Apple Inc. has positioned itself as the champion of privacy. Even as Facebook Inc. and Google track our moves around the internet for advertisers’ benefit, Apple has trumpeted its noble decision to avoid that business model. When Facebook became embroiled in a scandal over data leaked by an app developer, Apple Chief Executive Officer Tim Cook said he wouldn’t ever be in such a situation. He framed Apple’s stance as a moral one. Privacy is a human right, he said. “We never move off of our values,” he told NPR in June.
The campaign is working, as evidenced by media reports depicting Apple as hero to Facebook’s villain. But that marketing coup masks an underlying problem: The world’s most valuable company—its market value crossed the $1 trillion mark on Aug. 2—has some of the same security problems as the other tech giants when it comes to apps. It has, in effect, abdicated responsibility for possible misuse of data, leaving it in the hands of the independent developers who create the products available in its App Store.
Bloomberg News recently reported that for years iPhone app developers have been allowed to store and sell data from users who allow access to their contact lists, which, in addition to phone numbers, may include other people’s photos and home addresses. According to some security experts, the Notes section—where people sometimes list Social Security numbers for their spouses or children or the entry codes for their apartment buildings—is particularly sensitive. In July, Apple added a rule to its contract with app makers banning the storage and sale of such data. It was done with little fanfare, probably because it won’t make much of a difference.
When developers get our information, and that of the acquaintances in our contacts list, it’s theirs to use and move around unseen by Apple. It can be sold to data brokers, shared with political campaigns, or posted on the internet. The new rule forbids that, but Apple does nothing to make it technically difficult for developers to harvest the information.
This is the kind of situation that landed Facebook CEO Mark Zuckerberg in 10 hours of congressional testimony in April. In that case, the maker of a personality quiz app gathered the profile information not only of Facebook users, but also of those users’ friends, then shared it with Cambridge Analytica, the consulting company that worked to help elect Donald Trump. As many as 87 million people were affected, even though only 270,000 used the quiz app. Senators interrogated Zuckerberg about why the company didn’t have a means of knowing where the data went. “Once it’s out of our system, it is a lot harder for us to have a full understanding of what’s happening,” he said.
Apple has the ingredients for a Cambridge Analytica-type blowup, but it’s successfully convinced the public that it has its users’ best interests at heart with its existing, unenforceable policies. Indeed, Bloomberg’s report about the app makers’ data access elicited positive commentary from lawmakers and privacy advocates about the potential benefit of Apple’s rule—and little mention of the 10 years of minimal oversight that preceded it. The office of Democratic Senator Mark Warner of Virginia, one of Facebook’s loudest congressional critics, said Cook and his company “should be applauded—for this and for other user-empowering moves Apple has made that will give consumers better control over how their data is used.”
But Apple doesn’t have control.
The company’s main argument for why it’s a better steward of customers’ privacy is that it has no interest in collecting personal data across its browser or developer network. It simply doesn’t need to, because it doesn’t make its money off advertising. The public wholeheartedly agrees with this “hear no evil, see no evil” strategy because of popular discomfort over the quiet surveillance of private online habits by all the other multibillion-dollar corporations.
Apple’s argument holds when it comes to tracking phone messages or the articles users read. Certain data are indeed safer from third parties when stored on a device. But when it comes to the app developer network, that’s like a parent—in this case, Apple—claiming the developer kids are well-supervised. They’re not. Once Apple reviews and approves independent apps, it can’t see how the data they collect is used.