Yosemite, Spotlight, and Privacy

Concerns about the amount of information transmitted to Apple in standard usage of Yosemite first surfaced a few days ago. To be fair, it looks like Apple is collecting a lot: an analytics ID, kinds of email addresses, Spotlight searches, and so forth. That sounds pretty scary. But Russell Brandom of The Verge and Michael Tsai have both done a great job of reducing the amount of FUD in these claims. Brandom:

But on closer inspection, many of the claims are less damning than they seem. There’s already a public privacy policy for the new feature, as well as a more technical look at the protections in the most recent iOS security report. That document breaks down five different kinds of information transmitted in a search: the approximate location, the device type, the client app (either Spotlight or Safari), the device’s language settings and the previous three apps called up by the user. More importantly, all that information is grouped under an ephemeral session ID which automatically resets every 15 minutes, making it extremely difficult to trace a string of searches back to a specific user. That also makes the data significantly less useful to marketers, since it can’t track behavior over any meaningful length of time. And most importantly, the data is transmitted over an HTTPS connection, so it can’t be intercepted in transit.

And Tsai:

Cook frames it as Apple not needing your information because it isn’t monetizing it, but there are definitely cases where having more information would help Apple improve the user experience—at the expense of privacy. It is not always possible to maximize both.

Also of note: the fact that this Washington Post article even got published. If it were nearly any other company, an article like that probably wouldn’t be warranted. That’s not because the Post wants to target Apple or anything, but because Facebook, Google, and others collect this kind of information routinely. Apple is one of the few Silicon Valley companies to care to such an extent about user privacy. Any breach of that is considered noteworthy. By contrast, the expectation of most other tech companies is that they will take as much analytics and user data as they can get away with.