critical
In 2023, independent researchers at Mysk found that Apple's iPhone analytics opt-out toggle does nothing. With analytics turned completely off, their iPhone continued sending detailed usage data to Apple — including which apps were launched, how long they were used, and what features were accessed. Apple was sued in a class action (Elliot v. Apple). The toggle exists. It just doesn't control anything.
critical
Apple says its analytics data is anonymised. Researchers Tommy Mysk and Talal Haj Bakry found that every analytics packet includes a "dsId" — a Directory Services Identifier directly linked to the user's name, email address, and phone number. The data isn't anonymous. It's personally identifiable. Apple put a label on it that says "anonymous" while including your name in the envelope.
critical
Professor Douglas Leith at Trinity College Dublin discovered your iPhone phones home to Apple every 4.5 minutes — even sitting idle in your pocket with analytics turned off. It sends your serial number, phone number, IMEI, SIM serial, location, and the Wi-Fi addresses of every device near you. Apple's UDID identifier survives a factory reset — you literally cannot erase it. Leith emailed Apple's Director of User Privacy three times. Apple declined to acknowledge receipt. "What happens on your iPhone, stays on your iPhone" — unless Apple wants it, which is every 4.5 minutes.
critical
Apple says what happens on your iPhone stays on your iPhone, but by default your iPhone backs up everything to iCloud — including messages, photos, and health data — where Apple can access it and hand it to police or governments on request. Apple approved 93% of government data requests. The truly private option (Advanced Data Protection) is buried in settings and most people never turn it on.
critical
Apple said Siri was designed to protect your privacy, but for years Apple secretly paid contractors to listen to your Siri recordings — including conversations that were accidentally recorded. Contractors heard private medical appointments, business deals, and intimate moments. Apple had to pay $95 million to settle the lawsuit. They said they stopped, but France's privacy authority opened a new investigation in 2025.
critical
Apple made a big deal about asking apps for permission before tracking you. But Apple's own advertising business doesn't have to ask the same permission. So Apple blocked Facebook and Google from tracking you, then collected similar data itself for its own ads — without the same privacy prompt. Apple's ad business grew after this change. They didn't protect your privacy; they took over the tracking market.
critical
Apple says your AirPods Pro 2 are just headphones that respect your privacy. In reality, they contain always-on microphones that continuously analyse every sound around you — detecting when you speak, classifying background noise, and tracking your head movements. The earbuds process audio 48,000 times per second. This is not disclosed when you buy them or in prominent marketing.
high
To use Spatial Audio, Apple scans the unique shape of your ears using your iPhone's face-scanning camera — creating a biometric map of your body. Apple says this data stays on your device, but the earbuds connect to Apple's metrics and health servers, and there is no way to independently verify the data isn't transmitted.
high
Apple says they don't sell your data and keep it encrypted. But Apple hands over your data to governments in 93% of cases when asked. They even accidentally gave user data to hackers who faked police requests. Your AirPods location data, connection logs, and usage patterns are all accessible to law enforcement.
critical
Apple calls privacy a fundamental human right. A court approved a $95 million settlement because Apple was caught sending recordings of private conversations — picked up by accidental Siri activations on devices including Apple TV — to outside contractors who listened to them. This went on for over ten years before Apple was held accountable.
high
Apple says its advertising does not share data with third parties. But Apple TV has three advertising endpoints baked into its firmware, and the EU is investigating whether Apple blocks other companies from tracking you while giving its own ad business a free pass. Apple's Android TV app also includes a Google advertising tracker, contradicting the "no third parties" claim.
high
Apple says it designs products to protect your information. Three serious vulnerabilities were found in Apple TV — one was being actively exploited by attackers before Apple fixed it, one let apps escape their security sandbox, and one let attackers run code on your TV through a crafted video file. Playing video is the one thing Apple TV is supposed to do safely.
critical
Apple says your health data is encrypted so even they can't read it. But their own law enforcement guidelines show they can hand over iCloud backup data — which can include health records — to police with a court order. Most users don't enable the extra 'Advanced Data Protection' setting that actually makes this end-to-end encrypted. Apple approved 93% of government data requests.
critical
Apple says its Watch has top-tier security with advanced encryption and on-device processing. But government-grade spyware called Pegasus has already been used to break into Apple Watches without the owner even touching their device — just receiving a specially crafted iMessage was enough. More spy-grade vulnerabilities were found being exploited in 2025. If surveillance companies can break in, so might others.
