Apple throws down the gauntlet with overhauled privacy policy

Et tu, Google?

Apple is making it very clear how it uses your data with a revamp of its privacy policy, posted in full on the company’s website. In the process, Cupertino is also making it plain just how different it is from other tech companies.

Apple affirmed its commitment to customer privacy a year ago, and Tuesday’s update covers everything new in iOS 9 and OS X El Capitan. The company isn’t just issuing platitudes about how great its privacy protections are—it dives into real detail about how its various services use and protect your data.

Here are the highlights.

Beefed-up encryption: iOS 9 makes six-digit passcodes the new default on Touch ID-enabled iPhones. That significantly reduces the chances of someone cracking your passcode by just guessing it.

Six-digit passcodes are harder to crack.

“We’ve been protecting your data for over a decade with SSL and TLS in Safari, FileVault on Mac, and encryption that’s built into iOS,” Apple’s privacy policy reads. “We also refuse to add a backdoor into any of our products because that undermines the protections we’ve built in. And we can’t unlock your device for anyone because you hold the key—your unique password.”

If you don’t use a passcode to secure your device, you might want to think twice. Apple encrypts the data on your device—like the information collected and stored in the iOS Health app—with encryption keys protected by your passcode. iMessages and FaceTime calls are also protected with end-to-end encryption, so it’s impossible for someone else to access your iMessages without your passcode.

Proactive Siri: In iOS 9, Siri is more helpful, providing you with suggestions for apps to use based on your habits and time of day. Apple says those predictive capabilities are stored on your device, not the cloud, which means the same encryption applies.

If Apple needs to pull information from its servers to offer you suggestions, like what time you should leave the house to make it to an appointment on your calendar, then the company will use anonymized rotating identifiers so that locations and searches won’t be traced to you. (You can also turn off proactive features’ access to your location altogether.)

Maps: This is where Apple really goes after Google (without naming names, of course). Google pulls all of your location data when you’re signed in to Google Maps to create a complete picture of who you are and where you go. That information is really useful to advertisers. Apple’s Maps app only knows you as a random number that frequently resets, scrubbing your data altogether.

“Maps is also engineered to separate the data about your trips—including public transit directions—into segments, to keep Apple or anyone else from putting together a complete picture of your travels,” the policy says. “Helping you get from Point A to Point B matters a great deal to us, but knowing the history of all your Point A’s and Point B’s doesn’t.”

Safari content blockers: iOS 9 brings Safari’s content-blocking capabilities to your iPhone, so you can install apps that block ads while you’re browsing the web. Apple says Safari supports content blockers in a way that prevents the content blocker from sending information to developers about your browsing habits.

Apple Music: Apple doesn’t use your streaming picks to advertise to you on any other service.

News app: The articles you read in iOS 9’s News app aren’t linked to you specifically, but to an anonymous News-specific identifier that you can reset at any time. News does use iCloud to offer you recommendations across all the devices you read News on, but those are stored on the device and not seen by Apple.

Apple does put ads in the News app and uses your reading activity to determine which ads to show you, but that information cannot be used outside of News to show you ads in any other app—not by Apple, and not by the publishers you read in News. You can also turn on Limit Ad Tracking so Apple can’t target ads to you based on your activity in News.

The bulk of government information requests Apple gets are about stolen devices.

Government requests: Governments around the world ask Apple for information on a regular basis, usually because someone has reported a stolen device and needs help tracking it down. But 6 percent of government requests are looking for personal user information. Apple can only divulge information about your iCloud account. If a device is protected by a passcode (which it should be, on devices running iOS 8 and iOS 9), Apple can’t comply with search warrants because files on those devices are protected by an encryption key tied to your passcode. That means Apple complied with just 27 percent of the 6 percent of account information requests in the U.S. from July 1, 2014 through June 30, 2015. Apple didn’t say how many total requests it received, but said less than 0.00673 percent of its customers were affected by requests.

“Apple has never worked with any government agency from any country to create a ‘backdoor’ in any of our products or services,” its government information request policy states. “We have also never allowed any government access to our servers. And we never will.”

Now if you want to dive deep into the details of Apple’s security, grab an adult beverage and sink into your sofa for some quality time with the 60-page iOS 9 security white paper.

Stories by Caitlin McGarry
