In 2023, the independent researchers at Mysk found that Apple's iPhone analytics opt-out toggle does nothing. With analytics turned completely off, their iPhone continued sending detailed usage data to Apple — including which apps were launched, how long they were used, and what features were accessed. Apple was sued in a class action (Elliot v. Apple). The toggle exists. It just doesn't control anything.
Apple says its analytics data is anonymised. Researchers Tommy Mysk and Talal Haj Bakry found that every analytics packet includes a "dsId" — a Directory Services Identifier directly linked to the user's name, email address, and phone number. The data isn't anonymous. It's personally identifiable. Apple put a label on it that says "anonymous" while including your name in the envelope.
What they claim: Apple Device Analytics & Privacy policy: "None of the collected information identifies you personally. Personal data is either not logged at all, is subject to privacy preserving techniques such as differential privacy, or is removed from any reports before they're sent to Apple."
What we found: Mysk and Bakry (Nov 2022) discovered analytics packets contain "dsId" — Directory Services Identifier that uniquely maps one-to-one to iCloud account (full name, DOB, email, phone). Tommy Mysk told Gizmodo: "Knowing the DSID is like knowing your name. It's one-to-one to your identity." DSID is permanent and unchangeable. Found in real-time analytics from App Store to Apple servers.
What they claim: Apple's "Privacy. That's iPhone." campaign (Mar 2019): "What happens on your iPhone, stays on your iPhone." Tim Cook has repeatedly called privacy a "fundamental human right."
What we found: Professor Douglas Leith, Trinity College Dublin (Mar 2021): iOS phones home to Apple every 4.5 minutes on average, even idle in pocket. Data: IMEI, hardware serial, SIM serial, phone number, UDID, advertising ID, Bluetooth UniqueChipID, Secure Element ID (Apple Pay), local IP, Wi-Fi MACs of nearby devices, location, cookies. Endpoints include sa.apple.com/grandslam. UDID persists even across factory reset. Leith: "Currently there are few, if any, realistic options for preventing this data sharing." Transmissions occur even with Analytics turned off.
What they claim: Apple CES 2019 billboard: "What happens on your iPhone, stays on your iPhone." Settings > Privacy > Analytics & Improvements provides opt-out toggle.
What we found: Leith (TCD, 2021): iOS transmits telemetry every 4.5 minutes even with Analytics & Improvements disabled. Data includes IMEI, serial, SIM serial, phone number, UDID, ad ID, location, local IP, nearby Wi-Fi MACs, Bluetooth UniqueChipID. iOS also sends nearby devices' MAC addresses with GPS coordinates — Apple tracks people near owner who never consented. Leith sent three emails to Apple's Director of User Privacy; Apple declined to acknowledge receipt.
What they claim: Apple Location Services & Privacy: location data used to "help your device determine its approximate location" with crowd-sourced Wi-Fi data collected anonymously.
What we found: UMD researchers Erik Rye and Dave Levin (IEEE S&P 2024, Black Hat 2024): Apple's WPS API is open, unauthenticated, returns up to 400 BSSIDs per query. Over one year, geolocated over 2 billion Wi-Fi access points worldwide. Tracked devices in Ukraine and Gaza war zones, identified troop movements. Can track individuals who own zero Apple products — any Apple device passing within Wi-Fi range adds their router to database. Apple's only mitigation: "_nomap" SSID suffix, placing burden on router owners.
What they claim: Apple's brand centers on protecting data from government overreach. Privacy page: "We design our products and services to protect [privacy]."
What we found: Apple transparency reports H1 2024: US made 12,812 account requests and 12,043 device requests (42,747 devices), Apple complied with 85% of device requests. China: 1,212 device requests covering 365,980 devices, 95% compliance. UK: 2,550 account requests. Push notification surveillance requests nearly doubled (158 to 277). Apple hosted behind-closed-doors "Global Police Summit" at Cupertino HQ (Oct 2024). Has dedicated law enforcement portal (lep.apple.com) and 24/7 team. For any account without ADP (vast majority), Apple provides photos, email, backups, contacts, calendars.
What they claim: Apple: UWB "does not transmit personal data and cannot be used for tracking without the user's knowledge" and uses "rotating identifiers."
