The detailed analytics data Apple records about what you do in the App Store can be tied directly to your Apple account, according to app development and research team Mysk. In a Twitter thread, Mysk shows that Apple sends what’s known as a “Directory Services Identifier” along with its App Store analytics info and argues that the identifier is also tied to your iCloud account, linking your name, email address, and more.
The thread also notes that the data is still sent even if you turn off device analytics in settings, and that Apple sends your DSID in other apps as well. In the last tweet in the thread, Mysk says: “You just need to know three things: 1- The App Store sends detailed analytics about you to Apple. 2- There’s no way to stop it. 3- Analytics data are directly linked to you.”
Apple didn’t immediately respond to The Verge’s request for comment on whether it’s actually linking personal info to this sort of analytics data, but let’s take a look at what its own privacy policies have to say about the matter. Spoiler alert: it may be surprising but not necessarily damning (at least in terms of Apple breaking its own rules).
In its thread, Mysk points to a line in Apple’s device analytics and privacy document, which reads: “None of the collected information identifies you personally. Personal data is either not logged at all, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they’re sent to Apple.” There are a couple of things worth noting about this; one is that later on in the document, Apple does say that it “may correlate some usage data about Apple apps” across devices that are signed into the same iCloud account but that it does so in a way that won’t let the company identify you.
More important, though, is that Apple has a separate set of rules about how it tracks you in the App Store (and in Apple News and Stocks, where it also shows ads). And in that document, Apple fully admits that it’s tracking you, personally. I recommend checking out the whole thing, but the first section is enough to show that this is a very different policy than the device analytics one.
Perhaps the most relevant line reads (emphasis mine): “To find ways to improve the stores, we use information about your browsing, purchases, searches, and downloads. These records are stored with IP address, a random unique identifier (where that arises), and Apple ID when you are signed in to the App Store or other Apple online stores.” Apple also lays out some examples of exactly what information it’s collecting: “when you open or close the App Store, what content you search for, the content you view and download, and your interactions with App Store push notifications as well as messages from the App Store within apps.” In other words: the eye of Apple is monitoring pretty much everything you do in the App Store.
The policy also reveals the slightly worrying amount of personal info and data that Apple collects for its app recommendations and advertisements, though it is worth noting that there are controls for those that let you turn off or limit data collection. But that doesn’t seem to be the case for the App Store improvement analytics; the full “Improving the Stores” section makes no mention of any settings that would let you keep Apple from seeing that info.
Of course, users might assume that turning off device analytics while they’re setting up their phone would stop this sort of data collection. And who can blame them; Apple touts its privacy chops all the time, and turning that option off is supposed to deprive Apple of “data about how you use your devices and applications.” But what it doesn’t say is that applications themselves can do all sorts of tracking outside that system; hence almost all of Apple’s apps having their own privacy agreements (which you implicitly agree to by using them).
Apple gets a lot of scrutiny around its privacy policies, as it should — you don’t get to make a billboard that says “what happens on your iPhone, stays on your iPhone” and constantly bray about how much you care about privacy without inviting some skepticism. But that scrutiny has increased as Apple has very publicly turned the screws on how other powerful advertising companies can collect user data on its platforms and as it seems set to make ads a bigger part of its business. And while what Mysk turned up doesn’t necessarily seem to break Apple’s rules (though disclaimer: I am neither a lawyer nor do I have access to the full set of data Mysk captured), I do think a lot of its users would be surprised at how much tracking it’s doing, given how much energy the company spends on touting itself as a company that’s all about privacy.