So far, it seems that 2019 has been the year of ferreting out egregious privacy violations on the part of iOS apps. At the beginning of the year, Facebook was caught flagrantly violating Apple’s Enterprise Developer program to release an extremely invasive “research” app to users, and in an admission that should have surprised no one, Google revealed that it had been doing the same thing for years. This resulted in the discovery of many more violations of Apple’s Enterprise program, along with revelations that popular health apps were sharing intensely sensitive personal info with Facebook and another set of apps were secretly recording your screen activity.
Of course, with all of these revelations, it’s no big surprise that many journalists and researchers are now actively looking for more examples of how apps are invading user privacy, and in a new report from The Washington Post, technology columnist Geoffrey Fowler outlined how he discovered that his typical iPhone contained over 5,400 trackers sending data back to various companies over the course of a week of analysis.
Most significantly, Fowler noted that while he was sleeping, his iPhone was busy “beaming out lots of information” about him, much of which went to companies he had never heard of, although in many cases it was being transmitted by apps that were extremely common and popular.
Fowler cites some examples of the information he saw going out including a persistent connection to Yelp that was broadcasting his IP address every five minutes, data sent to a company called “Amplitude” that contained his phone number, email address, and exact location, and a tracker called “Demdex” that not only got sent a unique phone identifier, but a list of other trackers to pair up with.
How Bad Is This?
While the number of trackers that Fowler discovered seems alarming, it may not be as serious as it sounds. As 9to5Mac’s Ben Lovejoy points out, it’s very important to keep these numbers in context as a great deal of app tracking is both legitimate and innocuous. Many apps are simply sending out very basic — and usually anonymous — analytics to help developers learn how users are interacting with their apps, while others have an understandably legitimate need for more personal tracking data — an Uber or Lyft car will need to know where you are, for example, although of course that should only be when you’re actually requesting a vehicle.
“While there is much breathless reporting of data being sent to companies like Google and Facebook, the vast majority of it is innocuous. It’s simply developers using app analytics services provided by these companies, and they are learning things like which app features people do and don’t use.”
Ben Lovejoy, writing for 9to5Mac
It’s also worth mentioning that the transmission of an IP address, such as in the provided example of what Yelp was doing, isn’t as sinister as it sounds either; every single piece of data that leaves your iPhone will include your IP address by necessity. That’s just the way the internet works. There’s been a great deal of debate recently about how this data should be logged — Europe’s new GDPR laws now consider it “personal info” and limit its storage — but there’s absolutely no way to prevent your public IP address from being transmitted from your iPhone.
Lovejoy also points out that the consultant that Fowler worked with for his study may have at least a slightly skewed perspective on the issue. Patrick Jackson, a former researcher for the National Security Agency, is now the Chief Technology Officer for Disconnect, a firm that develops the app Privacy Pro that makes money from identifying and blocking trackers.
On the flip side, however, the sheer amount of tracking that’s going on and data being sent out means that there’s a ton of room for even inadvertent abuse. The scandals earlier this year concerning screen recording and personal health data both appeared to be the result of negligent developers dealing with complex code rather than any deliberate attempts at invasive data collection, and it’s really not surprising when you consider that a recent report revealed that many developers don’t even know how much tracking software is being used in their apps or what it’s doing, since much of it is provided by advertisers in the form of drop-in code packages. The real problem is that we just don’t know.
Ignorance Is Not Bliss
It’s not so much about how many app trackers are on your iPhone as it is about how blissfully unaware most people are of this technology, how it works, and what data it could be sending out about them.
Fowler makes the very good point that there’s virtually no transparency in the process and there are no consumer protection laws. Further, Apple’s strong stance on privacy has lulled many into a false sense of security — expecting that Apple is going to take care of all of the privacy details and protect users from this sort of thing. After all, Apple has been loudly proclaiming “What happens on your iPhone stays on your iPhone.”
But does it? Apparently not, according to the investigations by Fowler and others. While Apple does a great job of protecting user privacy when it comes to its own apps and services, collecting as little data as possible, anonymizing and encrypting what data it does collect, and adding advanced features to limit ad tracking in its Safari web browser, it’s done almost nothing at all to proactively prevent the tracking that’s occurring within the apps that are available on its App Store.
To be fair, Apple has strong policies in its App Store Guidelines that require third-party apps to have clearly posted policies and request permission before collecting data, and Apple is quick to respond when violations are discovered. But it’s a reactive process rather than a proactive one, as it would be a herculean task for Apple to dig through all of the apps that are submitted to the App Store to look for and identify trackers, how they are used, and how they line up with the developers’ privacy policies — especially when many of the developers themselves don’t even know.
If anything, this report reveals how ridiculously pervasive the problem has become. The real question is whether Pandora has gotten too far out of the box for anything to realistically be done to solve the issue, or whether there’s still room for companies like Apple, or government regulators, to do more to at least ensure that users know where their data is going and how it’s being used.