherwise?
By that definition, Apple, as a first party, is not tracking you (and likewise, I can monitor you over my apps but not allow anyone else access to that data)
UPDATE: It was from AppStore Connect itself, when you fill out the privacy data form.
Also here: https://support.apple.com/en-gb/HT211970 "data from the app that is linked with your data collected from other companies’ apps, websites or offline properties, and used for ads or shared with a data broker."
For example, a Weather app collaborating with an ad sales company to provide them tracking data would violate "Ask App Not To Track," but Facebook tracking you within the Facebook app does not because it's all internal.
The reason for this is just about the practicality of enforcement: You cannot enforce companies not doing internal tracking because they still have to collect data for their business, so how do you distinguish it.
Apple doesn’t share user data and identifiers with third parties except as necessary to provide specific services, so it doesn’t track. It does record telemetry though, most of that is in a non personally identifying way, but some of it can be traced to a user.
Obviously identifying information necessary to provide a service is different. If I buy an app off the App Store, they need to identify who bought it. The edge cases are things like, do they need to know I searched for fitness apps on the App Store and associate that with my ID. Amazon does on their web site so they can show ads related to my recent searches, but it’s not strictly necessary for providing the service.
When Apple is offering first-party services that compete with Netflix, Spotify, etc. my privacy concern is that someone is tracking and aggregating data on what I watch and listen to.
As a user I don't really care if that's two separate corporations sharing unique identifiers or two departments in the same umbrella corporation, it's still a privacy concern.
Now if this is actually enforced or not is a different matter.
I don't think there's anything wrong in transmitting an ID to a web service, but I'm not actually sure what Apple claimed about privacy.
I mean, people on HN will argue that it's wrong to block ads, a point of view that only makes sense to me through the lens of the above quote.
But, yes, it's a big problem because people that don't factor in the inherent biases of those making the arguments will take on those biases without the salary that makes it make sense. Is that like a Stand Alone Complex?
My personal view, which I presume is the same as many others, is that these things keep being a "if there is smoke, there's fire" situation. Yes, this could be abused, but is it?
Meanwhile, in full "what aboutism" mode, I know Google does crappy shit with my data, I know Meta is full blown flaming evil. I know Ad Tech has the entire world ablaze with privacy abuse.
Meanwhile, people keep pointing to smoke from Apple and screaming that I just can't see what they think they see ...
I've never seen this attitude here. Not once. Do you have any examples?
In other words cookies let them tell you the _same_ person 104898 that was already here in March, welcome back!, and not any other person e.g. 298472, but without telling them your actual name etc.
In contrast, a PII identifier is a unique ID that is linked to personal attributes in real life like a person's name ("John Doe"), address ("6400 Boulevard Court, Beverly Hills, CA"), e-mail address ("john.doe@acm.org") or credit card number ("VISA 4879 5223 6537 9935").
So, this is indeed different from visiting a Website that places a cookie.
I'm curious where that number came from. It passes the Luhn check so it probably isn't just some random number, and has the right first few digits for Visa but doesn't match any of the Visa test card numbers that I happen to know.
Looking up the issuing bank from the first 6 digits gives inconsistent results. Half of the several BIN lookup sites I tried just say it is from the US. The other half say it is from Blom bank in the country of Lebanon.
Googling it gives me a small number of sites about "unlimited credit card numbers that work 2022" which seem quite shady but I can't quite figure out what the heck they are actually trying to accomplish.
Here are those sites: https://www.financegab.com/credit-card/unlimited-credit-card... and https://paisabank.org/unlimited-credit-card-numbers-that-wor...
From GDPR Recital 30: "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
So your Apple ID becomes PII for a specific site at the precise instant you share any other PII to that site, that they are able to link to the Apple ID.
The huge block is 17./8 and is easily identified.
"These are not device analytics, they are services analytics."
