Hacker News new | past | comments | ask | show | jobs | submit login
iPhone apps share data with trackers, ad companies and research firms (washingtonpost.com)
369 points by akeck 10 months ago | hide | past | web | favorite | 206 comments

Wow. I'd diligently turned off background location for virtually everything, but I had no idea so many apps did background refresh by default. Your IP address is nearly as good as your GPS coordinates. (Edit: Maybe one's IP address on a cellular connection doesn't matter as much as I thought. I just did a check and it didn't even get my city correct.)

Possibly the most surprising thing is that, unlike all other permissions, iOS didn't ask me directly before enabling background refresh. That's disturbing.

Also, while I sympathized with Apple outsourcing Maps' business info to Yelp, they really should hold their partners to a much higher standard given all of their privacy rhetoric.

For every app that I install I check if the app activated background app refresh. Most of the time it does not make any sense why an app would even need that, other than tracking me. Also disabling it for most apps is one of the best things you can do to extend your battery life.

In Apple's defense it is a hard thing to ask the user whether or not they want to permit "background app refresh". Many users might not understand at all what this means. It is not as easy to understand as "allow app to send you notifications" or "allow app to use your location".

Maybe Apple could force apps to request for each specific use case why they wants to be active in the background. Is it to enable basic functionality of the app or is it to track you? Would be great if the user could choose in which case to allow access and in which case not. Right now it is a blank check you give to each app and it is hard to tell whether the app abuses its permissions or not.

Yep. Still less of a blank check than Android though; it doesn't even distinguish background location from foreground location, last I checked.

Yeah that's a limitation of Android at present, but check out what's coming in Android Q: https://developer.android.com/preview/privacy/device-locatio...

Android is weird! I have to ask for that location permission if I want to connect to Bluetooth printer!

It kind of makes sense, in that it’s possible to use data on what radios you can see (particularly WiFi SSIDs) to work out a user’s location. Still causes no end of hassle from customers complaining about you requesting location permissions to connect to a WiFi device though.

I suspect they do this to be able to configure Bluetooth within regional regulations. In US / China you can transmit with up to 20dBm output power at 2.4 GHz, while in much of the world 10 dBm is max.

The location permission is not needed to use Bluetooth on Android, but apps must request it to be able to scan for nearby access points and beacons (both for wifi and for BT), since this information can be used to infer the device's location. Fun fact: turning off location services without revoking the location permission still allows apps to scan for wifi access points and infer your location with impressive precision. The list of apps that have the scanning permission is hidden somwhere deep in system settings.

Perhaps they could show which apps have used background refresh recently on the notification center/lock screen after you haven't used your phone for a while. "Facebook, Uber and 7 other apps have downloaded content in the background [Learn More]"

iOS already does this for GPS usage. Sounds smart to do the same for background activity.

does it though?

what happens if background refresh is on but location -> never?

It can probably be estimated from cell IP

> Maybe one's IP address on a cellular connection doesn't matter as much as I thought. I just did a check and it didn't even get my city correct.

It all depends on your cell provider. A lot of cellular providers use GCNATs so their whole customer base appears to connect from just a handful of IPs without any proxy headers (which is why doing a ip address geo location on yourself is giving you wrong info).

A few providers will give you a non nated IP on request (and usually for a fee). IPv6 should “fix” the issue.

"Your IP address is nearly as good as your GPS coordinates."

Are you only concerned about transmitting your IP address to other third parties besides Apple? iOS is configured to automatically transmit the user's IP address to various Apple servers on a continual basis, e.g. time-osx.g.aaplimg.com. iOS users cannot change that configuration.

The CNAME for time.apple.com and time.euro.apple.com (but not time.asia.apple.com -> time-ios.g.aaplimg.com).

I don't think there's something stopping you from redirecting 123/udp to your own NTP server. This is another of the problems that are easily solved with a VPN.

"I don't think there's something stopping you from redirecting 123/udp to your own NTP server."

Neither do I. I use local DNS and a router to block traffic to Apple servers.

Of course it would be easier to simply edit the operating system configuration files, if the device manufacturer did not try to prevent device owners from doing so.

> "Possibly the most surprising thing is that, unlike all other permissions, iOS didn't ask me directly before enabling background refresh. That's disturbing."

I believe it says so in the fine print of the terms and condition we do not read. I could be wrong ofcourse.

"Apple outsourcing Maps' business info to Yelp, they really should hold their partners to a much higher standard given all of their privacy rhetoric."

I could not agree more. I cannot stand Yelp and was pretty bummed when they integrated Yelp into Apple Maps.

Yeah, this is really a story about how apps take advantage of people who aren't judicious about what they install, and aren't careful about what background & location data behavior they allow for the apps they have.

My guess is that Apple is already working on a plan to curtail these abuses -- or, rather, working on ways to make it easier for normal people to do so. Obviously if you're reading HD, you understand these issues better, and are more apt to use the tools already in iOS to limit bad behavior.

>they really should hold their partners to a much higher standard given all of their privacy rhetoric.


> I'd diligently turned off background location for virtually everything

First thing I did with my wife's Iphone. I imagine that with that disabled and permissions set correctly , an iphone leaks less than an android.

My understanding is that this is correct.

> there was some startling behavior by a household name: Yelp. It was receiving a message that included my IP address -- once every five minutes.

A message that included your IP address? As in...any message sent over IP?

In the header or in the payload? The second is not typical and a clue something fishy might be going on.

The second is incredibly common almost the default.

Most libraries will just collect as much info as they are able to, put it in JSON and ship it to some server. That includes your IP address.

It doesn’t really matter if it’s common. It’s not acceptable to do that.

It's no different to your IP address coming in the request headers.

Unless you’re behind a nat, home uses a 192. office uses 10. Favorite coffee shop uses 172. You're letting internal details leak and give another factor of correlation

‘collect as much info as they are able to, put it in JSON and ship it to some server.‘ is different from your IP address being known to that server.

Can you provide a source for this? I haven’t noticed this happening, although I believe the information is available in aggregate data. Of course, I also use uBlock etc so quite possible I simply haven’t noticed the trend.

