Russia investigates Apple over Kaspersky kids app block

BACK IN APRIL, Apple was in hot water over claims it was taking a strange new interest in rivals’ kid protection apps after its own Screen Time …

BACK IN APRIL, Apple was in hot water over claims it was taking a strange new interest in rivals’ kid protection apps after its own Screen Time software launched on iPhone. Apple initially denied that it was hobbling others to promote its own app, but eventually softened its absolute ban on Mobile Device Management (MDM) being used in parental-control apps. It was still frowned upon, but accepted in some circumstances.

That, it turns out, isn’t the end of the story. While previously Apple was just dealing with some ticked off app developers, now it has Russia’s anti-monopoly watchdog – the FAS – on its tail.

The FAS says it is looking into why the latest version of Kaspersky Lab’s Safe Kids app has been blocked from the App Store, noting that version 12 of Screen Time seems to offer plenty of feature overlap with Kaspersky’s product.

For its part, Kaspersky noted that the official guidelines allow limited use of MDM, but couldn’t find a way to get the go-ahead from Apple’s app guardians.

When Reutersapproached Apple for comment, the company pointed the news agency back to its statement from April. The one that says certain apps were removed because “they put users’ privacy and security at risk.”

At the end of that post, it’s worth remembering that Apple categorically denied the removal of apps had anything to do with them sharing functionality with home-grown products. “In this app category, and in every category, we are committed to providing a competitive, innovative app ecosystem,” the statement read.

“There are many tremendously successful apps that offer functions and services similar to Apple’s in categories like messaging, maps, email, music, web browsers, photos, note-taking apps, contact managers and payment systems, just to name a few. We are committed to offering a place for these apps to thrive as they improve the user experience for everyone.”

We’ll have to wait and see as to whether the FSA reaches the same conclusion. µ

Further reading

Related Posts:

  • No Related Posts

Why Jeff Williams May Not Be the Next Apple CEO—Data Sheet

“This happens naturally as companies get bigger,” CEO Dara Khosrowshahi wrote to his staff in an email obtained by Bloomberg. That’s one way to …

This is the web version of Data Sheet, Fortune’s daily newsletter on the top tech news. To get it delivered daily to your in-box, sign up here.

A trio of tech snippets—with my take—to start your day:

* Bloomberg Businessweek’s estimable Apple reporter Mark Gurman has a piece in the current issue that calls Chief Operating Officer Jeff Williams the heir apparent to his longtime boss, Tim Cook. It reminded me of the feature I wrote in Fortune in 2008 calling Tim Cook the most likely replacement for Steve Jobs. I quoted an unnamed source in that article—still a prominent Silicon Valley personage—calling Cook’s ascension “laughable.” While old-school Apple aficionados will similarly argue vociferously that Williams shouldn’t succeed Cook, Gurman makes a textured and forceful argument why he will. The reason: Smooth operations and profitable services define Apple today more than nifty products and outside-the-box thinking. If I were placing bets, I’d guess that Apple’s board will not choose the next CEO in the mold of the current one, though, just as Cook couldn’t have been more different than Jobs. Seeing as Cook doesn’t appear to going anywhere, the argument seems to be more parlor game than urgent analysis. Apple reports earnings this afternoon.

* An IBM government-affairs official has published a post supporting changes to the key legislation that allows Facebook, YouTube, and others to avoid being regulated and otherwise legally treated like the publishers that they are. (Policy wonks will recognize the law in question as Section 230 of the Communications Decency Act.) IBM CEO Ginni Rometty has spoken favorably on this topic before, including in a meeting with journalists in San Francisco in February. Breakingviews has a good take on the nuances of IBM’s position.

* We’ll look back one day on the era when travelers paid extra for a service that allowed biometric identification to unlock special access to get through airport security. But for now Clear is a game-changing offering, and my only fear about it is that it will become too popular—because I love it. As mentioned in Monday’s Data Sheet, there were two pieces of great news for coast-to-coast United customers (like me!): discounted memberships for United frequent flyers and the expansion of Clear to Newark.