high
Apple says it processes your health data locally on your device for privacy. But through its Research app, Apple funnels your heart rate, menstrual cycle, sleep, and ECG data to universities and outside researchers. The details of who gets your data are buried in study consent forms, not in the main privacy policy most people read. Apple can also re-identify you from this 'de-identified' data.
critical
Apple forces other companies to ask permission before tracking you, but exempts its own advertising from the same rule. Apple's ad business boomed after ATT because it kept access to data it denied to competitors. The privacy feature doubles as a competitive weapon.
critical
Apple says your data is encrypted and safe. But by default, Apple keeps a copy of the key to your iCloud backups — and they hand that data to police when asked. They even dropped plans to fix this because the FBI objected. Most people never turn on the stronger protection.
critical
Apple gives you a switch to turn off analytics sharing. But researchers proved Apple's own apps ignore that switch completely and keep sending detailed data about everything you do — tied to your identity. Even Google and Microsoft actually stop when you say stop.
critical
Without Advanced Data Protection enabled (which most people haven't), Apple holds the keys to your passwords. Law enforcement sends Apple a warrant, Apple decrypts your Keychain, and hands over every password you've saved. This happened 12,812 times in the US in just the first half of 2024.
critical
Apple was going to encrypt iCloud so even they couldn't read it. The FBI said no, and Apple caved. They waited 4 years, then released it as an opt-in feature buried in settings that most people will never find.
high
Apple's Secure Enclave chip is genuinely strong hardware security. But CVE-2025-24204 let an attacker dump your Keychain passwords without any authorization prompt. The software keeps letting people walk around the hardware.
Shazam
Streaming · 6 contradictions
Serious concerns
high
You open Shazam and tap the button to identify a song. Done? You toggle it off. The button says off. But the microphone is still on. A security researcher found that Shazam never stops accessing your Mac's microphone while the app is running. "OFF" means Shazam stops processing audio. It doesn't mean Shazam stops receiving audio. Your microphone is still active, still streaming sound to the app. You just can't tell because the button says off. The distinction between "receiving audio" and "processing audio" exists in Shazam's code. It doesn't exist in any user's understanding of what "off" means. When you turn something off, you expect it to stop listening. Shazam stops thinking about what it hears. It doesn't stop hearing.
high
You opened Shazam. Before you identified a single song -- before you even tapped anything -- the app sent your device identifiers and advertising ID to Facebook. Privacy International caught this in 2018: the moment Shazam launched, it called home to graph.facebook.com. Not after you used it. On launch. Your advertising ID went to Facebook because you opened a music app. Apple bought Shazam that same year. Apple -- "what happens on your iPhone stays on your iPhone" -- acquired an app that was transmitting user data to Facebook before users could do anything about it. Apple has since cleaned up some trackers, but Exodus Privacy still finds tracker signatures in the Android version. The app that identified your songs also identified you to Facebook.
high
Every song you Shazam is timestamped. If you gave location access, it's geotagged too. Over years, that library tells a story. The bar where you go on Fridays. The gym on Tuesday mornings. The concert last summer. The song playing in the store when you bought your wedding ring. Shazam knows your mood -- sad songs at 2 AM, workout music at 6 AM. It knows your social life -- identifying songs at a party versus alone in your car. With 225 million monthly users, Apple has a real-time map of what music is playing where, when, and who's listening. A song identification app became a behavioral diary that 225 million people write in voluntarily. Apple says the data supports "related Apple products and services." Your musical life, in Apple's service.
critical
Safari sends every URL you visit to Google for 'safe browsing' checks. In China, it sends them to Tencent instead — a company legally required to share data with Chinese intelligence. Apple didn't tell users about the Tencent part.
high
Your Safari browsing history is synced to iCloud where Apple can read it. They confirmed in their law enforcement guide that they'll hand it over with a warrant. The encryption that would actually protect you is opt-in and almost nobody turns it on.
high
Safari blocks trackers for free. But actual privacy — hiding your IP address, hiding your email — costs $0.99-$12.99/month via iCloud+. Apple turned privacy into a subscription service.
iCloud
Cloud Storage · 5 contradictions
Serious concerns
critical
Apple sells privacy but 90% of iCloud users' data is readable by Apple. They dropped encryption when the FBI complained. Your iPhone is encrypted but the cloud backup isn't.
high
Apple's Advanced Data Protection encrypts iCloud so even Apple can't read it — the strongest privacy feature any Big Tech company offers. But fewer than 1 in 10 users turn it on. It's buried behind a recovery key setup, disables iCloud web access, and requires every device on the account to be updated. Apple built the best lock in the industry and then hid the key under three layers of inconvenience.
