Tag: Apple
15. February 2022
Tracking in apps enables the app providers to offer users personalized advertising. On the one hand, this causes higher financial revenues for app providers. On the other hand, it leads to approaches regarding data processing which are uncompliant with the GDPR.
For a year now data privacy labels are mandatory and designed to show personal data the app providers access (article in German) and provide to third parties. Although these labels on iPhones underline that data access does not take place, 80% of the analyzed applications that have these labels have access to data by tracking personal information. This is a conclusion of an analysis done by an IT specialist at the University of Oxford.
For example, the “RT News” app, which supposedly does not collect data, actually provides different sets of data to tracking services like Facebook, Google, ComScore and Taboola. However, data transfer activities have to be shown in the privacy labels of apps that may actually contain sensitive information of viewed content.
In particular, apps that access GPS location information are sold by data companies. This constitutes an abuse of data protection because personal data ishandled without being data protection law compliant and provided illegally to third parties.
In a published analysis in the Journal Internet Policy Review, tests of two million Android apps have shown that nearly 90 percent of Google’s Play Store apps share data with third parties directly after launching the app. However, Google indicates that these labels with false information about not tracking personal data come from the app provider. Google therefore evades responsibility for the implementation for these labels. Whereby, Apple asserts that controls of correctness are made.
Putting it into perspective, this issue raises the question whether these privacy labels make the use of apps safer in terms of data protection. One can argue that, if the app developers can simply give themselves these labels under Google, the Apple approach seems more legitimate. It remains to be seen if any actions will be taken in this regard.
30. November 2021
On November 25th, Apple announced in a press release that it has filed a lawsuit against NSO Group Technologies Ltd. (NSO Group) to hold them accountable for their spy software “Pegasus”.
NSO Group is a technology company that supplies surveillance software for governments and government agencies. Applications like Pegasus exploit vulnerabilities in software to infect the target’s devices with Trojans. Pegasus is a spyware that can be secretly installed on cell phones (and other devices) running most iOS and Android versions. Pegasus is not a single exploit, but a series of exploits that exploit many vulnerabilities in the system. Some of the exploits used by Pegasus are zero-click, which means that they can be executed without any interaction from the victim. It is reorted to be able to read text messages, track calls, collect passwords, track location, access the microphone and camera of the targeted device, extract contacts, photos, web browsing history, settings and collect information from apps.
NSO Group is accused of selling its software to authoritarian governments, which use it to monitor journalists and the opposition. Accusations that the company regularly denies. According to an investigation done by a global consortium of journalists of 17 media oganizations, Pegasus has been used to monitor female journalists, human rights activists, lawyers and high-ranking politicians. There are even reports suggesting it is even used by Mexican drug cartels to target and intimidate Mexican journalists. Among the more famous confirmed Pegasus victims are Amazon founder Jeff Bezos and murdered Saudi Arabian journalist Jamal Kashoggi.
Apple wants to prevent “further abuse and harm” to Apple users. The lawsuit also demands unspecified compensation for spying on users.
In the press release Apple states:
NSO Group and its clients devote the immense resources and capabilities of nation-states to conduct highly targeted cyberattacks, allowing them to access the microphone, camera, and other sensitive data on Apple and Android devices. To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send malicious data to a victim’s device — allowing NSO Group or its clients to deliver and install Pegasus spyware without a victim’s knowledge. Though misused to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the attacks.
Ivan Krstić, head of Apple Security Engineering and Architecture is quoted:
In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place
Apple has announced the lawsuit contains new information about the so-called ForcedEntry exploit for a now-closed vulnerability that NSO Group used to “break into a victim’s Apple device and install the latest version of NSO Group’s Pegasus spyware program,” according to Apple’s press release. The vulnerability was originally discovered by Citizen Lab, a research group at the University of Toronto. Apple says it will support organizations like Citizen Lab and Amnesty Tech in their work, and will donate $10 million and any compensation from the lawsuit to organizations involved in researching and protecting against cyber surveillance. The company will also support Citizen Lab with free technology and technical assistance.
Apple is the second major company to sue NSO Group after WhatsApp Inc. and its parent company Meta Platforms, Inc.(then Facebook, Inc.) filed a complaint against NSO Group in 2019. The allogation of that lawsuit is that NSO Group unlawfully exploited WhatsApp’s systems to monitor users.
In early November 2021, the US Department of Commerce placed NSO Group on its “Entity List”. The justification for this step states that Pegasus was used to monitor government officials, journalists, business people, activists, academics and embassy staff. On the “Entity List,” the U.S. government lists companies, individuals or governments whose activities are contrary to the national security or foreign policy interests of the United States. Trade with these companies is subject to strict restrictions and in some cases is only possible with an exemption from the Department.
31. May 2021
At the end of April, the new iOS update 14.5 was released. With the update comes the new App Tracing Transperency (ATT) feature.
