
Is Apple Really Your Privacy Hero? - hyperrail
https://www.bloomberg.com/news/articles/2018-08-08/is-apple-really-your-privacy-hero
======
Bud
This article clumsily papers over the fundamental difference between Apple,
and companies like Facebook and Google: Apple _does not collect or possess
that customer data in the first place_. That is the essence of why, and how,
Apple can manage to be a better steward of your privacy: it doesn't collect
all kinds of data on you. That data is under _your_ control, as a user, which
is how it should be. But that in turn means that you have to be responsible
for who you share that data with.

~~~
ucaetano
There is no difference, other than that Apple tried to chase Google's and
Facebook's ad-based business model with iAds but failed miserably. The result
was a shift towards privacy to try to drain the profits of those two
companies.

But make no mistake, Apple won't think twice before handing over data to the
government or any other party if it makes business sense, as they did in
China.

~~~
dkonofalski
If that's what you took away from the iAds situation, then you horribly
misunderstood that. iAds was a feature available to developers to help
monetize free apps. Yes, Apple got a cut of that but that's not at all the
same as Google's or Facebook's ad-based model since their ads are targeted.
Apple explicitly did not target based on personal data in iAds.

Also, your China example is also a straw man because Apple's terms in China
explicitly allowed for that before they even sold a single phone there. In the
US, for example, Apple isn't able to provide personal data to authorities. It
can only provide information that doesn't live on-device and that's stored
unencrypted which, as of right now, is nothing unless a user explicitly asks
for it to be stored unencrypted.

~~~
reaperducer
_Apple explicitly did not target based on personal data in iAds._

I don't know if ads on AppleTV are part of iAds or not, but I was a little
surprised to see this menu on my AppleTV today:

Settings > General > Privacy > Advertising

The choices for this are Limit Ad Tracking, Reset Advertising Identifier, and
About Advertising and Privacy.

Apple has an entire web page showing how to opt-out of targeted advertising on
its devices, including the iPhone:

[https://support.apple.com/en-us/HT202074](https://support.apple.com/en-us/HT202074)

The most telling one is

Settings > Privacy > Location Services > System Services > Location-Based
Apple Ads

~~~
dpkonofa
First off... iAds is something completely different from what you've just
posted about. iAds was a platform available to developers. It has nothing to
do with Apple providing advertisements to you.

Second, did you read that page at all, then? That's not at all the same as
advertising based on your personal data. That's Apple showing you App Store
promotions based on the searches you're typing in from the App Store and is
completely localized to the App Store and App Store search. It's what allows
you to go to the App Store and have the McDonald's sponsored ad show up when
you visit a McDonald's. The only information being sent is your search term,
anonymously, and the location-based ads are served based on iBeacons. None of
your personal info is ever sent outgoing from your phone.

------
hyperrail
A quick summary: iOS has very coarse-grained controls for app permissions to
the contact list, either allowing all access to data about every contact,
including free-form text notes that could contain arbitrary sensitive
information, or no contact list access at all. The App Store's policies
controlling use of contact list data are too weak without technical
enforcement. (It's also noted that Google has the same problem with Android
and the Play Store, but the author argues that Apple is more hypocritical
because of its public pro-privacy stance.) To correct the problem:

> _the first step is obvious: Restrict [apps] from getting any information
> from users' lists beyond phone numbers and email addresses. The next step
> is redesigning the controls of the list to allow users to encrypt or decline
> to share certain contacts. The names in a contact list could be benign, or
> they could be revealing—a doctor's patients, a dealmaker's network, a
> journalist's sources._

~~~
dogma1138
While iOS can improve on a lot of things, the biggest factor here is that
Apple’s business model does not revolve around their users’ data.

If I’m being honest, I don’t have that many apps on my iPhone, and the same
goes for most of the people I know; the app craze has, I think, settled down
quite a bit.

I have 15 apps installed and only 3 have access to my contact list and those
are Protonmail, Signal and WhatsApp which I would allow access to anyhow for
convenience.

Apple can and should improve permission granularity but as far as contacts go
I’m not sure that it’s even a good idea.

All or nothing seems like a good compromise to ensure that apps that you don’t
want to have access to contacts don’t, how many use cases can you see when
you’ll have to go to individual contacts and approve them one by one?

The best thing beyond that that Apple can implement is per field permissions
e.g. I would like ProtonMail to only have access to the contact name and email
fields but not to phone number or address but this level of granularity isn’t
available on any platform afaik.

~~~
05
> only 3 have access to my contact list and those are Protonmail, Signal and
> WhatsApp

Yeah, one of them shares your contacts with Facebook. Might as well give all
15 this permission.

~~~
Skunkleton
I avoid sharing data with FB, but personally I would rather share my contacts
with FB than with some random app developers.

~~~
ionised
Don't worry, FB will share it with random app developers on your behalf.

------
djrogers
> When developers get our information, and that of the acquaintances in our
> contacts list, it’s theirs to use and move around unseen by Apple. It can be
> sold to data brokers, shared with political campaigns, or posted on the
> internet. The new rule forbids that, but Apple does nothing to make it
> technically difficult for developers to harvest the information.