high
Apple promised end-to-end encryption for iCloud — then caved to the FBI in 2020 and delayed it by two years. Apple joined the NSA's PRISM program in 2012. In 2023, Apple complied with 82% of government data requests. The iPhone itself is well-encrypted — but if you back up to iCloud without Advanced Data Protection (which most people don't enable), your backup is readable by Apple, by police, and by anyone who compromises Apple.
high
Apple News is pre-installed on your iPhone. You didn't download it. It's already there. And it tracks everything you read: which articles, how long you spend, what topics you follow, what you search for. What you read reveals who you are with uncomfortable precision. Read articles about divorce? Apple knows. Cancer research? Apple knows. Bankruptcy? Immigration? Addiction? Apple knows. One hundred twenty-five million Americans' reading habits, tracked by a company building a $10 billion advertising business. Apple says "Privacy. That's iPhone." Apple News says "We know your political views, health fears, and financial anxieties based on what you read this morning." Both statements come from the same company.
high
Apple News decides what 125 million Americans read first thing in the morning. Not an algorithm alone -- human editors at Apple choose the top stories. Which stories lead. Which get buried. Which sources are "trusted." Apple has more editorial influence over American news consumption than any newspaper, any TV network, any social media platform. But Apple isn't regulated as a media company. It isn't held to journalistic standards. It has no editorial board, no ombudsman, no corrections policy. Apple shapes what a quarter of American adults read about politics, health, economics, and culture -- with no editorial accountability. The most powerful news editor in America works at a technology company that says it doesn't do news.
high
Apple says it supports journalism. Apple takes 30% of every subscription dollar. Publishers who join Apple News+ lose their reader relationship -- Apple owns the data, controls the algorithm, and decides the revenue split. Readers who would have subscribed directly for $10/month switch to Apple News+ for $12.99 and the publisher gets pennies. Small publishers report Apple News+ cannibalises their direct subscriptions. The EU fined Apple €1.8 billion for this exact commission structure in music streaming. In news, the same model applies: Apple controls the platform, takes the cut, and owns the relationship. Supporting journalism by extracting 30% of its revenue and controlling its audience.
AirTag
Trackers · 5 contradictions
Fail
critical
Lauren Hughes and dozens of other women went to court to tell Apple what it already knew: a $29 device small enough to slip into a purse had become the stalker's tool of choice. The class action survived Apple's attempt to throw it out. The judge said if the product's design caused the harm, Apple has to prove its benefits outweigh the risk of enabling round-the-clock surveillance of domestic violence victims. Apple still hasn't settled.
critical
Apple launched AirTag in April 2021 knowing nearly three-quarters of the world's smartphone users had zero way to detect one hidden in their bag. For two full years, every Android user was invisible to Apple's "safeguards." A woman with an Android phone being stalked would hear nothing, see nothing — unless the AirTag's speaker chirped after three days, which stalkers quickly learned to disable by ripping out the speaker. Apple called this "privacy by design."
high
The same feature that helps you find keys in a couch cushion helps a stalker find their victim in a parking lot — down to the centimeter. Police saw tracking-device reports explode after AirTag launched. London's Metropolitan Police logged a 70% increase. Domestic violence shelters started teaching women how to sweep their cars for tiny white discs. Apple built the world's most precise consumer tracking network and acted surprised when abusers used it for precisely that.
critical
"What happens on your iPhone stays on your iPhone" was Apple's billboard while it paid contractors to listen to your Siri recordings. The whistleblower described hearing drug deals, doctor-patient conversations, and people having sex — captured by accidental activations. The recordings came with your location and contacts. Apple never told anyone humans were listening. It took a whistleblower going to The Guardian. Cost: a $95 million settlement — roughly 9 cents per affected device.
critical
The sound of a zipper. That's all it took to activate Siri and start recording. For five years, Apple collected these accidental recordings and sent them to contractors without telling anyone. When the whistleblower blew the lid off, Apple killed the program within a week — the speed tells you they knew how bad it was. The settlement covered a full decade of devices. Up to $20 per device. For years of eavesdropping, Apple valued your privacy at the cost of a pizza.
high
Tim Cook went on stage and said "privacy is a fundamental human right." He said it at conferences, in op-eds, on billboards. Meanwhile, hundreds of contractors worked shifts listening to 1,000 Siri recordings each — catching couples in bed, patients discussing diagnoses, people conducting private business. And while Cook positioned Apple as the anti-Google, Apple's ad business quietly grew from $2 billion to over $7 billion. Privacy is a fundamental human right — and apparently a fantastic marketing strategy.
