
Apple Launches Portal for U.S. Users to Download Their Data - uptown
https://www.bloomberg.com/news/articles/2018-10-17/apple-launches-portal-for-u-s-users-to-download-their-data
======
8fingerlouie
I've been an Apple customer for the past decade or so, starting with the white
13" macbook, and the first iPhone. I've heard the argument many times that
Apple is just as bad as Google/Facebook when it comes to collecting data.

I checked my data when the GDPR came into effect, and was pleasantly surprised
to find only information i "expected". It has my complete purchase history
over every Apple product I've ever _registered_ as well as iTunes/AppStore, it
has every service/repair call/appointment I've ever made. It then goes on to
list everything I've uploaded to iCloud.

There were no unpleasant surprises. No records of phone calls, no text
messages (I don't use iMessage in iCloud), and absolutely no data i wasn't
expecting them to have.

Google/Facebook have become greedy, and i expect a backlash will happen
eventually (if not already) where people are fed up with them siphoning every
little detail of their lives.

~~~
jrnichols
Did you ever grab your Facebook data? When I did, I was astonished to find out
just how much they had collected and stored. Numbers I hadn't seen in _years_
even, and a lot from back in the days I had a Blackberry and there was
seemingly no option for "don't eat up my contact list." at all. It was
frightening and eye opening at the same time.

~~~
8fingerlouie
I grabbed my Facebook data when the GDPR came into effect. Besides what I've
"willingly" shared they don't have much data on me. No phone calls, no text
messages, no locations, no contacts.

I attribute this to always having used iOS, and me always having been rather
conservative with what permissions I give out to apps. I never give out
address book permissions, location updates is allowed if _I_ have use for it
within the app, etc. I've never used Google apps on my iPhone.

Mostly though, it's probably due to iOS. It has always had better/finer
privacy settings, and where Android used to require permissions up front, iOS
asked for them when you actually used the feature within the app.

The option to disable background updates also helps a great deal. Can't very
well siphon my entire location history if you only receive location updates
for 6 minutes per day.

------
snailmailman
Since I dont see a link in the article, the page is
[https://privacy.apple.com/](https://privacy.apple.com/)

Although im in the U.S. and i dont see the option to download my data. Perhaps
it hasn't rolled out to everyone? or am i looking in the wrong place?

~~~
chomp
In this article ([https://techcrunch.com/2018/10/17/how-to-download-your-
apple...](https://techcrunch.com/2018/10/17/how-to-download-your-apple-data/))
they say:

>If the “obtain your data” option isn’t immediately available, it may still
take time to roll out to all customers.

Time to sit and wait!

~~~
stevenwoo
I just asked to download my notes and the ETA is one week according to the web
page.

------
mirkules
I'm surprised that nobody mentioned how big of a target this is for the
criminal enterprise. Gaining unauthorized access to someone's account through
this portal would be a gold mine, even better than iCloud alone.

~~~
irrational
I just tried it. Someone would need my apple id, my password, access to one of
my apple devices (I had to enter a code that appeared on one of my devices),
and access to my email. If someone already has all of that, I'm hosed no
matter what.

~~~
technofiend
There's still a hole in Apple's user ID mapping that doesn't recognize
first.last@gmail.com and firstlast@gmail.com are the same person and the
e-mails go to the same place.

If you accidentally approve creating an Apple ID that's some variation on your
e-mail it opens up your account to human phishing attacks. Just call apple
support and raise hell until someone makes a mistake.

The RFC mentions dot-atoms in address elements are _locally interpreted_.
There's no rule specifying if x.y.z or xyz are equivalent or not. The issue
for me is that an Apple ID looks just like an e-mail address. x.y.z@gmail.com
and xyz@gmail.com are equivalent to Gmail but not to Apple. From that I
believe it creates an opportunity for confusion.

~~~
pathseeker
That's not a hole. Those are different email addresses according to the email
standard.

How exactly would this attack even work that you have in mind? And wouldn't it
even be easier to conduct this so-called attach on an email host that actually
treats first.last@domain.com as a different email from firstlast@domain.com
since it wouldn't even require the 'victim' to click anything in their email?

The right answer is for Apple to keep treating them as separate emails and
refuse to give people access to accounts with different email addresses. It's
that simple.

~~~
technofiend
>Those are different email addresses according to the email standard.

Not really. It's left open to interpretation from my reading of the relevant
RFC. The spec says the dot-atom form should be used but does not say in what
way it should be used. Google collapses x.y.z@gmail and xyz@gmail.com to the
same thing which is fine they're welcome to do so. However the Apple IDs
x.y.z@gmail.com and xyz@gmail.com are entirely different entities. So we have
a namespace collision in one space but not the other because although an Apple
ID _looks like_ an e-mail address it's not. I'm just saying that can create a
problem.