The article seems to really be trying hard to gloss over a lot of details to
make a relatively minor complaint (really? The notes field in your contacts is
your big concern?).

It's perfectly clear when you try to use an app that wants to access your
contacts, and Apple makes it very easy to prevent. And unlike other platforms,
apps are required to still work even if you deny such access.

------
MrPleberson
Apple respects your privacy because Tim Cook says so, and so does their
webpage. Without any audit of the code, you're taking it on faith. And their
privacy statement seemingly has a "nowness" to it, non-committal. There is no
assurance of privacy in the future. For example, Apple could have said ...

"We are committed to never sharing your data with 3rd parties or governments
for the entirety of our existence as a company. This contract can not be
changed, and in doing so we are guilty of blah blah" (not a lawyer)

Questions I have are...

Is their privacy statement a legally binding contract? Is there any legal
recourse for customers if they are found to violate it?

Is it only applicable to particular countries? Does it change when you go to
different countries?

Could Apple decide that the data they harvest is more valuable than their
privacy claim and retract their so-called privacy commitment? Could
retroactive data then be exploited?

------
tzakrajs
Yup, they really are your privacy hero when comparing with competitors.

~~~
MBCook
That’s what I was thinking.

Does it matter?

They’re no worse than MS (maybe better? Honestly don’t know). They’re way
better than Google. Or Amazon.

If we ignore phones or what Android does natively, TV makers like LG and
Samsung and even Sony have all sorts of stuff on their TVs to spy on you.

My guess is Apple could fall very far and still be one of the best, because
the bar is incredibly low.

------
Tloewald
Yes.

Unlike FB they don’t do secret backdoor deals with phone manufacturers to spy
on you. Also they don’t spy on you. Also they don’t make ALL their money from
advertising creating an unavoidable incentive for violating your privacy (and
wasting your time but that’s beside the point).

Unlike Android they aren’t a Wild West of malware and dodgy phone
manufacturers who do secret deals with everyone to spy on you.

Unlike Google they don’t make almost all their money from advertising (see
above).

Unlike Microsoft they don’t bake ads into their OS despite the fact that they
don’t make much money from it. Also they aren’t trying to compete with Google.
Also hardware Wild West thing.

Unl

~~~
CaptSpify
> Unlike FB they don’t do secret backdoor deals with phone manufacturers to
> spy on you. Also they don’t spy on you.

How do you know this to be true?

~~~
dkonofalski
Apple manufactures all their own devices. They don't have any incentive to do
so nor any way to do so since they're not dealing with 3rd party phone
manufacturers.

~~~
CaptSpify
A) Of course they have incentive to do so. They also have incentive to hide it
tho.

B) Not dealing with 3rd party manufacturers seems unrelated to the discussion.
Can you expand?

~~~
dkonofalski
A) I disagree. Apple's incentive is in getting people to pay top dollar to
live in the Apple ecosystem. They require a certain level of trust. Selling
out people's data to Facebook does not achieve that end. The risk of getting
caught is far higher than the reward from those analytics.

B) Apple controls the entire supply chain for iPhones. They have no need from
a profit standpoint to try and insert hardware that allows other companies to
do anything to their users. The secret backdoors are almost always the result
of some exchange - FB offers data about users in exchange for the ability to
insert hardware/software into a phone. Since that exchange doesn't exist for
Apple, there's no reason for it.

------
andrepd
>Apple does not collect or possess that customer data in the first place.

I'm genuinely curious. How do you know that?

~~~
dkonofalski
The data is encrypted. The US government has attempted to retrieve customer
data from Apple and they were unable to comply.

------
craigsmansion
There is no fundamental difference. The difference is that at this point in
time, it's more profitable for Apple to not collect and possess data than the
other way around.

That is not a given.

The only future-proof way around this is to be in control of the software (and
hardware) you use, something Apple is not very comfortable with.

~~~
vkou
There is another, more future-proof way around this - legislation similar to
GDPR.

~~~
zyang
Seeing how Do Not Call registry has failed, I have little faith in a GDPR like
legislation being properly enforced. The likes of Google and FB can easily
lobby/bribe their way out of it, or simply just pay the fines and business as
usual. Unfortunately having a company like Apple with the aligned financial
incentives is the best defense we have.

~~~
BonesJustice
Even Google can’t count on being able to ‘bribe’ their way out of GDPR
compliance, as complaints can be brought individually. And the fines have to
be large, as a percentage of revenue, or they are useless. GDPR is pretty
strong on this, but I would have liked the ceilings on fines to be even
higher.

I have zero hope that we’ll get anything remotely comparable in the USA,
though.

------
jamesrom
Everyone talks about the 'collecting' of customer data.

Like simply collecting and holding that data is somehow wrong.

Apple doesn't collect the same customer data that Google does, but even if
they did, it's much much more important to talk about how that data is used.

Google are an advertising company. It's in their best interest to use that
data to INFLUENCE you to the whims of the highest bidder.

Google are running a platform whereby they sell their brainwashing services to
anyone willing to pay. That's not an exaggeration.

------
skybrian
That headline is an interesting choice of phrase. Are we expecting big tech
corporations to almost literally be superheroes or villains?

It does seem like many people expect them to fight for justice. Protect the
innocents. Maybe not punch the bad guys, but at least banish them.

This is not what corporate PR is usually going for. But suppose someone
decided, heck yeah, we're going to be a virtual superhero, and just ran with
that?

------
maxxxxx
Apple is a huge company that needs to grow every year and has access to a lot
of data. I think even if Apple is doing well now they easily can change their
data strategy to make more money or be forced by governments.

We should work on a system where it's not possible for a company to accumulate
that much data.

------
Havoc
Hardly. But I trust them marginally more than say Google.

------
IBM
This is a Facebook submarine [1].

[1]
[http://www.paulgraham.com/submarine.html](http://www.paulgraham.com/submarine.html)

