Under the pseudonym Musk For some time now, a team of security researchers has been drawing attention to data protection incidents that are questionable in terms of Apple’s evaluation of user data.
Clear promise: a data connection does not take place
Most recently, in early November, they criticized the excessive user tracking with which Apple tracks App Store visitors every step of the way, documenting nearly all interactions with its internal software warehouse.
Track users in the App Store
What was mainly criticized at the time: The extensive data collection also took place from users who had actively objected to the use of their own data for the display of personalized advertisements. According to the security researchers at the time, Apple started collecting detailed data from App Store visitors when iOS 14.6 was released.
There’s a flavor to this, of course: Apple only introduced the so-called “App Tracking Transparency” query with the release of iOS 14.5, which has required third-party carriers with a similar data hunger to ask for permission to collect data ever since. As a platform operator, Apple appears to be completely exempt from these requirements and relies on users’ consent to their own data collection.
Linked to iCloud accounts
And it is precisely this data collection that turns out to be somewhat more extensive than previously assumed. Mysk’s security researchers now want to know that Apple links the collected analytics data to its users’ personal iCloud accounts and thus draws conclusions about individual user accounts.
🚨 New findings:
Apple’s analytics data includes an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an identifier that uniquely identifies an iCloud account. This means that Apple’s analytics can identify you personally 👇 pic.twitter.com/3DSUFwX3nV
— Musk 🇨🇦🇩🇪 (@mysk_co) November 21, 2022
If the new findings, which the developers are trying to prove with several screenshots of the recorded data traffic, are correct, it would contradict Apple’s assurance that analytics data is only compiled in such a way that no conclusions can be drawn about personally identifiable data. At Mysk you will find:
This means that your detailed behavior when browsing apps in the App Store is sent to Apple and includes the ID needed to associate the data with you. We’ve shown the extensive details that the App Store sends to Apple in this video, and they’re all tied to you.