Can confirm companies do this. I have helped build custom analytics solutions for android and iOS where apps dump literally anything and everything they can get data of. Product Managers are so inclined to scrape everything. I was surprised few years back when we could get device battery stats, nearby wifi ssids and even connected audio output device, if any.

Later moved on to other roles.

As an example of how simple it is to get this info, check out the readme on this really popular React Native component: https://github.com/react-native-community/react-native-devic...

I’m not implying it’s a creepy component. This component captures some really useful information, depending on your needs. But yeah, simple stuff.

And to back up an earlier comment in this thread, IP address is part of the user agent payload. That’s exceptionally common data to see, through browsers and apps. It doesn’t take a fancy library to capture that info.

I really wanted to be alarmed by this article, but I left with more questions than answers. And I’m guessing Amplitude is bummed by this press. They actually responded to say they don’t share data with 3rd parties, yet their name is peppered throughout the article, with implications that they are sneaky and nefarious.

They all say that, words are cheap.

On topic: your phone has many sensors and apps will use them. The only way to stop this is to literally disable the sensors. No more GPS, no more WiFi/Bluetooth scanning. Obviously this limits the functionality of your phone but it does work.

If I send a message over a VPN or something similar, does that apply?

Yes, your IP address on the VPN tunnel is sent with every packet.

Does that one give my rough location?

It would give the location of the VPN server you're connected through.

In the US it would give at least the city/metro area.

You mean of the VPN.

OK from https://www.apple.com/privacy/

> At Apple, we believe privacy is a fundamental human right.

> And so much of your personal information — information you have a right to keep private — lives on your Apple devices.

> Your heart rate after a run. Which news stories you read first. Where you bought your last coffee. What websites you visit. Who you call, email, or message.

> Every Apple product is designed from the ground up to protect that information. And to empower you to choose what you share and with whom.

> We’ve proved time and again that great experiences don’t have to come at the expense of your privacy and security. Instead, they can support them.

... and ...

> Your personal data belongs to you, not others.

> Whether you’re taking a photo, asking Siri a question, or getting directions, you can do it knowing that Apple doesn’t gather your personal information to sell to advertisers or other organizations.

So what? I guess that they didn't promise that apps would be doing all that bad stuff.

Which is disgusting.

What can one expect Apple to do, disallow apps that do extensive tracking, causing their users to not be able to use any social media whatsoever?

They don't have any feasible option in that space. It is nice that they do something rather than nothing.

> What can one expect Apple to do

on macOS/Windows/Linux people can inspect apps and malicious apps will be discovered by hackers and reported in the news.

on iOS, Apple build a walled garden where nobody can see what happens under the hood. Zero transparency, and no way to opt-out. A perfect environment for misuse/abuse to go unnoticed.

> on iOS, Apple build a walled garden where nobody can see what happens under the hood. Zero transparency, and no way to opt-out.

You still have visibility on the network traffic. May I suggest to setup a VPN? Run your own resolver and sinkhole tracking domains, apply additional filtering rules, ...


I'm aware of that, but it's like a band-aid; Without an application firewall you can't prevent apps from uploading their tracking data.

Apps change at a rapid pace, and so do many tracker domains/public ips. By the time the user noticed the changes it's already too late and all the collected data has been uploaded. It's just impossible to maintain a 100% block to prevent your private data being uploaded, without an application firewall.

Without controlling the OS nor the applications, it's a tough task, most things are a band-aid.

The possibility of an application firewall evokes me mixed feelings: it'd be great, but I'd have to set what's allowed per app, per phone.

Even at that point I doubt it's possible to assure a 100% rate.

Also, some of this stuff (ie crashlytics) is merely about crash reporting. Sure, as a user, it would be best to be asked, but as a dev I'm glad not to have to cross my fingers and hope users will send me (useful) crash reports ¯\_(ツ)_/¯

Can't you dump out the crash report somewhere and ask if the user wants to submit it when they next open the app?

Sure. I could also roll my own cryptography

Edit: Apple does this, when asking the users' on device setup if they wish to share crash reports, etc with developers. Conclusion ? I don't get 1/10th of the crashs identified via Crashlytics.

They will all, however, come crying and screaming, both in App Store reviews and on Twitter.

the users have no idea what "crash report" means

Best erode their privacy then

I have never seen any personal info in crashlytic's crash reports. It is still blocked by the "vpn" they recommend.

Unfortunately you can't trust random SDKs to not be evil or turn evil in the future.

True. Especially when they're bought by Google (see fabric)

But - same could be said about most mainstream web browsers

- same could be said about whatever latest mobile animation framework everyone just fell in love with

- when it comes to my personal apps, I'll just release what I built for my use. I try to do it well, but if I didn't have a simple way to detect and report crashes from the few users out there, I just wouldn't bother with said crashes unless they affect me. It already isn't worth it, in any way.

- when it comes to clients, they don't pay me to spend time reinventing the wheel, nor to setup some infrastructure that will also later have to be maintained. Heck, it's often hard enough to convince them to let me add tests

Yes, but there are different likelihoods involved.

The SDK mentioned upthread isn't a random animation framework, it's a library for sending user data. Today it sends just crash reports, but it's a small step for them to send more.

> when it comes to clients, they don't pay me to spend time reinventing the wheel, nor to setup some infrastructure that will also later have to be maintained. Heck, it's often hard enough to convince them to let me add tests

Do they pay you for including random unchecked dependencies and potentially turning them into malware vendors or exposing them to legal liability? Think of event-stream fiasco in the JS land.

As a user, if you ask me if you could send crash reports, I might say yes. If you don't ask or at least inform me up-front, and I learn that you send the data, I'll uninstall your app, period. Might even throw in a bad review just to make a point.

I wouldn't call something built by fabric (formerly owned by Twitter, now Google) some "random unchecked" dependency. Nor consider it could turn into malware.

I'll look that event-stream fiasco though. Thanks!

I stand corrected, this is not a random dependency (I only dabble in Android apps from time to time, so I didn't recognize the name; then again, your users won't recognize it either). But I'm sure it has plenty of fly-by-night competitors :).

