Apple is in hot water again, this time for allegedly deceiving its users into thinking their data is more confidential than it really is. An iOS development and security research company has pulled back the curtain on Apple’s misleading data-sharing settings, and its findings have already opened the door to a class action lawsuit.
Mysk, a software startup run by two security researchers, shared earlier this month that recent changes to Apple’s App Store “should raise many privacy concerns.” The updated app allegedly tracks all of a user’s taps for “analytics” purposes and sends that data to Apple. According to the researchers, this data isn’t anonymous; unique identifiers map each tap to a profile. This means a user’s interest in sensitive apps (like those related to pregnancy, LGBTQ interests, religion, medical treatment, and mental health and addiction treatment) is tracked by and visible to Apple. As first reported by Gizmodo, Apple is also said to collect a user’s device ID, internet connection data, keyboard languages, and more during a visit to the app store—and the problem extends to other pre-installed iPhone and iPad apps, like Books and Apple TV.
The recent changes that Apple has made to App Store ads should raise many #privacy concerns. It seems that the #AppStore app on iOS 14.6 sends every tap you make in the app to Apple.👇This data is sent in one request: (data usage & personalized ads are off)#CyberSecurity pic.twitter.com/1pYqdagi4e
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 3, 2022
But this shouldn’t be the case. Apple’s own privacy settings claim to prevent data-sharing like that described above: When a user turns off analytics or app tracking, Apple claims to “disable the sharing of Device Analytics altogether.” The iPhone’s Device Analytics and Privacy page even says personal data isn’t logged at all, is “subject to privacy preserving techniques such as differential privacy,” or is removed from reports prior to receipt by Apple. Still, Mysk’s research appears to reveal that toggling this setting on or off doesn’t make an actual difference when it comes to what data Apple receives or how the user’s device information is treated.
The startup’s findings paved the way for a new privacy-oriented class action lawsuit. The lawsuit, according to Bloomberg Law, alleges that Apple’s data collection practices violate the California Invasion of Privacy Act by illegally recording users’ confidential activity, which lawyers say is a “huge and growing treasure trove of data that Apple amasses and uses for its own profit.” Worse, Apple allegedly deceives its users by making it appear as though they can control which information Apple is or isn’t able to access.
“Consumers reviewing Apple’s privacy controls are left with the reasonable impression that Apple will stop collecting and recording all of their app information or activity if ‘Allow Apps to Request to Track’ and/or ‘Share [Device] Analytics’ settings are turned off. But Apple’s assurances and promises regarding privacy are utterly false,” the lawsuit reads.
The class action suit is bound to be a punch to the gut for Apple’s marketing department, which has historically boasted Apple devices’ supposedly superior security. One of its most popular ad slogans over the last few years has been “Privacy. That’s iPhone.” Hopefully for Apple, whichever judge gets its latest lawsuit has a sense of irony.