While reading this piece, you’ll likely notice a theme or pattern: Apple is two-faced.  They say one thing, but do another. Apple will do or claim certain things for marketing value, and you’ll believe it.  In actuality, however, their “values” do not line up with their actions.

If you look into Apple’s privacy practices, you’ll first be pointed to apple.com/privacy, a marketing page with misleading claims.  For example, Apple claims iMessage messages are only seen by you and the recipient, however, this is not true.

iMessage uses encryption, which can be used to secure data along its journey from user to server.  Specifically, iMessage uses a technology called “end-to-end” (E2E) encryption.  In a nutshell, “end-to-end” technology encrypts transmitted data using special keys held only by the device that is sending the data and the device that is receiving the data.

A different approach would be to simply encrypt the data in transit using something like TLS, the encryption protocol that protects data sent between a client and a server.  Most of the time, TLS will protect your data from a hacker in a hood on the coffee shop Wi-fi.

However, the data will be fully viewable by the server, since the data decryption keys which are used to read the data are held on the server.  iMessage encryption keys are backed up to iCloud, which does not feature E2E, rendering this technology useless (see here and here).

Now that you know how iCloud and iMessage encryption is handled, consider the truth of this statement by Apple.  “For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.”

This is a sneaky lie that shows how their marketing campaigns are used to mislead the public.  There are many situations involving Apple’s implementation, or lack thereof, of encryption that are highly questionable.

The iMessage example on apple.com/privacy is one of many examples that show the statements made by Apple in an attempt to make the public think positively about their privacy practices, despite the fact that they’re mostly misleading.

In the footer on Apple’s site, apple.com/privacy is listed under the “Apple Values” category, above the actual privacy policy, so most people will click on that first.  Apple’s actual and legal privacy policy is split up among dozens of different subpages.  It can be found here.

Throughout their legal privacy policy, Apple uses clever and vague wording to downplay the privacy violations and be as least specific as possible.

For example, Apple claims to “collect only the personal data that we need.”  What’s considered needed, and what will they do with it?  Who knows.  Third parties can certainly make use of personal data, though, “Apple may share personal data with service providers who act on our behalf, our partners, or others at your direction.”

Again, Apple doesn’t make it clear who these “service providers” are and what they may do with your data.

Apple frequently uses the term “personal data”, so let’s define that.  According to Apple, personal data is “any data that relates to an identified or identifiable individual or that is linked or linkable to them.”  Sure, that’s fair.

So I guess the advertising ID, a unique identifier present on every Apple device to track users is considered personal data too?  I mean, it is a unique ID that is built around your interests, so it’d only make sense.  No, not according to Apple.  Apple describes the Advertising ID as “a non personal identifier served by the operating system on your device, to track you across apps and websites owned by other companies.”  This definition essentially invalidates the term “personal data” as used by Apple.

Apple says, “We may collect, use, transfer, and disclose non-personal information for any purpose” in the privacy policies of Apple News, Apple TV App, Apple Music, Stocks, and Apple App Store.  Apple is essentially giving themselves permission to do anything they want with your data.  Again, the word non-personal was used, which doesn’t really mean anything.

Apple’s recent iOS privacy labels are a good thing in terms of protecting privacy with third party apps.  However, it’s not from Apple’s good conscience.  Apple doesn’t care that Facebook lost money by losing access to user data to track, they’re simply unaffected.  Apple gained tremendous marketing value from the move, so it was a clear win for them.  If that wasn’t the case, it’s likely that the feature wouldn’t have been implemented.  It’s also worth noting that Apple does not include privacy labels for its own apps directly on the App Store.

They’re located here, on a page buried on Apple’s site.

Apple works hard to maintain its public image.  When the FBI came knocking in 2014 asking Apple to unlock a phone, Apple very publicly gave them the finger.  Apple made sure to say how they cared about privacy and the rights of their users in response to the incident.

The FBI requested for Apple to implement a backdoor into iOS, and Apple complained.  However, when the FBI complained about Apple’s plan to implement E2E in iCloud backups, stating that it would harm investigations, Apple obliged and cancelled the feature.

On the other hand, Google, who manages the iOS competitor Android, was able to implement the feature with no issues.  The epicenter of Apple’s data is iCloud.  Everything is stored in iCloud, everything is backed up to iCloud, your Apple data is iCloud.  If Apple, the FBI, or anybody gained access to your iCloud data, they’d essentially have everything.  The fact that the FBI sources stated that investigations would be harmed by the implementation of E2E proves that Apple does in fact hand over sensitive data, as sensitive data is likely what is of actual value in an FBI investigation.

The cancellation of iCloud’s E2E was entirely voluntary.  If Apple truly cared about privacy and lived up to their public standards, they’d implement the feature anyways.  But they didn’t, and that’s what matters here.  Overall, Apple is on friendly terms with the feds.  In the first half of 2020, Apple complied with around 90% of US government requests, up 36% from the second half of 2019.  Apple’s stated values and its actions are completely opposite from each other.

Consider the potential consequences and similarities to American authorities.

Apple has a long relationship with China.  It’s widely accepted that China is perhaps the largest surveillance state in the world.  Digital privacy isn’t exactly one of their renowned values.

In 2017, Apple moved the user data of Chinese users to Chinese servers, run by a company called Guizhou-Cloud Big Data (GCBD), a company owned by the Chinese government (CCP).  iCloud encryption keys are all stored in those CCP-run data centers.  If the CCP wishes to see the data of a particular user, companies must oblige.  Apple itself cannot legally aid CCP officials, so they needed to have another company manage their data so everything would be alright back home in the US.  Apple constantly caves into the data demands of the CCP.

Apple’s encryption in China is essentially useless.  Everything is stored on iCloud, iCloud data is stored on CCP-owned servers, and according to two Apple employees from a NYT investigation,  “The Chinese government must approve any encryption technology that Apple uses in China.”

Apple’s system of encryption in China is different from the systems used in the rest of the world, contradicting what Apple CEO Tim Cook mentioned in an interview.  When Apple’s hardware used to decrypt iCloud data wasn’t approved by the CCP, Apple made a new device adhering to CCP standards.

Apple claims that user privacy is not impacted in China and that people will get what they expect, but this is clearly far from the truth, and Apple is lying to our faces.  In May of 2021, Apple released a statement addressing their role in China.  Here are a few snippets from that:

“We have never compromised the security of our users or their data in China or anywhere we operate.”

“We comply with the law, but we make no compromises on user security.”

The actions taken above by Apple represent massive compromises in user security; it’s as bad as it gets.  In addition, Apple constantly removes countless numbers of apps and services in its Chinese App Store due to CCP requests.  Apps that enhance user privacy, such as proxies and VPNs, which tunnel traffic to another location to evade censorship and enhance privacy, are strictly prohibited.

The values that Apple claims to follow does not match up with their actions.  Apple simply says things for marketing points.  Next time you hear Apple claim to care about your privacy, don’t blindly believe what they say, think different.