In context of data management, being owned by Twitter and Google is not reassuring (as you yourself note upthread).

Well, at least I can be somewhat sure it's properly and safely stored, with a low likelihood of getting out in the open or being sold to some random third-party.

But yeah, the acquisition by Google made me twitch

It would me removing Facebook, Twitter, WhatsApp, Instagram, Google & co. From AppStore. Then you'll land in the same ecosystem of WindowsPhone, which was declared dead form those app makers.

Not if Google did the same.

I expect them to stop lying about protecting users' privacy.

You’re literally the first person I’ve seen complain that Apple allows apps to do too much. Everyone else that I’ve seen complain, wants to be free to install any app without Apple’s permission, and claim end users can be trusted to be responsible for the security and privacy implications.

I do like freedom to do what I like with my devices. But Apple 1) clearly does vet apps, and allows only approved apps to be installed, and 2) makes broad claims about privacy.

If Apple wants to make broad claims about privacy, it should kick all offending apps from its store. But it should also allow users to install whatever apps they like. That puts responsibility on users.

LOL. This is because Apple can do no right on HN.

Maybe it's unfair to call it "lying".

Still, they could say that they totally respect users' privacy. And add that, although they vet all apps in their store, they can't guarantee that those apps will respect users' privacy.

Even for companies who are supposedly privacy-forward, their defaults say otherwise. A brand-new iPhone has all these privacy settings that are off by default, and that are usually confusingly labeled and buried several settings screens deep. Nobody really turns them on outside of a very small bubble.

Once companies have your trust, they can't help but break it if it'll earn them another few bucks. Yelp's a household name and doesn't seem like a bad actor, but that's proven false by this article. Furthermore, while they claim to have your best interests in mind, Apple (and Google) let companies perform this kind of shady behavior on their platforms that they completely control. If they let others get away with this, can you really trust that the "don't upload my photos to your servers" switch really does what it says it does? How do you know your phone isn't recording audio and taking photos to send off to a datacenter in the middle of the night?

(To be fair, a lot of this data that's being sent out probably has something to do with background services designed to make the experience better. Weather Channel might be gathering location in the background for more up-to-the-minute forecasts. For things like cloud storage services, scraping your camera roll and uploading the photos is probably something you ask them to do.)

Care to be more specific? Sharing of location, contacts, photos, calendars, access to your camera, etc are all disabled for 3rd party apps by default, and must be enabled individually for each app.

What are all these privacy settings you are referring to that are off by default?

From what I understand (haven't set up an iPhone from default in a long time) but the 'limit ad tracking' is off by default, allowing apps to have background app refresh privileges is allowed for any app by default (you must manually disable for any offenders unless you want it off for everything), the privacy features in Safari are off by default, and Apple's own data-collection and location-collection is also on by default.

Apple has a giant privacy document goes into great detail as to how that information is anonymized and rendered untraceable[1]. Which privacy features are disabled in safari (or more specifically which features are implemented that are always on)?

As for Limit Ad Tracking I'm honestly not sure what that actually does - given that according to this article apps are vigorously abusing their users irrespective of any user's settings.

[1] https://www.apple.com/privacy/docs/Differential_Privacy_Over...

What you say doesn't jive with TFA, which claims that the "information is [NOT] anonymized and rendered untraceable".

What's the catch with Apple's privacy document? Is it just that they're ignoring issues about what apps do? I mean, they make such a big deal about vetting apps.

Apple is saying apple’s products don’t collect data where possible, it’s not a statement on how 3rd party apps mistreat users

Limit Ad Tracking will zero out the advertising identifier, which is a vendor-specific ID used to track a device.

Settings -> Privacy -> Advertising.

None of that seems buried to me. Took me under 15 seconds to locate the privacy menu.

Also their advertising info/policy is accessible from that menu as well and is written in very clear, easy to understand language.

Location services are not ‘location-collection’ and are off by default.

Is Apple disabling the automatic iCloud sync for the supposed "end-to-end encrypted" iMessages yet?

If not, what is even the point of E2E encryption in iMessage if 99% of the iPhone users' conversations can be retrieved from their iCloud accounts?

And that's not even mentioning the fact that iMessage has a design flaw that allows Apple to include an invisible third-party into people's "end-to-end encrypted conversations." Apple has known about it for like 3 years, but I haven't seen them try to fix it.

Messages in the Cloud is and has always been disabled by default.

So your 99% number is nonsense.

And E2E encryption is to stop MITM attacks which are quite common if you are using untrusted networks e.g. open WiFi networks.

> And E2E encryption is to stop MITM attacks which are quite common if you are using untrusted networks e.g. open WiFi networks.

Those could also be avoided with encrypted (but not E2E encrypted) messages. E2E is supposed to be stronger than that.

Correct. The point of End to End encryption is that nobody else knows the contents of messages under any circumstances other than those in the conversation (usually 2 people).

>Yelp's a household name and doesn't seem like a bad actor

I admit, I lol'd.

Yelp is, from my general community knowledge, one of the worst actors out there - holding companies hostage by refusing to remove fraudulent reviews and trying to capture users within it's own walled garden rather than forwarding them to primary business resources.

Agree. It's one of the groups out there that makes my stomach turn.

>Yelp's a household name and doesn't seem like a bad actor

Everyone should assume their "free" app is being paid for via the use of the data they can glean from it. It's not like people don't know Yelp is a business and has to profit to continue to exist.

Even paid apps are sometimes into this.

Because why settle for $0.99 when you can earn $0.99 + 0.02?

Once a company reaches a certain size all decisions are made by bean counters and for them $1.01 > $0.99 every day of the week.

RadioShack was really ahead of their time, what with trying to collect your phone number and address every time you come in to buy a pack of AA batteries.

Now with smartphones it's all automatic and much harder to say "no" to.

Were they really that demanding? IIRC, the last time I was in one, all they wanted was a ZIP code, which was weird enough at the time.

