Oh, the Places Your Apple ID Will Go

&gt; I may be getting something wildly wrong here, but I am not sure I see the presence of this Apple ID proxy in Apple’s services logs to be a violation of either its own policies or users’ expectations for using internet services in general.<p>I strongly disagree that the iOS App Store should be treated as an &quot;internet service&quot; rather than a part of the device. The iOS App Store only comes on iOS devices, it comes on all iOS devices, and it is the only way to access a crucial feature of the device. It is, for all meaningful purposes, part of the iPhone in the same way iOS is.<p>It would be a bit like Microsoft saying &quot;explorer.exe? Policy A only covers the OS, and that is clearly not part of Windows! - so therefore you are covered by Policy B&quot;. While Apple may be legally in the right, I strongly believe they are morally in the wrong and have betrayed the trust their users put in them to safeguard their privacy.<p>I believe that a casual user of the iPhone would take a look at Apple&#x27;s iPhone privacy policy and expect that to apply to the iOS App Store as well, as for all intents and purposes that is a part of the iPhone.

Some trivia: the &quot;DS&quot; in DSID is &quot;Directory Services&quot;, which is a giant Apple-internal database. Apple employees and contractors have a DSID too. It&#x27;s basically a database of all people that Apple knows, and it&#x27;s very old.

Can someone explain why the App Store doesn&#x27;t show the &quot;Ask App Not To Track&quot; dialog?<p>Why do 3rd party apps have to ask for permission to track, but Apple&#x27;s apps do not?

&gt; I am also shocked by the granularity of information in these storefront analytics. It is relevant to Apple’s recommendation engine if I listened to an album or song and whether I finished it, but it is hard to see what value it has in knowing my track playback to the millisecond.<p>Not surprised. As soon as it was <i>possible</i> to get this kind of information about app usage (thanks, Internet!) of course management wanted <i>everything</i>.<p>Apple has its own privacy teams that work with the teams developing apps. Data collection is treated as a Big Deal and &quot;Privacy&quot; will grill you on every single byte that you want to collect. And any bit of data that might reveal personally-identifiable-information is a nonstarter.<p>As an example, we could not report back error messages from the OS, only error codes. Why? Error code might be &quot;123&quot; but error <i>message</i> could be &quot;Error 123, You just removed hard drive &#x27;Calhoun Data&#x27; without unmounting...&quot;<p>Perhaps the downside of this gatekeeping though is that I feel it causes management to come to the table asking for everything, letting privacy whittle it down. With major app release cycles 6 or 12 months apart, I think management sometimes don&#x27;t know what data they might want - would rather not have to wait perhaps up to a year for the new metric to be included.

I see a lot of very intelligent people here unable to agree upon a matter that seems, in essence, simple enough.<p>That is <i>in itself</i> troubling and partly answers a question.<p>If developers on Hacker News cannot fathom whether Apple deceptively transmitted PII, or whether zealous journalists are over-egging the pudding, then we have another problem.<p>Obfuscation is a form of deception through complexity. It can be hard to tell from the outside whether that complexity is &quot;necessary&quot; and whether its ill effects are deliberate or accidental.<p>Nevertheless, it remains a form of deception if you present a system as simple, with controls that apparently do understandable things as a front for another system that even you, as a developer, no longer understand. This same theme is coming up in AI, social algorithms, moderation&#x2F;censorship of speech. We are muddying the waters in the hope that people believe they are shallow.

This &quot;Directory Services Identifier&quot; is not sent outside of Apple&#x27;s services though right? And only sent to Apple services that need to know the identity of the user?<p>If so I&#x27;m wondering what the issue is here.

Good to see somebody talking sense. Lots of journalists jumped on this, framing Apple as evil.<p>At a high level, the whole thing is no different to a website using a cookie to keep you logged in.

Leaving behind the discussion of whether this is a problem, it is a problem for me. I paid Apple for a device. I don&#x27;t want Apple to use devices to track me or target me with ads or anything else. That is my personal take.<p>But what can you do assuming that you want or need a phone? Android is no better. Class action lawsuits enrich law firms and get users a gift card for $0.20 (sarcasm).<p>I just wonder what would happen if everyone who doesn&#x27;t want this decides to take Apple to small claims court? These companies, Google, Apple, Microsoft, Facebook continue to violate fundamental rights to privacy because they have no reason to stop. There are no significant penalties.<p>Or perhaps we need a bill of rights. Anyone know of such a thing?