What we found: iPhone 11 launch (2019): Princeton CITP researchers (Josephson, Dec 2019) found iOS using U1 chip to collect location in background even with Location Services set to "Never" for all apps. Apple offered no explanation initially. iOS 13.3.1 (Feb 2020) added toggle at Settings > Privacy > Location Services > System Services > Networking & Wireless — but UWB remained enabled by default with no prompt. U1 enables centimeter-level indoor positioning (±30cm, 50ms). S.T.O.P. warned UWB beacons could enable physical-world tracking like web cookies.
What they claim: When users select "Ask App Not to Track," Apple states: "Apps that are found to disregard the user's choice will be rejected."
What we found: Lockdown Privacy (founded by ex-Apple engineers): ATT "made no difference in total number of active third-party trackers, and minimal impact on tracking connection attempts." Kochava and AppsFlyer offered workarounds via IP address and User Agent. Eric Seufert (Financial Times): "Anyone opting out is basically having the same level of data collected as before." Workaround settings on third-party dashboards — "zero percent chance of Apple finding out." Study featured in Washington Post.
What they claim: Apple (Jan 2025 Newsroom): "Apple has never used Siri data to build marketing profiles, never made it available for advertising, and never sold it to anyone for any purpose."
What we found: Lopez v. Apple (4:19-cv-04577-JSW, N.D. Cal.): plaintiffs testified under oath that after private conversations near Siri devices — without typing or asking Siri — they received targeted ads for exact products discussed: Air Jordan sneakers, Olive Garden restaurants, brand-name surgical treatment discussed privately with doctor. Apple settled for $95M (final approval Oct 14, 2025, Judge Jeffrey S. White). Apple denied wrongdoing but agreed to delete all pre-Oct 2019 recordings. Plaintiffs' attorneys estimated trial liability at $1.5B.
What they claim: Apple marketed AirTags as safe with anti-stalking protections: "AirTag was designed to help people locate their personal belongings, not to track people or another person's property."
What we found: Motherboard (Vice): 150 police reports from 8 departments; 50 cases of women tracked by unknown AirTags, 25 identified male suspects. UK stalking reports using GPS trackers rose 317%. Class action (Lopez v. Apple): AirTags contributed to "multiple murders" — Texas man used AirTag to find and kill car thief (2023), Chicago woman fatally attacked after removing tracker. Northeastern researchers: anti-stalking notifications took 30 min to 9 hours. Researchers demonstrated AirTags reconfigured to bypass alerts entirely.
What they claim: Apple privacy page: "The Apple advertising platform does not track you." Tim Cook: "Privacy is a fundamental human right" — Apple's core marketing differentiator.
What we found: Nov 2022 (Mysk & Bakry): App Store harvests "every single thing you did in real time" — taps, searches, ads viewed, time on each listing. Data tagged with permanent DSID linked to full name, DOB, email, phone. Collection unchanged when "iPhone Analytics," "Personalized Ads," AND "Personalized Recommendations" all toggled off. Three class action lawsuits filed.
What they claim: Apple ATT developer docs: apps must request permission before "tracking your activity across other companies' apps and websites." Framed as universal privacy standard.
What we found: Apple's definition of "tracking" only covers cross-company sharing. Apple combines data across App Store, News, Stocks, Music, TV without ATT prompts — classified as "first-party." Germany's Bundeskartellamt (Feb 2025): "the strict requirements under the ATTF only apply to third-party app providers, not to Apple itself." President Mundt: "doing so may amount to unequal treatment and self-preferencing, which are prohibited." Third-party apps show up to 4 consent dialogues; Apple's own show max 2.
What they claim: Apple's commissioned study (Apr 2022): ATT "does not affect apps' ability to collect and use first-party data" — any company with first-party data benefits equally.
What we found: Apple ad revenue: ~$3.7B (2021) to ~$7.5B (2023) — doubled in two years. Apple Search Ads share of iOS app-install downloads surged from 17% to 58% (Branch/Financial Times). Meta told investors ATT cost $10B in 2022. Apple ad adoption grew to 94.8% (up 4pts), Facebook dropped to 82.8% (down 3pts, InMobi Appsumer). Apple Search Ads projected $13.7B by 2027.