Adam Lashinsky

On Twitter: @adamlashinsky

Email: adam_lashinsky@fortune.com

NEWSWORTHY

Hand in the cookie jar. A former Amazon software engineer was arrested on Monday in Seattle for hacking into credit card companyCapitol One’s servers and stealing consumer data from tens of millions of credit card applications. Paige A. Thompson, aka the hacker Erratic, was charged with computer fraud and faces up to five years in prison and a $250,000 fine.

Disruption in aisle three. Meanwhile, in another part of the city, Amazon is “quietly exploring” creating another grocery chain alongside Whole Foods that would shake up the industry with a greater focus on pickup and delivery options, The New York Times reports. Amazon declined to comment.

The real world. Now a public company and facing greater pressure to, I don’t know, turn a profit some day, Uber on Monday cut its marketing department by one-third, laying off 400 people. “This happens naturally as companies get bigger,” CEO Dara Khosrowshahi wrote to his staff in an email obtained by Bloomberg.

That’s one way to stop leaks. Google pre-announced that its forthcoming Pixel 4 phone would have a face unlock feature much like current iPhones and will use a form of radar to pick up a user’s control gestures made in midair, above the device.

Fly me to the moon. Researchers at the University of California Berkeley built a solar-powered drone with lighter, more efficient photovoltaiccell technology that could transform the industry. The new thermophotovoltaic cells could eventually power a house with a generator the size of an envelope, the researchers said.

I’ll be your server for this evening. With more companies following a so-called hybrid cloud strategy, seeking to keep some data and apps on local servers, Googleis getting closer to VMware. Google’s cloud service will start supporting VMware Cloud Foundation, used by companies who set up hybrid cloud arrangements. Elsewhere in enterprise computing land, Microsoftacquired startup BlueTalon, which helps companies control data sharing, for an undisclosed sum. And AT&T won a 15-year, $1 billion contract to provide communications services to the Justice Department.

ON THE MOVE

My kids use an expression that was new to me: yeet. It means to leave, to bug out, to fly the coop. So let this be the yeeting edition of On the Move…Jon McNeill, who was hired last year to run Lyft’s operations, is leaving the company. His responsibilities will be distributed to others…the head of the Securities and Exchange Commission‘s cyber unit, Robert Cohen, is stepping down next month…Expedia president Aman Bhutani, who oversees the company’s online travel businesses, is leaving for another opportunity…We do have one joiner. Former Homeland Security Advisor and U.S. cybersecurity chief, Tom Bossert, started at start-upTrinity Cyber as chief strategy officer.

FOOD FOR THOUGHT

As the debate around Facebook’s Libra digital currency proposal stirs, it’s interesting to recall the history of paper money, itself a wild invention that nearly broke the global financial system. John Lanchester has a wide-ranging recounting of the history of money, filled with plenty of interesting digressions, in The New Yorker. The first paper money was used in China in the 13th century, as explorer Marco Polo discovered.

Marco Polo was right to be amazed. The instruments of trade and finance are inventions, in the same way that creations of art and discoveries of science are inventions—products of the human imagination. Paper money, backed by the authority of the state, was an astonishing innovation, one that reshaped the world. That’s hard to remember: we grow used to the ways we pay our bills and are paid for our work, to the dance of numbers in our bank balances and credit-card statements. It’s only at moments when the system buckles that we start to wonder why these things are worth what they seem to be worth. The credit crunch in 2008 triggered a panic when people throughout the financial system wondered whether the numbers on balance sheets meant what they were supposed to mean. As a direct response to the crisis, in October, 2008, Satoshi Nakamoto, whoever he or she or they might be, published the white paper that outlined the idea of Bitcoin, a new form of money based on nothing but the power of cryptography.

