I had a chat a while ago with my colleague about the new iPhone, and again when the new Google Pixel came out. Did they innovate? No. Did they do x, y, z? Who cares, because that's not part of the story. We are, without a doubt, the most concerned about the privacy and security of our devices, and by extension our respective lives. A thought came across my mind as we were chatting. He owns a Mac, an iPhone, and I'm sure possibly some other Apple device. How can he care about his privacy whilst using all these devices?

But then I realised, who am I to judge when I am running Android, which (you guessed it) possibly phones home to Google. It got me thinking. Is one company actually worse than the other in this slowly diminishing landscape of variety, and of providers, for smartphones?

So I started this blog entry with the end goal of finding out:

  • What does default Android send back?
  • What does default iOS send back?

Unfortunately it isn't so easy to get exact figures without doing a serious, in-depth and gruelling network and code review. I guess you could do a code review of all the open source Android code, but that wouldn't help with iOS. So the slightly easier path is finding out what the two companies collect by perusing their privacy policies. I will try to do my best in summarising the fun parts, but I highly suggest you read them yourselves. Because when was the last time that you didn't click "I Accept" and actually read a Privacy Policy, or a Terms Of Service (TOS) agreement?

Google’s Privacy Policy

  • https://privacy.google.com/your-data.html
  • Google’s Privacy Policy
  • Did you know that Google has an archive of all the changes to its privacy policy, and shows the diff between each version? (That is kinda awesome in my book.) It's over here.

Full disclosure: I am reading off the change log dated 20160829. If there are any discrepancies, please see the changes between the latest version and this version.

The Highlights for Google

Combining of Information

We may combine personal information from one service with information, including personal information, from other Google services – for example to make it easier to share things with people you know. Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.

Take this highly plausible scenario:

A user, let's call him Jeff, has a Gmail account and frequently uses it in a browser. Google reads all of Jeff's emails; we already knew that, and it's explicitly stated in the Privacy Policy that they do. How else can they offer you advertisements and give you Google Now suggestions and calendar events? When Jeff visits a completely different site, maybe to read the news, and that site has Google Analytics running on it, Google can recognise him by his browser/device fingerprint and will intentionally associate the visit with his account on their back-end. Does this remind you of anything? Maybe this picture will ring a bell again.

[Image: the Firefox add-on Lightbeam, showing a mesh of visited websites all linked back to Google]

Sharing is “caring”

Under "Information we share" and "external processing" is the following snippet:

We provide personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.

The word affiliate is defined over here, but "trusted businesses" or "persons to process it for us" are not. A trusted business could be your local bank; it could be an external contractor that has to adhere to a confidentiality clause. (Or it might not be; I guess we can just hope.)

Voice Assisted Typing

If you speak to Google, using Google Now or Google Keyboard, your utterance[^1] is synced to Google. That's right, Google "crowd sources" your speech patterns. What I love about this policy is the following quote.

We do not send any utterances to Google unless you have indicated an intent to use the Voice Search function

Which is basically: we won't spy on you or use your voice patterns unless you explicitly ask us to. I couldn't believe it.

Chrome/ChromeOS Privacy Policy

Did you know that their official privacy policy has nothing to do with Chrome, and is completely superseded by Chrome's own policy? That is over here. *cries a little on the inside* But! Any information that is sent to Google via Chrome is subject to Google's privacy policy. If you are using Chrome... well... you might want to read the policy, or just be okay with it all, as it's too late now, right? Wrong!

Apple’s Privacy Policy

Apple's Privacy Policy is very similar to Google's. They collect information on how you use their services, your name, your IP, search terms and your clickstream data[^2]. I'm not sure if it's how they have worded their privacy policy, or that I read Google's first, but after reading Apple's, I actually preferred Apple over Google. (Enqueue rage comments)

The Highlights of Apple

Disassociation between Personal and Non-Personal

Apple draws a line between what is classified as your “personal” information and what is “non-personal”. Items of a personal nature include:

  • Name
  • Credit Card
  • Your device's location (but only if you have enabled location services)
  • Address
  • etc, etc?

Basically, anything that has a direct correlation between you as a person and your physical location. But they do not explicitly list everything that is classified as personal, only what they do with that information. They do the normal things: encrypted at rest, only used for marketing, blah blah blah. So what is classified as non-personal then? They define non-personal data as:

We also collect data in a form that does not, on its own, permit direct association with any specific individual.

I guess that clears up what is "personal" and what is "non-personal", then. In the next sentence they continue with:

We may collect, use, transfer, and disclose non-personal information for any purpose

Any purpose at all: your "non-personal" information can be disclosed to any party. Ugh, now they are back on Google's level. But it's okay, it's just "non-personal" information, yeah?

We may collect information such as occupation, language, zip code, area code, unique device identifier, referrer URL, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.

So they can use your occupation and zip code to serve you targeted advertising, and this is classified as non-personal. They also classify a “Unique Device Identifier” as non-personal.

Application Usages

The following snippet is from the Siri section of the "Approach to Privacy" document. I guess technically it's not a snippet, it's a whole bloody paragraph, but it highlights what Apple is doing correctly. Yeah, you read that right! I believe this is possibly the best approach that we could expect from a massive company.

To help them recognize your pronunciation and provide better responses, certain information such as your name, contacts, and songs in your music library is sent to Apple servers using encrypted protocols. That said, Siri and Dictation do not associate this information with your Apple ID, but rather with your device through a random identifier. Apple Watch uses the Siri identifier from your iPhone. You can reset that identifier at any time by turning Siri and Dictation off and back on, effectively restarting your relationship with Siri and Dictation. When you turn Siri and Dictation off, Apple will delete the User Data associated with your Siri identifier, and the learning process will start all over again.

All of their other applications operate in the same fashion. The News, Maps, and Spotlight applications all generate their profile client-side. Here is a quote about the Spotlight application:

It also protects your privacy by only associating your location with a random rotating identifier that refreshes every 15 minutes.

Now that’s cool.

How Unique is your “Unique Device Identifier”?

I don't have an answer to this question, as it is meant to be rhetorical and thought provoking. If you could link a Unique Device Identifier to the "Personal Data", you would basically have a complete overarching view of someone's life: how they interact, what they search for and who they are. Scary stuff.
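As an added illustration, not code from Apple or from this post, of why the rotating identifier in the Spotlight quote above matters and of the linkage risk raised in this section: a small simulated reporting pipeline with constructed events, comparing a persistent device identifier against a random one that refreshes every 15 minutes, and then joining each against a table of personal data. The `Device`, `link_events` and `join_with_personal_data` names, the sample locations and the placeholder UDID are all hypothetical.

```python
import secrets
from collections import defaultdict

# The 15-minute refresh window quoted from Apple's Spotlight text.
ROTATION_SECONDS = 15 * 60


class Device:
    """Hypothetical client that reports a location with either a persistent
    identifier or a random one that rotates every 15 minutes."""

    def __init__(self, persistent_udid):
        self.persistent_udid = persistent_udid  # constructed placeholder value
        self._rotating_id = None
        self._rotating_since = None

    def rotating_id(self, now):
        # Mint a fresh random identifier once the current window has expired.
        if self._rotating_id is None or now - self._rotating_since >= ROTATION_SECONDS:
            self._rotating_id = secrets.token_hex(8)
            self._rotating_since = now
        return self._rotating_id

    def reset(self):
        # Equivalent of toggling the feature off and on: earlier history is orphaned.
        self._rotating_id = None

    def report(self, now, location, rotating):
        ident = self.rotating_id(now) if rotating else self.persistent_udid
        return {"id": ident, "t": now, "loc": location}


def link_events(events):
    """Server-side view: everything that shares an identifier is linkable."""
    groups = defaultdict(list)
    for event in events:
        groups[event["id"]].append(event["loc"])
    return dict(groups)


def join_with_personal_data(groups, udid_to_person):
    """What a 'non-personal' identifier becomes once it sits beside personal data."""
    return {udid_to_person[i]: locs for i, locs in groups.items() if i in udid_to_person}


def simulate(rotating):
    # Constructed sample: one device reporting every 10 minutes for an hour.
    device = Device("UDID-PLACEHOLDER-0001")
    locations = ["home", "home", "cafe", "office", "office", "gym"]
    events = [device.report(i * 600, loc, rotating) for i, loc in enumerate(locations)]
    return link_events(events)
```

With the persistent identifier the server sees one six-stop trail that joins straight onto a name; with the rotating one it sees three unrelated two-stop fragments and the join returns nothing.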

What Can I do?

If you are an avid user of Google's services, make sure you do a Privacy Checkup and check that you are not sharing any interests with Google that you are not happy sharing. Google gives you a fair number of options to opt out of parts of its services, such as personalised advertising when you are logged in and when you are logged out.

You can do the same with Apple. You can opt your Apple ID out so that third-party services cannot serve you targeted advertisements. You can do that by following this link, which will help you "Learn how to limit interest-based ads provided by Apple on your iPhone, iPad, iPod touch, and Apple TV, and how to turn off location-based ads provided by Apple on your iPhone, iPad, and iPod touch".

But, and it's a huge butt as well, you should consider:

  • Changing to Firefox as your default browser
  • For your computers, phone and tablets as well!
  • Installing uBlock Origin for your browsers (you can also install it on your phone! (Android only for now)) to block analytic services.
  • Blocking Google's analytics services (which happens by default if you are using uBlock Origin)
  • Change to DuckDuckGo as your default search engine of choice.
  • Enable the Do Not Track setting in your browser.

Findings (aka tl;dr)

tl;dr Apple is not as bad as Google, in regards to your privacy.

Both companies collect what all companies collect: as much information as they possibly can about their user base, and they hoard that information to improve their services. Apple is clearly the winner of the two, as instead of linking as much as possible to a user, it aggregates across services and keeps specific information about you on your client device, to improve the client. I believe this is exactly what you should want from the applications on your devices. I'd be happy for a device to learn and provide more accurate information, such as news stories or calendar invites, but only if it is done by the client application itself.

My one example is Google reading our emails. This is done by Google's servers. Suppose you moved this reading and parsing of emails into an email client application such as K-9 Mail (an open source Android email client). When you get a new email, I'd be quite happy for it to pop up and ask me to add a new calendar event or a task that has a deadline. The concept is amazing, which is why Pixel phones and the Google Assistant are being lapped up by everyone. But as soon as you put all that data mining ability in a client application, it would cause the application to increase in size and possibly give people the option to reverse engineer the application, open source it and remove the edge that Google has on the market in regards to email services and its assistant.

So it seems I am on the wrong side of the fence. Is Apple currently "less evil" than Google in regards to the information it collects and your privacy? Possibly, but only due to the fact that Google gets as much raw data as possible and links it against all your other information. Apple not only aggregates non-personal data and (apparently) uses the anonymised results to improve services, but also has applications that do client-side recommendations which are not correlated with your personally identifiable information. Compare this directly with Google's collection of application usage.

Please voice your concerns and thoughts in the comments section. I’m eager to hear what everyone thinks about your favourite companies now.

  1. Utterance definition: It is a continuous piece of speech beginning and ending with a clear pause.
  2. Clickstream is the recording of the parts of the screen a computer user clicks on while web browsing or using another software application.