I worked at RadioShack in the late 90's. We had to ask for name, address, and phone number. It was just part of the transaction flow on the point of sale. If we got resistance, we could just put it under a "CASH CASH" customer. I vaguely remember telling customers "it's so they can send you our catalog". RadioShack sent out nice heavy catalogs each year, which many people liked. Sometimes if we were busy or just lazy, we'd just do that anyway. While my understanding was that it was primarily for marketing purposes, it was also useful in that we could pull up receipts by phone number (in case you lost yours), verify warranty/extended warranty status, etc.

And then when Radio Shack went bankrupt, it wanted to sell that information.


> The bankrupt chain originally proposed selling the information to raise money and repay creditors. But that sparked a backlash from suppliers including AT&T (T) and Apple (AAPL), as well as the Federal Trade Commission and consumer advocates who argued that the electronics retailer had promised customers it would protect their data.

> Most of the assets, including some limited customer information, were purchased by General Wireless, a subsidiary of RadioShack's largest shareholder, which intends to keep 1,750 of the stores open with the RadioShack name and operate its online business. General Wireless agreed not to sell the customer data it is buying to a third party, and to comply with RadioShack's previous privacy promises.

> RadioShack filed for bankruptcy in February, and the court could have allowed the sale of the data despite the promises that RadioShack had previously made to customers.

(a few paragraphs omitted for brevity)

Yeah, I pretty aggressively avoid giving companies any information, and if required, I now give fake information when possible.


> A security researcher has found customer and employee data belonging to one of Canada's biggest PC hardware retailers on servers put up for sale on Craigslist. The data, believed to go back as far as 15 years, belongs to NCIX, a PC retailer that filed for bankruptcy and closed shop in December 2017.

That bugged me at radio shack I would always tell them my name was Herman Munster 1313 mockingbird lane. This town this state 66666 Phone was *867-5309 I even used this name as my warranty id and received warrantee service using that name. Some of us had strange ideas where this lack of privacy was leading way back in the 90s. Back then I just didn't want any more junk mail or cold calling salesmen calling my house. Comparing then from the stuff that's going on now reminds me of that "Boiling the frog" analogy. I think the froggie should try to jump out while there is still time

Yeah, it definitely felt icky asking all the time.

Phone numbers I'm pretty sure about. It got joked about on Seinfeld https://www.youtube.com/watch?v=WgfaYKoQxzQ

Wikipedia claims that

>Until 2004, RadioShack routinely asked for the name and address of purchasers so they could be added to mailing lists. Name and mailing address were requested for special orders (RadioShack Unlimited parts and accessories, Direc2U items not stocked locally), returns, check payments, RadioShack Answers Plus credit card applications, service plan purchases and carrier activations of cellular telephones.

But that claim isn't sourced.

That is to determine the effectiveness of junk mail.

I always replied with the store's own address and a 555-1212 number.

Apple used to ask for your address when you set up a new Mac, so I always replied with One Infinite Loop in Cupertino and Apple's phone number.


True, but at least with those I can blame the company for violating an implicit agreement. When it’s free, the only logical conclusions to come to is either the company is a charity, or they’re using something you’re providing instead of money (i.e. data) to make money.

That's exactly what GDPR tries to stop.

I think EU even requires you to present earnings from customer data as a separate item.

Yelp is paid by for by their kind of blackmail-heavy abuse of the companies that they list, so the claims that they need to sell user data is kind of nonsense.

Not need, want to make money selling your data. Considering their desperate strong-arming to get you to install their app, I'm not surprised.

That is a valid point. I don't think Yelp are bad people, just that in the context of this story, they're the "bad guys" doing the data collection.

If you count any sort of data collection as "bad", then you'll never help improve the products you use, can't get mad about features you use being removed, and have no right to complain about bugs. Data collection is important for software developers to improve their products, but it can be done in good ways. There's no visibility here on what Yelp is collecting, but I doubt it's that bad.

This is not limited to free apps, many paid apps have involuntary ‘telemetry’ and then it’s just a small step to enable profitable spying and many do so.

They are a bad actor if they are sharing data without disclosing the sharing, retention and who they're sharing it with.


"Limit Ad Tracking", "Location-Based Apple Ads", "Background App Refresh", "Significant Locations" (this one irks me the most)

Don't get me wrong. I feel like Apple is at least trying to do the right thing with regards to privacy. They just aren't there yet (as evidenced by the linked article).

Not that I'm defending Apple, but why is significant locations so bad? I turn it off because I don't need it, but my wife likes it being turned on and as far as I'm aware, the data is encrypted on the device and never leaves.

At the risk of invoking (not from you specifically) the "if you haven't got anything to hide, you have nothing to worry about" argument:

The data can be used against you by the legal system (both civil and criminal), various authorities (like customs agents) and anyone else who has access to your passcode (a jealous spouse for example).

In the West, it's much less of an issue. But imagine you're a gay Chechen, a Chinese dissident, or a Burmese journalist and you find out the hard way your phone has been tracking your every move.

Here's an interesting read from a forensics specialist who calls the data "a proverbial gold mine" and references insurance industry attorneys who use the info -


(Spoiler: To Apple's credit, the investigator is not able to extract any of the encrypted data without the passcode.)

Personally, I've left it on since I agree it's a useful feature. And while I don't think there's any nefarious intent on Apple's part, I am really surprised that it's enabled by default and buried so deeply in the UI.

Understood, it's an interesting take on it. Thanks for the link.

Disabling background app refresh would break a lot of functionality a lot of users want in their apps.

People used to complain endlessly when background app refresh didn't yet exist that it wasn't there.

Kind of amusing reading this article on page that ublock origin reported as loading 38 trackers. Wonder what trackers the washingtonpost ios app itself uses.

This comes up regularly in privacy discussions linking to articles in mainstream online publications.

The editors and the writers of the articles are completely divorced from the decisions driving the technology and profitability of the publisher.

It may be possible for writers to only publish articles in outlets which respect privacy at the expense of popularity but we're probably not hearing about those.

Fair, but as long as nothing changes, let us not stop pointing out the irony merely because things remain crooked. The buck has to stop somewhere, and at the end of the day wapo is profiting from tracking on an article bemoaning tracking. They're free to do so, and being hypocrites doesn't make them wrong, but being not wrong also doesn't make them infallible.

