Apple sends DSID with iPhone Analytics data, tests show

The Apple logo on an Apple store

Photo: Sukrita Rungroj (Shutterstock)

A new test of how Apple collects usage data from iPhone has found that the company collects personally identifiable information while explicitly promising do not do it.

The privalry politics to govern Apple device analysis says the “none of the information collected identifies you personally.” But an analysis of the data sent to Apple shows that it includes a permanent, unchanging ID number called a Directory Services Identifier, or DSID, according to researchers at software company Mysk. Apple collects the same ID number along with information for yours Apple ID, which means the DSID is directly linked to your full name, phone number, date of birth, email address and more, according to Mysk tests.

According to Apple’s analytics policy, “Personal data is not logged at all, is subject to privacy safeguards such as differential privacy, or is removed from any reports before it is sent to Apple.” But Mysk’s tests show that the DSID, which is directly tied to your name, is sent to Apple in the same packet as all other analytics information.

“Knowing the DSID is like knowing your name. It’s one-on-one for your identity,” said Tommy Mysk, an app developer and security researcher, who ran the test together with his partner Talal Haj Bakry. “All of these detailed analyzes will be linked directly to you. And that’s a problem, because there’s no way to turn it off.

The findings worsen recent discoveries about Apple’s privacy issues and promises. Earlier this month, Mysk discovered that Apple also collects analytics information when you switch off an iPhone setting called “Share iPhone Analytics”, an action that Apple commitments will “turn off Device Analytics sharing altogether”. Days after Gizmodo reported on the Mysk tests, a class action lawsuit was filed against Apple for allegedly misleading his clients on the matter.

Apple did not respond to a request for comment. The company hasn’t said anything publicly about the apparent contradictions in its privacy promises or the recent lawsuit.

Theoretically, Apple could argue that an ID number is not personal information. But the GDPR, the mammoth European privacy law, which sets the standard for data regulation worldwide, defines personal data as any information that “directly or indirectly” identifies an individual, including identification numbers.

“I think people should be upset about this,” Mysk said. “This is not Google. people choose the iPhone because they think this kind of thing isn’t going to happen. Apple has no right to keep tabs on you.

Mysk posted the test information late in a Twitter thread Sunday.

In some cases, this analytical data seemingly includes details about your every move. Mysk tests show that analytics for the Sthours, for example, includes every single thing you did in real time, including what you tapped, what apps you searched for, what ads you saw, and how long you watched a particular app and how you found it. You can see the data, which is sent in real time, in a video on Mysk’s YouTube channel.

The App Store on your iPhone watches your every move

During these tests, the researchers verified their work on two different devices. First they used a prisonBroken iPhone running iOS 14.6, which allowed them to decrypt traffic and examine exactly what data was being sent. Apple introduced a privacy setting in iOS 14.5 that prevents other companies from collecting data called App Tracking Transparencyprompting users to decide whether or not to provide their data to individual apps with the request”Ask the app not to track?

The researchers also looked at a regular iPhone running iOS 16, the latest operating system, which bolstered their findings. The researchers weren’t able to examine exactly what data was sent because the phone’s encryption remained intact, but similarities to tests on the jailbroken phone suggest the patterns they found there maybe the standard on the iPhone. There is little reason to think that prisonthe broken phone would send different data, they said, but in iOS 16 they saw the same apps send similar packets of data to the same Apple web addresses. The data was transmitted simultaneously under the same circumstances and even activating and deactivating the available privacy settings did not change anything.

It is possible that Apple processes the DSID data to protect personally identifiable details when the company receives the information, by separating your personal information from other data. But there’s no way to know, because so far Apple seems unwilling to explain its practices. The company may not use the data if you turn off the related privacy settings, even though you continue to receive it, but that’s not how the company explains what the settings do in its Privacy Policy.

The the results are especially damning given Apple’s years of rebranding itself as a privacy company. Apple’s recent marketing campaigns suggest that the company’s privacy practices should be far better than other tech companies. He emblazoned 40-foot iPhone billboards with the simple slogan “Privacy. This is the iPhone. and ran the ads worldwide for months.

But Apple is making great strides build an advertising empire its own, built on the personal data of its billions of users. Also owned by the company privacy settings can be seen as part of a long game kneeling its advertising competitorsalthough the company vehemently denies that allegation.

For his part, the results come in a personal capacity shock for Tommy Mysk. In the past, “I would always allow the app to share analytics with Apple, because I want to help them,” Mysk said. “But I always thought the data would be sent anonymously.”

    .

Leave a Reply

%d bloggers like this: