iSpy: Apple’s Latest System Update and It’s Privacy Features
This summer, Apple announced the newest version of its operating system, iOS 14.1 These changes highlight the company’s commitment to privacy and provide users with more control over their information.2
Privacy by Design is a concept that, at its core, aims for privacy to become a proactive measure embedded in the design of technology systems and business practices throughout the entire lifecycle of data use.3 It encourages creators to keep the interests of individuals as the top priority and for privacy assurance to be an organization’s default mode of operation.4 While Apple’s new privacy features are in line with the concept of Privacy by Design, this recent update has underscored the need for a uniform standard through a comprehensive federal data protection bill.
Apple Update: What’s New?
Apple’s iOS 14 update brings an array of changes that gives users more control over their information.5 Mobile applications (“apps”) are now required to request permission to access a user’s location. Users now have the option to provide apps with their approximate location, in addition to the previous options of granting or denying access to exact location data.6 Apple has recognized that not every application needs to know a user’s precise location. For example, if someone wants to check the weather or read local news articles, the app only needs to the know what city the user is in to fulfill the request—knowing the precise location of the user serves no critical purpose.7 Users are also able to control the access apps have to their photos and can select the photos they want to share, as opposed to the previous all-or-nothing approach.8 Additionally, a recording indicator will alert users when an app has accessed the device’s camera or microphone.9 Safari, Apple’s browser, blocks all third-party cookies, which means, by default, no advertiser or website is able to follow a user around the internet using commonplace tracking technology.10 Additional features include clipboard access transparency and new access controls for devices in the home and on other local networks.11 These features allow users to decide what they want to give companies and third-parties access to, for how long, and according to the unique desires of each user.
Where Is the Problem?
While Apple’s most controversial update is still aimed at providing users with more control over their data, it places a greater burden on developers and, ultimately, on users. Included in the update is a new option for users to disable tracking between different apps, requiring developers to ask for permission before tracking a user across an app.12 Apple defines “tracking” as “linking user or device data collected from an app with user or device data from other companies’ ‘apps, websites, or offline properties’ for targeted advertising.”13 Tracking is enabled through a number of tools, such as user profiles, digital fingerprinting, or the use of the Identifier for Advertisers (“IDFA”).14 The IDFA is a unique identifier that allows advertisers to precisely track and target users within apps on iOS devices.15 The IDFA allows advertisers to indefinitely track user interaction and use that information to build user profiles that are attached to a device.16 Starting in early 2021, Apple will require developers to affirmatively request access to users’ IDFA’s through Apple’s “AppTrackingTransparency” Framework.17 A user must grant or deny the app permission before they begin downloading or using the app.18 Additionally, Apple’s App Store will require developers to institute a privacy label, comparable to food nutrition labels, that discloses information about their privacy practices, prior to a user downloading that developer’s app.19 If the app uses any third-party code, the developer will need to disclose what data the third-party collects, how the data is used, and whether that data is used to track users across platforms.20
Due to Apple’s transparency measures, users have the power to decide whether they want to grant a developer access to information and whether they trust each app’s practices. Herein lies the problem: the changes to how app developers are able to access information about users are essential, but ultimately place the burden on consumers. The privacy label is a great way for developers’ data collection and use practices to be made transparent. However, this might not provide the average consumer with enough information to make an informed decision. Studies have yielded mixed results: some users do not mind being tracked by advertisers, provided they receive a benefit from it, while others lack trust in these third-party companies and want to control who has access and when.21 The responsibility of protecting consumer information should not fall on individual companies. If this trend continues, the ultimate burden will be placed on consumers to be vigilant about protecting their information and determining which brands, companies, or services to entrust with it. While the privacy features offered by Apple are a great example of Privacy by Design, the rights of consumers to privacy and data protection cannot alone be based on individual company policies.
So, What Now?
Apple’s new privacy features were created with privacy in mind and provide greater transparency for users. The new privacy framework moves closer towards some of the important privacy and data protection laws that have been enacted elsewhere across the globe.22 The European Union’s General Data Protection Regulation (GDPR) is often seen as the gold standard. The GDPR has enshrined the concept of Privacy by Design in Article 25 by requiring companies to implement “appropriate technical and organizational measures” which meet the principles of data protection by design and data protection by default.23.
The United States, in contrast, has yet to pass a comprehensive federal data protection bill which has left states with the job of creating data protection rights for its citizens. California has led the way with the California Consumer Privacy Act. The Act gives California residents greater control over their information and allows them to opt-out of data collection and stop a company from selling their data to third-parties.24 Proposition 24 is on California’s ballot this election and is also in line with some of Apple’s policies.25 It would similarly allow consumers to limit the information collected by businesses, like a ride share user’s race or a weather app user’s exact location.26 New York, Maine, and Nevada are among the states that have passed comprehensive privacy laws, while many states including Washington and Illinois are currently in the legislative process of doing so.27 While state and company-specific efforts are a step in the right direction, there is still a glaring need for comprehensive federal privacy and data protection laws, and the sooner they are enacted, the better. Consumers are faced with a growing number of concerns and choices about their personal information and how companies use their data. In order to ensure uniform policies and compliance, the federal government needs to regulate the industry. This, in conjunction with companies embodying the principles of Privacy by Design, will ensure that individual rights to privacy and data protection are safeguarded.
Apple reimagines the iPhone experience with iOS 14, Apple: Newsroom (June 22, 2020), https://www.apple.com/newsroom/2020/06/apple-reimagines-the-iphone-experience-with-ios-14/ [https://perma.cc/M6GT-2HWJ].↩
Ann Cavoukian, Privacy by Design: The Seven Foundational Principles, Info. & Privacy Commissioner of Ont. (Aug. 2009), https://www.ipc.on.ca/wp-content/upload s/resources/7foundationalprinciples.pdf [https://perma.cc/VD5R-S9MX].↩
Apple reimagines the iPhone experience with iOS 14, supra note 1.↩
Jason Cross, Seven Ways iOS 14 Will Help Protect Your Privacy, Macworld (Aug. 13, 2020, 3:15 AM PDT), https://www.macworld.com/article/3570226/how-ios-14-will-help-protect-your-privacy.html [https://perma.cc/FGC6-B3C2].↩
Photos Tech Brief, Apple (Sept. 2019), https://www.apple.com/ios/photos/pdf/Photos_Tech_Brief_Sept_2019.pdf [https://perma.cc/VV3E-7UVV].↩
Cross, supra note 7.↩
Nick Statt, Apple Updates Safari’s Anti-Tracking Tech with Full Third-Party Cookie Blocking, The Verge (Mar. 24, 2020, 3:07 pm), https://www.theverge.com/2020/3/24/21192830/apple-safari-intelligent-tracking-privacy-full-third-party-cookie-blocking [https://perma.cc/C2CP-FVPV].↩
Dean Takahashi, The DeanBeat: What’s at Stake in Apple’s Potentially Apocalyptic IDFA Changes, VentureBeat (Oct. 9, 2020 8:00 am), https://venturebeat.com/2020/10/09/the-deanbeat-whats-at-stake-in-apples-potentially-apocalyptic-idfa-changes [https://perma.cc/CA9Z-8GBQ].↩
Chance Miller, Apple Doubles Down on iOS 14 Tracking Privacy as Facebook Panics, 9to5Mac (Aug. 11, 2020, 9:55 am), https://9to5mac.com/2020/08/11/apple-ios-14-privacy-tracking-facebook [https://perma.cc/TS8F-7JS7].↩
David O. Klein, App Law and Future Changes to iOS Privacy, Klein Moynihan Turco LLP (Aug. 28, 2020), https://kleinmoynihan.com/app-law-and-future-changes-to-ios-privacy [https://perma.cc/M9ND-QRXM].↩
Owen Ray, What is IDFA and Why Apple Killed it: Everything Marketers Need to Know, Invoca (Sept. 14, 2020), https://www.invoca.com/blog/what-is-idfa-and-why-apple-killed-it-everything-marketers-need-to-know [https://perma.cc/EPJ8-7V8Q]. Companies use tracking to create advertisements targeting certain audiences based on information collected, like the user’s location, device type, usage time, and other behavioral measures like browsing habits and interactions with the app or website. See generally Sara Morrison, Apple is Finally Making It Easy to Hide From Trackers, Vox (June 22, 2020, 5:22 PM), https://www.vox.com/recode/2020/6/22/21299398/apple-ios14-big-sur-privacy-wwdc-2020 [https://perma.cc/MAL5-3W32].↩
Ray, supra note 15.↩
Céline Guillou, Apple’s iOS 14 Transformative Privacy Announcements, Hopkins & Carley: The Privacy Hacker (July 6, 2020), https://www.theprivacyhacker.com/2020/07/apples-ios-14-transformative-privacy-announcements/#page=1 [https://perma.cc/H3ND-S5QN].↩
Klein, supra note 13.↩
Id.; see also Guillou, supra note 17.↩
Greg Sterling, Apple IDFA Consent: Roughly 60% of Consumers Open to Allowing Tracking, Search Engine Land (Sept. 11, 2020, 4:49 pm), https://searchengineland.com/apple-idfa-consent-roughly-60-of-consumers-open-to-persuasion-to-allow-tracking-340390 [https://perma.cc/9CH3-EQQY]; see also Brooke Auxier & Lee Rainie, Key Takeaways on Americans’ Views About Privacy, Surveillance and Data-Sharing, Pew Res. Ctr. (Nov. 15, 2019), https://www.pewresearch.org/fact-tank/2019/11/15/key-takeaways-on-americans-views-about-privacy-surveillance-and-data-sharing [https://perma.cc/4KYA-4QYF].↩
Klein, supra note 13.↩
Regulation (EU) 2016/67 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Direct 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, art. 25, recital 78.↩
California Consumer Privacy Act (CCPA), State of California Department of Justice, Office of the Attorney General, https://oag.ca.gov/privacy/ccpa [https://perma.cc/SC3J-S52R ] (last visited Oct. 9, 2020).↩
Maria Dinzeo, California Voters Get Say on Data Privacy Law. But Is It Tough Enough?, Courthouse News Serv. (Oct. 7, 2020), https://www.courthousenews.com/california-voters-get-say-on-data-privacy-law-but-is-it-tough-enough [https://perma.cc/7UTL-E5XA].↩
Mitchell Noordyke, US State Comprehensive Privacy Law Comparison, IAPP (July 6, 2020), https://iapp.org/resources/article/state-comparison-table [https://perma.cc/P3M7-M3MN].↩