Apple Tells Lawmakers iPhones Don’t Spy on Users

iPhone-X-1

For the past few months, as stories have broken about the myriad ways that companies like Facebook have shared user data with third parties, a new set of questions has arisen about just how invasive these companies are. Various hardware manufacturers and software developers have examined the issue or even testified to Congress about how their platforms work and what data they collect. Apple has become the latest to respond to these concerns, and like the other firms, it insists it does not record or spy on its users.

In July, Representatives Greg Walden, Marsha Blackburn, Greg Harper, and Robert Latta, asked Apple CEO Tim Cook to provide information on whether phones could collect “non-triggered” speech picked up incidentally while listening for a command like “Siri.” Similar questions have been put to companies like Google and Amazon. Here’s Reuters, quoting Apple’s response:

In a letter to Walden, an Oregon Republican who chairs the House Energy and Commerce Committee, Apple said iPhones do not record audio while listening for Siri wakeup commands and Siri does not share spoken words. Apple said it requires users to explicitly approve microphone access and that apps must display a clear signal that they are listening.

441208-tim-cook

Apple CEO Tim Cook

Apple also noted, however, that “Apple does not and cannot monitor what developers do with the customer data they have collected, or prevent the onward transfer of that data, nor do we have the ability to ensure a developer’s compliance with their own privacy policies or local law,” Apple wrote.

And that sentence, right there, summarizes the tremendous difficulty of finding out what’s happening inside devices, whether or not they’re being used properly, or if you’re being taken advantage of. Earlier this year, a major study of Android devices found that while none of them spied on users by listening in on microphones, some apps would take screenshots and send them to the developer without ever warning the end user that this had taken place. Here’s Christo Wilson, a computer science professor who worked on the research team from Northeastern University. This investigation focused on Android but found no intrinsic reason these vulnerabilities and methods wouldn’t work on iOS as well:

There were no audio leaks at all—not a single app activated the microphone. Then we started seeing things we didn’t expect. Apps were automatically taking screenshots of themselves and sending them to third parties. In one case, the app took video of the screen activity and sent that information to a third party.

The problem here isn’t with Apple’s testimony, which makes reasonable claims regarding Apple’s own behavior. It’s that Apple is as much as acknowledging that the same capabilities that make phones useful and flexible also create scenarios in which user data can be exfiltrated without the user’s consent or knowledge. What is troubling is the way companies, who created these devices in the first place, now wash their hands of any responsibility to ensure that the data they gather is used appropriately and in accordance with user wishes.

There is no practical way for end users to “take responsibility” for their own privacy in these scenarios. The APIs that run on the phones are designed to allow them to perform certain actions without user consent or user notification. In many cases, they perform these actions without disclosing that they do so in any EULA or ToS. The low-level hooks that allow you to watch everything going on inside a PC, right down to the process level, do not exist in the smartphone industry.

We’re glad Apple doesn’t record or attempt to mine user data in some of the ways that have been alleged over the past few years. But the company that practically invented the modern full-screen phone has less interest in inventing ways for its users to enjoy its products without putting their personal data at risk in such fashion — or in stepping up to monitor its own app developers. You’d think a firm with a $1T valuation might have some capacity to address such issues. So far, none has materialized.

Now Read: iOS Camera Permission Lets Apps Take Photos Without Telling You, Yes Google Play is Tracking You, and New Android Malware Secretly Records Audio