And if someone finally founds a privacy respecting publisher, what better place for them to advertise than a comment lamenting a competitor's failing? Let's keep that door open :)

To your point, as I said in a thread yesterday, I get these trackers and I'm logged in to WaPo. I pay them $100/year and they still track me.

How can we make them stop? It's going to take our legislature, because this free market thing isn't going to do it.

I’m wondering if a writer could get away with pointing this irony in their article. Could be a powerful gesture acknowledging the status quo and their own position.

Interestingly, Apple News does respect privacy. The privacy approaches of Siri, Apple News, Apple Music, etc. ought not be overlooked.

I don't really blame an author for publishing in an environment they don't control.

But the reason this comes up so often is because online news sites are not being included in the conversation. We're seeing a lot of articles being written about Facebook and Google, and very few articles written about general tracking techniques that exist outside of those companies that are universal to most news organizations.

And that is something a reporter can choose to talk about or inform themselves about if they want to.

To draw attention to an organization that's at least trying to do better, the NYT's recent privacy project has released at least one article (out of many, but baby steps) talking about its own data collection policies[0]. Also highly to the NYT's credit, they have an article up recommending UBlock Origin as a way to reclaim some privacy control[1]. That's a bold move that takes some character, because adblocking actually affects the NYT -- whether or not you leave Facebook doesn't. The NYT hasn't gotten rid of its trackers, but it's not ignoring the fact that they exist.

What people are noticing and complaining about is that this type of self-awareness is abnormal, even though most tech writers could be pursing some of these topics or writing about them if they chose to. If you're a reporter and you want to talk about privacy, I think it's a question of basic due diligence to try and get a handle on the entire scope of the problem and to write articles that reflect that entire scope. Of course you can't control what your employer does -- but you shouldn't ignore it.

To me it's not a question of hypocrisy, it's a question of accurately informing people that the problem is a lot bigger than what we're currently talking about, and that addressing privacy problems is going to take more work than just splitting up Facebook -- it's going to require restructuring the entire ad industry, and possibly rethinking how we pay for web content in general. That's a really important conversation we should be having right now, and for the most part, we're not having it.

[0]: https://www.nytimes.com/2019/04/10/opinion/sulzberger-new-yo...

[1]: https://www.nytimes.com/2019/05/06/opinion/7-simple-ways-to-...

I guarantee those same writers are given metrics to understand the respond to their articles e.g. demographics, engagement etc.

That's not really relevant to the OP's point: the writers and editors don't get to choose what tracking is attached to their story. If they specifically chose to implement tracking in order to receive this demographic information (which I really doubt individual writers get, incidentally) then you might have a point, but as it is, they have no control. So they're not being hypocritical in writing these stories.

It would be more sporting if they also examined their own tracking systems in the article.

> the writers of the articles are completely divorced from the decisions driving the technology and profitability of the publisher

Except that they are paid by those profits and in many cases, have incentives and quotas for pageviews, clicks and social shares.

I work in ad sales at a medium size publisher, AMA.

However, why isn’t the Washington Post reporting, or at least providing disclosure that they are doing the “bad thing” they are reporting others are doing?

For example, financial writers generally disclose if they have a position in a stock they are discussing.

If a reporter wanted to be completely transparent, they’d write “yes, and even this publication doesn’t respect user privacy.” But of course they won’t do that. Interestingly, trackers for Washington Post via Apple News are non-existent. It’s actually better for privacy to read WaPo via Apple News than on their own app/website. Yet, not a mention of their own pot/kettle blackness. How about privacy using Amazon devices? Or the relatively strong privacy with HomePod vs. Alexa? Since Bezos owns the Washington Post, there is certainly room for skepticism when it comes to WaPo reporting on a space in which their ownership has a vested interest.

To be fair they actually listed themselves as an offender:

>IPhone apps I discovered tracking me by passing information to third parties — just while I was asleep — include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post and IBM’s the Weather Channel.

>The Post said its trackers were used to make sure ads work.

I think they understand that they are hypocritical in a sense, but the article is more focused around Apple's new privacy campaign, which does feel a bit disingenuous from Apple.

I imagine this is because the journos and editors aren’t fully aware of the marketing department using google tag manager to bloat the site with all kinds of bullshit without engineering oversight. They can shove whatever they they want on the page just by copying and pasting snippets.

Hence why QuantCast or whatever blocks your view with a confirmation banner in the most intrusive way, every time you load up a site in the EU.

“We value your privacy,” indeed...

You know, that phrase, “we value your privacy”, is actually pretty accurate when viewed in the right light.

If they aren’t aware of the tracking happening on their own stories, how could they possibly be qualified to report on the tracking behaviors of others? They can’t possibly be that naïve.

So... shouldn't publish this article at all? or publish in the website of Peoria Weekly?

I used to run disconnect pro on my s8, which I believe is the app mentioned in this article. I recall that it tried to send a message to google play services every 2 minutes 24/7, no matter what.

It creeped me out, so I’ve switched to an iPhone recently.

Aside: I hope the librem does well it’s first release

I don't have a problem with Tracking when I am using the App. That is fair ( to a certain extent )

What really annoys me is Background App Refresh, how much data is being sent that is causing Battery Drain and Data Cost on Mobile?

May be we should have Background Apps that only allow them to receive data? Or do we have to turn off Background App Refresh completely.

I have a problem.

Why should facebook or google know everything about every different app I use?

If I have a bunch of apps all of which use facebook analytics then facebook knows the collection of apps I am using, and presumably my account information. That would also allow them to link those apps to my browsing if I ever use the web page version of those apps.

An app - especially one I've paid for - has no justification for then providing my device and account information to an arbitrary third party, especially when many of them are well known as abusers of consumer privacy.

If you're using Android the easiest way is to simply go into 'App info' and then hit 'Force stop'. That turns the app off entirely until the next time you actually use the app. Clicking the app's launcher normally starts the app back up.

My strategy is no background refresh and judicious application of “no cellular data” for each app.

All current popular protocols work by both sending and receiving data, even when you only want to receive data. So there is no reasonable way to have a receive-only mode.

I believe there are other ways of waking up apps, I suspect notifications and location services/bluetooth can do it.

