Possibly the most surprising thing is that, unlike all other permissions, iOS didn't ask me directly before enabling background refresh. That's disturbing.
Also, while I sympathized with Apple outsourcing Maps' business info to Yelp, they really should hold their partners to a much higher standard given all of their privacy rhetoric.
In Apple's defense it is a hard thing to ask the user whether or not they want to permit "background app refresh". Many users might not understand at all what this means. It is not as easy to understand as "allow app to send you notifications" or "allow app to use your location".
Maybe Apple could force apps to request, for each specific use case, why they want to be active in the background. Is it to enable basic functionality of the app or is it to track you? Would be great if the user could choose in which case to allow access and in which case not. Right now it is a blank check you give to each app and it is hard to tell whether the app abuses its permissions or not.
what happens if background refresh is on but location -> never?
It all depends on your cell provider. A lot of cellular providers use CGNATs, so their whole customer base appears to connect from just a handful of IPs without any proxy headers (which is why doing an IP address geolocation on yourself gives you wrong info).
A few providers will give you a non-NATed IP on request (and usually for a fee). IPv6 should “fix” the issue.
Are you only concerned about transmitting your IP address to other third parties besides Apple? iOS is configured to automatically transmit the user's IP address to various Apple servers on a continual basis, e.g. time-osx.g.aaplimg.com. iOS users cannot change that configuration.
I don't think there's something stopping you from redirecting 123/udp to your own NTP server. This is another of the problems that are easily solved with a VPN.
Neither do I. I use local DNS and a router to block traffic to Apple servers.
Of course it would be easier to simply edit the operating system configuration files, if the device manufacturer did not try to prevent device owners from doing so.
I believe it says so in the fine print of the terms and conditions we do not read. I could be wrong of course.
I could not agree more. I cannot stand Yelp and was pretty bummed when they integrated Yelp into Apple Maps.
My guess is that Apple is already working on a plan to curtail these abuses -- or, rather, working on ways to make it easier for normal people to do so. Obviously if you're reading HN, you understand these issues better, and are more apt to use the tools already in iOS to limit bad behavior.
>they really should hold their partners to a much higher standard given all of their privacy rhetoric.
First thing I did with my wife's iPhone. I imagine that with that disabled and permissions set correctly, an iPhone leaks less than an Android.
A message that included your IP address? As in...any message sent over IP?
Most libraries will just collect as much info as they are able to, put it in JSON and ship it to some server. That includes your IP address.
Later moved on to other roles.
I’m not implying it’s a creepy component. This component captures some really useful information, depending on your needs. But yeah, simple stuff.
And to back up an earlier comment in this thread, IP address is part of the user agent payload. That’s exceptionally common data to see, through browsers and apps. It doesn’t take a fancy library to capture that info.
I really wanted to be alarmed by this article, but I left with more questions than answers. And I’m guessing Amplitude is bummed by this press. They actually responded to say they don’t share data with 3rd parties, yet their name is peppered throughout the article, with implications that they are sneaky and nefarious.
On topic: your phone has many sensors and apps will use them. The only way to stop this is to literally disable the sensors. No more GPS, no more WiFi/Bluetooth scanning. Obviously this limits the functionality of your phone but it does work.
> At Apple, we believe privacy is a fundamental human right.
> And so much of your personal information — information you have a right to keep private — lives on your Apple devices.
> Your heart rate after a run. Which news stories you read first. Where you bought your last coffee. What websites you visit. Who you call, email, or message.
> Every Apple product is designed from the ground up to protect that information. And to empower you to choose what you share and with whom.
> We’ve proved time and again that great experiences don’t have to come at the expense of your privacy and security. Instead, they can support them.
... and ...
> Your personal data belongs to you, not others.
> Whether you’re taking a photo, asking Siri a question, or getting directions, you can do it knowing that Apple doesn’t gather your personal information to sell to advertisers or other organizations.
So what? I guess that they didn't promise that apps would be doing all that bad stuff.
Which is disgusting.
They don't have any feasible option in that space. It is nice that they do something rather than nothing.
on macOS/Windows/Linux people can inspect apps and malicious apps will be discovered by hackers and reported in the news.
on iOS, Apple built a walled garden where nobody can see what happens under the hood. Zero transparency, and no way to opt out. A perfect environment for misuse/abuse to go unnoticed.
You still have visibility on the network traffic. May I suggest setting up a VPN? Run your own resolver and sinkhole tracking domains, apply additional filtering rules, ...
Apps change at a rapid pace, and so do many tracker domains/public ips.
By the time the user noticed the changes it's already too late and all the collected data has been uploaded. It's just impossible to maintain a 100% block to prevent your private data being uploaded, without an application firewall.
The possibility of an application firewall evokes mixed feelings in me: it'd be great, but I'd have to set what's allowed per app, per phone.
Even at that point I doubt it's possible to assure a 100% rate.
Edit: Apple does this, when asking users on device setup if they wish to share crash reports, etc. with developers. Conclusion? I don't get 1/10th of the crashes identified via Crashlytics.
They will all, however, come crying and screaming, both in App Store reviews and on Twitter.
- same could be said about most mainstream web browsers
- same could be said about whatever latest mobile animation framework everyone just fell in love with
- when it comes to my personal apps, I'll just release what I built for my use. I try to do it well, but if I didn't have a simple way to detect and report crashes from the few users out there, I just wouldn't bother with said crashes unless they affect me. It already isn't worth it, in any way.
- when it comes to clients, they don't pay me to spend time reinventing the wheel, nor to set up some infrastructure that will also later have to be maintained. Heck, it's often hard enough to convince them to let me add tests
The SDK mentioned upthread isn't a random animation framework, it's a library for sending user data. Today it sends just crash reports, but it's a small step for them to send more.
> when it comes to clients, they don't pay me to spend time reinventing the wheel, nor to set up some infrastructure that will also later have to be maintained. Heck, it's often hard enough to convince them to let me add tests
Do they pay you for including random unchecked dependencies and potentially turning them into malware vendors or exposing them to legal liability? Think of event-stream fiasco in the JS land.
As a user, if you ask me if you could send crash reports, I might say yes. If you don't ask or at least inform me up-front, and I learn that you send the data, I'll uninstall your app, period. Might even throw in a bad review just to make a point.
I'll look into that event-stream fiasco, though. Thanks!
In context of data management, being owned by Twitter and Google is not reassuring (as you yourself note upthread).
But yeah, the acquisition by Google made me twitch
If Apple wants to make broad claims about privacy, it should kick all offending apps from its store. But it should also allow users to install whatever apps they like. That puts responsibility on users.
Still, they could say that they totally respect users' privacy. And add that, although they vet all apps in their store, they can't guarantee that those apps will respect users' privacy.
Once companies have your trust, they can't help but break it if it'll earn them another few bucks. Yelp's a household name and doesn't seem like a bad actor, but that's proven false by this article. Furthermore, while they claim to have your best interests in mind, Apple (and Google) let companies perform this kind of shady behavior on their platforms that they completely control. If they let others get away with this, can you really trust that the "don't upload my photos to your servers" switch really does what it says it does? How do you know your phone isn't recording audio and taking photos to send off to a datacenter in the middle of the night?
(To be fair, a lot of this data that's being sent out probably has something to do with background services designed to make the experience better. Weather Channel might be gathering location in the background for more up-to-the-minute forecasts. For things like cloud storage services, scraping your camera roll and uploading the photos is probably something you ask them to do.)
What are all these privacy settings you are referring to that are off by default?
As for Limit Ad Tracking I'm honestly not sure what that actually does - given that according to this article apps are vigorously abusing their users irrespective of any user's settings.
What's the catch with Apple's privacy document? Is it just that they're ignoring issues about what apps do? I mean, they make such a big deal about vetting apps.
None of that seems buried to me. Took me under 15 seconds to locate the privacy menu.
Also their advertising info/policy is accessible from that menu as well and is written in very clear, easy to understand language.
If not, what is even the point of E2E encryption in iMessage if 99% of the iPhone users' conversations can be retrieved from their iCloud accounts?
And that's not even mentioning the fact that iMessage has a design flaw that allows Apple to include an invisible third-party into people's "end-to-end encrypted conversations." Apple has known about it for like 3 years, but I haven't seen them try to fix it.
So your 99% number is nonsense.
And E2E encryption is to stop MITM attacks which are quite common if you are using untrusted networks e.g. open WiFi networks.
Those could also be avoided with encrypted (but not E2E encrypted) messages. E2E is supposed to be stronger than that.
I admit, I lol'd.
Yelp is, from my general community knowledge, one of the worst actors out there - holding companies hostage by refusing to remove fraudulent reviews and trying to capture users within its own walled garden rather than forwarding them to primary business resources.
Everyone should assume their "free" app is being paid for via the use of the data they can glean from it. It's not like people don't know Yelp is a business and has to profit to continue to exist.
Because why settle for $0.99 when you can earn $0.99 + 0.02?
Once a company reaches a certain size all decisions are made by bean counters and for them $1.01 > $0.99 every day of the week.
Now with smartphones it's all automatic and much harder to say "no" to.
> The bankrupt chain originally proposed selling the information to raise money and repay creditors. But that sparked a backlash from suppliers including AT&T (T) and Apple (AAPL), as well as the Federal Trade Commission and consumer advocates who argued that the electronics retailer had promised customers it would protect their data.
> Most of the assets, including some limited customer information, were purchased by General Wireless, a subsidiary of RadioShack's largest shareholder, which intends to keep 1,750 of the stores open with the RadioShack name and operate its online business. General Wireless agreed not to sell the customer data it is buying to a third party, and to comply with RadioShack's previous privacy promises.
> RadioShack filed for bankruptcy in February, and the court could have allowed the sale of the data despite the promises that RadioShack had previously made to customers.
(a few paragraphs omitted for brevity)
> A security researcher has found customer and employee data belonging to one of Canada's biggest PC hardware retailers on servers put up for sale on Craigslist. The data, believed to go back as far as 15 years, belongs to NCIX, a PC retailer that filed for bankruptcy and closed shop in December 2017.
Wikipedia claims that
>Until 2004, RadioShack routinely asked for the name and address of purchasers so they could be added to mailing lists. Name and mailing address were requested for special orders (RadioShack Unlimited parts and accessories, Direc2U items not stocked locally), returns, check payments, RadioShack Answers Plus credit card applications, service plan purchases and carrier activations of cellular telephones.
But that claim isn't sourced.
Apple used to ask for your address when you set up a new Mac, so I always replied with One Infinite Loop in Cupertino and Apple's phone number.
I think EU even requires you to present earnings from customer data as a separate item.
If you count any sort of data collection as "bad", then you'll never help improve the products you use, can't get mad about features you use being removed, and have no right to complain about bugs. Data collection is important for software developers to improve their products, but it can be done in good ways. There's no visibility here on what Yelp is collecting, but I doubt it's that bad.
Don't get me wrong. I feel like Apple is at least trying to do the right thing with regards to privacy. They just aren't there yet (as evidenced by the linked article).
The data can be used against you by the legal system (both civil and criminal), various authorities (like customs agents) and anyone else who has access to your passcode (a jealous spouse for example).
In the West, it's much less of an issue. But imagine you're a gay Chechen, a Chinese dissident, or a Burmese journalist and you find out the hard way your phone has been tracking your every move.
Here's an interesting read from a forensics specialist who calls the data "a proverbial gold mine" and references insurance industry attorneys who use the info -
(Spoiler: To Apple's credit, the investigator is not able to extract any of the encrypted data without the passcode.)
Personally, I've left it on since I agree it's a useful feature. And while I don't think there's any nefarious intent on Apple's part, I am really surprised that it's enabled by default and buried so deeply in the UI.
People used to complain endlessly when background app refresh didn't yet exist that it wasn't there.
The editors and the writers of the articles are completely divorced from the decisions driving the technology and profitability of the publisher.
It may be possible for writers to only publish articles in outlets which respect privacy at the expense of popularity but we're probably not hearing about those.
And if someone finally founds a privacy respecting publisher, what better place for them to advertise than a comment lamenting a competitor's failing? Let's keep that door open :)
How can we make them stop? It's going to take our legislature, because this free market thing isn't going to do it.
But the reason this comes up so often is because online news sites are not being included in the conversation. We're seeing a lot of articles being written about Facebook and Google, and very few articles written about general tracking techniques that exist outside of those companies that are universal to most news organizations.
And that is something a reporter can choose to talk about or inform themselves about if they want to.
To draw attention to an organization that's at least trying to do better, the NYT's recent privacy project has released at least one article (out of many, but baby steps) talking about its own data collection policies. Also highly to the NYT's credit, they have an article up recommending UBlock Origin as a way to reclaim some privacy control. That's a bold move that takes some character, because adblocking actually affects the NYT -- whether or not you leave Facebook doesn't. The NYT hasn't gotten rid of its trackers, but it's not ignoring the fact that they exist.
What people are noticing and complaining about is that this type of self-awareness is abnormal, even though most tech writers could be pursuing some of these topics or writing about them if they chose to. If you're a reporter and you want to talk about privacy, I think it's a question of basic due diligence to try and get a handle on the entire scope of the problem and to write articles that reflect that entire scope. Of course you can't control what your employer does -- but you shouldn't ignore it.
To me it's not a question of hypocrisy, it's a question of accurately informing people that the problem is a lot bigger than what we're currently talking about, and that addressing privacy problems is going to take more work than just splitting up Facebook -- it's going to require restructuring the entire ad industry, and possibly rethinking how we pay for web content in general. That's a really important conversation we should be having right now, and for the most part, we're not having it.
Except that they are paid by those profits and in many cases, have incentives and quotas for pageviews, clicks and social shares.
For example, financial writers generally disclose if they have a position in a stock they are discussing.
If a reporter wanted to be completely transparent, they’d write “yes, and even this publication doesn’t respect user privacy.” But of course they won’t do that. Interestingly, trackers for Washington Post via Apple News are non-existent. It’s actually better for privacy to read WaPo via Apple News than on their own app/website. Yet, not a mention of their own pot/kettle blackness. How about privacy using Amazon devices? Or the relatively strong privacy with HomePod vs. Alexa? Since Bezos owns the Washington Post, there is certainly room for skepticism when it comes to WaPo reporting on a space in which their ownership has a vested interest.
>IPhone apps I discovered tracking me by passing information to third parties — just while I was asleep — include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post and IBM’s the Weather Channel.
>The Post said its trackers were used to make sure ads work.
I think they understand that they are hypocritical in a sense, but the article is more focused around Apple's new privacy campaign, which does feel a bit disingenuous from Apple.
Hence why QuantCast or whatever blocks your view with a confirmation banner in the most intrusive way, every time you load up a site in the EU.
“We value your privacy,” indeed...
It creeped me out, so I’ve switched to an iPhone recently.
Aside: I hope the Librem does well in its first release
What really annoys me is Background App Refresh: how much data is being sent that is causing battery drain and data cost on mobile?
Maybe we should have background apps that are only allowed to receive data? Or do we have to turn off Background App Refresh completely?
Why should facebook or google know everything about every different app I use?
If I have a bunch of apps all of which use facebook analytics then facebook knows the collection of apps I am using, and presumably my account information. That would also allow them to link those apps to my browsing if I ever use the web page version of those apps.
An app - especially one I've paid for - has no justification for then providing my device and account information to an arbitrary third party, especially when many of them are well known as abusers of consumer privacy.
Anyways, a not-so-easy alternative is to install a VPN server like Algo and block all Facebook IPs with ipset on the VPN server.
You can obtain all Facebook IPs from their ASN number:
whois -h whois.radb.net '!gAS32934' | tr ' ' '\n' | awk '!/[[:alpha:]]/' > facebookips.txt
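The two steps above (pull the announced prefixes for an ASN from RADB, then load them into an ipset on the VPN server) as an added worked example; this is not code from the original comment or from the Algo project. It replaces the live whois call with a constructed stand-in for the `!gAS<asn>` reply (using RFC 5737 documentation prefixes, not Facebook's real routes), keeps only well-formed IPv4 CIDRs, and prints the ipset/iptables commands instead of executing them so the list can be reviewed before it is applied. The set name `fbblock` is an assumed placeholder; a real run would feed it the output of the `whois -h whois.radb.net '!gAS32934'` command from the comment above.

```shell
#!/bin/sh
# Constructed stand-in for a RADB "!gAS<asn>" reply: an "A<length>" header line,
# the prefixes on one space-separated line, and a "C" terminator line.
# The prefixes are RFC 5737 documentation ranges, not Facebook's real routes,
# and the IPv6 entry is included only to show that it is filtered out.
SAMPLE_WHOIS_REPLY='A51
192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 2001:db8::/32
C'

# routes_to_cidrs REPLY
# Splits the reply on whitespace, drops the A/C framing lines, and keeps only
# strings shaped like d.d.d.d/n with every octet <= 255 and n <= 32. This is
# stricter than the awk '!/[[:alpha:]]/' filter above: a corrupted or
# truncated token cannot end up in the firewall set.
routes_to_cidrs() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
        | awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && $5<=32'
}

# ipset_commands SET_NAME CIDR_LIST
# Emits the commands that would create the set, add each prefix, and drop
# forwarded traffic towards it on the VPN server. "-exist" makes the create and
# add calls idempotent so the script can be re-run when the ASN's routes change.
ipset_commands() {
    set_name="$1"
    cidr_list="$2"
    printf 'ipset create %s hash:net -exist\n' "$set_name"
    printf '%s\n' "$cidr_list" | while read -r cidr; do
        [ -n "$cidr" ] && printf 'ipset add %s %s -exist\n' "$set_name" "$cidr"
    done
    printf 'iptables -I FORWARD -m set --match-set %s dst -j DROP\n' "$set_name"
}

# Stand-alone run: show the filtered prefixes and the commands to review.
cidrs=$(routes_to_cidrs "$SAMPLE_WHOIS_REPLY")
printf 'prefixes kept:\n%s\n\n' "$cidrs"
ipset_commands fbblock "$cidrs"
```

Because the `!g` query returns IPv4 routes only, an IPv6-capable VPN needs the same treatment for the ASN's IPv6 prefixes (RADB's `!6AS<asn>` query) with an `inet6` ipset and `ip6tables`; otherwise the block is silently bypassed over v6. Re-running the generator on a schedule matters for the same reason the comment at the top of this subthread gives: announced prefixes change, and a stale set stops matching.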
Because they would. A lot.
Not that I don't believe the claims (I'm biased to think that it may be possible), but I just want to know if I can run the study myself, or have it run by someone more capable than me on security matters, sharing results.
Or should I think this article was crafted for us to download just another app (Privacy Pro SmartVPN)?
And have you had any luck with installing apps with such criteria? I'm on a similar boat, and primarily use F-Droid apps.
Spotify does not need to track what you listen to, in order to stream music to you!
The best way to avoid being tracked is to use apps that you pay for, not apps that are free and make money with your data. You can also bookmark websites to your home screen instead of downloading apps, that way you don't grant apps the extra privileges. Finally, you can disable background app refresh.
Nearly all apps, paid or not, use 3rd party analytics tools to improve their engagement. If the app requires sensitive data to function, like your contacts, it's also available to the analytics tool. Even the app's developer might not be aware of what the tools they're using are collecting.
Moreover: why are you using an analytics system that involves sending your users' data to an arbitrary third party? Someone who is using your app has agreed to a relationship with you, not with Facebook, or Google, or what have you.
Self-hosted analytics frameworks exist, but unfortunately aren't as popular because of the setup involved.
Personally I'm of the opinion that if you charged a user for your app, and then require that data be provided to an arbitrary third party, then that user should be allowed to get a refund for your product. Similarly if you ship an update that invades a user's privacy then they should be entitled to a refund - you just rob them of functionality (the ability to use your app).
I guess the next step is for Apple to stop allowing analytics URLs to work without an opt in prompt.
No, that's only if you're not using TLS for those domains. Which almost all are at this point.
For most apps and use cases, background refresh isn’t necessary because when you want to see data in an app, you open the app and it can refresh it then.
Personally, I have background refresh off for everything. It helps save battery too.
Note: I ended up setting up that pi-hole, and I see it blocking a ton of DNS lookups for these types of companies across my family's devices.
> I think many people would be surprised by the amount of analytics data leaving their phone _all the time_. I recently was doing some work where I had my iPhone proxied through mitmproxy on my laptop, and was blown away by just how much data was being sent. Some apps were sending a request to one or more analytics firms every single time I touched a UI control. I would set up a pi-hole and VPN to block this stuff, but I'm sure the app developers will just start tunneling the requests through their own hosts. Maybe some day one of these open source phones will actually be viable.
Open source as charity has run out of steam; to survive, open source must be profitable.
The way to do it is to have a license under which all uses personal, educational, hobbyist, etc. are completely free and open source, but as soon as someone wants to sell something with your code in it, you get a cut.
Not entirely unlike a transaction processor like Visa or MasterCard.
It should be viral, so that all commercial software made with software under the license must also be licensed under the license, and the corporation’s commercial code must be available for inspection upon (legal?) inquiry, though the corporation may restrict the ability for others to use their code in other corporations’ commercial applications.
Lock-in is achieved when it’s cheaper and easier for these freeloading corporate entities to pay up (the devs) than it is to try to rewrite everything.
Smaller apps might not do it at all, or maybe just one, but anything that's been around long enough will inevitably have up to about 5 different analytics platforms. It's the thing I feel the "ickiest" about being an iOS developer. I've successfully fought against putting in stuff like Session Replay (and Apple has since banned it) so that makes me feel a tiny bit better.
As for running an adblock on your router, if your router supports openwrt, openwrt has an adblock addon that is easily configurable.
Unfortunately, you will lose out on the statistics that Pi-hole collects.
You mean everything that involves sending data to other people involves ... sending things to other people?
Or do you propose the SMS, MMS, email, phone calls, video calls, and web browsing should not actually be available?
If you send a message to someone, or open a website, then necessarily you interact with a directory service (a telephone company, the message client's directory, DNS, etc).
For iMessage, Apple's servers then route the message to the appropriate account, and their various documentation on this says they don't record anything more than necessary (I assume each account has a glorified mailbox in which the encrypted messages are stored - there is no part of iMessage that can be decrypted by someone other than the recipient, except the destination - in an ideal world the sender would be stripped once it's in the mailbox).
If you load a webpage over https then no party in the middle knows what resources you pulled - alas they know the host because DNS queries aren't encrypted, and even if they were the IP addresses aren't, so with enough data it might be possible to infer destination for pages in hosting sites.
None of these include your location information - beyond IP based inferences.
The only people who have your location without explicitly asking are the carrier, and only because they can see you bouncing around towers.
They should either provide their own first party frameworks or select a handful of vetted partners that are allowed to provide those services to developers.
IMHO a better idea would be to create privacy jails for apps and then users can decide if they want to stick certain apps inside jails where they don't get access to your IP, GPS data, accelerometer, camera, contacts, etc. Jails would be better than the annoying popups for permissions as they currently do it.
Nah that's a Do-Not-Track-esque cop out to preserve the ad and analytics industries. It's also extremely un-Apple.
"Totalitarian" doesn't mean anything in this context because we're talking about computers and not governments.
You can have every single app run in a privacy jail by default. Let the user opt out on a per-app basis if they choose to. Apple could also simply just run an ad blocker or a tracking scripts blocker as a system level feature. I admit that these kinds of measures are very 'controlling' if not totalitarian of their users. Should Microsoft allow users to install Chrome if the browser acts basically like a giant keylogger? Should we let users make the choice? Or let a benevolent dictator dictate what apps a user should be protected from. Reasonable people can come out on both sides of the privacy debate.
This might be an interesting philosophical/religious debate about computers to some, but it's also one we had in 2008 when the App Store launched. It's clear after 11 years that Apple was right and the rest of the world simply does not share that religion. Conversely they sure do like the practical benefits from Apple's micromanagement.
>You can have every single app run in a privacy jail by default. Let the user opt out on a per-app basis if they choose to. Apple could also simply just run an ad blocker or a tracking scripts blocker as a system level feature.
Apps already run in a sandbox and are private by default. The user has to give consent before an app gets location or contacts data. An ad blocker for apps is silly because it's an unnecessary hack when they control the App Store policies.
The difference with giving permission to an app you downloaded is that you have a first party relationship with that app. You don't have a first party relationship with any of the SDKs that developers package into their app. They disclose it in their privacy policies that no one reads, but that's certainly not informed consent.
(TBH, this should not be needed in the first place if Google did their job)
If you ban third-party frameworks then all that is going to happen is that those third-party companies will just give you an API and standard schema and ask you to post the data to them. The value is in the dashboards, not in the SDK.
And then what, you want Apple to block all HTTP POST requests too?
Web 4.0 integrated everywhere always-web is not at all consumer friendly - advertisers need to be downgraded to something that's suffered or rejected instead of supported.