by The Cat
(photo by chaddlane)
After having delved into Microsoft's 1243-page "Privacy Guide", we could not forget its competitor, the stylish and high-end electronics manufacturer Apple.
They start by lecturing on how they care about you and your data, and that all Apple customers in the world will be treated equally regarding their privacy rights. This indeed is very nice, because not all countries have strong privacy regulations like the European Union or Canada, but it is also a pragmatic approach, because it is cheaper for their legal department to maintain one single worldwide policy than dozens of them.
Apple also has a "Privacy Governance", where it is stated that they are "committed to respecting human rights, including the right to privacy and freedom of information and expression." Unfortunately, despite the nice wording, equality of treatment and respect for human rights are not necessarily what is practiced by Apple, according to a December 2020 joint letter signed by a coalition of 154 activist groups and rights organizations representing Tibetan, Uyghur, Southern Mongolian, Hongkonger, Taiwanese, and Chinese people. They declare that:
... simply writing a policy document does not in and of itself constitute upholding human rights or taking action for social justice. As you are aware, a number of our coalition members have been engaged in dialogue with Apple [...]. The dialogue was entered into in good faith, believing that Apple would act with integrity and openness about developing concrete methods of implementation. This now appears to be far from reality given:
- The Company's lobbying efforts to undermine and make less transparent Apple's responsibilities under the Uyghur Forced Labor Prevention Act, despite statements that Apple is dedicated to the "goal of eradicating forced labor;"
- continued repression of freedom of expression in Hong Kong by banning Apple Store employees from publicly supporting the pro-democracy movement and censoring people choosing pro-freedom and pro-democracy slogans for product engraving; and
- failure to detail mechanisms for implementing the "commitments" laid out in Apple's Human Rights Policy, specifically the adherence to freedom of information and expression, as well as the right to freedom of association, including for Apple workers.
But we won't be deterred by this! Let's start with the bulleted list. They say: "... we may collect a variety of information, including..." What is this "including"? Does it mean that you may collect other stuff than that? And if so, what?
And then the list goes on, full of vague expressions like "such as", "relating to", but never telling exactly what they are collecting. On an item named "Fraud Prevention Information," they say they will collect "... data used to help identify and prevent fraud, including a device trust score." But what data? And what is this "device trust score" and how is it calculated? Do I have access, as an Apple customer, to all my devices' "trust score"? And what do they do with it?
Then there is the section "Health Information", where they say they collect "data relating to the health status of an individual, including data related to one's physical or mental health or condition." Mental health? From all users? Or only from those participating in the "Health Research Study"? Why does it seem that Apple avoids using plain, direct words to say what they are doing with your data?
"One bite and all your dreams will come true." (photo by cottonbro)
Further, under the title "Personal Data Apple Receives from Other Sources", on the topic "Apple Partners", they state that: "we may also validate the information you provide – for example, when creating an Apple ID, with a third party for security." The use of "for example" shows that this list is non-exhaustive, and they state neither who those "third parties" are, nor the way the data is transmitted, how and where it is stored, etc.
With such frothy wording, there is no useful information we can gather here. Let's try the link to the other page on the "handling of personal data for certain individual services."
Because it is so long, we will comment here on just the most important topics:
Apple can read most of your encrypted data in the iCloud
Only some features use end-to-end encryption. Why is this serious? Because, for most data, even when it is encrypted on Apple's servers, they are the ones who keep your cryptographic keys, and most of the activity from all your devices is stored there. It is like keeping all your valuables in the safe of a bank, but having to leave its keys with the bank. Would you trust them? According to Reuters, Apple dropped plans to let iPhone users fully encrypt backups of their devices in the iCloud after the FBI complained that the move would harm investigations.
Apple evaluates your trust according to your phone calls and emails
To help identify and prevent fraud, information about how you use your device, including the approximate number of phone calls or emails you send and receive, will be used to compute a device trust score when you attempt a purchase. [...] The scores are stored for a fixed time on our servers.
In sum, they will evaluate your "trust" according to your phone calls, emails and more (observe the use of the word including), and will store this score on their servers. Is the data encrypted? And for how long is it stored? We don't know. But we can deduce that they know something about your phone calls and emails, otherwise they wouldn't make such a statement. And it seems you cannot access your own score.
Information about your purchases and downloads is stored for roughly ten years
This regards all purchases and downloads from all Apple online stores: App Store, iTunes, Books, etc. The retention period will vary according to the applicable laws from your region. But despite that, they will retain this data for a longer period if you keep your account with them. "So, if I close my account, all data will be deleted, won't it?" No! It "... may be retained as business records even after you close your account or stop using the App Store." Great, no? But this is not all! They also keep information about your browsing and searches, associated with your IP address and Apple ID:
... we use information about your browsing, purchases, searches, and downloads. These records are stored with IP address, a random unique identifier (where that arises), and Apple ID when you are signed in to the App Store or other Apple online stores.
Apple will give a score about you to app developers
Here it is, hidden in the "Sign in with Apple" topic:
For fraud prevention and security reasons, the first time you use Sign in with Apple with a new app, Apple will share a simple binary score with the developer to give them confidence that you are a real person. This score is derived from your recent Apple account activity along with abstracted information about your device and device usage patterns.
As the other topics would only repeat the same platitudes on how they care about you and the same vagueness when it comes to telling what they collect from you, I decided to write to them to clarify all my doubts.
Apple Will Not Answer Unpleasant Questions
Using the contact form on their privacy page, I wrote them a message, asking basically the questions posed here in this article. I waited one day, two days, three days... nothing. Perhaps they didn't receive my message; sometimes those forms don't work right. Let's try again. And... nothing.
"... we'd like to hear from you." Really?
I must tell you that this is not the first time I have written to a company asking for clarification on their privacy policies. It is the first time I have seen messages being completely ignored by a corporation. But, apparently, it is not the first time Apple has ducked inconvenient questions. Evan Schuman, from Computerworld, in a report about the company's sensitive data retention even when the consumer says no, wrote that they didn't directly answer the points he made in an email exchange and declined requests for a phone interview.
Does Apple Care About Privacy More Than Microsoft?
Anyway, they have made some great efforts on de-identification and on processing much of the data inside your own device, instead of doing it on their servers. But they still have access to most of your data stored in the iCloud because it is not encrypted end-to-end, and they still opt users in to data collection in several apps by default, which is not compliant with the "privacy by default" principle, present in many data privacy regulations.