All of these issues with UIDs make me believe that we should maybe transition to Probabilistic Data Structures and group users randomly together, e.g. based on HyperLogLog abstracted UIDs. Only the user device itself would have the full ID, the service would get an abstracted, probabilistic version of it, which can (and will) collide with other abstracted IDs. Thus, the service could never be 100% sure who exactly a single user is - out of a group of (e.g.) 12 people that happen to yield the same probabilistic representation.<p>(I know there&#x27;re also many issues with this approach, so take it with a grain of salt)

Recent and related:<p><i>Apple sends DSID with iPhone analytics data, tests show</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=33695937" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=33695937</a> - Nov 2022 (111 comments)<p><i>Proposed class action alleges that Apple tracks users despite privacy assurances</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=33593455" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=33593455</a> - Nov 2022 (191 comments)<p><i>App Store on iOS 14.6 sends every tap you make in the app to Apple</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=33520775" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=33520775</a> - Nov 2022 (190 comments)

Allegedly it’s fine because they’re collecting information for internal use and not sharing with third parties, but really the industry is trying to redefine tracking as cross service&#x2F;site tracking. Well I think they should set the same bar internally

The irony of Tim Cook only a few years ago claiming they don&#x27;t want your data [1] &quot;We treasure your data. We wanna help you keep it private and keep it safe.&quot;<p>[A] <a href="https:&#x2F;&#x2F;observer.com&#x2F;2019&#x2F;05&#x2F;tim-cook-apple-data-privacy-crusade&#x2F;" rel="nofollow">https:&#x2F;&#x2F;observer.com&#x2F;2019&#x2F;05&#x2F;tim-cook-apple-data-privacy-cru...</a>

The use of tracking is acceptable under the GDPR if it is necessary for providing the product&#x2F;service. The Apple ID, being necessary for determining the applications you have bought&#x2F;are installing would be considered necessary. Permission to have it is not required.<p>If the Apple ID is <i>shared</i> to another 3rd party by Apple, then it is not just being used for providing the product&#x2F;service. So it would be required to get permission under GDPR.<p>Apple sells a service which is iPhone+iOS+App Store. While it is <i>technically</i> possible to separate, Apple doesn&#x27;t. It&#x27;s all required. So the Apple ID is required for doing that.<p>The fact that the Apple ID can be associated to an individual and their PII is something that theoretically could be isolated, but Apple are not required by law or regulation to do so as long as their use of the ID stays unshared and &quot;necessary&quot;.

Isn’t this a misunderstanding of what PII is? An evil entity, given this couldn’t unmake me the way they could with a name, e-mail, or even IP

This isn&#x27;t really all that surprising<p>Anyone who uses Apple&#x2F;Google&#x2F;Microsoft&#x2F;other products <i>as intended</i> will have no privacy. By <i>as intended</i>, I mean using chrome while logged into a google account, using MacOS while logged into an apple account (and using all of apple&#x27;s internal applications), using android with a google account, etc<p>I wouldn&#x27;t be surprised if the usage data, health data, from e.g. iOS+services goes straight to data brokers. I can&#x27;t prove this, but it wouldn&#x27;t surprise me. Even if it didn&#x27;t, there&#x27;s no guarantee of how the data will be used internally (or whether it&#x27;s given to law enforcement, for example)<p>If someone uses these products as intended and has even the slightest expectation of privacy (e.g. believing any of the vague BS in the TOS), they&#x27;re probably not the sharpest knife in the drawer (or at the very least, grossly misinformed)

<i>Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you. Apple states in their Device Analytics &amp; Privacy statement that the collected data does not identify you personally.</i><p>Even if legal, this is obviously a very bad look for a company that claimed they were all about privacy and took actions against competitors to protect users&#x27; privacy.

Well, I’m not surprised. All the megacorps seem to be crap at privacy because privacy interferes with their lucre. So, Apple is just another Google, Microsoft, Meta, Amazon, etc. I know that they advertised otherwise, but that’s a matter for court and truth in advertising laws; personally I’ve always assumed that every phone is a passive surveillance device.

Reason x why I&#x27;m rooting for Zack and his metaverse bet! I love the iPhone &amp; Mac but I dislike apples approach to &quot;privacy&quot; feels hypocritical

That&#x27;s why I turned all this junk OFF on all my apple devices. Why would I help them better their software? Hire more test engineers.

I really don&#x27;t get the outrage.<p>I assumed that by stepping into Apple&#x27;s walled garden, they would know and store:<p>- where my devices are<p>- what I&#x27;m doing with them (i.e. apps downloaded and started, which features I use yadda yadda yadda<p>- any app I download and use will independently log all my taps and interactions within that app<p>- and since I use iCloud: where all my data is<p>What would make you think otherwise?