"These Are Not the Droids You Are Looking For"
I doubt this vulnerability exists, but these IDs (and any IDs by any company) should be guarded just like any other PII for exactly this sort of reason.
My bet is, that is a honeypot card.
Oh and by now we are the first result on google for it too :D
It's the difference between Wal-Mart recording you with cameras in their stores, and recording you with cameras in all stores... and at the public park, and in your home, and....
FWIW I think a whole hell of a lot more than what Apple calls "tracking" ought to simply be illegal, but they've been pretty clear about what they mean by the term, and their definition does make sense, and that is one of the worse behaviors among the spyware industry (which is basically all software, at this point, which, WTF, how did norms change so incredibly fast?)
My memory also tells me that most of the pro-ad stances on HN have been cagey; justification within a certain set of privacy-respecting or customer-service-improvement ideals.
Ultimately their business model - we don't need to log/track/whatever your behaviour to show you advertising because we make our money off hardware - was a big differentiator for them compared to all the other tech companies. If they remove that, then they're removing one of the main reasons I stay with them.
And that's really the point - at some time soon they will stop being the "iPhone company" and they'll become "just another company" and this is just them preparing for that day.
I want you to take that sentence and throw it away and instead have a mental paradigm shift.
"Where there is fuel there is risk".
One day when you have a lot of time look up the USCSB (United States Chemical Safety Board) channel on youtube and look at the decade of very well done videos on deadly industrial disasters they have done. People will ignore risk for years accepting the danger because it's "always been that way", they will turn off alarms because they are annoying, they will bypass safety controls because they slow the task down.
I don't care how dangerous FB/Google/whoever is, Apple is its own separate factory capable of blowing up in its own spectacular fashion, and much like a gasoline refinery they are building up a massive amount of fuel that is at risk of a spark.
That's a good point of view. I'm quite glad that the EU is finally tackling this stuff seriously and would LOVE to see strict regulations about what data you can track (as little as possible) AND what you can share (nothing at all, preferably).
Content based advertising should be good enough, if everyone has the same playing field.
Knowing an IP address can distinguish user A from user B, but unless you know something else about A vs. B, what's the point?
Knowing an IP address is useless information, until you have a database linking IP addresses to geolocation. Knowing my address is useless information, until you have a map. Knowing my name is useless, until you have Google. Knowing my user id is useless, until you have a leaked database (or other vulnerability).
These are all PII, because they're useless until you have some other information, and then they deanonymize you.
It is possible to create websites completely without cookie banners. You just have to not track your customers unnecessarily.
And what effect did it have? Did the 99 section 11 chapter law have any deleterious effect on adTech? Did it make browsing better or worse?
We see the effect of an effective strategy, when Apple made tracking opt in, publicly traded companies like FB admitted that it caused billions in lost revenue.
The only thing the GDPR did was give us cookie banners.
Users uninstall apps directly from the homescreen (springboard), without going through the App Store app.
Also of course Apple keeps a record of installed apps. If you drop your phone in the ocean and go to the Apple Store to buy a new one, your installed apps are reinstalled.
Apple for over 40 years has sold integrated software and hardware and for over 20 has sold hardware + integrated online services (iPod+ iTunes) and now you are shocked that when you buy an Apple device you also buy into their ecosystem?
Exactly how is anything on the iPhone supposed to work without an account? Push notifications?
Most Android apps are also dependent on Google services and a Google account.
This isn't anything new, we've known that Apple does this for years. If data sharing is within one umbrella corporation it's technically easier to subpoena and investigate, but that also means they have that much larger of a pile of cash to defend themselves with.
Consider another egregious Apple policy, mobile browsers. They have had a much more oppressive browser policy than Microsoft ever did and they have done this openly since iOS 2 when the app store first launched. They've never been held accountable though - they get away with it even though Gates was dragged in front of Congress multiple times for simply shipping his OS with a pre-installed browser. Why? And if that obvious issue goes unpunished why should I expect anything better with regards to their data collection practices, simply because one parent Corp is owning all the data?