Especially when my wireless bill has a data limit. One month theScore app somehow used 5gb of background data.

Anybody know of an easy way to block all Facebook SDK usage from iOS? The simplest that comes to mind would be through a custom DNS server, but even if you don't log in using FB SDK on apps they still ping back in someway or another to generate your shadow profile.

I hate that Apple's walled garden forbids us to use a proper firewall on iOS...

Anyways, a not so easy alternative is to install a Vpn Server like Algo and block all Facebook ips with ipset on the Vpn server.

You can obtain all Facebook ips from their ASN number:

  whois -h whois.radb.net '!gAS32934' | tr ' ' '\n' | awk '!/[[:alpha:]]/' > facebookips.txt


You may hate that you can't do that, but do you really hate that scam companies can't install their own spying firewalls?

Because they would. A lot.

Thanks a lot for this command. Maybe I can use it blackhole all of that using my pi-hole server at home since I don't use any products or services from Facebook or its subsidiaries.

At home I block all Facebook with pihole. Not 100% protection but it’s a start.

Is there any link to the actual research data, used methodology, etc., to support these claims?

Not that I don't believe the claims (I'm biased to think that it may be possible), but just want to know if I can run the study myself, or be ran by someone more capable than me on security matters; sharing results.

Or should I think this article was crafted for us to download just another app (Privacy Pro SmartVPN)?

Yeah, this is why I actually read the privacy policy on every app I install now. I've done this for the past 6mo or so. At this point I basically don't purchase apps that store any of my information on their servers (unless of course it's fundamentally required for the service, such as Spotify or the like).

I'm a bit confused. Shouldn't there be equal concern for apps that _share_ data with third-parties? The first-party app doesn't need to store any of the information in that case; they just hand it off in-transit.

And have you had any luck with installing apps with such criteria? I'm on a similar boat, and primarily use F-Droid apps.

Oh, yeah of course sharing data with 3rd parties is even more "nope" than just storing it themselves.

The last app I looked at to consider purchasing, "Clear Todos", which was highly-reputed at some point? Their Privacy Policy link in App Store actually hits a 404 error page. To say the least, I almost never purchase anything from App Store these days. It's a pretty dire landscape, but I'm tired of "being the product", and I am willing to give up a lot of stuff to lessen how often my information is used/stored/profited from.

> unless of course it's fundamentally required for the service, such as Spotify or the like

Spotify does not need to track what you listen to, in order to stream music to you!

Oh yeah, for sure. Though they do need to store the "Library" I've saved, and the playlists I've created (for example).

Not really. You could do that locally. All they need to do is stream what you request.

What do you do about the mobile apps which don't store your data themselves, but share it with various third parties?

For the past month of so I’ve been trying to determine what’s been enabling my iPhones Bluetooth or WiFi function - something is intentionally doing this. For example, if I turn off WiFi or Bluetooth at bedtime I find it enabled in the morning! If I go somewhere the WiFi or Bluetooth may enable. WTF? (No I’m not having a senior moment here...) “What in my iOS environment has recent changed?” I deliberately don’t upgrade my iOS apps because of new or unusual improvements I discover. Or better yet what recent Apps have been asking for Bluetooth access? MyRadar and Walkmeter have requested access to Bluetooth “for location accuracy.” Really now? My walking location is going to improve their weather or my walking location? Or maybe I need to uninstall Washington Post or New York Times Apps to find the pattern here.

So what's the news here? That apps are sending information to tracking services? How is this iPhone specific?

Well, to be fair, Apple is pushing privacy as differentiator quite hard. So, it is ok if they get scrutinized more for things that don’t run well on their platform. I just checked: ALL my iPhone apps have background sync on. For what?

It isn't. It's a good article in the sense that it points out bad app behavior, but a bad one in that it suggests this is an iPhone problem, not a mobile problem.

Apple claims to be pro privacy, it's one of their last differentiators. But if this falls, it's an overpriced cheap Android IMO

I don't know if there is much of a solution aside from blocking the domains not owned by an app publisher or not approved by apple (an ad tracker list, for instance).

The best way to avoid being tracked is to use apps that you pay for, not apps that are free and make money with your data. You can also bookmark websites to your home screen instead of downloading apps, that way you don't grant apps the extra privileges. Finally, you can disable background app refresh.

> The best way to avoid being tracked is to use apps that you pay for, not apps that are free and make money with your data.

Nearly all apps, paid or not, use 3rd party analytics tools to improve their engagement. If the app requires sensitive data to function, like your contacts, it's also available to the analytics tool. Even the app's developer might not be aware of what the tools they're using are collecting.

If the app developer is not aware of what the code they ship is collecting from their customers, the app developer should not be including that code.

More over: why are you using an analytics system that involves sending your user's data to an arbitrary third party? Someone who is using your app has agreed to a relationship with you, not with facebook, or google, or what have you.

> why are you using an analytics system that involves sending your user's data to an arbitrary third party

Self-hosted analytics frameworks exist, but unfortunately aren't as popular because of the setup involved.

Yes, but there seems to be a failure to recognize that you're transferring the cost of setup onto your users, often (almost always) without their knowledge, and definitely not any kind of meaningful consent.

Personally I'm of the opinion that if you charged a user for your app, and then require that data be provided to an arbitrary third party, then that user should be allowed to get a refund for your product. Similarly if you ship an update that invades a user's privacy then they should be entitled to a refund - you just rob them of functionality (the ability to use your app).

I'm not convinced that the ones you pay for aren't tracking you too. As a non-app example, I pay for the Washington Post and uBlock Origin shows that I'm still food for doubleclick et al- even when I'm logged in.

https://i.imgur.com/wbqIOFI.jpg Just took that screenshot, it's sending about ten analytics requests EVERY MINUTE. I pay $30 a year for it. But hey, they may as well get a few cents more.

Oh just noticed the same. In my case it was the Mixcloud app. Thought it's better to uninstall so my block stats don't get to messy.


Apple actually does this already. You need to submit a list of domains your app is allowed to talk to and explain why they're needed.

I guess the next step is for Apple to stop allowing analytics URLs to work without an opt in prompt.

