While many users may not have ever given this much thought, the very nature of a system-wide clipboard means that it’s always been possible for just about any app to read what’s on your clipboard without your knowledge or consent, and in this regard, iOS has been no different from the way things have worked on every other operating system with a system-wide clipboard since the early days of Windows and the classic Mac.
So perhaps the report earlier this year that dozens of apps were scanning your iPhone clipboard shouldn’t have come as a revelation, but it’s one thing to know that apps can do this, it’s quite another to discover how many actually are.
To be clear, there are many valid reasons why third-party apps may want to access your clipboard. Pinterest and Pocket will both helpfully offer to save links they find on your clipboard as soon as you open them, many RSS readers will offer to subscribe you to a feed they find on their clipboard, and even Photoshop for iPad can offer to create a new document for you based on the specs of an image that’s sitting on your clipboard.
On the other hand, it’s also quite open to potential abuse, especially on a mobile device, as researchers demonstrated. For example, a photo sitting on your clipboard could contain location information and other sensitive data, and it wouldn’t be surprising to see apps sniffing for this kind of information, especially considering how many also aggressively collect location data in every possible way.
Further, thanks to Apple’s handoff and continuity features, your clipboard is actually shared between all of your Apple devices, so an app on your iPhone could potentially pick up data that you copied to the clipboard on your Mac or iPad.
The good news is that Apple has introduced a new privacy feature in iOS 14 that will actually let you know when an app is reading your clipboard without your express consent, and it’s already caught TikTok with its hand in the cookie jar, along with dozens of others, including popular apps like LinkedIn and Reddit.
What’s Going on Here?
Although it really shouldn’t come as a big surprise that TikTok could be engaging in nefarious behaviour (although the company claims its aggressive clipboard reading is part of an anti-spam feature that it’s promised to remove), it’s more surprising to find that professional apps like LinkedIn doing this as well.
In fact, LinkedIn appeared to be reading the keyboard just as aggressively as TikTok was, popping up notifications after every single keystroke. In response to the discovery, however, a LinkedIn spokesperson told ZDNet that the behaviour was completely unintentional and was in fact a bug that it will likely soon fix.
Specifically, Erran Berger, LinkedIn’s VP of Engineering, emphasized that they don’t “store or transmit the clipboard contents,” noting that it’s just a result of code that does an “equality check” to compare the clipboard to whatever is typed in a text box.
Should You Be Worried?
As John Gruber correctly points out, it’s easy to be cynical with all of the services out there that are spying on users and assume the worst in all cases, but as the old saying goes, we should “never attribute to malice that which is adequately explained by stupidity.”
In other words, in many cases, it’s much more likely that this is just sloppy programming than diabolical intent on the part of developers. In fact, as Gruber goes on to point out, any developer that actually wanted to do this wouldn’t be making it check the clipboard after every keystroke. There’s just no good reason why anybody should need to do that.
Nonetheless, it’s good that iOS 14 will shine the light on these apps and force developers to address these issues. At this point, however, iOS 14 only notifies you if an app is accessing your clipboard without your knowledge — it doesn’t yet do anything to actually prevent this from happening. We’re hoping that we’ll see this eventually turn into an actual privacy setting, similar to that used for things like photos and contacts so that users will have more options available to protect their personal information.