What they claim: Apple: ATT's purpose is "to give users choice and transparency" about tracking.
What we found: Mar 31, 2025: France's Autorité de la concurrence fined Apple EUR 150M ($162M) for abusing dominant position through ATT (Apr 2021 — Jul 2023). Found ATT's implementation "neither necessary for nor proportionate with Apple's stated objective of protecting personal data." Double consent for third parties but not Apple. "Penalised smaller publishers in particular." Italy separately fined EUR 98.6M (Dec 2025). Case originated from complaint filed Oct 23, 2020.
What they claim: Apple privacy page: "So much of your personal information — information you have a right to keep private — lives on your Apple devices." Implies meaningful control.
What we found: Leith (TCD): "Currently there are few, if any, realistic options for preventing this data sharing" on iOS. Unlike Android/Pixel where users can prevent "the vast majority" of Google data sharing, no equivalent workaround exists for iPhones. UDID sent to sa.apple.com/grandslam on first startup persists across factory reset. Apple also collects nearby devices' Wi-Fi MACs — gathering data about people near the owner who never consented. Libman v. Apple (5:22-cv-07069) remains partially active in 2026.
What they claim: Tim Cook: "Privacy is a fundamental human right." ATT (iOS 14.5) requires apps to ask permission before tracking.
What we found: 404 Media/Atlas Privacy (2024): Babel Street "Locate X" tool tracks millions of smartphones via app location data. One police officer's iPhone had ~100,000 location hits, all from Macy's app. Atlas demonstrated tracking patients at Florida abortion clinic, jurors in NJ trial, synagogue/mosque attendees, schoolchildren. Data broker Gravy Analytics collects 17 billion location signals daily from ~1 billion phones. ATT reduces but doesn't eliminate: ~25% of iPhones still trackable. FBI signed $27M contract for 5,000 Locate X licenses.
What they claim: Tim Cook (2018 EU privacy conference): Apple's privacy stance "comes from a values point of view, not from a commercial interest point of view."
What we found: Court docs: Google paid Apple $20B in 2022 alone to remain default search engine in Safari. Google's business model is tracking-based advertising — the practice Apple claims to oppose with ATT. Apple profits from the most privacy-invasive search engine while claiming moral superiority. Circular arrangement: Apple restricts competitors' ad data via ATT, profits from Google's tracking revenue via default deal, Google's dominance (reinforced by Safari default) generates the tracking data Apple claims to protect against.
What they claim: Apple markets Siri and Apple Intelligence as privacy-first with Private Cloud Compute ensuring user data is not stored or made accessible to Apple. Apple's January 2026 partnership with Google to power the rebuilt Siri states that privacy standards are maintained and no user data is shared with Google.
What we found: Apple has not disclosed where conversations with the Gemini-powered rebuilt Siri will be stored, or whether Google's cloud infrastructure handles any processing. Apple's own privacy model now relies on Google's cloud, yet Google's core business model is collecting data for targeted advertising — a structural conflict Apple has never addressed publicly. Healthcare providers cannot use Apple Intelligence for patient data: Apple offers no HIPAA Business Associate Agreements for Apple Intelligence or Siri, meaning any patient discussion routed to Private Cloud Compute or ChatGPT constitutes a HIPAA violation.
What they claim: Apple's privacy marketing implies comprehensive protection of user communications and activity.
What we found: Governments request push notification token data to identify users and link them to apps. Tokens reveal which apps used, when notifications received. Until Dec 2023, Apple complied based on mere subpoenas (no judge required). H1 2023: 88% compliance with US push-token requests. After Dec 2023 policy change requiring judge's order, compliance dropped to 28%. Apple was handing over this data on subpoena for years — only changed after Senator Wyden publicly exposed the practice.
What they claim: Apple privacy page: "Privacy is a fundamental human right. It's also one of our core values. Which is why we design our products and services to protect it." Markets iCloud as having robust encryption.
