Authors: Meenaz Munshi, Anushka Bhansali and Hemant Adarkar
This piece was written for the Data Governance Network Blog.
Last week, at its much-awaited annual Worldwide Developers Conference (WWDC), Apple Inc. announced a slew of privacy-preserving features for the Apple ecosystem. A more granular privacy report, a VPN-like feature for its browser, Safari, and privacy features for its email application were among the key features announced. This comes close on the heels of the May 2021 launch of iOS 14.5, which required third-party applications to get consent from users for tracking their data. Before this, a December 2020 change in App Store policy required all apps listed in the Apple App Store to list the data the application collected, what data was linked to the user and whether this could be used to track the user. With these announcements, Apple further cements its privacy-conscious image, which it is now promoting as its major USP. These developments have nudged Google, which owns the rival Android platform, to announce its own privacy measure, namely a ‘Privacy Dashboard’, in its new Android 12, to be launched later this year. While these new measures are a welcome move, the privacy implications for users are not really what they seem to be at first glance.
The Identifier for Advertisers (IDFA) is a random device identifier assigned by Apple to a user's device. Advertisers use it for customized advertising. The changes in IDFA usage outlined in the recent policy changes still permit apps to gather information about users; they just forbid the sharing of that information for advertising purposes. Additionally, Apple's in-house apps that come pre-installed on an iPhone are exempt from these rules. Hence, Apple is making a move that looks privacy-preserving while it also tilts the balance of power more firmly in its favour. Apple has used open-ended phrases such as data ‘may be used’ and ‘we may use’ in the new policy to collect data through the App Store and the device. Hence, Apple may be able to use personal data for marketing purposes and to track users.
Since the advent of smartphones, Android and iOS, the leading mobile operating systems, have been gaining access to granular data on users. What makes this information richer is the fact that it covers users' behaviour not only in the online world but also in the real world, through a plethora of sensors like accelerometers, gyroscopes, magnetometers, GPS, Wi-Fi, Bluetooth, etc. These sensors make life more convenient not only for users, but also for Apple and Google, who can harvest detailed information about the lived experience of users.
Even a basic minimal configuration of both iOS and Android handsets can share data with Apple/Google, on average, every 4.5 minutes even when the phone is idle. For instance, as soon as a SIM is inserted in an iPhone or Android phone, it sends various details like the IMEI number, phone number, hardware and SIM serial numbers, and device IDs to Apple/Google without a user logging into the phone. In addition, Apple gains access to users’ location, local IP address and nearby MAC addresses too. These critical data points help these tech giants track users’ movements better.
According to a recent study by Trinity College Dublin, Google collects 20 times more handset data than Apple. Assuming all Android users have Google Play Services enabled, scaling up the measurements suggests that in the US alone, Apple collects around 5.8GB of handset data every 12 hours while Google collects around 1.3TB of data. In addition to collecting handset data, tech giants collect user data through applications, web browsers, etc. Hence, it takes these tech giants no effort to form a digital persona of users through the enormous data bank they’ve created over the years.
Our privacy conversations will be incomplete unless we acknowledge the overwhelming presence of these prominent players, especially in the mobile phone space. What is not widely known cannot be counteracted. The lack of awareness about the extent of data collection, along with the ‘privacy preserving’ marketing pivot currently put into motion by these tech giants, makes it difficult to gather public support to push back against these intrusions.
At present, users have very few options for countering privacy intrusions when they set up their new handsets. User choice, even for those who only want to use basic calling services, becomes very limited. One either agrees to share data, forgoes the use of services, or switches to a basic feature phone. An iPhone user has no way to prevent the data sharing when they start their phone, as there is no opt-out option available even when a user wants a minimal configuration that just allows them to make and receive calls. On the other hand, Pixel users have an option to minimise the data leakage by disabling their network connection during startup and then disabling the various Google components (especially Google Play Services, Google Play Store and the YouTube app) before enabling a network connection. However, this reduces functionality significantly, and only the tech-savvy will be able to use this workaround, making it far less useful for general mobile users.
Real solutions to this invasion of privacy are possible. While acknowledging the problem makes for a good start, we need to consider options, both regulatory and technical, to address the challenge and provide real privacy-preserving technology options to mobile technology users across the globe.