IN CASE YOU MISSED IT

The Top 10 U.S. Cities for Tech JobsBy Anne Fisher

Blockchain Launches ‘Fastest’ Crypto Exchange in the WorldBy Jeff John Roberts

What CEOs, Bankers, and Tech Execs Think About a Coming RecessionBy Robert Hackett

Amazon’s TV Bosses Want to Remind You (Again) Why They Are Not NetflixBy Stacey Wilson Hunt

The Bond Market Is Betting Tesla Is in TroubleBy Erik Sherman

NBA 2K League, Tencent Team up to Bring the Phenomenon of e-Sports Basketball to ChinaBy Lisa Marie Segarra

Here’s What Analysts Expect From Apple’s Upcoming EarningsBy Aaron Pressman

BEFORE YOU GO

It ain’t my fault that I’m out here makin’ news, so goes the super-catchy new tune Juice by Lizzo. The multi-talented singer visited NPR on Monday and spent some time in the network’s “Tiny Desk” studio playing some of her new hits. Worth a listen (many expletives in use, however).

This edition of Data Sheet was curated by Aaron Pressman. Find past issues, and sign up for other Fortune newsletters.

Related Posts:

  • No Related Posts

Your iPhone is leaking personal info to tracking companies

The list of offending apps include: Microsoft OneDrive, Mint, Nike, Doordash, Spotify, Yelp, The Weather Channel, Citizen, and The Washington Post’s …

Ahead of Consumer Electronics Show (CES) in Las Vegas earlier this January, Apple strategically placed a privacy-focused billboard bearing the catchphrase: “What happens on your iPhone, stays on your iPhone.”

It’s a clever spin on the Vegas slogan, and a not-so-subtle dig at its data-hungry competitors. But it is also quite misleading.

As the Washington Post recently discovered, a lot of third-party iOS apps are abusing Background App Refresh to regularly send sensitive personal information to tracking companies. The feature allows apps to refresh their content by running periodically in the background.

What are the app trackers for?

It’s no surprise that third-party apps use trackers to gather all sorts of analytics. But the frequency with which the apps send data back to tracking companies is quite alarming, as is the kind of data shared.

Using Disconnect’s Privacy Pro app, the Washington Post found that apps were sending details like phone number, email, exact location, IP address, and more.

On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.

The list of offending apps include: Microsoft OneDrive, Mint, Nike, Doordash, Spotify, Yelp, The Weather Channel, Citizen, and The Washington Post’s own iOS app.

Citizen was found to be sharing personally identifiable information that was in violation of its published privacy policy (it removed the tracker after the Washington Post contacted them), and Yelp was sending a message containing IP addresses every five minutes, a behavior the company later acknowledged was a bug.

In all, the Washington Post encountered over 5,400 trackers during a week-long testing.

Privacy concerns with app trackers

App trackers aren’t inherently bad. Some are used to diagnose app behavior to improve performance, while others analyze usage patterns to serve targeted ads.

DoorDash’s app, for example, was found using nine different trackers to gather details from your phone — device name, model, ad identifier, memory size, accelerometer data, delivery address, name, email, and cellular phone carrier — to help identify fraud.

It is also using trackers from Facebook and Google for ads, meaning the two companies know everytime you open the app.

To be fair, this behavior is not just about DoorDash alone. Using tracking information to tailor ads is the norm everywhere, but unfortunately not many people are aware that this is happening.

It also raises significant privacy concerns about how long these companies might store such information, and the third-parties they might be sharing this with.

There’s more work to be done

As we continue to spend more time on apps, it is becoming evident that app permissions and privacy policies alone aren’t enough. There needs to be tracking protection controls built into Android and iOS to ensure data collection and sharing practices are more transparent.

For now, it’s impossible to determine what trackers are used and for what purpose without downloading a third-party app like Disconnect’s Privacy Pro (iOS) or Exodus Privacy (Android). Another option is to turn off background app refresh on your iOS device by heading to: Settings > General > Background App Refresh > Off.

At a time when data breaches and privacy violations are so frequent, Apple has built a marketing strategy centred around privacy. It’s not entirely wrong. But it’s also factually incorrect.

