Apple in turmoil: iCloud is reportedly a sieve for privacy
Published on 22/11/2022 at 12:40
After revealing that Apple was tracking its users in some of its applications despite the company's statements to the contrary, two cybersecurity researchers have just demonstrated that iCloud is not as anonymous as the company initially claimed.
Although Apple has presented itself for several years as the guarantor of its users' privacy, that reputation has been eroding over the past several weeks. A series of revelations has shaken the company. We owe them to Tommy Mysk and Talal Haj Bakry, two cybersecurity researchers who have made a point of demonstrating that Apple is not the guardian angel it claims to be.
At the beginning of November, the two friends revealed that Apple was collecting data from some of its in-house applications, such as App Store, Apple Music and Apple TV, even if the user of the device had deactivated the “Analytics” setting that is supposed to stop any data from being sent. That discovery led to legal proceedings against the company in the United States. What will happen with these new revelations?
iCloud isn’t as anonymous as Apple claims
On its site, Apple states that while “Phone Analytics may include details about hardware and operating system specifications, performance statistics, and data about how you use your devices and applications”, the platform does not, however, collect any data that would allow the owner of the account in question to be clearly identified. Even when the user knowingly agrees to transmit information to Apple for analytical purposes, the company continues to claim that encryption makes it possible to anonymize everything.
This is where the new discoveries of Tommy Mysk and Talal Haj Bakry come in. They put their finger on a small file called “DSID”, for “Directory Services Identifier”. “This ID is unique for each iCloud account,” they explain on Twitter.
🚨 New Findings:
Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you 👇 pic.twitter.com/3DSUFwX3nV
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 21, 2022
“This means that Apple can personally identify you,” summarize the security experts. “Apple uses DSID to uniquely identify Apple ID accounts. The DSID is associated with your name, email address, and all of your iCloud account data.” With supporting evidence, Mysk and Bakry demonstrate that the Cupertino company is not being fully straightforward about the anonymity of the analytics data retrieved via iCloud.
Apple uses DSID to uniquely identify Apple ID accounts. DSID is associated with your name, email, and any data in your iCloud account. This is a screenshot of an API call to iCloud, and the DSID can be clearly seen alongside a user’s personal data: pic.twitter.com/x59lr0AzWf
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 21, 2022
In their explanations, security experts indicate that data is sent no matter what, even when the user disables analytics on their device within their settings. As iCloud is the nerve center of an Apple account, the DSID also affects other applications, such as the Apple Store. Mysk then declares:
“You need to know three things: the Apple Store sends detailed analytics about you to Apple; there’s no way to stop this; analytics data is directly associated with you.”
Another strange problem for iCloud
These revelations are not the only ones to tarnish iCloud’s reputation this week. This Monday, users found they had access to other people’s photos and videos on the storage platform when using the iCloud for Windows app. The phenomenon, reported by MacRumors, reportedly affects a very large number of people.
This again calls into question the way Apple manages the privacy of users of its services. Not only does the American company seem capable of associating data collected for analysis purposes with the accounts of the people concerned, but it also apparently has difficulty keeping their photos and videos private. For now, Apple has not reacted to these two situations.