> You need to submit a list of domains your app is allowed to talk to

No, that's only if you're not using TLS for those domains. Which almost all are at this point.

Then you just create a proxy on your ‘required’ home site so it sends the snooped data through your site to the analyzing server.

For the desktop web Duckduckgo has a plugin that shows you all the trackers that are on a webpage and lets you block them. They also have a mobile web app that you can use as your default web search on mobile. https://duckduckgo.com/app

This makes me wonder, what is the difference between apps and websites, really?

Apps are harder to tweak to where they don’t track you.

As an iOS developer, it’s insane to me that this isn’t common knowledge.

App companies claim that the "data it collects for clients is kept private and not sold" If you believe that, I can get you a great price for the scrap iron from the Eiffel Tower.

And don’t forget, we pay Apple and Google for the privilege of being tracked and having our “data” shared. Smile: the surveillance is nearly complete!

What is a legitimate use of background app refresh? I just turned it off expecting not to receive notifications, but that’s not the case.

The Major League Baseball app is a good example. It has a widget that can show scores. It can only do this if background refresh is on though so that it can keep the scores current when the app is not being actively used.

For most apps and use cases, background refresh isn’t necessary because when you want see data in an app, you open the app and it can refresh it then.

Personally, I have background refresh off for everything. It helps save battery too.

Thank you. I’m surprised it’s not off by default. It’s off now!

Privacy is not gone. We could set up laws and enforce them. We already do this for medical data (HIPAA). There's no reason we can't do this for other categories of personal data, such as what you buy and where you go. Europe does this with its GDPR. It can be done, but we need a government that doesn't prioritize interests of corporation-people over those of human people.

But isn't GDPR already here? And these apps are still tracking us with unbridled enthusiasm.

Could someone please post an archive link?

Please Apple do something about this, so I can stop sabotaging my career as an iOS developer by regularly arguing against tracking to my superiors.

I'll reproduce my comment [0] here from a similar article earlier this year [1].

Note: I ended up setting up that pi-hole, and I see it blocking a ton of DNS lookups for these types of companies across my family's devices.

> I think many people would be surprised by the amount of analytics data leaving their phone _all the time_. I recently was doing some work where I had my iPhone proxied through mitmproxy on my laptop, and was blown away by just how much data was being sent. Some apps were sending a request to one or more analytics firms every single time I touched a UI control. I would set up a pi-hole and VPN to block this stuff, but I'm sure the app developers will just start tunneling the requests through their own hosts. Maybe some day one of these open source phones will actually be viable.

[0] https://news.ycombinator.com/item?id=19109243

[1] https://news.ycombinator.com/item?id=19109027

For an open-source phone to work, the devs will need to be paid.

Open source as charity has run out of steam; to survive, open source must be profitable.

The way to do it is to have a license under which all uses personal, educational, hobbyist, etc. are completely free and open source, but as soon as someone wants to sell something with your code in it, you get a cut.

Not entirely unlike a transaction processor like Visa or MasterCard.

It should be viral, so that all commercial software made with software under the license must also be licensed under the license, and the corporation’s commercial code must be available for inspection upon (legal?) inquiry, though the corporation may restrict the ability for others to use their code in other corporations’ commercial applications.

Lock-in is achieved when it’s cheaper and easier for these freeloading corporate entities to pay up (the devs) than it is to try to rewrite everything.

I use DNS-Cloak on iOS to setup a local dns proxy as “vpn” which can do most things you mentioned. Might be relevant?


If the app is made by a company that doesn't have its own analytics platform I would expect it's sending your information to at least 3 different sources.

Smaller apps might not do it at all, or maybe just one, but anything that's been around long enough will inevitably have up to about 5 different analytics platforms. It's the thing I feel the "ickiest" about being an iOS developer. I've successfully fought against putting in stuff like Session Replay (and Apple has since banned it) so that makes me feel a tiny bit better.

Same here, I also started to work on a project to consolidate pi-hole into a single binary using Rust. I want to run it on my laptop and on my routers at home as well.

Just download a Host file[1] and you can have system level ad blocking on your laptop.

As for running an adblock on your router, if your router supports openwrt, openwrt has an adblock addon[2] that is easily configurable.

Unfortunately, you will lose out on the statistics that Pi-hole collects.

[1] https://github.com/StevenBlack/hosts

[2] https://github.com/openwrt/packages/tree/master/net/adblock/...

Can you go into a little bit more detail about the reasoning behind this? I’m running a Pi-hole on raspberry pi as the single DNS server behind my whole home’s router. This means it blocks everything outbound in my house. Only thing it doesn’t block is when I’m on LTE/random WiFi access points, for which I’m considering routing all of my mobile devices via VPN through another instance of Pi-hole running on a digital ocean droplet. Beyond that what do running multiple instances of pi-hole do? Do you have multiple routers at home?

I travel a lot. I want to run something on my laptop so I do not need to VPN yet I have no ads.

That makes perfect sense. I'd like something similar especially if I'm overseas and don't want my requests going all the way to the USA and back and don't want to deal with the overhead of spinning up instances of my pi-hole in different countries. Do you have a link to the project?

It is private at the moment because not ready yet for prime time. You can reach out to me via email and I will add you to the repo. Use the email in my profile page please.


I'm reminded of the rule of thumb "if someone assures you that they're honest, they are probably lying".

So does this also applies to Apple with their promises around being honest about protecting user privacy?

This is gonna be a black egg on Tim Cook's face given how often they keep touting privacy of the iOS system.

'What happens on your iPhone stays on your iPhone'; everything except SMS, MMS, email, phone calls, video calls and web browsing. Makes more sense for a place like Las Vegas.


You mean everything that involves sending data to other people involves ... sending things to other people?

Or do you propose the SMS, MMS, email, phone calls, video calls, and web browsing should not actually be available?

Exactly, the primary purpose of the iPhone is to send things to other people.

... people with to whom I choose to send things. I do not choose (or rather, I wish I could choose not to) send a ton of detailed information about my phone. my location, etc. to a bunch of unknown companies and people. I feel like I must be misunderstanding your point?

I think I'm misunderstanding your point.