What we found: Under Standard Data Protection (default for all users), only 14 of 25+ iCloud categories are E2E encrypted. Most sensitive categories — iCloud Backup, Photos, iCloud Drive, Notes, Reminders, Voice Memos — use "in transit & at rest" encryption where Apple holds decryption keys. E2E requires manually enabling Advanced Data Protection — estimated under 10% adoption. Apple has never published ADP adoption figures.
What they claim: Apple: "iMessage conversations take place over an encrypted channel so they can't be read without the encryption key." Markets as core privacy advantage over SMS.
What we found: When iCloud Backup enabled (the default), backup contains iMessage encryption key and full message history. Apple holds key to decrypt backups under Standard Data Protection. Law enforcement obtains warrant, Apple hands over backup including complete iMessage history in readable form. ElcomSoft confirmed: "If you have iCloud backups enabled, the encryption key for iMessages will be stored in the backup." Apple's Legal Process Guidelines (Oct 2025) confirm they provide iCloud backup content including Messages.
What they claim: Apple positions itself as champion of privacy that stands up to government pressure, citing San Bernardino (2016) FBI refusal. Tim Cook called it a matter of principle.
What we found: Jan 2020 Reuters exclusive (Joseph Menn): Apple had internal project (code-named Plesio and KeyDrop, ~10 engineers) for full E2E iCloud backup encryption. After FBI's cybercrime agents and operational technology division privately objected, Apple dropped it. Former employee: "Legal killed it, for reasons you can imagine." Another source: "They decided they weren't going to poke the bear anymore." Apple then marketed privacy for two more years before offering ADP in Dec 2022 — opt-in only with low adoption. Four-year gap where Apple could have offered E2E but chose not to.
What they claim: Apple: "We have never built a backdoor or master key to any of our products or services and we never will." Also: "We have never compromised the security of our users or their data in China or anywhere we operate."
What we found: 2018: Apple transferred all Chinese iCloud data and encryption keys to GCBD (Guizhou-Cloud Big Data), solely owned by Guizhou Big Data Development and Management Bureau — a Chinese government entity. Apple ceded legal ownership. iCloud terms changed to: "Apple and GCBD will have access to all data that you store on this service." Chinese domestic law gives government virtually unfettered access (per Amnesty International). Apple initially pushed to keep keys in US but moved them to China within a year. Apple confirmed providing iCloud contents in nine separate cases.
What they claim: Steve Jobs, Phil Schiller, Scott Forstall (Apr 2011 Q&A): "Apple is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so."
What we found: Researchers Pete Warden and Alasdair Allan demonstrated iPhones stored up to a year of Wi-Fi and cell tower location data in unencrypted consolidated.db, synced to iTunes backups. Apple admitted bug failed to delete old data. Data sent to Apple even with Location Services disabled. Senator Al Franken sent formal letter to Jobs. US law enforcement confirmed they already used consolidated.db in criminal prosecutions leading to convictions. Investigations opened in Europe and South Korea.
What they claim: Apple promotes its App Store as a curated, fair marketplace for developers.
What we found: The EU fined Apple €500 million in April 2025 for breaching the Digital Markets Act — specifically the anti-steering obligation that prevented developers from telling customers about cheaper purchasing options outside the App Store. Apple appealed in July 2025. Meanwhile, the Ninth Circuit affirmed Apple committed civil contempt for willfully violating court orders by maintaining a 27% commission on external purchases.
What they claim: Apple markets Advanced Data Protection as "Apple's highest level of cloud data security" protecting "the majority of your iCloud data" with E2E encryption.
What we found: iCloud Mail is never E2E encrypted, even with ADP enabled. Apple confirms: "the need to interoperate with the global email, contacts, and calendar systems." Uses only TLS — Apple can read all iCloud Mail at rest. Contacts and Calendars also permanently excluded. Apple can always scan email, calendar events, and contacts regardless of any settings. Apple's own docs: "Some metadata and usage information remains under standard data protection, even when ADP is enabled."
What they claim: Apple: "We have never built a backdoor or master key to any of our products or services and we never will."
What we found: Feb 2025: UK issued secret "technical capability notice" under Investigatory Powers Act 2016, ordering Apple to provide backdoor to all ADP-encrypted iCloud data — globally. Rather than fight in court, Apple removed ADP entirely for UK users (Feb 21, 2025). All UK iCloud users lost E2E encryption for backups, photos, notes. Data reverted to Standard Data Protection where Apple holds keys. UK government eventually backed down (Aug 2025), but the episode showed Apple will withdraw privacy protections from an entire country rather than fight.