What Apple is really implying with the ad campaign is that the company treats your personal data with more respect than its rivals. It will not eavesdrop on your conversations. Apple’s Safari browser won’t track you as you browse the web. And Apple won’t use your identifiable information to serve ads.

However, iPhones leak all sorts of data, often without your knowledge. “What happens on your iPhone stays on your iPhone” is likely to be the case only if you choose to live in an Apple-centric universe, surrounded by its ecosystem of apps and services.

And as we have just learnt, it’s simply an improbable scenario.

Read next: Creepy programmer builds AI algorithm to ‘expose’ adult actresses

Related Posts:

  • No Related Posts

While you’re sleeping, your iPhone stays busy harvesting data

A more typical example is DoorDash, the food-delivery service. Launch that app, and you’re sending data to nine third-party trackers – though you’d …

WASHINGTON (WASHINGTON POST) – It’s 3am Do you know what your iPhone is doing?

Mine has been alarmingly busy. Even though the screen is off and I’m snoring, apps are beaming out lots of information about me to companies I’ve never heard of. Your iPhone probably is doing the same – and Apple could be doing more to stop it.

On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11.43pm, a company called Amplitude learned my phone number, email and exact location. At 3.58am, another called Appboy got a digital fingerprint of my phone. At 6.25am, a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.

And all night long, there was some startling behaviour by a household name: Yelp. It was receiving a message that included my IP address – once every five minutes.

Our data has a secret life in many of the devices we use every day, from talking Alexa speakers to smart TVs. But we’ve got a giant blind spot when it comes to the data companies probing our phones.

You might assume you can count on Apple to sweat all the privacy details. After all, it touted in a recent ad, “What happens on your iPhone stays on your iPhone.”

My investigation suggests otherwise.

iPhone apps I discovered tracking me by passing information to third parties – just while I was asleep – include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post and IBM’s The Weather Channel. One app, the crime-alert service Citizen, shared personally identifiable information in violation of its published privacy policy.

And your iPhone doesn’t feed data trackers only while you sleep. In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic. According to privacy firm Disconnect, which helped test my iPhone, those unwanted trackers would have spewed out 1.5 gigabytes of data over the span of a month. That’s half of an entire basic wireless service plan from AT&T.

“This is your data, why should it even leave your phone? Why should it be collected by someone when you don’t know what they’re going to do with it?” says Patrick Jackson, a former National Security Agency researcher who is chief technology officer for Disconnect. He hooked my iPhone into special software so we could examine the traffic.

“I know the value of data, and I don’t want mine in any hands where it doesn’t need to be.”

In a world of data brokers, Jackson is the data breaker. He developed an app called Privacy Pro that identifies and blocks many trackers. If you’re a little bit techie, I recommend trying the free iOS version to glimpse the secret life of your iPhone.

DATA TRANSPARENCY

Yes, trackers are a problem on phones running Google’s Android, too. Google won’t even let Disconnect’s tracker-protection software into its Play Store. (Google’s rules prohibit apps that might interfere with another app displaying ads.) Part of Jackson’s objection to trackers is that many feed the personal data economy, used to target us for marketing and political messaging. Facebook’s fiascos have made us all more aware of how our data can be passed along, stolen and misused – but Cambridge Analytica was just the beginning.

Jackson’s biggest concern is transparency: If we don’t know where our data is going, how can we ever hope to keep it private?

App trackers are like the cookies on websites that slow load times, waste battery life and cause creepy ads to follow you around the Internet. Except in apps, there’s little notice trackers are lurking and you can’t choose a different browser to block them.

Why do trackers activate in the middle of the night? Some app makers have them call home at times the phone is plugged in, or think they won’t interfere with other functions. These late-night encounters happen on the iPhone if you have allowed “background app refresh,” which is Apple’s default.

With Yelp, the company says the behaviour I uncovered wasn’t a tracker but rather an “unintended issue” that’s been acting like a tracker. Yelp thinks my discovery affects 1 per cent of its users, particularly those who’ve made reservations through Apple Maps. At best, it is shoddy software that sent Yelp data it didn’t need. At worst, Yelp was amassing a data trove that could be used to map people’s travels, even when they weren’t using its app.

