On Wednesday, Apple CEO Tim Cook spoke at the International Conference of Data Protection and Privacy Commissioners in Brussels. Cook, who has stated many times that Apple believes privacy is a fundamental human right, called for federal privacy legislation. As transcribed in Ars Technica’s post on the speech, Tim Cook said:
We at Apple are in full support of a comprehensive federal privacy law in the United States. There, and everywhere, it should be rooted in four essential rights: First, the right to have personal data minimized. Companies should challenge themselves to de-identify customer data—or not to collect it in the first place.
Second, the right to knowledge. Users should always know what data is being collected and what it is being collected for. This is the only way to empower users to decide what collection is legitimate and what isn't. Anything less is a sham.
Third, the right to access. Companies should recognize that data belongs to users, and we should all make it easy for users to get a copy of, correct, and delete their personal data. And fourth, the right to security. Security is foundational to trust and all other privacy rights.
Cook also commended the European Union on its General Data Protection Regulation, which went into effect earlier this year.
The importance of privacy to Apple is reflected on its website, during public events, and elsewhere. As the amount of data collected about everyone increases and the methods for creating sophisticated profiles of people with that data become more advanced, providing consumers with the tools to make informed decisions about what they share and to control that data has become increasingly important. These aren’t issues that Apple can solve on its own, but as one of the largest global technology companies, it’s heartening to see the company taking a proactive stance on privacy.
Earlier today, Bloomberg published a story claiming that Apple and Amazon discovered tiny, malicious chips on Elemental network servers built by Super Micro. According to the story, the chips were the work of Chinese spies and designed to infiltrate the tech companies’ networks. Shortly after publication, Apple responded in an email statement strongly refuting Bloomberg’s account.
Amazon’s chief information security officer similarly discredited the claims, saying in part:
There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.
A short time ago, Apple elaborated on its initial statement to Bloomberg on its Newsroom website:
In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips.
Topsy is a startup that Apple acquired in 2013.
For over 12 months, Apple says it repeatedly told Bloomberg reporters and editors that they and their sources were incorrect.
We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
Security and privacy are cornerstones of Apple’s business that it uses to differentiate the company’s products from competitors’, so the fact that the company takes this sort of claim seriously isn’t unusual. This also isn’t the first time Apple has taken Bloomberg to task on the veracity of its reporting. However, the forcefulness of the responses from Apple and Amazon, followed by Apple’s press release on its Newsroom site, is unprecedented. It will be interesting to see whether Bloomberg responds.
For the past couple of years, the tech industry has grappled with the consequences of people carrying a tiny computer with them all day long. When it comes to Apple, iOS devices have long had a Do Not Disturb setting and notifications can be adjusted, but over time, it became apparent that the existing tools were not enough.
Screen Time is Apple’s solution to the information gap about how we use our iOS devices. The new feature, which is found in the Settings app in iOS 12, provides a wide array of metrics that give an unforgiving and eye-opening look into exactly how you use your devices each day.
Screen Time is also the means for acting on that information. Users can impose restrictions on when and how they use their devices.
The same tools are available to parents through Apple’s Family Sharing feature. Although Screen Time for kids is complex in some respects and lacking in others, it’s an excellent first step. The feature may require a time investment to master, but it succeeds on two levels. First, by working the same way it does for individuals, which Federico will cover in his iOS 12 review, managing the feature for a child will be familiar to anyone who uses Screen Time themselves. Second, although I’d like to see Apple implement some age-appropriate default settings in places, on balance, I’m satisfied that the complexity of Screen Time is a fair trade-off for the customization that it enables.
Many app developers already provide privacy policies and are transparent about the information they collect from users and how they use it. I’m glad to see privacy policies become a requirement, though, because for some apps it’s not easy to track down how they use your data, and there have been too many instances in the recent past where it’s been discovered that an app has used data in ways that users might not expect.
As first reported by The Wall Street Journal, Facebook has removed its Onavo Protect VPN app from the App Store after Apple said the app violated rules against data gathering. The app was acquired by Facebook in 2013 as part of its purchase of an Israeli company.
Onavo collected user data using network traffic to provide market intelligence to Facebook about the popularity and use of apps outside its own apps. TechCrunch reported on Onavo's data collection practices back in February. In June during WWDC, Apple introduced new App Review Guidelines addressing data harvesting, which struck some as a direct response to Onavo.
In a statement to The Verge, Facebook said:
“We’ve always been clear when people download Onavo about the information that is collected and how it is used,” said a Facebook spokesperson in a statement given to The Verge. “As a developer on Apple’s platform, we follow the rules they’ve put in place.”
It’s good to see Apple enforce App Review guidelines against companies of all sizes, though a little disappointing that it has taken so long.
