Where’s the beef? Privacy as a core theme at Apple's WWDC

By Kurt Marko June 12, 2019
Summary:
Is Apple on the side of the angels when it comes to your privacy?

We are witnessing an epochal clash of business models between the technology titans that will shape how people adopt, consume and control new technology-centric products and services for years to come.

While the proximate battleground is among purveyors of mass-market products like phones, apps, content and online services, the ramifications of consumer decisions will extend to many business and enterprise products and services through a combination of changed cultural values and expectations, some of which will be expressed through the strong arm of governmental regulation.

The fight is over privacy, specifically the ‘ownership’ and rights to personal data used in the conduct of online commerce and social activity. On one side we have Internet-era mega-techs, notably Google and Facebook along with their real customers in the ad-tech industry that have made a wildly lucrative business out of so-called surveillance capitalism, namely the mass accumulation, correlation and monetization of minute details about users of their services and their actions.

On the other side are Apple, smaller companies like DuckDuckGo and Brave, and some independent privacy advocates like the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC) that see the escalating dangers of continued, pervasive exploitation of individuals’ personal information. What started as a friendly philosophical difference in how to handle customer data has escalated over the past year as the data miners have made at least verbal concessions and mea culpas while Apple has turned privacy into a fundamental, long-term business strategy.

As in most conflicts, no one's motives and actions are entirely vile or pure. For example, Google incorporates some of the best security technology and practices in the industry into its cloud infrastructure (GCP) and application (G Suite) services. Likewise, Apple’s hands aren’t completely clean given that it makes billions a year by configuring Google as the default search engine on its mobile and Mac browsers. However, with Apple’s growth shifting from iPhone refreshes to services, the company has doubled down on its commitment to privacy. At last week’s annual Worldwide Developers Conference (WWDC), Apple backed up its strong words with concrete actions and in the process paved a path that will test the viability of user privacy as a competitive differentiator and business model.

Apple’s premier new privacy feature is a single sign-on service for third-party sites that could substitute for similar services from Facebook and Google, often used by websites and apps that require unique logins. Sign in with Apple ID applies the existing Apple ID two-factor authentication scheme to thwart identity thieves and can use device biometrics, either Face ID or Touch ID, for re-authentication. Unlike competing login services, Apple limits data collection to the user name and email address, provides a private email relay that lets users mask their actual address and does not track users' activity as they interact with third-party apps or sites. Another feature, Game Center Player Identifiers, similarly limits the scope of private information users share to a particular game or team ID for multiplayer titles.

Apple Sign in is designed for the many people who have become uncomfortable with the amount of data collection, aggregation and sharing done by Google and Facebook. It poses a direct threat to a significant way these companies monetize that data: selling targeted ads that can use activity logs correlated from dozens or hundreds of sites to create eerily accurate personal and demographic profiles. As the Cambridge Analytica incident demonstrated, third parties have also used the Facebook APIs and a user’s credentials to collect data about their social connections. While Google doesn't sell user data in the same way, it does allow third-party sites or apps to get the name, email address and profile picture from a Google account.

Other recently introduced privacy enhancements include:

  • Changes in how iOS, macOS and watchOS handle Wi-Fi and Bluetooth beacons for location-based services (LBS) to prevent applications from triangulating signal strength of nearby transmitters to precisely locate a device. Apple is also simplifying the process for users to set and monitor LBS, including an option for users to map the locations a particular app has tracked them.
  • Significant improvement to the Find My feature that allows users to locate lost or stolen devices. The updated service sends background Bluetooth signals from any nearby Apple devices, even those that are offline, i.e. in sleep mode, to track device locations. However, to thwart those that might try to independently access and misuse the data, it’s sent to iCloud in an encrypted form that can only be unlocked by the device owner, not Apple or anyone else. As Apple SVP of Software Craig Federighi put it in his WWDC presentation, “Now what’s amazing is that this whole interaction is end-to-end encrypted and anonymous. It uses just tiny bits of data that piggyback on existing network traffic so there’s no need to worry about your battery life, your data usage, or your privacy.” For a detailed description of the innovative encryption technique, see this excellent description from Wired.
  • A new HomeKit API called Secure Video that enables on-device video processing for motion, feature identification and data encryption, and optionally sends select video snippets to iCloud for later review and archival. Apple also added APIs for routers that allow them to automatically firewall all HomeKit devices on a separate network segment.