~~~
badlucklottery
Eh. Without proof that seems like a method of easy dismissal instead of
arguing why it's wrong.

And if it is PR, it's a weird tactic. The article seems to be using FB as
benchmark for "worst offender".

~~~
IBM
This story basically has no meat other than "the permissions API for contacts
isn't granular enough" padded with casting aspersions on Apple, by the
Facebook beat reporter. There are no quotes from anyone in the infosec field
who is familiar with the technical underpinnings of iOS or is otherwise
familiar with Apple's history with privacy (policy, technical, business model,
etc). The entire premise of this story which amounts to "Is Apple really so
virtuous?" is completely unsubstantiated.

So sure, I don't have any definite proof that this was a story planted by
Facebook's PR team. That would require me to have seen the communications
between this reporter and them, but I don't think the hurdle is "beyond a
reasonable doubt" to say this was _A Facebook Production_ given the context
(the running spat between Tim Cook and Mark Zuckerberg, Facebook employees on
Twitter whining about this very thing, etc).

~~~
badlucklottery
> This story basically has no meat other than "the permissions API for contacts
> isn't granular enough" padded with casting aspersions on Apple, by the
> Facebook beat reporter.

I'm not defending the quality of the article, it's _bad_. And I think if the
reasons you just listed were in your original comment, I would have upvoted it
instead of viewing it as overly dismissive.

> I don't think the hurdle is "beyond a reasonable doubt" to say this was a
> Facebook Production given the context

For sure, the bar is low because the stakes are low. But a shitty writer and a
need to inflate word count for the editor yields articles like this as well,
no need for a PR conspiracy. I guess it depends a lot on how you feel about
Hanlon's razor.

~~~
IBM
> I'm not defending the quality of the article, it's bad. And I think if the
> reasons you just listed were in your original comment, I would have upvoted it
> instead of viewing it as overly dismissive.

That's fair. I should have written a fuller comment off the bat, but everyone
can read my reasoning now.

> For sure, the bar is low because the stakes are low. But a shitty writer and
> a need to inflate word count for the editor yields articles like this as well,
> no need for a PR conspiracy. I guess it depends a lot on how you feel about
> Hanlon's razor.

I actually don't think this is anything particularly nefarious or underhanded.
It's all in the game, as Omar would say. In fact I'm amused by how
transparently bad it is. She brings up some good points (the permissions
should be more granular) but the framing of the story is clearly working in
service of Facebook's agenda. The actual solution that needs to happen isn't
technical at all. It requires new legislation establishing equivalents to Data
Protection Commissioners in the EU and creating a comprehensive, omnibus
policy for them to enforce.

------
jakobdabo
Apple are no better data hoarders.

A personal anecdote - last year I tried to (for the first time) use an iPhone.
First of all, why do we need to "activate" it? What's wrong with just turning
it on and using?

Then comes data collection, they wouldn't allow me to use my smartphone
without a SIM card (I couldn't use my old SIM in that moment because it was
not in the micro format). So, you can't "activate" your iPhone and use it as
wifi-only device, they want your SIM card's data first.

OK, trying again with an old inactive SIM card from the drawer, now they want
my full name, my email, my telephone, my birthday and my address. Why though?
I decided to play their game and entered bogus data and a temporary email
address. Now they want me to confirm the email and the telephone. Just let me
use it already! I managed to confirm the email (the unconfirmed telephone
number was nagging in the notifications area), and hooray, I already could use
some of my phone and get online.

Next comes the iTunes account. If you want to install any app from the store
you must have an iTunes account. Again, full name, telephone, address, zip
code, etc. In the end it refused to register (maybe some algo detected my
bogus data which I didn't even try to make look legit) and it just
suggested to contact their support.

This is when I reset it and decided to return it.

~~~
davymac
“No better”? I’ll disagree there.

“This is when I reset it and decided to return it” - I respect this. I’m
honestly very curious what you’ve decided on in its place.

~~~
guitarbill
> I’m honestly very curious what you’ve decided on in its place.

Me too. I'm looking for something with good privacy and good security,
including things like anti-imaging or timely security updates for at least 3
years (don't change my phone very often). Seems like I could either buy Apple,
maybe flash LineageOS (what a pain), or not use a smartphone.