A more typical example is DoorDash, the food-delivery service. Launch that app, and you’re sending data to nine third-party trackers – though you’d have no way to know it.

App makers often use trackers because they’re shortcuts to research or revenue. They run the gamut from innocuous to insidious. Some are like consultants that app makers pay to analyse what people tap on and look at. Other trackers pay the app makers, squeezing value out of our data to target ads.

In the case of DoorDash, one tracker called Siftscience gets a fingerprint of your phone (device name, model, ad identifier and memory size) and even accelerometer motion data to help identify fraud. Three more trackers help DoorDash monitor app performance – including one called Segment that routes onward data including your delivery address, name, email and cell carrier.

DoorDash’s other five trackers, including Facebook and Google Ad Services, help it understand the effectiveness of its marketing. Their presence means Facebook and Google know every time you open DoorDash.

The delivery company tells me it doesn’t allow trackers to sell or share our data, which is great. But its privacy policy throws its hands up in the air: “DoorDash is not responsible for the privacy practices of these entities,” it says.

All but one of DoorDash’s nine trackers made Jackson’s naughty list for Disconnect, which also powers the Firefox browser’s private browsing mode. To him, any third party that collects and retains our data is suspect unless it also has pro-consumer privacy policies like limiting data retention time and anonymising data.

Microsoft, Nike and The Weather Channel told me they were using the trackers I uncovered to improve performance. Mint, owned by Intuit, said it uses an Adobe marketing tracker to help figure out how to advertise to Mint users. The Post said its trackers were used to make sure ads work. Spotify pointed me to its privacy policy.

Privacy policies don’t necessarily provide protection. Citizen, the app for location-based crime reports, published that it wouldn’t share “your name or other personally identifying information.” Yet when I ran my test, I found it repeatedly sent my phone number, email and exact GPS coordinates to the tracker Amplitude.

After I contacted Citizen, it updated its app and removed the Amplitude tracker. (Amplitude, for its part, says data it collects for clients is kept private and not sold.)

“We will do a better job of making sure our privacy policy is clear about the specific types of data we share with providers like these,” Citizen spokesman J. Peter Donald said. “We do not sell user data. We never have and never will.”

The problem is, the more places personal data flies, the harder it becomes to hold companies accountable for bad behaviour – including inevitable breaches.

As Jackson kept reminding me: “This is your data.”

What disappoints me is that the data free-for-all I discovered is happening on an iPhone. Isn’t Apple supposed to be better at privacy?

“At Apple we do a great deal to help users keep their data private,” the company says in a statement. “Apple hardware and software are designed to provide advanced security and privacy at every level of the system.”

In some areas, Apple is ahead. Most of Apple’s own apps and services take care to either encrypt data or, even better, to not collect it in the first place. Apple offers a privacy setting called “Limit Ad Tracking” (sadly off by default) which makes it a little bit harder for companies to track you across apps, by way of a unique identifier for every iPhone.

And with iOS 12, Apple took shots at the data economy by improving the “intelligent tracking prevention” in its Safari web browser.

APPLE ‘TURNS A BLIND EYE’

Yet these days, we spend more time in apps. Apple is strict about requiring apps to get permission to access certain parts of the iPhone, including your camera, microphone, location, health information, photos and contacts. (You can check and change those permissions under privacy settings.) But Apple turns more of a blind eye to what apps do with data we provide them or they generate about us – witness the sorts of tracking I found by looking under the covers for a few days.

“For the data and services that apps create on their own, our App Store Guidelines require developers to have clearly posted privacy policies and to ask users for permission to collect data before doing so. When we learn that apps have not followed our Guidelines in these areas, we either make apps change their practice or keep those apps from being on the store,” Apple says.

Yet very few apps I found using third-party trackers disclosed the names of those companies or how they protect my data. And what good is burying this information in privacy policies, anyway? What we need is accountability.