The changes are intended to reduce unauthorized tracking and increase user awareness of digital privacy rights. With the new feature, users will receive push notifications asking for permission for the identifier for advertisers (IDFA) and thus for activity tracking. App developers have been able to use the identifier (IDFA) and other information to create detailed tracks of how users use their devices, including in other apps and on the web. Users must now actively give permission for apps to track their activities and sell their personal data, which includes information such as age, location, spending habits and health information to advertisers. As a result, apps can no longer track behavior across other apps installed on the device without permission. However, activity within an app can still be performed without authorization. The new feature can be enabled or disabled via “Settings” since the update. If apps do not meet the new transparency standards, they will be removed from the App Store, according to Apple.
Apple celebrates the new features as a success for data protection. Criticism from app operators, which are mainly funded by advertising revenue, followed immediately. Assuming that many users will not consent to tracking, they accuse Apple of making it difficult for companies to continue their targeted advertising. Small companies in particular would be affected. But Internet giants like Facebook will also suffer significant losses without personalized advertising.
However, what can be seen as a step in the right direction in terms of data protection, also raises antitrust concerns. This is because Apple does not use the new privacy features for its own apps, but only for third-party apps. German business groups already filed an antitrust complaint against Apple.
13. January 2021
Already announced in Apples Worldwide Developers Conference last June a new privacy feature for Apple’s App Store has now been launched with iOs 14.3 (we reported). Originally iOs 14 should have had these update, but based on critic of app developers and big tech giants the launch has been postponed to give the concerned persons and companies more time to be prepared for the changes.
The update requires the App providers to answer several questions regarding data privacy. The requirement to answer the questions only apply in case an app is uploaded to the App Store for the first time or in case an update is published by the App provider. So at this point, not many apps come up with this additional information. However, Apple’s own apps and for example the Facebook Messenger have already been updated regarding this information.
The process is as follows: In the course of uploading an app or update the provider must answer questions regarding inter alia which categories of personal data are collected by the app or third parties within the app, if the data is used to track the user and with which data sources and other data the obtained data is linked. The inserted information is afterwards displayed in the App Store below the rating of the app.
According to Apple, the goal is that the information in the App Store should make it easier for the user to know what the privacy status of an app is. However, it should be noted that the information is based solely on the (voluntary) information provided by the provider and is not verified by Apple.
9. September 2020
In an update from Apple on Thursday, 3rd of September 2020, it was announced that some of the plans that were supposed to be launched in the new iOS 14 update are being delayed. The new feature of iOS developers having to request permission from app users before collecting their data for ad tracking is being pushed back to the beginning of 2021.
This and other features are seen as a big step towards users’ privacy, which you can read up on in our previous blogpost, but they have been criticised by app developers and big tech giants alike.
The permission feature was supposed to change the way users’ privacy is being accessed, from the current opt-out method to an opt-in one. “When enabled, a system prompt will give users the ability to allow or reject that tracking on an app-by-app basis,” stated Apple.
However, this will be delayed until early next year, due to the fact that the changes would affect a large amount of the platforms’ publishers, which rely strongly on ad tracking revenue. Facebook criticized the changes and announced that some of their tools may lose efficiency, and hence cause problems for smaller app developers. To combat this issue, Apple said: “We want to give developers the time they need to make the necessary changes, and as a result, the requirement to use this tracking permission will go into effect early next year.”
In recent years, Apple has taken its users’ privacy more seriously, launching new adjustments to ensure their right to privacy is being integrated in their devices.
„We believe technology should protect users’ fundamental right to privacy, and that means giving users tools to understand which apps and websites may be sharing their data with other companies for advertising or advertising measurement purposes, as well as the tools to revoke permission for this tracking,” Apple emphasized.
31. August 2020
At its Worldwide Developers Conference 2020 back in June, Apple announced new privacy features coming in a future iOS 14 update for its devices. These updates, coming in the fall, are supposed to include more control of sharing location data and indicators when an app is using the microphone or camera.
The updates mean that it will be further possible to limit how much location information is shared with apps, only allowing it to share approximate data rather than the devices precise location. Apple also introduced labels for app permissions to inform people how much data an app requests, before they even download them. The feature will show people those labels in two categories, on “Data Linked To You” and “Data Used to Track You“. However, this will have to be provided by the app developers themselves, leaving grey areas open.
“For food, you have nutrition labels,” said Erik Neuenschwander, Apple’s user privacy manager. “So we thought it would be great to have something similar for apps. We’re going to require each developer to self-report their practices.”
Further, the privacy updates also incorporate the Safari browser, allowing for a report on privacy while surfing the internet through the use of a “privacy report” button. It will allow the overview of all third-party trackers through one click, and allow the user to block them directly.
Apple also moved from the opt-out standard for apps using the user’s personal data to an opt-in scheme, requiring the active consent of the users in order to allow the use of their data.
While this is a positive development for all Apple users, Facebook states that it sees issues for small developers having to face these new privacy settings.
In a blog post, Facebook said it was making a change to its own apps, which in addition to its flagship app also include WhatsApp and Instagram, that would likely spare them from having to ask iPhone users for data-tracking permissions that many advertising industry insiders believe users will refuse. Facebook also stated it was making changes due to Apple’s new privacy rules that could hurt smaller developers that use a Facebook tool for serving apps in third-party apps.
Overall, Apple’s new privacy rules are a welcomed changes for its users, handing them further control over their own personal data.
