15acf4d3 t1_ixj8plv wrote
Reply to comment by xXTheBigBearXx in Apple Device Analytics Contain Identifying iCloud User Data, Claim Security Researchers by RobertaGoldstein
Do you know what API call is? How do you know those API calls with DSID are the purpose of analytics unless you work at Apple and knows how the data is used?
xXTheBigBearXx t1_ixjciu6 wrote
The API calls are irrelevant to the purpose of the analytics??
The point is the analytics contains an identifier, which is linked to the iCloud account as proved by the API call
15acf4d3 t1_ixjg9fz wrote
You (and the two dudes who claimed this) are assuming that DSID is found in the analytics data, which is not true.
The DSID is found in the request body of API calls while two dudes browsing App Store.
But the purpose of those API calls are unknown. And only someone who works at Apple handles these data knows the purpose. It is unknown whether that API calls were for the purpose of tracking user behavior or just simply checking whether the user bought the apps on the current page or the device can run certain apps etc.
To verify whether Apple actually collects data for user analytics, someone needs to investigate their backend services and databases. Not some API calls.
That's why this article and the "analysis" by two dudes are simply clickbaits.
xXTheBigBearXx t1_ixjh4nu wrote
So what your saying is the second screenshot from their Tweets is an API return also, and not analytics then?
15acf4d3 t1_ixjidls wrote
I don't know the true purpose of these request body and the API calls.
No one does except who actually implemented these API calls and who handles the data inside Apple.
Just simply having some kind of user ID in API calls doesn't say anything. If you are using any service that has user account, this happens all the time. Your posts, comments, profile picture on Reddit is associated with some kind of user id. Without user id, how can Reddit remembers your posts, comments?
It's same for App Store. The apps you bought, you subscribed etc is associated with user id.
Having user id in the API calls doesn't mean a service is tracking and analyzing your behavior. That is totally different story that this article and the tweets from two dudes has not proved anything
xXTheBigBearXx t1_ixjiykp wrote
You didn't answer my question..
Did they not tweet an image of some Analytics data, which contains the dsId?
15acf4d3 t1_ixjj7w0 wrote
They claimed it's from "analytics data" But what they actually did is just look at the request body of API calls (probably using something like WireShark)
That's completely different things
15acf4d3 t1_ixjiy4d wrote
To simplify what's going on:
Apple: Did you buy this game? User: Yes here is my user id Apple: Oh I can confirm that there is a transaction record for this game with your user id
???: Apple lied. Apple invaded user privacy.
muffdivemcgruff t1_ixkxz28 wrote
No, the identifier is only return when you are logged into icloud and have credentials.
When uoure not logg in and requesting the data it does not return the identifiers.
xXTheBigBearXx t1_ixlmgnf wrote
Yes, but there shouldn't be an identifier in analytics if you're logged in either. They should be anonymous.
Viewing a single comment thread. View all comments