What they claim: Apple markets Apple Intelligence as privacy-first: "Many of the models that power Apple Intelligence run entirely on device." Private Cloud Compute: "user's data is not stored or made accessible to Apple."
What we found: Lumia Security's "AppleStorm" (Black Hat USA 2025, disclosed to Apple Feb 2025): Siri automatically scans for installed apps related to queries, transmits to Apple servers. Location accompanies every request regardless of relevance. Audio metadata (songs, podcasts, videos) sent without visibility. Messages dictated via Siri to WhatsApp and iMessage transmitted to Apple servers — undermining E2E encryption. Disabling "Learn from this App" didn't stop transmission. Apple acknowledged Mar 2025 but deflected to "third-party services."
What they claim: Apple: Find My uses "end-to-end encryption so that Apple cannot see the location of any offline device" and ensures "finder anonymity" and "untrackability."
What we found: TU Darmstadt (Heinrich et al., PETS 2021): reverse-engineered Find My, demonstrated location correlation attack with ~10m accuracy in urban areas and unauthorized access to 7 days of history enabling deanonymization. CVE-2020-9986 allowed access to decryption keys. Researchers built custom trackers participating in Find My without triggering anti-stalking alerts. Network: ~1 billion devices as passive relays. iPhones with U1/U2 chip broadcast Find My beacons even when powered off (since iOS 15).
What they claim: Apple: Significant Locations "are encrypted and cannot be read by Apple" and "stays on your device."
What we found: ElcomSoft and Cellebrite can extract Significant Locations via physical acquisition. Stored at /private/var/mobile/Library/Caches/com.apple.routined/ with granular timestamps, precise GPS, Place IDs. iOS 11+ extended retention from 45 to 120+ days. Cache.sqlite contained 40,000+ coordinate data points covering just one week. Forensic researcher Sarah Edwards (mac4n6.com) demonstrated extraction via APOLLO framework. Law enforcement uses GrayKey/Cellebrite with warrant and passcode.
What they claim: Apple Device Analytics & Privacy page: "You may choose to disable the sharing of this information at any time." Toggle description says disabling it will "disable the sharing of Device Analytics altogether."
What we found: Nov 2022: Researchers Tommy Mysk and Talal Haj Bakry demonstrated Apple's own apps (App Store, Apple Music, Apple TV, Books, Stocks) continued sending detailed real-time analytics to Apple even when "Share iPhone Analytics" toggled off AND "Allow Apps to Request to Track" disabled. Mysk: "Opting-out or switching the personalization options off did not reduce the amount of detailed analytics." Tested on jailbroken iOS 14.6 and standard iOS 16. By comparison, Google Chrome and Microsoft Edge actually stopped when disabled.
What they claim: Apple marketed Siri as privacy-respecting, stating it only listens when deliberately invoked. Privacy page: "Siri is designed to do as much learning as possible offline, right on your device."
What we found: Jul 2019 (Guardian): Apple employed ~300 contractors at GlobeTech (Cork, Ireland) listening to ~1,000 Siri recordings per shift. Whistleblower Thomas Le Bonniec: 1,300 recordings/day. Regularly heard medical info, drug deals, sexual encounters. Recordings accompanied by location, contacts, app data. Accidental activations from zippers, watch raises. $95M settlement (Lopez v. Apple, approved Sep 2025) covered Sep 2014 — Dec 2024. Apple required to delete all pre-Oct 2019 recordings. 85.2 million users eligible.
What they claim: Apple marketed the iPhone 16 lineup with enhanced Siri AI capabilities as a core selling point at WWDC 2024 and in the iPhone 16 launch campaign. Apple Intelligence was presented as shipping with the device, including Siri understanding personal context from emails, messages, and taking multi-step actions across apps.