high
Apple built Private Cloud Compute — AI servers that process your data and delete it. They publish the code for verification. This is genuinely better than what Google or Microsoft do. Then they added ChatGPT. When Siri can't answer, it asks: "Want me to send this to ChatGPT?" Your query leaves Apple's infrastructure and goes to OpenAI — a company 27% owned by Microsoft, now also running on Amazon's cloud. Apple asks permission first. But the default is there. The nudge exists. And every time you say yes, your data leaves the ecosystem Apple spent years building walls around.
high
Apple Intelligence is only on iPhone 15 Pro and newer. If you have an older iPhone, you don't get on-device AI — you get pushed toward ChatGPT and Google, which have weaker privacy. Privacy is now a hardware paywall. And the AI that does run on-device hallucinates. Apple's notification summaries invented fake news headlines and attributed them to the BBC. The BBC complained publicly. Apple's privacy-first AI fabricated journalism and put a real news organisation's name on it. On-device processing doesn't matter if the output is false. Private lies are still lies.
high
App Tracking Transparency asked every app: "Allow this app to track you?" Users said no. Facebook lost $10 billion in ad revenue. Meta called it devastating. But Apple's own apps never show that prompt. Apple tracks you across the App Store, News, Stocks, and Maps without asking. Apple Search Ads grew to $7-10 billion a year. ATT wasn't just a privacy feature. It was a business strategy that kneecapped competitors' advertising while growing Apple's own. The privacy wall is real. It has a door in the back that only Apple can use.
high
Apple says privacy is a human right. Apple Music collects your listening history, search queries, playlist names, skip behaviour, and Siri voice commands -- and connects all of it to your Apple ID. Your Apple ID links your music to your purchases, your location, your photos, your messages, your health data, and every app on your phone. Spotify knows what you listen to. Apple knows what you listen to, where you listen, what you bought afterward, and what you said to Siri about it. Apple's advertising business is growing past $10 billion. The privacy company is building an ad business. Your listening habits feed it. "Privacy. That's iPhone" -- unless you count the advertising division.
high
You made a playlist called "3 AM thoughts." Apple knows. You played sad songs for two weeks straight. Apple knows. You switched to breakup anthems. Apple knows. You started playing lullabies. Apple knows you had a baby before you told anyone. Music is emotional data. Research links listening patterns to depression, anxiety, grief, and major life changes. Apple Music tracks every song, every skip, every repeat, every playlist name -- and connects it to your real name, your credit card, your home address, and your daily location. Spotify sells this data to advertisers. Apple says it doesn't. But Apple's advertising division is growing past $10 billion, and your emotional life is in the dataset.
high
Apple Music pays artists more per stream than Spotify. Apple also charges Spotify a 30% tax on every subscription sold through the iPhone. Apple Music doesn't pay that tax because Apple owns both the store and the service. The European Commission fined Apple €1.8 billion in March 2024 for preventing Spotify from telling iPhone users they could subscribe more cheaply on the web. Apple pays artists better while making the competition more expensive. The per-stream rate is real. The monopoly that enables it is also real. Apple didn't build a better music service. Apple built a toll booth and parked its own service on the free side.
critical
The Vision Pro tracks your eyes 60 times per second. Apple says the data stays on-device. Then researchers proved they could watch your Persona avatar in a FaceTime call and reconstruct what you typed — passwords at 92% accuracy. Your eyes betray your keystrokes. Apple patched that specific attack, but the underlying reality cannot be patched: eye tracking encodes what you think, what you want, and what you're about to do. It reveals which word you paused on, which product you lingered over, which face you looked at longest. No other Apple device has ever recorded where your attention goes 60 times per second. This one does.
high
Vision Pro has 12 cameras and 5 sensors strapped to your face. It builds a 3D model of your room — furniture, walls, doorways, objects, people. It scans your face to create a digital replica. It tracks your hands. It watches your eyes. Apple says most of this stays on-device, and that's probably true today. But you're wearing the most sophisticated sensor array ever built for consumers. It knows the layout of your home, the expressions on your face, where your eyes go, and what your hands do. The question isn't what Apple does with this data now. The question is what any company would do with this data ever.
high
Most people will never wear a Vision Pro. At $3,499, Apple sold it to early adopters and developers, then cut production in half and discontinued it within a year. But that's not the point. Vision Pro normalised eye tracking, room mapping, face scanning, and hand tracking as consumer technology. ARKit is already on every iPhone. LiDAR is on iPad Pro. Eye tracking is coming to AirPods and future glasses. The Vision Pro privacy precedents — what's acceptable to track, what stays on-device, what apps can access — will define the rules for devices that cost $200, not $3,500. The expensive prototype sets the cheap future.