Today, Apple unveiled a new data and privacy website to comply with the European Union’s GDPR legislation that goes into effect on May 25th. The site allows users to copy and correct personally identifiable information associated with their Apple IDs and deactivate or delete their accounts. Although the new copy and deactivation options are only available in the EU, they will be rolling out throughout the remainder of the year to the rest of the world.
Mark Gurman and Stephanie Bodoni report for Bloomberg on an upcoming change that will make it easier for some users to access the personal data Apple stores on them:
The iPhone maker said it will update its web page for managing Apple IDs in coming months to let users download a copy of all their data stored with the company. The site will also let customers correct personal information, temporarily deactivate their account, and completely delete it. The new privacy controls are designed to comply with the European Union’s General Data Protection Regulation, which kicks in May 25, the Cupertino, California-based company said.
Apple’s new web-based privacy options will be released for users in Europe in early May, while the features will come to other countries later.
The report also notes that you could previously receive copies of your data, delete your account, and more by contacting Apple directly. So these options will not be entirely new; they'll just be available on the web for the first time.
It's unclear which countries outside Europe will receive these features. Hopefully in light of the recent Facebook data debacle, Apple will find it important to make these options available to all its users, regardless of where those users reside.
DuckDuckGo, the popular search engine for privacy-conscious users, today launched major updates to its browser extension and mobile apps in an effort to grant users data protection no matter where they are on the web.
The browser extension – available for Safari, Chrome, and Firefox – joins the revamped DuckDuckGo app on iOS and Android in providing a set of privacy features that affect your full browsing experience. In addition to the existing private search feature DuckDuckGo is known for, the extension and app now offer built-in tracker network blocking, smarter encryption, and a Privacy Grade rating for sites you visit.
DuckDuckGo's privacy features work seamlessly in the background for those using the extension or mobile app. Any hidden trackers detected by DuckDuckGo will be blocked, and users will be able to see a full list of exactly what has been blocked. If a site offers an encrypted version but doesn't automatically send all users to it, DuckDuckGo will perform that routing itself.
The Privacy Grade ratings are an interesting feature designed to give users a quick, easy understanding of each site's privacy practices. Each site receives its grade based on several factors – whether it offers an encrypted connection, what, if any, tracker networks are detected, including major tracker networks, and whether the site has published privacy practices that DuckDuckGo has vetted. Based on all of this information, each site receives a unique privacy grade ranging from A to F. The site will also receive an 'enhanced grade' where applicable, meaning the grade for the site after DuckDuckGo has deployed its blocking technology. Sites can only receive a perfect 'A' grade if no trackers were detected and the site's privacy policies have been reviewed by DuckDuckGo.
I've been using DuckDuckGo as my primary search engine for nearly a year, and have had a great experience with it. It will be interesting to see what difference, if any, DuckDuckGo's vetting and grading of sites will make in shaping future privacy practices.
Alex Hern, reporting for The Guardian on the results of Safari's new Intelligent Tracking Prevention (ITP), launched last year with iOS 11 and macOS High Sierra (via John Gruber):
Internet advertising firms are losing hundreds of millions of dollars following the introduction of a new privacy feature from Apple that prevents users from being tracked around the web.
Advertising technology firm Criteo, one of the largest in the industry, says that the Intelligent Tracking Prevention (ITP) feature for Safari, which holds 15% of the global browser market, is likely to cut its 2018 revenue by more than a fifth compared to projections made before ITP was announced.
Here's how Apple officially describes ITP in Safari 11's documentation:
Added Intelligent Tracking Prevention, which updates the default cookie and website data policy to isolate and remove cookies and website data for sites with the ability to track users cross-site.
This isn't the first time ad companies have complained about Apple's protection of user privacy in Safari and stance against invasive cross-site tracking. In September, six trade groups claimed Apple was "sabotaging" the industry with a "unilateral and heavy-handed approach", to which Apple responded:
“Ad tracking technology has become so pervasive that it is possible for ad tracking companies to recreate the majority of a person’s web browsing history,” according to an Apple spokesperson. “This information is collected without permission and is used for ad re-targeting, which is how ads follow people around the Internet.”
"Unilateral" is exactly right: Apple should only care for the interests of users buying their devices, not those of third-party ad companies creepily tracking them around the web.
Cross-site tracking and ad targeting have gotten so out of hand over the past couple of years, it's become a regular comment from friends who don't follow tech news – "Why am I seeing an ad for something I was checking out two days ago on another site?" is a question I hear frequently despite the existence of third-party ad blockers and Apple's own ITP in Safari. Personally, I think the more Apple can advance ITP, the better it is for the privacy of all iOS users.