    
    
       An addr-spec is a specific Internet identifier that contains a
       locally interpreted string followed by the at-sign character ("@",
       ASCII value 64) followed by an Internet domain.  The locally
       interpreted string is either a quoted-string or a dot-atom.  If the
       string can be represented as a dot-atom (that is, it contains no
       characters other than atext characters or "." surrounded by atext
       characters), then the dot-atom form SHOULD be used and the quoted-
       string form SHOULD NOT be used.  Comments and folding white space
       SHOULD NOT be used around the "@" in the addr-spec.

~~~
hk__2
> It's left open to interpretation from my reading of the relevant RFC

No. The part of the spec you quoted says that _if_ the local part of the email
address is in the format "atext+ (\\. atext+)*" where atext is "Any character
except controls, [spaces], and specials", then the quoted-string form
shouldn’t be used. In other words, don’t use quotes when you don’t need them.
This has nothing to do with how to "interpret" dots; they are interpreted like
any other char except they can’t occur everywhere in the local part (e.g.
"foo.@bar.com" isn’t valid).

~~~
technofiend
>The _locally interpreted string_ is either a quoted-string or a dot-atom

That's pretty clearly stating (to me) that the dot-atom is locally
interpreted. It doesn't say anything about _how_ to interpret a dot-atom. Just
to use it in preference to the quoted string if the rules you mention apply.

~~~
megous
You're mixing up two different concepts. E-mail address and mailbox. Multiple
e-mail addresses can be used to deliver to the same mailbox. That's what
"local intepretation" means. a.a@b is still a different address than aa@b.

~~~
felipelemos
And in the end is what happens with gmail. You have one mailbox and all
versions of your mailbox with dots in between the characters as alias
automatically.

------
kerng
Google had this for a long time, also Facebook and also Microsoft I believe-
especially after it became a GDPR requirement most companies just rolled it
out worldwide. Bloomberg's quality of research is going down a bit recently.

~~~
kodablah
I am curious (seriously, not sarcastic), which of these 4 companies has rolled
this out worldwide? Surely Apple will never be able to roll this out in China?

~~~
tdb7893
Google has had "Google Takeout" for a fairly long time I think (I heard it
started as someone's 20% project a long time ago but is a legitimate team
there now but that's just hearsay)

~~~
opportune
It would be cool if someone could figure out how to crawl LinkedIn to parse
org charts... I bet you could do that to solve problems like this. Only
question is whether the participation rate in LinkedIn for that workplace is
high enough

~~~
jfim
I don't think LinkedIn has information as to whom someone reports to. It could
somewhat be inferred by looking at the connection graph, but would be
ridiculously noisy (for example I have connections to managers and directors I
have never reported to).

------
pwaivers
Does anyone else think this is really cool? This makes me think even more that
Apple is really a supporter of privacy and a good actor. What do you think?

~~~
ilovecaching
> This makes me think even more that Apple is really a supporter of privacy
> and a good actor.

That's the point... this is a publicity stunt. Corporations don't have
feelings, and the board that drives the company is primarily concerned with
company health and growth above all other things. Leadership may, however, set
a strategy that capitalizes on recent public scrutiny of user privacy concerns
to push the narrative that will sell more iDevices. Humanizing corporations is
a dangerous game, because it plays right into their hand. Don't let them fool
you into it.

~~~
baxtr
I believe that this is a very simplistic view. Of course corporations can’t
have any feelings, but corporations are still led by human beings who can have
truthful views and steer a company such that they do some good. I believe Tim
Cook and most of his top managers have good intentions. At least they have
been very consistent on some topics like privacy, minority rights and the
environment. Is Apple perfect? Of course not. But I have not the feeling they
need to do these things just for publicity reasons

~~~
ilovecaching
Corporations will do "good" things when it aligns with their product goals.
You can be sure that if Tim Cook or anyone at a publicly traded company
started steering a company away from profitability they would be replaced. The
company will always be susceptible to market forces, and the needs of its
shareholders and employees before users or the world, unless regulation steps
in or public opinion would hurt their profitability.

~~~
ovao
While you make a fair point, the commenter is suggesting that Tim Cook is
well-intentioned, and the comment that a company like Apple is suspectible to
market forces is not an indication that Cook is not well-intentioned.

(Not that intentions matter particularly either way.)