> [...] Additionally, "cooperative banks build up counter-cyclical buffers that function well in case of a crisis," and are less likely to lead members and clients towards a debt trap (p. 216). This is explained by their more democratic governance that reduces perverse incentives and subsequent contributions to economic bubbles.
> The cooperative banking sector had 20% market share of the European banking sector, but accounted for only 7 per cent of all the write-downs and losses between the third quarter of 2007 and first quarter of 2011. Cooperative banks were also over-represented in lending to small and medium-sized businesses in all of the 10 countries included in the report.
> [...] in France and Spain, worker cooperatives and social cooperatives "have been more resilient than conventional enterprises during the economic crisis".
> Public trust in credit unions stands at 60%, compared to 30% for big banks and small businesses are five times less likely to be dissatisfied with a credit union than with a big bank.
In other words, this behaviour doesn't happen everywhere. It's specific to certain types of businesses.
Paragraphs from here: https://en.wikipedia.org/wiki/Cooperative#Economic_stability
All organizations seek to accrue power and revenue - even “non profits”.
I saw it from one of the local credit unions I worked at in college…
1. First it was a credit union for a few large companies
2. Then it redid its charter to become a “regional credit union”
3. Then it said “fuck it we are bank”
Meet the old boss..
It is common and entirely ordinary to observe everyday people unable to delay their immediate need for gratification. It is also entirely ordinary and normal to observe friends, family and coworkers who routinely cut corners (take process shortcuts) and engage in process deceptions because they simply do not care about the consequences. Likewise it is entirely ordinary for one's employer to other their own employees to the degree they treat them with equal severity as one might find in the times of legal slavery (not exaggerating at all.) It is common and ordinary for spouses to other their own spouse, causing a legacy of failed marriages.
What is not ordinary is to meet persons that do not take short cuts, do not cheat on their employees, their spouses, or in reality: themselves. The majority that do not cheat are those not trusted and not provided the opportunities. The majority, if given too much trust, will rape their environment blind given time and the lack of repercussion: and that is immaturity at scale in our society, and it is the natural state of society. Trust is for fools.
There are lots of places that run iOS on private networks with no internet access or Apple ID.
The author of the article wrote that all he had to do was request his data from Apple.
Your observation has nothing to do with what is being discussed, we have a right to inspect the network activity of our devices.
I remember you posting in threads criticizing Apple, almost always coming to their defense. You've been doing this for years.
This is a provably false claim based on the author's own experience.
Guess what? You also have no idea what your phone is sending the carrier or any other service provider.
But as far as you knowing who I am because of my posting history, “but for me it was Tuesday”
And after several attempts to pretend that US laws like the Patriot Act that remove non-US citizen rights were compatible with the EU Charter of Fundamental Rights have been struck down by the Court of Justice of the EU (after the US has been caught violating these rights) it's starting to be hard to imagine what kind of agreement can possibly happen between the USA and the EU that would make US companies legal again...
I will reiterate my point. It is impossible to operate the internet or any other network where a server must distinguish between two or more clients without some kind of identifier for session management. Just think about it.
The GDPR never mentions "personally identifiable data" as that is a US term. In the GDPR, it only says "personal data" which is the exact same thing according to the GDPR.
Ah, so now you play the fatalist backdoor card. Well, the good news is that we do know some of what your iPhone sends back home. We know that every time you launch an app, both Apple and Akamai receive data about what app you opened and when. We know that Apple has private API entitlements for circumventing your VPN rules. We know that Apple actively and directly works with the NSA and CCP to enable domestic surveillance capabilities.
So, you're right! Hacking your device only gives you a small window into the horrors of your software vendor. If we could totally decrypt all of Apple's traffic alongside the SIM's baseband transmissions, nobody would ever say 'privacy' and 'iPhone' in the same sentence again.