Siri app tracking enabled by default, appears to access user data without express user consent

Privacy in an online world has become a central issue for tech giants following a number of high profile user data and privacy scandals breaking over the past several years. Apple, however, has tried to elevate itself above its competitors by positioning privacy as the cornerstone of its products and services. This includes a page dedicated to privacy outlining the various measures that Apple puts in place to protect a user’s identity and data as well as an overview of the data its first-party apps collect. It is a stance that Apple has also effectively harnessed as a marketing tool.

Despite this, Apple has still managed to find itself embroiled in privacy-related controversies. The most notable being the Siri privacy scandal from 2019 when the company was caught red-handed listening to audio recordings of Siri user requests without their consent. It closely followed in the wake of revelations that both Google and Amazon had been engaging in similar practices. However, rather than cease its own eaves-dropping activities voluntarily, a whistleblowing contractor contacted The Guardian who broke the story. Apple eventually remedied the situation by seeking express user consent during the set up process, but continues the practice for those who expressly give their consent. The episode, however, a blow to its reputation. 

Another privacy-related intervention that Apple took in response to a media exposé about iPhone user privacy arrived after a Washington Post writer revealed his iPhone had 5,400 trackers installed on it sending telemetry back to developers totalling 1.5 GB over a period of a month. The devs were using APIs and tools made available by Apple as well as other methods to profile him across apps and across the web. 

Apple later responded by introducing an App Tracking Transparency feature in iOS 14.5 that forces developers to give users the choice to opt out of app tracking, or to allow it. However, this does not necessarily stop Apple from tracking users through its own apps, as one recent lawsuit highlighted. Apple has published a page on the data its stock apps collect which makes for interesting reading, emphasizing its use of random identifiers that are meant to dissociate individual users from the data that Apple collects and stores.

Following the 2019 Siri privacy scandal, Apple now says on its site that it “doesn’t retain audio of your requests unless you choose to share it with us to improve Siri. However, Apple does implicitly admit on its privacy website to using Siri usage data but that this “data is used only to improve Siri, and we never share or sell it”. This is done without express user consent, but is only “associated with a random identifier”. It doesn’t end here, however, when it comes to Siri and Apple's usage of user data without express consent.

Improving Siri is clearly something that the company is keen to do given that it is widely considered to be lagging the competition. The only way to improve a natural language model such as the one powering Siri is to feed it data. It may come as a shock given Apple’s privacy stance, however, to learn Siri tracking is on by default across all of its apps to help improve Siri's performance. More surprisingly, Apple has also enabled the same tracking across every third-party app installed on an iPhone as well. In our experience, this includes sensitive apps like PayPal, banking apps, health apps and so on. 

The message Apple includes an accompanying which states, “Allow Siri to learn from how you use “[Insert App]” to make suggestions across apps”. That might make sense if a user had expressly “allowed” this to occur, but the switch has already been enabled on the user's behalf. The use of the term “Siri” is also an attempt to personalize the “request” when in fact it is of course Apple doing the data collecting. There will, of course, be users who don’t find this practice questionable and who put their full trust in Apple’s privacy regime. Others, however, may question Apple’s apparent lack of transparency and would rather their data and activity not be used - de-identified or not - without their express permission.

If in the latter camp, the only way to disable this unconsented tracking and data collection is to manually go through the settings of each and every app that you have installed on your iPhone. The preferred solution would be for Apple to make data tracking across apps to help Siri "learn" an "opt in or out" choice at the same time it prompts users whether they want to allow their recorded interactions shared with Siri to be shared with Apple or not. Given that the Siri recording scandal revealed that users had accidentally triggered Siri during intimate contact with a partner, among other sketchy recordings, during the 2019 scandal, opting out altogether might be the safest bet.