17. April 2020
Apple and Google two of the biggest internet giants announced that they will partner on the development of a COVD-19 contact tracing technology.
According to a statement, both of them published on their blogs, aim of the partnership is to develop an App respectively a technical tool which should support the protection of people and to help combat the virus. Furthermore, the tracing technology should help governments and health agencies reduce the spread of the virus.
Apple and Google want to develop a Bluetooth technology which can be used on iOS and Android devices as well as that it can be implemented in Apps of other providers via an API (Application Programming Interface) – which should be published in May.
The tracing technology, using the Bluetooth function and encryption, is designed to detect the distance between two devices in order to identify potentially vulnerable people who have been in close contact with a person tested positive for corona. Therefore, the devices should exchange temporarily ID numbers. In case, one person is tested positive he or she should change the status in the used app in order to inform all persons to which the data subject had contact in the past two weeks.
Both, Apple and Google, ensure that they take data protection requirements seriously. According to the provided information the data should firstly be stored on the respective devices and deleted automatically after two weeks. The data should only be uploaded to a server after change of status to tested positive and obtaining consent of the data subject. The exchanged ID numbers are planned to be uploaded to a list anonymously. In order to increase trust, it is planned to publish the software source codes. This would allow everyone to understand how the data is handled. In addition, this is to ensure that no data will be used for advertising purposes.
14. October 2019
Apple wants to evaluate Siri-recordings again in the future. After it became public that Apple automatically saved the audio recordings of Siri entries and had some of them evaluated by employees of external companies, the company stopped this procedure. Although Apple stated that only less than 0.2 % of the queries were actually evaluated, the system received around 10 billion queries per month (as of 2018).
In the future, audio recordings from the Siri language assistant will be stored and evaluated again. This time, however, only after the user has consented. This procedure will be tested with the latest beta versions of the Apple IOS software for iPhone and iPad.
Apple itself hopes that many users will agree and thus contribute to the improvement of Siri. A later opt-out is possible at any time, but for each device individually. In addition, only apple’s own employees, who are – according to Apple -subject to strict confidentiality obligations ,will evaluate the recordings. Recordings that have been generated by an unintentional activation of Siri will be completely deleted.
In addition, a delete function for Siri-recordings is to be introduced. Users can then choose in their settings to delete all data recorded by Siri. If this deletion is requested within 24 hours of a Siri request, the respective recordings and transcripts will not be released for evaluation.
However, even if the user does not opt-in to the evaluation of his Siri recordings, a computer-generated transcript will continue to be created and kept by Apple for a certain period of time. Although these transcripts are to be anonymized and linked to a random ID, they still could be evaluated according to Apple.
27. August 2019
While other browser developers are critical of tracking, Google wants to introduce new standards to continue enabling personalized advertising. With the implementation of the “Privacy Sandbox” and the introduction of a new identity management system, the developer of the Chrome browser wants to bring browsers to an uniform level in processing of user data and protect the privacy of users more effectively.
The suggestions are the first steps of the privacy initiative announced by Google in May. Google has published five ideas. For example, browsers are to manage a “Privacy Budget” that gives websites limited access to user data so that users can be sorted into an advertising target group without being personally identified. Google also plans to set up central identity service providers that offer limited access to user data via an application programming interface (API) and inform users about the information they have passed on.
Measures like Apple’s, which have introduced Intelligent Tracking Protection, are not in Google’s interest, as Google generates much of its revenue from personalized advertising. In a blog post, Google also said that blocking cookies promotes non-transparent techniques such as fingerprinting. Moreover, without the ability to display personalized advertising, the future of publishers would be jeopardized. Their costs are covered by advertising. Recent studies have shown, that the financing of publishers decreases by an average of 52% if advertising loses relevance due to the removal of cookies.
Based on these ideas, the discussion among developers about the future of web browsers and how to deal with users’ privacy should now begin. Google’s long-term goal is a standardization process to which all major browser developers should adhere. So far, Google has had only limited success with similar initiatives.
12. February 2019
After TechCrunch initiated investigations that revealed that numerous apps were recording screen usage, Apple called on app developers to remove or at least disclose the screen recording code.
TechCrunch’s investigation revealed that many large companies commission Glassbox, a customer experience analytics firm, to be able to view their users’ screens and thus follow and track keyboard entries and understand in which way the user uses the app. It turned out that during the replay of the session some fields that should have been masked were not masked, so that certain sensitive data, like passport numbers and credit card numbers, could be seen. Furthermore, none of the apps examined informed their users that the screen was being recorded while using the app. Therefore, no specific consent was obtained nor was any reference made to screen recording in the apps’ privacy policy.
Based on these findings, Apple immediately asked the app developers to remove or properly disclose the analytics code that enables them to record screen usage. Apples App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity. In addition, Apple expressly prohibits the covert recording without the consent of the app users.
According to TechCrunch, Apple has already pointed out to some app developers that they have broken Apple’s rules. One was even explicitly asked to remove the code from the app, pointing to the Apple Store Guidelines. The developer was given less than a day to do so. Otherwise, Apple would remove the app from the App Store.