------
mark_l_watson
Sorry to be off topic, but if Apple really wanted to provide a complete “home”
for customers inside their walled garden, I would suggest to them to allow
tying a custom domain name to Apple email service. I trust Apple more than
most other companies as I am sure many others do also. Email, calendar, iCloud
storage, and Apple devices would provide a reasonably good one stop shop for
privacy seeking customers.

~~~
eugeniub
Apple is one of the only major email providers that does not encrypt user
email data at rest.

~~~
krrrh
Reference for this?

~~~
eugeniub
The Apple support page at [https://support.apple.com/en-
us/HT202303](https://support.apple.com/en-us/HT202303) shows "No" for on
server encryption for iCloud Mail.

------
JosephHatfield
Note that once you request your data, and indicate the maximum file size you
can handle, the following message is displayed:

Thank you. We are preparing your data.

When your data is ready we will notify you

As a reminder, this process can take up to seven days. To ensure the security
of your data, we use this time to verify that the request was made by you.

You can view and check the status of your request on this site at any time by
visiting privacy.apple.com/account.

------
mh8h
To me the interesting point was how little data Apple keeps, compared to
Facebook or Google.

~~~
ehsankia
I'm curious where you are getting that data from? The article says nothing
about the data contained, and most other people in this thread either don't
have access at all, or are stuck behind a 7 day wait time. Have you managed to
get yours?

Also, what is your metric here? A lot of "journalists" comparing the takeouts
from Facebook or Google use horrible metrics such as byte size, which make
zero sense because these takeouts contain videos from Photos and files you've
uploaded to Drive. It's in no way an indicator of how much "data" these
companies collect.

~~~
akvadrako
What he says is true - this has been available by via support requests or for
EU residents for a while.

------
spdustin
When I went to [https://privacy.apple.com/](https://privacy.apple.com/), I
could only correct the info tied to my Apple ID, or access my purchase
history. No option to download anything. Maybe that's not the right link?

~~~
fastball

      If the “obtain your data” option isn’t immediately available, it may still take time to roll out to all customers.

------
asadhaider
I'm from the UK with an Apple account registered here and it let me request a
copy of all my data, so not just limited to U.S. users it seems.

~~~
masklinn
> not just limited to U.S. users it seems.

'course not, it's GDPR stuff, it was rolled out in the EU back in May
([https://9to5mac.com/2018/05/23/download-all-apple-id-
icloud-...](https://9to5mac.com/2018/05/23/download-all-apple-id-icloud-
data/))

They're doing what they originally pledged: rolling it out globally instead of
limiting it to where they're legally required to.

------
invalidusernam3
Just tried it, it takes a bit of time:

Thank you. We are preparing your data. When your data is ready we will notify
you at XXXXXXXXX@XXX.com

As a reminder, this process can take up to seven days. To ensure the security
of your data, we use this time to verify that the request was made by you.

~~~
Operyl
It seems to be as a measure of safety, not because it takes 7 days. They’re
giving time for the user to notice an unauthorized export attempt.

------
readhn
This is nice. Ok, thanks for letting me have my own data.

What i really, really want is a DELETE button that wipes out all of my
personal data on Apple's servers FOREVER with 0 chance of recovery.

I want to press DELETE and i disappear forever from Facebook, Google, Apple,
Comcast etc. Pewfff like i never existed... THAT would be cool my friends!

Wake me up when that happens.....(not a chance that will ever happen).

~~~
willstrafach
Time to wake up then. When you log in on this page, both temporary
deactivation as well as true deletion are both also offered.

------
craigds
Headline is confusing. To clarify, this applies internationally. The 'U.S.
users' is misleading.

I just did it from NZ.

------
milesward
Privacy to me isn't letting me download my data, it's _not_ letting others
download it. I'm not sure how opening a door keeps others shut more tightly...

~~~
herrkanin
Privacy also includes data transparency and knowing what data they store about
you. The best way to do this is to provide you with all data they do store
about you.

------
crb002
As a digital forensics practitioner this is amazing. Court orders can be
served on users instead of having to rely on Apple. Usually just having
information preserved is enough for both sides to come to a fair settlement.

~~~
rahkiin
You want to use a court order on a user to not provide information it has, but
actively perform actions to obtain new data in order to hand it to law
enforcement?

Is this legal?

------
nreilly
This is available for Australia, Canada, New Zealand and the United States.

------
st3fan
Works in Canada too.

------
tardigras
I think this is an indicator that large centralized companies are starting to
see that users' are valuing privacy and this is them signaling that they are
part of the solution, when in reality this is more of a publicity stunt or a
check box (so they an say, "see, we care about your privacy") than anything.

~~~
r00fus
Or perhaps, more accurately, due to following legal requirements (GDPR) and
then not keeping the feature regional.