Getting more deeply involved in app data practices is complicated for Apple. Today’s technology frequently is built on third-party services, so Apple couldn’t simply ban all connections to outside servers. And some companies are so big they don’t even need the help of outsiders to track us.

The result shouldn’t be to increase Apple’s power.

“I would like to make sure they’re not stifling innovation,” says Andres Arrieta, the director of consumer privacy engineering at the Electronic Frontier Foundation.

If Apple becomes the Internet’s privacy police, it could shut down rivals.

Jackson suggests Apple could also add controls into iOS like the ones built into Privacy Pro to give everyone more visibility.

Or perhaps Apple could require apps to label when they’re using third-party trackers. If I opened the DoorDash app and saw nine tracker notices, it might make think twice about using it.

Related Posts:

  • No Related Posts

Apps Are Using Background App Refresh to Send Data to Tracking Companies

Apps that were found passing data along included Microsoft OneDrive, Mint, Nike, Spotify, The Weather Channel, DoorDash, Yelp, Citizen, and even …
When Background App Refresh is enabled, some iOS apps are using the feature to regularly send data to tracking companies, according to a privacy experiment from The Washington Post that explores the relationship between apps and tracking companies.

The Washington Post‘s Geoffrey Fowler teamed up with privacy firm Disconnect and used specialized software to see what his iPhone was doing and when. And while it’s no surprise that apps are using trackers and sharing user data, the frequency with which apps took advantage of background refresh to send data off to tracking companies is surprising, as is some of the data shared.


Fowler found that apps were sending data like phone number, email, location, IP address, and more.

On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.

Apps that were found passing data along included Microsoft OneDrive, Mint, Nike, Spotify, The Weather Channel, DoorDash, Yelp, Citizen, and even The Washington Post’s own iOS app. Citizen shared personally identifiable information that violated its privacy policy (the tracker was later removed), and Yelp was sending data every five minutes, something the company later said was a bug.

During the course of a week of testing, Fowler ran into 5,400 trackers, mostly found within apps, which Disconnect told him would likely send 1.5 gigabytes of data over the course of a month.

Trackers within apps, for those unfamiliar, serve different purposes. Some analyze user behavior to let apps streamline advertising campaigns, combat fraud, or create targeted ads. Delivery app DoorDash, for example, was found using a whopping nine trackers in its apps, sharing data like device name, ad identifier, accelerometer data, delivery address, name, email, and cellular phone carrier.

DoorDash also has trackers from Facebook and Google Ad Services, which means Facebook and DoorDash are notified whenever you’re using the DoorDash service. DoorDash is not alone in sending tracking data, nor are the apps listed above – using tracking information is standard practice – but most people aren’t aware that it’s happening.

Not all data collection is bad, such as when it’s anonymized and stored for a limited period of time, but some trackers are collecting specific user information and don’t provide clear information on how long that data is stored nor who it’s shared with.

As Fowler points out, there is no way to know which apps are using trackers and when that data is being sent from your iPhone, nor does Apple have tools in place that give iPhone users a way to see which apps are using trackers and for what purpose. Apple was contacted for comment, but provided a standardized privacy response.

“At Apple we do a great deal to help users keep their data private,” the company says in a statement. “Apple hardware and software are designed to provide advanced security and privacy at every level of the system.”

“For the data and services that apps create on their own, our App Store Guidelines require developers to have clearly posted privacy policies and to ask users for permission to collect data before doing so. When we learn that apps have not followed our Guidelines in these areas, we either make apps change their practice or keep those apps from being on the store,” Apple says.

Fowler suggests Apple could require apps to label when they’re using third-party trackers, while privacy company Disconnect suggests greater privacy controls in iOS to give users more control over their data.

iOS users concerned about the data apps are sending, especially at night and without user knowledge, can turn off Background App Refresh in the Settings app and can use a VPN like Disconnect’s Privacy Pro to limit the data apps are able to send to third-party sources.

Related Posts:

  • No Related Posts