Apple has published new white papers outlining technical details of how some of the privacy features in its most recent operating systems work.
The company posted four new white papers that cover Apple’s photo app, its Safari web browser, the location-based services on its mobile devices and the 'Sign in with Apple' service for signing into third-party apps introduced this year. We have summarized some information included in the white papers.
Safari Privacy Overview
Safari is the built-in browser on Mac, iPhone, iPad, and Apple Watch. Apple says that Safari is built to ensure websites keep working as expected while blocking unwanted cross-site tracking.
Key privacy features like Intelligent Tracking Prevention (ITP) and fingerprinting defense are turned on by default.
Apple claims that Safari minimizes the amount of data passed to third parties like search engines, and it provides many other features to help protect privacy like Private Browsing and secure password management.
Intelligent Tracking Prevention uses the latest in machine learning and on-device intelligence to fight this cross-site tracking. It works by separating the third-party content used to track you from other browsing data, "so what you look at on the web remains your business — not an advertiser’s," according to Apple.
Social widgets embedded on websites, such as like buttons, share buttons, and comment fields, can be used to track you even if you don’t click them or use them. Apple says that Safari blocks this tracking by default, and it prevents social widgets from accessing your identity unless you grant them permission.
Safari also works to prevent advertisers and websites from using the unique combination of characteristics of your device to create a “fingerprint” to track you. These characteristics include the device and browser configuration, and fonts and plug-ins you have installed. To combat fingerprinting, Apple says that Safari presents a simplified version of the system configuration so more devices look identical to trackers, making it harder to single yours out. This protection is on by default, so there are no extra steps for you to take.
When you turn on Private Browsing, Safari won’t add the sites you visit to your history, remember your searches, or save any information from forms you fill out online.
Photos
The Photos app is powered by on-device technologies that surface a user’s best shots and enhance their photos and videos. With iOS 13 and iPadOS, Photos introduces a new Photos tab that helps users organize and rediscover their significant moments; new photo and video editing controls; and new capabilities in Portrait Lighting that let users control the intensity of light just like a photographer in a studio.
Apple says that the Photos app puts users in control of their privacy. Because processing and intelligence run on the device, the user’s photos never leave it to be analyzed. All the analysis, including scene classification and the knowledge graph in Photos, is performed on photos and videos on the user’s device, and the results of this analysis are not available to third parties or Apple.
When a photo is shared from a user’s device, the user has transparency and control. Photos offers sharing controls that allow users to stay in control of what they share, whether with another Apple user or to third-party apps using Photo Picker inside an app or through the Share Sheet in Photos. For example, when sharing a photo with the Share Sheet in Photos, the user can control which metadata, like the Live Photos video or location information, is shared along with the photo. The user can remove the location of the photo or video and choose whether to include All Photos Data, like edit history and depth data, when sharing the image.
Apple also protects user photo data if the user chooses to back up their photo library to iCloud Photos, so that every photo and video they take is kept in one place and accessible across their Apple devices. When syncing photos and videos to iCloud Photos, each file is broken into multiple pieces and encrypted by iCloud using 128-bit AES encryption. A key is then derived from the contents of each piece using SHA-256. Apple stores the keys needed to decrypt the file, along with the file’s metadata, in the user’s iCloud account. The encrypted pieces of the file are stored, without any user-identifying information or the keys, using both Apple and third-party storage services. Unlike other photo services, Apple says it minimizes the data that leaves a user’s device to only what’s needed to provide the service. Apple says that it doesn’t access user photos and doesn’t use them for advertising or for research and development. Additionally, on-device analysis, like the user’s knowledge graph, isn’t synced or shared with Apple.
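To make the storage split concrete, here is an added illustration of the scheme as the white paper describes it (content-derived per-piece keys kept apart from the encrypted pieces); it is not Apple's code, and the piece size and the choice of AES-GCM are assumptions, since the paper only says "128-bit AES".

```swift
import Foundation
import CryptoKit

// Illustration of the described scheme, not Apple's code: split a file into
// pieces, derive each piece's 128-bit AES key from its own contents with
// SHA-256, and keep the keys apart from the encrypted pieces.
let chunkSize = 4096   // assumption: the real piece size is not published

struct StoredPiece { let index: Int; let ciphertext: Data }   // held by the storage provider
struct PieceKey    { let index: Int; let key: SymmetricKey }  // held in the user's iCloud account

/// Content-derived key: SHA-256 of the piece, truncated to 128 bits for AES-128.
func contentKey(for piece: Data) -> SymmetricKey {
    let digest = Data(SHA256.hash(data: piece))
    return SymmetricKey(data: digest.prefix(16))
}

/// Split and encrypt; returns the two halves that are stored in different places.
func encryptForUpload(_ file: Data) throws -> (pieces: [StoredPiece], keys: [PieceKey]) {
    var pieces: [StoredPiece] = [], keys: [PieceKey] = []
    var offset = 0, index = 0
    while offset < file.count {
        let end = min(offset + chunkSize, file.count)
        let piece = file.subdata(in: offset..<end)
        let key = contentKey(for: piece)
        // AES-GCM is an assumption; .combined packs nonce || ciphertext || tag
        // into one blob (non-nil because the default nonce is 12 bytes).
        let sealed = try AES.GCM.seal(piece, using: key)
        pieces.append(StoredPiece(index: index, ciphertext: sealed.combined!))
        keys.append(PieceKey(index: index, key: key))
        offset = end; index += 1
    }
    return (pieces, keys)
}

/// Reassemble with the account-held keys; the pieces alone carry no key or user info.
func decryptDownloaded(pieces: [StoredPiece], keys: [PieceKey]) throws -> Data {
    var out = Data()
    let keyByIndex = Dictionary(uniqueKeysWithValues: keys.map { ($0.index, $0.key) })
    for piece in pieces.sorted(by: { $0.index < $1.index }) {
        let box = try AES.GCM.SealedBox(combined: piece.ciphertext)
        out.append(try AES.GCM.open(box, using: keyByIndex[piece.index]!))
    }
    return out
}

// Constructed sample: 10 000 identical bytes, so pieces 0 and 1 derive the same key.
let sample = Data(repeating: 0x41, count: 10_000)
let (stored, held) = try encryptForUpload(sample)
let roundTrip = try decryptDownloaded(pieces: stored, keys: held)
assert(roundTrip == sample)
```

A storage provider holding only `stored` cannot read the file, while the account holding `held` can reassemble it; note that identical pieces produce identical keys, which is inherent to content-derived keys.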
Location Services
Your location reveals some of the most sensitive information about you. Where you live and work, shop and eat, where you travel, and even where you receive medical care—all can be inferred by tracking your location data. Although it is sensitive, this data helps developers build relevant, personalized software experiences that help you navigate, facilitate the discovery of nearby people, businesses, and events, and more through mapping and other applications.
To help protect users from the misuse of their location data, Apple says it builds software that empowers users to stay in charge of whom they share their location data with, when they share it, and for how long.
Apple says that the following privacy principles are integrated into Location Services:
- Process data on device where possible.
- Minimize the amount of data collected by Apple and shared with third parties.
- Provide transparency and control around data that is shared.
- Protect the user’s identity when sharing sensitive information with Apple.
- Implement security best practices to protect user data.
Apple says that personalized features are created using data on your device. And data that is sent from your device to the Maps service is associated with random identifiers so Apple doesn’t have a profile of your movements and searches.
Many features, like finding your parked car, are created using data on your device. This helps minimize the amount of data sent to Apple servers.
Maps keeps your personal data in sync across all your devices using end-to-end encryption. Your Significant Locations and collections are encrypted end-to-end so Apple cannot read them. And when you share your ETA with other Maps users, Apple can’t see your location.
Maps doesn’t have a sign-in. The data that Maps collects while you use the app — like search terms, navigation routing, and traffic information — is associated with random identifiers, not your Apple ID. These identifiers reset themselves as you use the app to ensure the best possible experience and to improve Maps.
Maps goes even further to obscure your location on Apple servers when you search using a process called “fuzzing.” Because your location can give away your identity, Maps converts the precise location where your search originated to a less-exact one after 24 hours. Apple doesn’t retain a history of what you’ve searched for or where you’ve been.
Maps extensions that are used in ride-booking and reservation apps run in their own sandboxes and share permissions with their parent apps. For ride-booking apps, Maps shares only your starting point and destination with the extension. And when you reserve a table at a restaurant, the extension knows only the point of interest you tapped.
Location permissions let you control the location data that apps receive. You can choose to grant an app access to your location once or anytime you use it.
You can also receive notifications when an app is using your location in the background, so you can decide whether to update your permission. Background tracking notifications now include a map that shows you the places where an app used your location in the background.
Starting in iOS 13 and iPadOS 13, API changes limit the kinds of apps that can see the names of Wi-Fi networks you connect to, which makes it harder for apps to determine your location without your consent. To protect you against apps using Bluetooth to determine your location without your consent, iOS now includes controls so that an app must ask before accessing Bluetooth for any other purpose than playing audio. And Bluetooth settings allow you to change whether an app has access at any time.
In addition, macOS, iOS, and iPadOS let you decide if you want to include the location when you share a photo, whether you’re sharing it with a friend or with an app.
Sign in with Apple
Sign in with Apple is a new service from Apple that allows users to sign in to apps and websites quickly using the Apple IDs they already have. It’s an alternative to other single sign-on solutions and provides users with the convenience of one-tap sign-in combined with security and improved privacy and control over their personal information.
The persistent identity provided by a social login can be combined with data from tracking pixels and other analytics inside of apps that track the user’s browsing habits, clicks, searches, and more, without their knowledge. This collected data amounts to a comprehensive profile of the user’s behavior and preferences that may be shared not only with the app the user is engaging with, but also with the company the user has trusted with their identity. And of course, personal data collected in this way can leak, be stolen, and be vulnerable to misuse by any third parties that gain access to it.
Apple says that 'Sign in with Apple' has been built from the ground up to limit the amount of information that users are required to share, and to provide them with the peace of mind that Apple will not track them as they interact with their apps.
The iPhone maker says it does not participate in tracking or profiling users and does not seek to profit from users’ personal data. Apple will not track users as they engage with their favorite apps and websites, or gather insights about developers’ businesses in the process.
When a user engages with a new app using Sign in with Apple, Apple generates a unique token for the user/developer pair and stores the email address that the user shares with the developer. This allows Apple to manage secure authentication anytime the user needs to sign in, and allows the user to view and manage their relevant account details. Any subsequent visits to an app can be handled on device without sharing any additional information with Apple.
Developers can call a local refresh API (getCredentialState) to confirm that the user is still securely signed in to iCloud on the device and allow the user to continue using the app seamlessly without ever reaching out to Apple’s servers or sharing any additional information. If an explicit sign-in is required to continue using an app—for example, to sign into a financial services app with a limited session length—the developer will call an authentication request API (ASAuthorizationAppleIDRequest) that returns a token from Apple’s servers to allow the user to quickly sign in again. In this case, Apple says it receives basic information about the sign-in event, including the IP address and the Apple ID being used, but deletes this information after a maximum of 30 days.
When signing in using a non-Apple web browser or an app running on another platform, Apple is not able to provide an equivalent to the local refresh API. Therefore, developers will need to make a fresh authentication request each time the user needs to sign in. The same token will be returned from Apple’s servers and the same 30-day data deletion policy applies. This is the extent of information that Apple collects regarding users’ activity as they use Sign in with Apple. Apple says it does not provide any tracking tools to developers or receive data from any analytics or advertising tools that might be employed by any particular app.
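The two-step flow described above (local credential check first, explicit sign-in only when the app requires it), as an added example written against the AuthenticationServices framework; it is not Apple's or any app's code, and it assumes `storedUserID` is the `user` identifier the app saved from its first successful authorization and `anchor` is the window in which to present the sign-in UI.

```swift
import AuthenticationServices

// Added example of the flow described above, not Apple's or any app's code.
// Assumption: `storedUserID` is the `user` identifier the app saved from its
// first successful authorization; `anchor` is the window to present UI in.
final class AppleSignInCoordinator: NSObject, ASAuthorizationControllerDelegate,
                                    ASAuthorizationControllerPresentationContextProviding {
    private let provider = ASAuthorizationAppleIDProvider()
    private let anchor: ASPresentationAnchor
    init(anchor: ASPresentationAnchor) { self.anchor = anchor; super.init() }

    /// Step 1: the local check. Runs on device; nothing is sent to Apple's servers.
    func resumeSession(storedUserID: String, onSignedOut: @escaping () -> Void) {
        provider.getCredentialState(forUserID: storedUserID) { state, _ in
            switch state {
            case .authorized:
                break                   // still signed in; let the user continue seamlessly
            case .revoked, .notFound, .transferred:
                onSignedOut()           // credential gone or moved; require an explicit sign-in
            @unknown default:
                onSignedOut()
            }
        }
    }

    /// Step 2: explicit sign-in, only when the app needs fresh authentication
    /// (e.g. a short session for a financial app). This round-trips to Apple.
    func requestExplicitSignIn() {
        let request = provider.createRequest()
        request.requestedScopes = [.email]   // assumption: ask only for what the app needs
        let controller = ASAuthorizationController(authorizationRequests: [request])
        controller.delegate = self
        controller.presentationContextProvider = self
        controller.performRequests()
    }

    func authorizationController(controller: ASAuthorizationController,
                                 didCompleteWithAuthorization authorization: ASAuthorization) {
        guard let cred = authorization.credential as? ASAuthorizationAppleIDCredential else { return }
        // `user` is the stable per-user, per-developer identifier to persist for step 1.
        // `identityToken` and `authorizationCode` are for the app's own server to verify;
        // `email` may be a forwarding address if the user chose to hide their real one.
        _ = (cred.user, cred.identityToken, cred.authorizationCode, cred.email)
    }

    func authorizationController(controller: ASAuthorizationController, didCompleteWithError error: Error) {
        // cancelled or failed: do not treat the user as signed in
    }

    func presentationAnchor(for controller: ASAuthorizationController) -> ASPresentationAnchor { anchor }
}
```

Only `requestExplicitSignIn` contacts Apple, which is the event the paper says Apple logs for at most 30 days; `resumeSession` is the on-device path and shares nothing.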
If you don’t want to share your email address with a particular app or website, you can choose to hide it. You can also choose to have Apple create a unique email address that forwards to your real address.
Sign in with Apple also requires your Apple ID to be protected with two-factor authentication.