What we found: As of May 2026 — nearly two years after the WWDC announcement — those Siri AI features remain unavailable to consumers. A $250 million class action settlement was proposed in May 2026 covering purchasers of iPhone 15 Pro, 15 Pro Max, and all iPhone 16 models from June 2024 to March 2025. Plaintiffs alleged Apple saturated television, the internet, and other media to cultivate consumer expectations for features that did not ship. A separate shareholder lawsuit led by South Korea's National Pension Service — the world's third-largest pension fund — alleges Apple's AI delays caused billions of dollars in investor losses.
What they claim: Apple VP Bud Tribble: "Ultimately, privacy is about living in a world where you can trust that your decisions about how your personal information is shared and used are being respected."
What we found: Mysk (Nov 2022): App Store app collects every tap, search query, ad viewed, time spent on each listing, how you found it, screen resolution, keyboard languages, connection type, device model — all in real time. Stocks app sent watched stocks, searches, timestamps, articles to stocks-analytics-events.apple.com/analyticseventsv2/async. All tagged with DSID linking to iCloud identity. None affected by toggling off personalized ads, recommendations, or analytics sharing.
What they claim: Apple introduced App Store privacy "nutrition labels" (Dec 2020) to "help you understand how apps handle your data" — presented as authoritative privacy disclosures.
What we found: Privacy labels entirely self-reported with no verification by Apple. NSF-published study of 474,669 apps: 97% claiming "Data Not Collected" had privacy policies indicating otherwise. CMU CyLab: 9 of 12 developers made errors. Longitudinal study (arXiv:2206.02658): after two years, only 6% updated labels. Apple's own apps use separate privacy documents with different language from labels. Functionally an honor system with no enforcement.
What they claim: Apple privacy docs: "After six months, your request history is dissociated from the random identifier." Positioned as privacy safeguard.
What we found: After dissociation, Apple retained voice recordings up to additional 18 months (total: two years). "Small subset" kept beyond two years indefinitely for "ongoing improvement." When sued in Lopez v. Apple, Judge Jeffrey S. White sanctioned Apple (Jun 2024) for spoliation — company continued deleting Siri recordings under auto-deletion policy after litigation filed, destroying central evidence. Court noted Apple was "well aware" of obligation. Sanctions: barred from using absence of deleted data in defense, adverse jury instruction.
What they claim: Apple (Aug 2019 Newsroom): "We are committed to delivering a great Siri experience while protecting user privacy." Announced grading now opt-in only, employees only, no retention.
What we found: Despite 2019 fixes, escalating legal consequences: French prosecutors opened criminal investigation (Oct 2025) following complaint by Ligue des Droits de l'Homme — first criminal probe into voice assistant data by French authorities. Ireland's DPC closed case in 2022 without penalties. Jan 2026: Cook County judge certified Zaluda v. Apple BIPA class action for ~3 million Illinois Siri users, potential damages $1,000-$5,000 per violation — potentially hundreds of billions. The 2019 fix didn't undo a decade of data already collected.
What they claim: Apple ATT prompt: "Allow [App] to track your activity across other companies' apps and websites?" Presented as informed choice.
What we found: ATT uses deliberately loaded language — "track" carries negative connotations, no context about what user receives (free apps from ads). Internal Apple docs (Epic v. Apple trial): "'external website' sounds scary, so execs will love it." Result: ~75% denied tracking (Adjust data). Meanwhile Apple's own "Personalized Ads" was enabled by default until iOS 15 and buried in Settings. iOS 15 setup prompt for Apple's own ads used neutral language — not the fear-inducing framing imposed on competitors.
What they claim: Apple's App Store Review Guidelines (2.5.2) prohibit apps from downloading, installing, or executing code that changes their functionality. Apple describes this rule as protecting user privacy and security. Apple's own Xcode 26 integrates AI coding agents built with Anthropic and OpenAI.
What we found: In March 2026, Apple blocked updates for Replit (valued at $9 billion) and Vibecode, then pulled the app Anything from the App Store — twice — for the same AI code-execution capability Apple endorses in its own Xcode. When Anything removed the feature Apple objected to, Apple rejected it again for minimum functionality. Apple's enforcement was selective: its own Anthropic-partnered AI coding tool is not subject to App Store Review at all, while third-party equivalents are blocked. Revenue motive is clear — vibe-coded web apps bypass the App Store's 30% commission entirely.