Researchers disclosed last week that multiple Apple apps were collecting user data despite users’ explicit requests that they not do so, an allegation that has since given rise to a class action lawsuit. However, new information reveals things may be far worse than previously imagined. Two iOS developers (and “occasional security researchers”) who go by the Twitter handle Mysk have apparently found evidence that contradicts Apple’s claim that all user data is anonymous.
They tweeted that “dsId”, which can be seen in Apple’s analytics data, is a unique ID for each iCloud account. This means that Apple’s analytics can be used to track you down as an individual.
In a six-part thread, including an accompanying video, they show how to consistently extract DSID (Directory Services Identifier) numbers from data:
🚨 New Findings:
Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you 👇 pic.twitter.com/3DSUFwX3nV
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 21, 2022
According to the researchers, because the DSID is linked to “your name, email, and any data in your iCloud account,” Apple (and, in theory, third-party advertising partners) can track which apps you use and which ads you see. The inclusion of the DSID in Mysk’s findings is concerning, though it’s possible that Apple isn’t actually using it and is instead maintaining data anonymity.
It also seems to contradict Apple’s Device Analytics & Privacy statement, which says that “None of the collected information identifies you personally.” Moreover, Apple states later in the same document that it “may correlate some usage data about Apple apps across those devices by syncing using end-to-end encryption” but does so “in a manner that does not identify you to Apple.”
“Information about your browsing, purchases, searches, and downloads… are stored with IP address, a random unique identifier (where that arises), and Apple ID when you are signed in to the App Store or other Apple online stores,” according to Apple’s separate App Store privacy terms, which The Verge notes are somewhat contradictory and more nebulous.
Mysk claims that turning off ‘Share iPhone Analytics’ has no effect on the data sent to Apple. Unless you don’t use the App Store or the other iOS apps that were used in the study, there doesn’t seem to be any way to prevent this from happening. Despite the allegations having been widely reported since the beginning of the month, Apple has not issued a response.
As the shrugging comments following Gizmodo’s article on this topic attest, many smartphone users have adopted a cynical attitude toward data harvesting in recent years. “All the tech giants are at it,” they reason. “And it doesn’t hurt me directly.” Apple could take a hit from this news, as the company has long portrayed itself as the paragon of privacy protection among tech firms. This is despite the apparent contradiction of an explicit promise not to do this. Apple’s expanding advertising business, which stands to benefit from an influx of detailed user data, could be at odds with that principle.