I had a chat
today a while ago with my colleague about the new iPhone. And again when the new Google Pixel came out. Did they innovate? No. Did they do x,y,z, who cares, because that's not part of the story. We are without a doubt the most concerned about our privacy and security of our devices, and in conjunction our respective lives. A thought came across my mind as we were chatting. He owns a Mac, an iPhone, and I'm sure possibly some other Apple device. How can he care about his privacy whilst using all these devices?
But then realised, who am I to judge when I am running android, which (you guessed it) possibly phones home to google. It got me thinking. Is one company actually worse than the other in this slowly diminishing landscape of variety, and in conjunction of providers for smart phones?
So I started this blog entry with the end goal of finding out:
- What does default Android send back?
- What does default iOS send back?
Full disclosure, I am reading off of the following change log at time: 20160829. If there are any discrepancies please see the changes between the latest version and this version.
The Highlights for Google
Combining of Information
We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know. Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.
Take this highly plausible scenario:
Sharing is "caring"
Under "Information we share" and "external processing" is the following snippet
The word affiliate is defined over here but "trusted businesses" or "persons to process it for us" are not. A trusted business could be your local bank, it could be an external contractor that has to adhere to a confidentiality clause. (It could not be though, I guess we can just hope)
Voice Assisted Typing
If you speak to google, using Google Now or Google Keyboard, your utterance[^1] is synced to google. That's right, Google "crowd sources" your speech patterns. What I love about this policy is the following quote.
We do not send any utterances to Google unless you have indicated an intent to use the Voice Search function
Which is basically, we won't
spy on you use your voice patterns unless you physically ask. I couldn't believe it.
- Apple's Approach to Privacy - Defines how each service operates on a high level.
The Highlights of Apple
Disassociation between Personal and Non-Personal
Apple draws a line between what is classified as your "personal" information and what is "non-personal". Items of a personal nature include:
- Credit Card
- Your devices location (but only if you have enabled location services)
- etc, etc?
Basically anything that has a direct correlation between you as a person and your physical location. But they do not explicitly say all the things that are classified as personal, only what they do with that information. They do the normal things, encrypted at rest, only use for marketing, blah blah blah. So what is classified as non-personal then? They define non-personal data as:
We also collect data in a form that does not, on its own, permit direct association with any specific individual.
I guess that clears up what is "personal, and non-personal them". Then in the next sentence they continue with:
We may collect, use, transfer, and disclose non-personal information for any purpose
Any purpose at all your "non-personal" information can be disclosed to any party. Ugh, now they are back on Google's level. But its okay its just "non-personal" information yeah?
We may collect information such as occupation, language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.
So they can use your occupation and zip code to serve you targeted advertising, and this is classified as non-personal. They also classify a "Unique Device Identifier" as non-personal.
The following snippet is from the Siri section of the "Approach to Privacy" document. I guess technically its not a snippet its a whole bloody paragraph, but it highlights what apple is doing correctly. Yeah you read right! I believe this is possibly the best approach that we could expect from a massive company.
To help them recognize your pronunciation and provide better responses, certain information such as your name, contacts, and songs in your music library is sent to Apple servers using encrypted protocols. That said, Siri and Dictation do not associate this information with your Apple ID, but rather with your device through a random identifier. Apple Watch uses the Siri identifier from your iPhone. You can reset that identifier at any time by turning Siri and Dictation off and back on, effectively restarting your relationship with Siri and Dictation. When you turn Siri and Dictation off, Apple will delete the User Data associated with your Siri identifier, and the learning process will start all over again.
All of their other applications are executed in the same fashion. The News, Maps, and Spotlight applications all do client side generations of a profile. Here is a quote from the spotlight application:
It also protects your privacy by only associating your location with a random rotating identifier that refreshes every 15 minutes.
Now that's cool.
How Unique is your "Unique Device Identifier"?
I don't have an answer to this question, as it is meant to be rhetorical and thought provoking. If you could link a Unique Device Identifier to the "Personal Data" you would basically have a complete over arching view of someone’s life and how they interact, what they search for and who they are. Scary stuff.
What Can I do?
If you are an avid user of Google's services, make sure you do a Privacy Checkup and make sure you are not sharing any of your interests with Google that you are not happy with. Google gives you a fair amount of options to opt out of parts of its services, such as specialised advertising when you are logged in and logged out.
You can do the same with Apple. You can opt-in your AppleID so that all 3rd party services cannot give you targeted advertisements. You can do that by following this link which will help you Learn how to limit interest-based ads provided by Apple on your iPhone, iPad, iPod touch, and Apple TV, and how to turn off location-based ads provided by Apple on your iPhone, iPad, and iPod touch
But, and its a huge butt as well. You should consider:
- Changing to firefox as your default browser
- For your computers, phone and tablets as well!
- Installing uBlock Origin for your browsers (you can also install it on your phone! (Android only for now)) to block analytic services.
- Start blocking Google's analytic services, (which happens by default if using uBlock Origin)
- Change to DuckDuckGo as your default search engine of choice.
- Enable the Do Not Track setting in your browser.
Findings (aka tl;dr)
tl;dr Apple is not as bad as Google, in regards to your privacy.
Both companies collect what all companies collect. As much information as they possibly can about their user base and they hoard that information to improve their services. Apple is clearly the winner out of the two as instead of linking as much as possible to a user, it aggregates across services and keeps specific information about you on your clients device, to improve the client. I believe this is exactly what you should want from applications on our devices. I'd be happy for a device to learn and provide more accurate information, such as news stories or calendar invites, but only if it is done by the client application itself.
My one example is Google reading our emails. This is done by Google's servers. If you moved this reading and parsing of emails to an email client application such as K9-Mail (an open source Android email client). When you get a new email, I'd be quite happy for it to pop-up add ask me to add a new calendar event or task that has a deadline. The concept is amazing which is why Pixel phones and the Google Assistant is being lapped up by everyone. As soon as you put all that data mining ability in a client application it would cause the application to increase in size and possibly give the option for people to reverse the application, open source it and remove the edge that Google has on the market in regards to email services and it's assistant.
So it seems I am on the wrong side of the fence. Is Apple currently "less evil" than Google in regards to the information it collects and your privacy? Possibly, but only due to the fact that Google gets as much raw data as possible and links it against all your other information. Apple not only aggregates non-personal data, and (apparently) uses the anonymized results to improve services, but also have applications that do client side recommendations which don't correlate to your personal identifiable information. This is directly compared to Google collection of application usages.
Please voice your concerns and thoughts in the comments section. I'm eager to hear what everyone thinks about your favourite companies now.
- Utterance definition: It is a continuous piece of speech beginning and ending with a clear pause.
- Clickstream is the recording of the parts of the screen a computer user clicks on while web browsing or using another software application
Subscribe to Slowbro's Blog
Get the latest posts delivered right to your inbox