It’s widely believed that iPhones are among the most secure smartphones you can buy — and that’s largely true. But what if your iPhone was collecting more personal data about you than you were led to believe? According to security researchers Tommy Mysk and Tala Haj Bakry, that’s exactly what’s happening.
Late in the evening on November 20, Mysk and Bakry published a series of tweets digging into something called “Directory Servicers Identifier” — or “DSID” for short. When you set up your iPhone for the first time, Apple asks if you want to share analytics data with the company to “help Apple improve and develop its products and services.” You’re then given a DSID if you agree to this, and upon doing so, Apple states that “none of the collected information identifies you personally.” According to Mysk and Bakry, however, that may not be entirely accurate.
The security researchers claim that the DSID Apple assigned to users’ iCloud accounts does contain personally identifiable information — including people’s names, emails, and “any data in your iCloud account.” One of the tweets shows a screenshot of an application programming interface (API) connecting to iCloud with someone’s DSID “clearly seen alongside a user’s personal data.”
This news comes just days after a Gizmodo report where Mysk also claimed that Apple is collecting this analytic data even when users decline to share it during their device’s setup process. That revelation quickly led to Apple being hit with a class-action lawsuit in California, though it remains to be seen if the company will be faced with similar backlash for this latest purported finding.
3/6
Apple uses DSID to uniquely identify Apple ID accounts. DSID is associated with your name, email, and any data in your iCloud account. This is a screenshot of an API call to iCloud, and DSID it can be clearly seen alongside a user's personal data: pic.twitter.com/x59lr0AzWf— Mysk 🇨🇦🇩🇪 (@mysk_co) November 21, 2022
While Apple has yet to comment on this discovery, Apple’s legal page detailing its analytics collection very clearly states the following: “iPhone Analytics may include details about hardware and operating system specifications, performance statistics, and data about how you use your devices and applications. None of the collected information identifies you personally.”
Obviously, that doesn’t line up with Mysk’s discovery of the DSID easily being linked to people’s names, emails, and App Store activity.
Apple has been a loud and public supporter of user privacy for years, though the company rarely comments on instances like this where its privacy claims are called into question. Apple may clear the air about what’s going on here, or we could be left in silence to figure things out for ourselves.