Building on a theme

The privacy announcements at WWDC come on top of existing iOS and device security and privacy features such as on-device encryption with local keys for both data and messaging apps (iMessage, FaceTime); Apple Pay, which substitutes encrypted virtual tokens for credit card numbers when making a transaction; and other techniques that anonymize data such as app analytics to protect an individual’s identity.

Protecting user privacy has become both a core value and strategy at Apple, so it’s not surprising that when CBS recently interviewed Apple CEO Tim Cook, privacy was the lead topic. As in his Brussels speech to the EU privacy commission, Cook was unequivocal when he responded to a question about why he makes such a big deal about privacy, saying (emphasis added),

Because I think it's one of the most important issues of the century. We see privacy as a fundamental human right. And we're very worried that the place that we're all in right now is a place that has dire consequences. And you can see some of those that have played out over the last several years, and the awareness is building. But basically we want to give tools to users to protect their privacy. I mean, there is extraordinary amounts of detailed information about people, that I don't think should really exist, that are out there today. You know, we're not really taking a shot at anybody. We focus on the user. And the user wants the ability to go across numerous properties on the web without being under surveillance. We're moving privacy protections forward. And I actually think it's a very reasonable request for people to make.

In comments to Engadget about the new sign-in service, Florian Schaub, assistant professor at the University of Michigan School of Information, nails the critical tension between Apple and the two online tech giants as rooted in their core business models (emphasis added),

Apple is and has been using privacy as a differentiating factor given that their business model centers around selling devices and now service subscriptions to its customers, as well as profiting from content provided through their platforms. Facebook and Google's business models, on the other hand, are largely based on being very good at targeting ads to people, which requires tracking people's online and app behavior. Having their single sign-on buttons on more webpages gives Facebook and Google more data points about which apps and services you use and how often.

My take

Many question Apple’s motives and purity in the privacy debate, but unlike Facebook, which features bold privacy statements and manifestos from Mark Zuckerberg with no significant follow-through, Apple continues delivering concrete improvements. Indeed, given previous hollow gestures from Zuckerberg, such as the Clear History tool that still hasn’t been delivered more than a year after its announcement, Facebook seems to view privacy proclamations as a PR stunt, not a business philosophy.

In contrast, Apple has made privacy a competitive differentiator that it hopes will win customers that have become first aware of, then alarmed at, the unrestrained collection and crass abuse of their personal information. As such, it presents an intriguing case study in whether there is a genuine business strategy in protecting the privacy of customer (and employee) data and, if so, how much money and convenience people are willing to forgo in return for privacy controls and protections.

My personal bias, which might be described as pragmatic privacy protection, i.e. opting for the most secure, private product or configuration, but willing to make compromises where necessary to meet higher goals, leads to optimism that privacy and security can sell in many situations. Consumer products and services like those provided by Apple are the ultimate test and Apple might end up mostly catering to a well-heeled and security-savvy elite. Indeed, consumer survey data isn’t promising, showing that more than half won’t spend 5 minutes managing their privacy settings.

Nonetheless, I believe the case is much stronger in enterprise markets where most companies have been burned by security breaches, making them keenly aware of the ramifications, and are under some form of regulatory data and privacy protection mandate. If true, enterprise buyers will (and should) carefully evaluate the security and data privacy technology and policies used by their suppliers and favor those that combine robust implementations with a security-minded ethos that backs up words with actions. For the benefit of employees, customers and shareholders, we can only hope.