iPhones Harvest and Transmit Massive Amounts of Data While You Sleep

iPhones are surprisingly active in the middle of the night, according to a report by Washington Post Technology writer, Geoffrey Fowler.

Fowler tracked his iPhone’s activity recently, finding that dozens of companies were receiving information at all hours.

On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.

And all night long, there was some startling behavior by a household name: Yelp. It was receiving a message that included my IP address -— once every five minutes. –WaPo

Also not lost on Fowler was the irony of a January Apple advertisement which claimed “What happens on your iPhone stays on your iPhone.”

iPhone apps passing information in the middle of the night include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post and IBM’s the Weather Channel. “One app, the crime-alert service Citizen, shared personally identifiable information in violation of its published privacy policy,” Fowler notes.

With the help of privacy firm Disconnect, Fowler encountered over 5,400 trackers in just one week – mostly within apps, that send his information to third party companies. Over the course of a month, the unwanted trackers were on track to upload 1.5 gigabytes of data.

“This is your data. Why should it even leave your phone? Why should it be collected by someone when you don’t know what they’re going to do with it?” said former NSA researcher Patrick Jackson who is currently Disconnect’s chief technology officer. Jackson used special software to analyze Fowler’s iPhone.

“I know the value of data, and I don’t want mine in any hands where it doesn’t need to be,” he said.

In a world of data brokers, Jackson is the data breaker. He developed an app called Privacy Pro that identifies and blocks many trackers. If you’re a little bit techie, I recommend trying the free iOS version to glimpse the secret life of your iPhone.

Yes, trackers are a problem on phones running Google’s Android, too. Google won’t even let Disconnect’s tracker-protection software into its Play Store. (Google’s rules prohibit apps that might interfere with another app displaying ads.)

Part of Jackson’s objection to trackers is that many feed the personal data economy, used to target us for marketing and political messaging. Facebook’s fiascos have made us all more aware of how our data can be passed along, stolen and misused — but Cambridge Analytica was just the beginning.

Jackson’s biggest concern is transparency: If we don’t know where our data is going, how can we ever hope to keep it private? –WaPo

App Trackers are akin to the cookies used on websites that monitor and report your activity around the internet. In apps, however, there’s virtually no notice that this is happening, and they’re difficult to block.

So why do the trackers activate in the middle of the night? Some appmakers set them to harvest data whenever the phone is plugged in, or they think it won’t interfere with other functions. According to Fowler, “These late-night encounters happen on the iPhone if you have allowed “background app refresh,” which is Apple’s default.”

In the case of Yelp, the company said their app’s behavior wasn’t actually a tracker, rather, an “unintended issue” that’s been mimicking a tracker. According to the company, Fowler’s discovery only affects 1% of its iOS users, especially those who have made reservations through Apple Maps. “At best, it is shoddy software that sent Yelp data it didn’t need. At worst, Yelp was amassing a data trove that could be used to map people’s travels, even when they weren’t using its app,” notes Fowler.

Popular food delivery app DoorDash is another harvesting offender – which uses a tracker called Sift Science to get a ‘fingerprint’ of your phone – including device name, model, ad identifier and memory size, as well as an accelerometer motion reading to help identify fraud (so they say). Three other trackers used by DoorDash monitor the app’s performance, including one called Segment which routes data such as the delivery address, name, email and cell carrier of the phone’s owner.

DoorDash’s other five trackers, including Facebook and Google Ad Services, help it understand the effectiveness of its marketing. Their presence means Facebook and Google know every time you open DoorDash.

The delivery company tells me it doesn’t allow trackers to sell or share our data, which is great. But its privacy policy throws its hands up in the air: “DoorDash is not responsible for the privacy practices of these entities,” it says.

All but one of DoorDash’s nine trackers made Jackson’s naughty list for Disconnect, which also powers the Firefox browser’s private browsing mode. To him, any third party that collects and retains our data is suspect unless it also has pro-consumer privacy policies like limiting data retention time and anonymizing data. –WaPo

Some of the other companies mentioned, including Microsoft, Nike and the Weather Channel, insist that their trackers are to improve performance. The Intuit-owned Mint, says it uses Adobe’s marketing tracker to better advertise to Mint users. The Washington Post (awkward) told their employee that the trackers “were used to make sure ads worked.” Spotify simply directed Fowler to their privacy policy.

Citizen, the app for location-based crime reporting, said in their privacy policy that they wouldn’t share “your name or other personally identifying information.” When Fowler ran his test, however, he found that “it repeatedly sent my phone number, email and exact GPS coordinates to the tracker Amplitude.” 

It was only after Citizen was contacted about this that they removed the Amplitude tracker.

“We will do a better job of making sure our privacy policy is clear about the specific types of data we share with providers like these,” said Citizen spokesman J. Peter Donald, who added “We do not sell user data. We never have and never will.”

What does Apple have to say about all of this?

Fowler was disappointed at the orgy of data harvesting happening at all hours, and asked “isn’t Apple supposed to be better at privacy?”

“At Apple we do a great deal to help users keep their data private,” Apple said in a statement. “Apple hardware and software are designed to provide advanced security and privacy at every level of the system.”

“For the data and services that apps create on their own, our App Store Guidelines require developers to have clearly posted privacy policies and to ask users for permission to collect data before doing so. When we learn that apps have not followed our Guidelines in these areas, we either make apps change their practice or keep those apps from being on the store,” said Apple.

Except that Fowler found that very few apps using third-party trackers were actually disclosing the names of those companies, or how they protect his data.

Getting more deeply involved in app data practices is complicated for Apple. Today’s technology frequently is built on third-party services, so Apple couldn’t simply ban all connections to outside servers. And some companies are so big they don’t even need the help of outsiders to track us.

The result shouldn’t be to increase Apple’s power. “I would like to make sure they’re not stifling innovation,” says Andrés Arrieta, the director of consumer privacy engineering at the Electronic Frontier Foundation. If Apple becomes the Internet’s privacy police, it could shut down rivals. –WaPo

Disconnect’s Jackson suggested that Apple might consider adding controls built into the iOS which would give people more visibility, or require apps to clearly disclose when they’re using third-party trackers.

” If I opened the DoorDash app and saw nine tracker notices, it might make me think twice about using it,” concludes Fowler. Indeed.