Maybe this is what will force companies to understand that stored user data is
both an asset and a liability.

------
deanmoriarty
Does anyone know if it would support exporting iOS backups saved in iCloud?

~~~
thetinguy
It does not.

------
canuckintime
So how to request Apple not collect this data?

~~~
bilbo0s
You have to tell your iphone to stop sending it.

Depending on your iphone's settings, and what data you don't want Apple
collecting, that could mean anything from turning off iCloud to not using
iTunes and the App Store.

Basically, any app is likely giving Apple data on you. (Well I take that back.
Apps will give _some_ company data on you. But they won't necessarily give it
to Apple. Obviously for full and complete privacy you would need to turn off
any google, facebook and amazon stuff as well. Also any ancillary apps, like
mileage meters, or health and wellness type stuff. A lot of games too now I
think about it.)

~~~
balladeer
> health and wellness type stuff

This is very crucial and I really don't see any alternative services to the
ones like Strava and RunKeeper for iOS.

Even an app that does the job w/o any social features would do (in fact I
never use the social feature aspect of these apps)

~~~
zchrykng
Have you looked at apps by David Smith? Pedometer++, Workouts++, etc. They
integrate with Apple's Health app, but don't sync anything on their own. And
Apple's health app is encrypted to your device.

~~~
balladeer
Thanks. I installed Workouts++. I will try to use it to record my runs and how
activity data is presented. Though I am not yet sure I can use it w/o an Apple
watch.

------
pytyper2
Can I request they destroy it?

~~~
mh8h
You can request to delete your account. Not all of your data can be destroyed,
due to legal reasons. For example, anything related to financial transactions
(e.g. app purchases, subscriptions, etc) can't be deleted.

------
blazespin
Game.changing. apple is elitist, no doubt, but in a good way.

~~~
welder
Apple's late, others already had this for years. Sure they're elitist in that
they convince everyone this is revolutionary game changing one of a kind when
it's normal.

------
sjroot
The only link in the article takes me to Bloomberg's page about Apple, which
is useless to me as someone who is interested in visiting this privacy portal.

If you are going to take a few minutes and write about a launch or release
like this, please take the extra few seconds to include a link for your
readers. Make your content _useful_.

Relevant: [https://privacy.apple.com/](https://privacy.apple.com/)

~~~
jonathanberger
I still don't get why reporters or publications seem to refuse to link to the
most obvious and central key piece of material to an article.

Article on a new law being passed... no link to the raw text of the law.
Article about a new scientific study that has come out... ofcourse, no link to
the study. Famous person issues a statement or makes a speech... sure, we'll
give you a few quotes but no link to the full text.

It's like, come on!

~~~
function_seven
This relates to my other peeve: trying to find the original video when
something goes viral. Let's say I hear that Alice was seen telling Carol
secrets about Bob. I go to Google/DDG/Youtube and search "Carol Alice secrets
Bob" and get several dozen video results. ALL of them are other people trying
to repackage the original video with their own commentary. News sites,
bloggers, etc.

How do I locate the OG footage?

~~~
jxramos
I remember putting a feature request that Google append to the video
description the original source. But then you devolve into the whole
authenticity realm like with Twitter verified badges.

~~~
function_seven
Oh for sure. I know it can be tricky to make that decision. Having some
advanced search tools would help me do it on my own. What if I could see the
results, and tell Google to show me the earliest video that has a runtime
between x:xx and y:yy and is visually similar to a chosen result? With at
least 50,000 views?

Maybe filter out all results posted by media orgs. Or show only those results
that don't have cuts in them (almost all original footage is a continuous shot
of a situation, with no titles, cuts to reporters or anchors, or
introductions)

I think I'm headed down a rabbit trail of leveraging ContentID smarts for
better searching and filtering.

~~~
doh
That's exactly what we built internally. Not only a capability to identify the
original video, but which portions of it are being shared the most, what's the
most popular video, etc.

Technical challenge is one thing, but getting people to choose some random
search engine over Google is incredibly hard, as Google spends billions of
dollars to divert all the traffic to themselves.

------
Sumter
what about the other regions user

------
rocky1138
What's to stop law enforcement circumventing the phone and just going this
route to get user data for court cases? Or, is there stuff on the phone that
won't be included here?

~~~
klodolph
This doesn’t download data from the phone at all. This only downloads data
that was already stored with Apple.

This doesn’t make any additional information available to law enforcement.

~~~
kzrdude
Potentially gives law enforcement an easier way to get the information?
Instead of compelling Apple to give it out (they can afford lawyers), they can
try compelling individuals instead.

~~~
pkaye
If the police can compel individuals to give up their passwords then none of
this matters.