If you send a message to someone, or open a website, then necessarily you interact with a directory service (a telephone company, the message client's directory, DNS, etc).

For iMessage, apple's servers then route the message to the appropriate account, and their various documentation on this says they don't record anything more than necessary (I assume each account has a glorified mailbox in which the encrypted messages are stored - there is no part of iMessage that can be decrypted by someone other than the recipient, except the destination - in an ideal world the sender would be stripped once its in the mailbox).

If you load a webpage over https then no party in the middle knows what resources you pulled - alas they know the host because DNS queries aren't encrypted, and even if they were the IP addresses aren't, so with enough data it might be possible to infer destination for pages in hosting sites.

None of these include your location information - beyond IP based inferences.

The only people who have your location without explicitly asking is the carrier, and only because they can see you bouncing around towers

Metadata makes it an impossible wish. The act of sending or receiving anything provides companies the detailed information(phone, location, etc.) that you're trying to keep secret. Carriers like Verizon/AT&T/T-Mobile also sell users location data outright.

This is a good piece in the sense that it will get Apple to do something I've wanted for a long time, which is to ban all the third party frameworks that developers are shipping in their apps.

They should either provide their own first party frameworks or select a handful of vetted partners that are allowed to provide those services to developers.

A couple of points. How realistic is that though? How would they even know where the code came from in a compiled binary? Also, a platform vendor controlling what code I can or can't use sounds like a totalitarian regime to me.

IMHO a better idea would be to create privacy jails for apps and then users can decide if they want to stick certain apps inside jails where they don't get access to your IP, GPS data, accelerometer, camera, contacts, etc. Jails would be better than the annoying popups for permissions as they currently do it.

>IMHO a better idea would be to create privacy jails for apps and then users can decide if they want to stick certain apps inside jails where they don't get access to your IP, GPS data, accelerometer, camera, contacts, etc. Jails would be better than the annoying popups for permissions as they currently do it.

Nah that's a Do-Not-Track-esque cop out to preserve the ad and analytics industries. It's also extremely un-Apple.

"Totalitarian" doesn't mean anything in this context because we're talking about computers and not governments.

Privacy should be by default and not shift the burden to users or cost them in terms of user experience. Apple has the power to do that.

Well, totalitarian in this context means shackling developers with micro-management of basic functions of software development. Apple has a large enough megaphone that I don't feel the need to care about whats best for them. They can do that themselves just fine. I'm only interested in it as a developer and as a user. As a developer I don't want an OS vendor telling me what code I write or which library I use. As a user, I want to be able to run an app inside a privacy jail that completely blocks access to my IP or GPS data - if I want to.

>Privacy should be by default and not shift the burden to users or cost them in terms of user experience. Apple has the power to do that.

You can have every single app run in a privacy jail by-default. Let the user opt-out on a per-app basis if they choose to. Apple could also simply just run a ad-blocker or a tracking scripts blocker as a system level feature. I admit that these kinds of measures are very 'controlling' if not totalitarian of their users. Should Microsoft allow users to install Chrome if the browser acts basically like a giant keylogger? Should we let users make the choice? Or let a benevolent dictator dictate what apps a user should be protected from. Reasonable people can come out of both sides of the privacy debate.

>Well, totalitarian in this context means shackling developers with micro-management of basic functions of software development.

This might be an interesting philosophical/religious debate about computers to some, but it's also one we had in 2008 when the App Store launched. It's clear after 11 years that Apple was right and the rest of the world simply does not share that religion. Conversely they sure do like the practical benefits from Apple's micromanagement.

>You can have every single app run in a privacy jail by-default. Let the user opt-out on a per-app basis if they choose to. Apple could also simply just run a ad-blocker or a tracking scripts blocker as a system level feature.

Apps already run in a sandbox and are private by default. The user has to give consent before an app gets location or contacts data. An ad blocker for apps is silly because it's an unnecessary hack when they control the App Store policies.

The difference with giving permission to an app you downloaded is that you have a first party relationship with that app. You don't have a first party relationship with any of the SDKs that developers package into their app. They disclose it in their privacy policies that no one reads, but that's certainly not informed consent.

Well, all I can say is thanks for explaining your position, but I don't agree with your points.

Not sure about iOS but on Android these types of countermeasures have been available for a few years. See for example Orlis, ART, xprivacy, libradar and AdDroid for some pointers.

(TBH, this should not be needed in the first place if Google did their job)

Yeah iOS doesn't allow those kinds of apps. That's one thing I'm jealous of from Android.

Well, Android has both the most and the least secure phones out there :)

I'm sorry, what? Ban all frameworks? That's absurd. How would they even know? You could just copy and paste the source code from a third-party framework into your own codebase.

It wasn’t enforceable but frameworks used to be banned on iOS. Note by the way that most third party frameworks of course don’t give you the source code.

This makes no sense whatsoever.

If you ban third parties framework then all that is going to happen is that those third party companies will just give you an API and standard schema and ask you to post the data to them. The value is in the dashboards not in the SDK.

And then what you want Apple to block all HTTP POST requests too ?

Banning third party tracking frameworks means banning Fabric, Facebook, Twitter and other major SDKs. I'm skeptical Apple would take such a drastic step. Taking on the responsibility of providing these functions through a first party API is also a massive undertaking, which I'm not sure Apple would agree to.

It would be absolutely beautiful if they did - they could even just cut some CDN network a check every month to host common assets in a privacy aware manner or do it themselves. It really wouldn't cost all that much.

Web 4.0 integrated everywhere always-web is not at all consumer friendly - advertisers need to be downgraded to something that's suffered or rejected instead of supported.

If Apple had a better app portfolio they could just get rid of third party apps entirely and have people use progressive web apps in place of app store apps. Right now most apps have websites that provide almost the exact same experience as the native app without as many privileges. Uber is a great example https://m.uber.com/looking

People are perfectly capable of writing their own first party analytics framework. Or at least the part that uploads the data.

I really doubt it will cause any sort of action, third party advertising is so deeply ingrained into iOS that there's some wonderfully terrible built in support - I remember helping to hook up an advertising ID share with a third party a bit ago in my employment history.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact