Two security researchers say that, despite what Apple claims, they have found that Apple’s device analytics contain information that can directly link information about how a device is used, its performance, features, and more, to a specific iCloud account.
Security researchers Tommy Mysk and Talal Haj Bakry on Sunday tweeted that they have found that Apple’s device analytics data includes an ID called “dsId,” which stands for Directory Services Identifier.
🚨 New Findings:
Apple’s analytics data include an ID called “dsId”. We were able to verify that “dsId” is the “Directory Services Identifier”, an ID that uniquely identifies an iCloud account. Meaning, Apple’s analytics can personally identify you 👇 pic.twitter.com/3DSUFwX3nV
— Mysk 🇨🇦🇩🇪 (@mysk_co) November 21, 2022
The researchers’ analysis found that the dsId identifier is unique to every iCloud account and can be linked directly to a specific user, including their name, date of birth, email, and associated information stored on iCloud.
This, despite wording on Apple’s device analytics and privacy legal page, which says the company says no information collected from a device for analytics purposes is traceable back to a specific user. “iPhone Analytics may include details about hardware and operating system specifications, performance statistics, and data about how you use your devices and applications. None of the collected information identifies you personally,” claims the company.
Apple says that if a user agrees to send analytics information from multiple devices logged onto the same iCloud account, it may “correlate some usage data about Apple apps across those devices by syncing using end-to-end encryption.” Apple has yet to comment.