The Google Privacy Matrix: Wanna wake up, Neo?

Drawing of GoogleHome Morpheus giving you the choice.

This should have become just one post: Google and our privacy and security. But I realized, almost too late, that such a post would be very, very dangerous. Dangerous for you and dangerous for me. Some of you would be shocked to the point that you start to hate smartenlight. Some of you would keep asking me for the real stuff.

So, I’ll give you the choice. You need to decide for yourself to what extent you want to be in control of your own life.

Please come, sit.

I imagine that right now, you are feeling a bit like Alice, tumbling down the rabbit hole, hmmm?

Let me tell you why you are here. You are here because you know something. What you know you can’t explain, but you feel it. You have felt it your entire life: there is something wrong with the internet. You don’t know what it is, but it’s there. Like a splinter in your mind, driving you mad. It is this feeling that has brought you to me.

Do you know what I’m talking about?

Do you want to know, what it is?

The Google Privacy Matrix is everywhere. It is all around us, even now, on this very website. You can see it when you look at your browser, or when you watch YouTube. You can feel it when you go to work, when you go to church, when you pay your taxes. It is the world that has been pulled over your eyes to blind you from the truth.

What truth?

That you are a slave, Neo.

Like everyone else, you were born into bondage, born into a prison that you cannot smell, or taste, or touch.

A prison, for your mind.

Unfortunately, no one can be told, what the Google Privacy Matrix is. You have to see it for yourself.

This is your last chance. After this, there is no turning back.

  • You take the blue pill, the story ends, you wake up in your bed and believe whatever you want to believe.
  • You take the red pill, you stay in Wonderland, and I show you how deep the rabbit hole goes.

Remember: all I’m offering is the truth.

Nothing more.

Yours,

M.

Google and Our Privacy and Security: Red Pill

Drawing of Google and our Security and Privacy

WARNING: If you’ve accidentally arrived here without the explicit decision to take the “red pill”, please leave now! This post is a fictional story for insiders who are curious about the potential impact of artificial intelligence.

Have they left?

Let me check in GA! No.

Ok, let’s rephrase:
WARNING: This is going to be the most boooring …

Aaaah, now they’re gone. Just you and me.

How do I know that?

Very easy, I track you.

I know whether you come from Facebook, Instagram, Twitter or any other social media site. I also know when you arrived with no referrer at all, for instance from a bookmark, which Analytics files under “direct”.

And when you search for something on Google, Bing or Yahoo and a smartenlight post appears in the results, I know the position at which the post was listed and whether it was clicked. I even see the keywords that brought searchers to this article, although only in aggregate: the big search engines stopped passing individual queries along years ago.

I know the language your browser reports, the city your connection appears to come from, even which type of device and browser you are using. I know how often you visit me and for how long.

On my dashboard, I can see – in real-time – when you come,
and when you go …

Wait!

Before you leave now, because you think you have ended up in your worst privacy nightmare, written by a nerdy idiot who does not respect other people’s privacy:

It is not me who tracks you,
it is Google.

What?

What I have described above is actually the comparatively harmless form of tracking: Google Analytics, run in anonymized mode. There is much more out there, everywhere.

The Google Matrix is a system, Neo.

When you’re inside, looking around, what do you see? Managers, teachers, carpenters, lawyers, the very minds of the people we are trying to save. But until we do, these people are still part of that system.

You have to understand, Neo. Most of these people are not ready to be unplugged. And many of them are so dependent on this system that they will fight to protect it.

Are you listening to me, Neo?

Please relax, we are safe here!

Of course, I don’t know you as “you”, only Google does.
That’s why it’s so difficult for me to reach you …

For me, you just appear as a number in Google Analytics, Neo. And the reason I am interested in those numbers is to improve this site so that it can find you. Sure, it would be much easier if you just left a comment with your feedback. But I cannot expect that from you, so I look at some numbers and do some guesswork.

Let me show you …

This is a snapshot of the Google Matrix for this post right after it went online. Only 63 candidates. You see how difficult it is for me to find you, Neo? You could be anywhere …

Table GA - The Google Matrix Snapshot 2018-05-14
Where are you, Neo? According to the user count, you could be in the UK, but according to how long you have listened to me, you must be in Austria or Australia …

Welcome to the Google Matrix!

Up to 80% of all websites out there have Google Analytics installed. The rest use one of the roughly 600 other site-analytics trackers, and many sites run a mix of them.

I have invested a lot of time to make sure we are safe here, Neo.

They cannot track us. No personalized ads, no social media tracking, no nothing. I do not even log or store your IP address on this website, because for our European candidates the IP address is personal data. And I use Google Analytics with IP anonymization switched on: Google sets the last part of your IP address to zero before it is stored or processed any further. One caveat for the careful: the full address still travels to Google’s collection servers inside the request; the truncation happens on their side, not in your browser.
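This is what that setting looks like in practice. The following is an added example, not code from this blog: the analytics.js snippet with IP anonymization enabled, plus a small function that models the rule Google documents for it (the last octet of an IPv4 address and the last 80 bits of an IPv6 address are zeroed). The property ID is a placeholder, and the truncation function is a model of the documented behaviour, not Google’s own implementation.

```javascript
// Added example, not the blog's own snippet: enabling IP anonymization in
// analytics.js and a model of what Google documents that setting does.
// 'UA-XXXXX-Y' is a placeholder property ID, not a real one.

// Browser side. `ga` is the analytics.js command queue; it is passed in here so
// the same function can be exercised under Node with a recording stub.
function configureAnonymizedTracking(ga, propertyId) {
  ga('create', propertyId, 'auto');
  // Must be set before the first hit is sent. The full IP still reaches
  // Google's collection endpoint in the HTTP request; the zeroing is done
  // on Google's side before the address is stored or used.
  ga('set', 'anonymizeIp', true);
  ga('send', 'pageview');
}

// Expand an IPv6 literal into its eight 16-bit groups (handles one '::').
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('malformed IPv6 address: ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (missing > 0 && halves.length !== 2)) {
    throw new Error('malformed IPv6 address: ' + ip);
  }
  return [...head, ...Array(missing).fill('0'), ...tail];
}

// Model of the documented anonymizeIp rule: IPv4 keeps its first three
// octets, IPv6 keeps its first 48 bits (three groups). Note how much survives:
// enough for city-level geolocation, which is why the dashboard still shows a city.
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    const groups = expandIpv6(ip);
    return groups.slice(0, 3).concat(Array(5).fill('0')).join(':');
  }
  const octets = ip.split('.');
  if (octets.length !== 4 ||
      octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error('malformed IPv4 address: ' + ip);
  }
  octets[3] = '0';
  return octets.join('.');
}

if (typeof require !== 'undefined' && require.main === module) {
  // Stand-alone demo with a stub `ga` that just records the calls.
  const calls = [];
  configureAnonymizedTracking((...args) => calls.push(args), 'UA-XXXXX-Y');
  console.log('ga() calls:', JSON.stringify(calls));
  console.log('203.0.113.77  ->', anonymizeIp('203.0.113.77'));
  console.log('2001:db8::1   ->', anonymizeIp('2001:db8::1'));
}
```

To check whether a site you visit actually does this, open the browser’s network tab and look at the request analytics.js sends to Google’s collect endpoint: with the setting on, it carries an `aip=1` parameter. Without it, Google receives and keeps the full address.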

Not many sites are this cautious, Neo.
You can check for yourself with the Ghostery extension, for example in Chrome.

And when you surf other sites, don’t be shocked to land on pages with 10, 30, 50, over 100 trackers. This is normal nowadays. They come from advertising and affiliate programs, social media, even adult advertising.

It’s a jungle out there! Ghostery alone knows about 3000 different trackers; it shows you what is going on and blocks what it recognizes, which hides you from them. Also from me …

For now, please relax, we are safe here.

I hear you, Neo!

Looking at my numbers and doing my guesswork, I see that I could not grab your attention. You have missed the most important parts.

Let me try again, this is important.

Why this topic, here and now?

If you know this site, you know that it is about smart home and smart assistants. This intimate space at home is where we expect security and privacy. But are we equally careful about which companies we invite into our homes?

While checking around Google’s privacy policy I stumbled over some topics I was not aware of. Interesting, but somehow disturbing topics.

Google has become our prime source of information, to such an extent that we are more open to Google than to anybody else.

We are more open to Google than to our partner, best friend, father, mother, sister, brother, kids, doctor, priest, shrink!

You don’t believe me, Neo?

Ok, then download your data now; I will prove it to you. Make sure to request all of it, using the right Google account (the older the account, the better). The export takes a while on the Google Matrix end, so initiate it now. At the end of this post, I will tell you what to look for. Remind me that we will also use this data to check our Google Home recordings efficiently.

Go now, to initiate your takeout. You will receive an e-mail from Google when it’s ready to download.

I will wait for you.

We tell things to Google, that we don’t tell anybody else, Neo.

Seth Stephens-Davidowitz, former Google data analyst, NYT writer and author of “Everybody Lies”, calls Google a “digital truth serum” (a 16-minute TED talk on YouTube). The topics range from sex and racism to suicide and Islamophobia. Still, it is safe to watch, and you will understand much better where our journey goes.

“One in six queries presented to Google has never been asked before.” “Imagine your face and your name above everything you’ve put into that box, and you’re going to realize you trust Google more than any entity in your history.” Scott Galloway, Professor of Marketing at the NYU Stern School of Business, calls Google “modern man’s God” (a 1-minute clip on YouTube).

Breathe in.

Breathe out.

We will now use Google’s privacy policy to our advantage.

How do we get there?

I’ll start with how Google makes money. You need to know this to understand why Google collects all our data.

Next comes a “light privacy version”, an overview Google gives us. I’ve covered this in the blue pill in a happy-blue-pill-way. Here I will highlight, how you can minimize your footprint and what Google does not mention, or only indirectly.

We will look into the services required to have our Google Homes running. Yes, there are some data collection services we cannot turn off if we want to use our assistants. This is actually not good at all, but I’ll help you to keep it clean.

Finally, we will look into what’s planned for Google privacy in the future and wrap up our findings in a conclusion.

Ok, let’s follow the rabbit …

Google privacy overview

“Every day, data makes our services work better for you. That’s why it’s important that we keep it private and safe – and put you in control.”

Google is an advertising company. It collects our data and makes money out of it by showing us personalized ads based on our data.

The more data Google has from us, the better they can personalize their ads and services, and make them useful for us.

Neo, Google is a business, the economic equation looks more like: The more data Google has from us, the more they can charge for their hyper-personalized ads.

A quick glance at the past year’s earnings shows that the parent company Alphabet, with CEO Larry Page and President Sergey Brin at the top, is divided into Google and “other bets”.

Google made $110 billion in revenue in 2017, around 84% of it from advertising (DoubleClick, AdSense, YouTube) and the rest from the Google Cloud Platform, Google Play, Google Home and, since recently, Nest, which has now been merged back into Google. The “other bets”, ranging from AI developments to self-driving cars, still bring in over a billion a year in revenue, though at a loss.

So Alphabet is mostly an advertising company, making a lot of money from personalized ads on our search results, on YouTube and on some two million-plus partner sites around the web.

If you are wondering what is being tracked when you have no Google account at all, here are some ideas on shadow profiles built through Google Analytics. You will furthermore find a hint that in 2016 Google changed its terms of service and quietly dropped the wall between anonymous online ad tracking and our names.

Overview: “Every day, data makes our services work better for you.”

The cute, animated introduction is there to remind us of the benefits we get from giving Google our data. From weather information to Google Translate. Google Maps reminds us when to leave to be on time for our next appointment. And Search intelligently gives us just the results we want, on the web and on YouTube.

These are all free Google Services, Neo. They have many more ….

Your Data: “Our commitments to your privacy and security:”

“We want you to understand what data we collect and use.”

They tell us, what they collect. Because they have to.

  • “Things you do”: What we search for, the websites we visit, the videos we watch, the ads we tap, our location, our device information, and our IP address and cookie data are being collected.
  • “Things you create”: The data we create and store in the cloud, like emails we send and receive on Gmail, the contacts we add, calendar events, photos and videos we upload, docs, sheets and slides on Drive, are being stored and protected (and analyzed) by Google.
  • “Things that make you ‘you’”: Our personal data associated with our Google account: name, email address and password, birthday, gender, phone number and country.

“How data improves Google services”

Remember, Neo: their promise is always to improve their (free) services for us.

To do that with the huge amount of data we are creating, they have to automate the process. So they program machines to do the job.

When you search for “Africa” and I search for “Africa”, we get different results. This is because the machines personalize our results, transforming them into something that confirms what we already believe. They keep us in our “filter bubbles”, cozy and biased. They don’t show us unbiased results; that’s too dangerous, we might wake up ….

The matrix is full of filter bubbles created by Google, Facebook, Amazon and even Netflix (a 9-minute TED talk from 2011 in which Eli Pariser explains this important topic).

Google has recently, seven years later, admitted there is a problem and is now working on it.

Let me tell you, how data improves Google services for their advertising business:

When Al Bundy wants to show you a shoe advertisement, he can target you based on the data. Google gives him the tool to find you based on:

  • your demographics (age range and gender),
  • your interests (affinity categories; we will see them in a bit),
  • life events like “recently moved” or “got married”, derived from your searches,
  • whether you have already searched for similar products,
  • the keywords you are searching for,
  • and more,
  • and much more.

Since we are into Google Home: each of our interactions with Google Assistant is stored in an activity log, which we can view and delete from here. If you delete your searches, chances are you shrink your filter bubble.

Take Control: “You have the controls to manage your privacy.”

Here are the links where you can control your data, make sure you don’t lose them:

  • Control your privacy settings at My Account
  • See what data is in your account at My Activity
  • Manage your privacy settings with the Privacy Checkup
    • Personalize your Google experience
      • “Web & App Activity”, “Device Information” (watch out, this covers your contacts, calendars, apps, music and more) and “Voice & Audio Activity” cannot be paused if you want to use your Google Home. Make sure you delete this information from time to time to keep your footprint small. If you are afraid that the quality of the Google services will degrade for you, remember how they performed on day one, when Google had no data.

      • “Location History”, “YouTube Search History” and “YouTube Watch History” can be paused, and you can still use your Google Home. Make sure you delete your data by following those links. Pausing an activity does not delete the data. It is not that easy to get out of the matrix.

    • “Help people connect with you”: This feature is built from everybody else’s contact data: ANYBODY who has your number. Turn this off, Neo.
    • “Choose what Google+ profile information you share with others”: Turn this off.
    • “Make ads more relevant to you”: Last but not least, here we are.
      Since you have taken the red pill, I assume you would like to opt out of this. Note that you cannot get rid of the interests the machines assume you have. Confuse them by telling them that you do not like what they think you like, just in case.
  • “Secure your account with the Security Checkup”: This link helps you keep your account secure!
  • “Decide what data is associated with your account”: Use this link to verify that nothing is linked to you that should not be.
  • Review your basic account information
  • “Take your content anywhere with Download Your Data”: Finally, the option for everybody to download our data. I hope you have done it already, before deleting anything. That is why I gave you this link at the very beginning.
  • The last feature lets us define up to 10 trusted contacts who can download “some” of our content in case something happens to us and our account is left unattended for a set period. We can also specify whether Google should delete our inactive account and its data. What happens with our data when we die? Think about it, Neo!

Your Security: “Your security comes first in everything we do.”

Google says it secures its services with one of the world’s most advanced security infrastructures. They do everything not to lose our valuable data.

If somebody, typically a government agency, asks Google to hand over data, Google reviews the request and documents the numbers in its transparency reports.

“Top tips to help you stay secure online”

Here we get helpful quick tips to secure our personal data! These are important, use them to your advantage, Neo!

  • “Strengthen your sign-in”
    • “Create strong passwords”
    • “Use unique passwords for every account”
    • “Keep track of multiple passwords”
    • “Defend against hackers with 2‑Step Verification”
  • “Protect your devices”
  • “Avoid phishing attempts”
    • “Always validate suspicious URLs or links”
    • “Beware of email scams, fake prizes, and gifts”
    • “Be wary of requests for personal information”
    • “Watch out for impersonators”
    • “Double check files before downloading”
  • “Browse the internet securely”
    • “Use secure networks”
    • “Look for secure connections before entering sensitive information”

How Ads Work: “We do not sell your personal information to anyone.”

Google does not sell our personal information (name, email, payment information)!

Why should they?

They know everything about us. The blue pill community went all-in. They do not care about their privacy. The promise that Google services will become better and better is just seductive! The fact that Google knows more about us than our partner, best friend, father, mother, sister, brother, kids, doctor, priest, shrink is more than enough to keep the business running.

  • “We use data to make ads relevant”: Google tries to show us useful ads, based on the data we have reviewed. Useful ads, means expensive ads.
  • “Advertisers pay only for ads that people see or tap”
  • “We show advertisers how well their campaigns worked”: The matrix continuously monitors its performance, Neo.

“How ads work on Google services and partner sites”

Here the matrix finally reveals how it creates useful ads for us:

  • Google takes our current and past searches into account when displaying useful ads. Have you already received your takeout email?
  • Google uses our watch history and our current and past YouTube searches as a basis to define useful YouTube ads.
  • The ads we see in Gmail are based on the usual data, not on the content of our emails. Nobody reads our e-mails to pick ads for us; automated systems scan them to filter out spam and malware.
  • Many sites partner with Google to display ads. These advertisers show ads to certain “types” based on our information and the data collected from our online activities, e.g. “25–34 year old males who are interested in travel.” Google might also show us ads based on sites we have visited, e.g. we left red shoes in a shopping cart but decided not to buy them yet.
    OK, it is time now to go deeper, Neo: programmatic advertising. Almost 80% of US mobile display ads are bought programmatically. $46 billion will be traded between machines, not humans, in the US alone this year.
    The moment we open a website, machines start to negotiate our worth. If they find a cookie on our device about the red shoes left in our shopping cart, guess what happens? The ad price goes up, because Al Bundy wants to sell us his freaking red shoes.

“Take control of your Google ads experience”

To control the ads we see, we can:

  • “Control ads based on your preferences”: We’ve looked into this already above.
  • “Remove ads you do not want to see”: We can mute many ads that are no longer relevant to us by closing them with the (X) on partner websites and apps. This is helpful in case we have already bought the car we were interested in. I am a bit afraid that muting flags something like “this guy recently bought a car, let’s sell him …”
  • “Learn what data we use to show you ads”: “Why this Ad” is a feature, which displays the reason, why we see an ad. I’ve never tried this feature, because I am not into ads, but let’s keep it in mind when we stumble over Google ads.

“Safer Internet: We help make the Internet safer for everyone.”

Google develops security technologies, which they share with other companies to improve the whole online world.

Let us talk for a moment about ad blockers. These nice extensions let us block any ads on websites. No, not any, but some. Which ones get through? Those that pay. How to market this: define good ads and bad ads, and display only the good ads. Google is in the lucky position of having its own browser, so it built this in: since February 2018, Chrome filters ads that violate the Coalition for Better Ads standards, a coalition Google belongs to.

Let’s close this chapter with a dedicated link called Privacy concerns regarding Google on Wikipedia, just in case you want to go further down the rabbit hole …

A quick peek into your Takeout

Have you received your takeout yet, Neo?
Well, that’s now your very personal thing. Enjoy!

Thanks for reminding me that we have two topics open (make sure you are alone when doing this):

  1. Navigate to /Takeout/My Activity/Voice_and_Audio. You will find a folder full of your Google Home/Assistant recordings. Sort the recordings by size. You might find a handful of noticeably bigger files (I did). These are most likely erroneously triggered recordings, where you did not say “Ok/Hey Google”. Listen to them and think about your privacy.
  2. Make sure you are alone. Navigate to /Takeout/My Activity/Search and open MyActivity.html. Scroll down to the very end; these are your oldest searches. Scroll up until you find something strange. Something you did not expect to find here. Some memory you have buried deep in the back of your mind. There it is, in front of you, saved into your account and used by the system to find you.

Examine your takeout carefully and don’t forget to delete the data you do not want to share with Google advertisers.

What’s coming (to some of us?)

Google just updated their privacy policy which goes into effect on May 25th, 2018. That’s the date when the new General Data Protection Regulation kicks in for EU residents. According to Google, the new version is much clearer, though nothing really changes in the way how Google services process our data. You will also find a couple of cute YouTube videos, which explain how Google services use our data. Here’s the original blog post from Google’s EMEA Director for Privacy Legal.

Ads are mentioned and explained earlier in this version. Google Analytics is also mentioned, once you scroll down a bit, and then a bit more. Clicking the comparison with the previous version gave a 404 error at the time of writing.

But that should not be a problem since you already understand what to look for.

Conclusion

We went very deep into the rabbit hole in this post.

I hope you are feeling OK? You must feel exhausted, I’ll keep the conclusion short.

Neo, privacy is our human right (UN, US, EU).
It has many dimensions. Whom do we trust more? Governments or big companies? Regulations or the economy? When our data is out there, accessible to companies and governments, it can also be stolen by criminals.

You’ve learned now,

  • what data is being collected,
  • how companies make money with it,
  • and how to monitor and minimize your Google Home footprint.

Now that you know what the matrix is,
use those privacy policies out there to your advantage.

Our data is worth a lot of money; it is just that we cannot sell it on our own terms.

Take care, Neo!

Yours,

M.

P.S. The comment section below is GDPR compliant. I was just waiting for you to read this far and start the party with a good discussion. Your e-mail address will not be displayed! You will need to explicitly double opt in (confirm your e-mail, so that nobody can spam you) to automatically receive notifications when somebody answers your posts. And I will monitor to keep the machines away. It’s cool and it’s safe! Let me know what you think!

Google and Our Security and Privacy – Blue Pill

Drawing of Google and our Privacy and Security

Welcome! Happy you took the blue pill! This is going to be so much easier, for both of us. In this post, we look into how Google treats our privacy and security.

Before we dive in, a heads-up:

The good news: Google is very transparent about what data it collects from us and how it uses and secures it. Every bit seems well documented.

The bad news: Google is collecting a lot of data. So this overview will take some time to digest.

The new news: Last night, right before I wanted to click the “publish” button for this post, I received an email from Google with the subject “Improvements to our Privacy Policy and Privacy Controls”. I will cover this in the “Whats coming” section.

Let’s get moving …


Why this topic, here and now?

Smartenlight is about smart home and smart assistants. This intimate space at home is where we long for security and privacy. But are we equally careful about which companies we invite into our homes?

The topic “privacy” is nowadays all over the media. Companies collecting our data, sometimes even without our consent; companies making money with our data. But also companies that supposedly do not care about our data, because they simply have a different business model. After checking Apple’s approach to security and privacy, we are now looking into Google’s. Amazon’s will follow.

Hopefully, this awareness will inspire us, to also check the privacy policies of all the smart home devices at our homes.

How do we get there?

We will look into Google’s “light privacy version”, the overview Google gives us. This expands into a quite lengthy review, which goes deeper and deeper, since Google is very transparent about what data they collect and why, and also thorough in giving us tips to protect our privacy.

We will highlight the services required to have our Google Homes working and what Google has planned for the 25th of May 2018, when the new General Data Protection Regulation (GDPR) kicks in.

Finally, we will wrap up our findings in a conclusion.

Sounds long? It is. But since it’s such an important part of being online and using our Google Homes, I will try my best to keep you awake.

Google privacy overview

“Every day, data makes our services work better for you. That’s why it’s important that we keep it private and safe – and put you in control.”

Most of the Google services are free. The data Google collects is used to improve the Google services for us.

Overview: “Every day, data makes our services work better for you.”

The cute, animated introduction is there to remind us of the benefits we get from giving Google our data:

  • “Data gives you answers to your questions — just when you need them.” We will always know whether we should take our umbrellas with us. Good to know!
  • “It helps you find the right words to say, in any language.” Google Translate helps us communicate in languages we do not speak. It is an amazing technology, which can connect people who otherwise would not be able to communicate with each other.
  • “And gets you from A to B…to C, right on time.” Google Maps gives us transport information taking real-time traffic into account. A perfectly helpful feature we would not like to miss.
  • “It helps you discover that video that makes you laugh out loud — or your new favorite song.” YouTube Search and Google Play Music! No other platform can offer us this depth of personalization. Remember our Google Music post? Google knows when we get to the gym and will play workout music automagically! Google is even so smart that we can merely describe an album cover and it will find and play it.
  • “And helps find everyone you care about in every photo you take.” Google has amazing AI technologies which help us organize our memories. The photos of us, our kids, our pets, well sorted!
  • “It’s personal. That’s why we protect your data.” Google uses the most advanced technologies to protect our data.

Your Data: “Our commitments to your privacy and security:”

“We want you to understand what data we collect and use.”

Google understands it as their responsibility to make clear what data they collect from us, and how they use it to improve their services.

  • “Things you do”: What we search for, the websites we visit, the videos we watch, the ads we tap, our location, our device information, and our IP address and cookie data are being collected.
  • “Things you create”: The data we create and store in the cloud, like emails we send and receive on Gmail, the contacts we add, calendar events, photos and videos we upload, docs, sheets and slides on Drive, are being stored and protected by Google.
  • “Things that make you ‘you’”: Our personal data associated with our Google account: name, email address and password, birthday, gender, phone number and country.

“How data improves Google services”

Google lists some examples, how they use our data.

  • “How Google Maps gets you places faster”: Google tracks our phone’s location data and combines it with that of people around us to give us real-time traffic information. They do this anonymously for Google Maps.
  • “How Google autocompletes your searches”: Google is smart enough to correct our typos and suggest completions that take our search history and interests into account. So we get better results, faster!
  • “How YouTube finds videos you want to watch”: Google knows what is trending and knows our preferences, so it shows us the best suggestions.
  • “How Chrome completes forms for you”: Google saves us time when we fill out forms by storing our data.
  • “How Google Search helps you find your own information”: Photos, appointments, hotel reservations, whatever you have; Google connects all its services to make it easier to find our own information, even in Google Search!
  • “How your Google Assistant can help you get things done”: Now this one is interesting, since we are into Google Home. Each of our interactions with Google Assistant is transparently stored in an activity log, which we can view from here.

Take Control: “You have the controls to manage your privacy.”

We are in the driver’s seat when it comes to our data. Here are the links which enable us to control our information stored at Google.

  • “Control your privacy settings at My Account”: Here is where we can control, protect and secure the personal information in our Google account and decide which types of data we give Google to improve their services for us.
  • “See what data is in your account at My Activity”: Our activity log shows us, in addition to Google Assistant interactions, what we have searched, viewed and watched using their services.
  • “Browse the web in private with incognito mode”: A cool feature where we can surf the web without Chrome remembering our browsing history. There were media reports of people finding their incognito history in their Takeout (your Takeout is coming in a bit); I cannot confirm this, but my account is quite slim.
  • “Manage your privacy settings with the Privacy Checkup”: This is a helpful link, where Google provides a step-by-step walkthrough of all our settings.
    • “Personalize your Google experience”: Here is where we review our activity controls, mentioned before:
      1. “Web & App Activity”: Our Searches and other Google activity. Required to be turned on for Google Home!

      2. “Location History”: Want to see on Google Maps where on this planet you have been? Check it out! Brings memories back to life …

      3. “Device Information”: Our device information, that is stored at Google. Required to be turned on for Google Home! 

      4. “Voice & Audio Activity”: Google collects the audio when we use Google Assistant on a device or Google Home to improve the speech recognition for us. Here’s the link to review what Google has heard.  Required to be turned on for Google Home!

      5. “YouTube Search History”: This improves the recommendations in Youtube and other Google services.

      6. “YouTube Watch History”: This is a setting for us to find the recently watched YouTube videos easier.

    • “Help people connect with you”: We can decide here whether we want to help people who have our number in their contacts to reach us across Google services. There’s a separate setting which lets them find our name, photo and other information. Much easier to keep in touch!
    • “Choose what Google+ profile information you share with others”: If we are using Google+, we can specify here in detail which profile tabs are displayed to visitors and edit what others see about us.
    • “Make ads more relevant to you”: Remember, Google finances the free services it offers us with ads. Here we can fine-tune which ads we are interested in.
  • “Secure your account with the Security Checkup”: Now that we have configured our privacy settings, it’s time to check our security. Google’s Security Checkup shows us:
    • Our devices: If we see a device we don’t recognize, we can change our password from here and sign out of all devices other than the one we are looking at this page from.
    • Recent security activity: If there’s a sign-in from a new device or a change to a sensitive setting, we get a notification from Google.
    • Sign-in & recovery: We see the different verification methods: usually our phone number, recovery e-mail and security question.
    • Third-party access: These are the apps which have access to our data. Google categorizes them by risk level according to the data they can access; anything we no longer use should be removed here, since a revoked app loses its access immediately.
  • “Decide what data is associated with your account”: This is another detailed view, which scrolls down to our activities.
  • “Control ads based on your preferences”: This scrolls down on the above page to Ads Settings and leads from there to the actual Ads Settings page, which we have already reviewed.
  • “See what data is in your account at My Activity”: this time jumping directly to our activity overview, which we have seen before.
  • “Review your basic account information”: jumping to the personal information section.
  • “Take your content anywhere with Download Your Data”: Here we can even download our data. I’ve done it; depending on the size it takes hours or days. As mentioned earlier, this is a copy of the data found in our activities, which we have already reviewed.

Your Security: “Your security comes first in everything we do.”

Google secures its services with the world’s most advanced security infrastructures.

  • “Encryption keeps your data private while in transit”: Our data is protected with multiple layers of security.
  • “Our cloud infrastructure protects your data 24/7”: Multiple custom-designed data centers distribute our data so that, even in case of fire or disaster, it safely shifts to another secure location.
  • “Threat detection helps protect our services”: Google continuously monitors its services to protect them from spam, malware and viruses.
  • “We do not give governments direct access to your data”: Google never gives “backdoor” access to our data. Period. No government agency, anywhere in the world, has direct access to our personal data. A team reviews every data request, and Google documents the requests in its transparency reports.

“Security is built into all of our services”

  • “Gmail encryption keeps emails private”: Gmail has supported encrypted connections since day one, so bad guys on the network have a tough time reading our e-mails in transit. Note that this is encryption in transit (TLS between our browser and Google, and between mail servers where the other side supports it), not end-to-end encryption: it keeps eavesdroppers out, while the mail content remains readable to Google.
  • “Gmail spam protection filters out suspicious emails”: Sophisticated AI keeps 99.9% of spam out of our inboxes!
  • “Chrome automatically updates your browser security”: Chrome keeps its security technology up to date automatically, so fixes for newly discovered threats reach us without any action on our part.
  • “Google Play keeps potentially harmful apps off your phone”: Sophisticated AI detects malicious apps before they even reach the Play Store. If the AI is not sure about the safety of an app, members of the Android Security Team step in and check it.
  • “Google blocks malicious and misleading ads”: Every year a team of smart AI algorithms and live reviewers filters out nearly a billion bad ads, which would spoil our online experience.

“Top tips to help you stay secure online”

Here we get helpful quick tips to secure our personal data!

  • “Strengthen your sign-in”
    • “Create strong passwords”: We can make our passwords stronger by making them at least 8 characters long; longer is better, and a password manager means we never have to remember them. When we create answers for security questions, we can use fake answers, which are harder to guess (and store them in the password manager too).
    • “Use unique passwords for every account”: We should not use the same password for different online services! One leaked password list is otherwise enough to get into all of them.
    • “Keep track of multiple passwords”: A password manager is a helpful tool. Google provides “Smart Lock” for free.
    • “Defend against hackers with 2‑Step Verification”: 2FA is, as we’ve already seen in the Apple privacy post, a very helpful technology to keep others out of our account: a stolen password alone is no longer enough to sign in.
  • “Protect your devices”
    • “Keep your software up-to-date”: We need to make sure that all our software is up to date. Known vulnerabilities are exploited quickly, and the latest version usually carries the fix.
    • “Use a screen lock”: We should auto-lock our screens on all our devices!
    • “Lock down your phone if you lose it”: In case we lose our phone, we can remotely find and lock it from here: “Find your Phone”.
    • “Keep potentially harmful apps off your phone”: We have seen that Google scans apps before they reach the Play Store. Additionally, we should be careful with other app sources and give access to sensitive data only to apps we trust.
  • “Avoid phishing attempts”
    • “Always validate suspicious URLs or links”: We should never click suspicious links, and we should double-check the URL in the address bar before entering sensitive data, so that we do not hand it to a fake site.
    • “Beware of email scams, fake prizes, and gifts”: If it is too good to be true, there’s a high probability that it’s fake. Don’t believe those messages, and never click their links or enter personal data!
    • “Be wary of requests for personal information”: Legitimate services never send messages asking for our password or financial information. Rather than replying to such a message or clicking its links, we should open the site ourselves, via a bookmark or a typed address, and log in there.
    • “Watch out for impersonators”: If we get an e-mail from someone we know and the content looks odd, e.g. they urgently request money, their account may have been compromised. We should only reply or click links once we have verified through another channel (a call, for instance) that the e-mail is genuine.
    • “Double check files before downloading”: Even documents and PDFs can contain malware. We should open them through Chrome or Google Drive, which scan the content and display a warning if something is wrong.
  • “Browse the internet securely”
    • “Use secure networks”: We need to be careful with public and free Wi-Fi, since our activity could be monitored. Chrome indicates in the address bar whether the connection to a site is encrypted (HTTPS).
    • “Look for secure connections before entering sensitive information”: We need to make sure that Chrome displays a green, fully locked icon in the address bar before we enter any sensitive information on the web. The lock only tells us that the connection is encrypted and goes to the domain shown in the address bar; a phishing site can have a perfectly valid certificate too, so we still check that the domain is the one we expect.

How Ads Work: “We do not sell your personal information to anyone.”

We have already seen, that much of Google’s business is based on ads. These ads help to keep the Google services free. Google does not sell our personal information (name, email, payment information)!

  • “We use data to make ads relevant”: Google tries to show us useful ads, based on the data we have reviewed. If we are signed in, this feature works across our devices.
  • “Advertisers pay only for ads that people see or tap”: When advertisers run their ad campaigns, they pay Google based on how the ads perform, never with our personal information.
  • “We show advertisers how well their campaigns worked”: The performance reports, which advertisers receive, never contain any personal information. Our personal information is always kept protected and private.

“How ads work on Google services and partner sites”

Google uses data to show us useful ads.

  • “How Search ads work”: Google takes our current and past searches into account when displaying useful ads.
  • “How YouTube ads work”: Google uses our watch history and our current and past YouTube searches as a basis for useful YouTube ads. These YouTube ads help to support the YouTube creators. We can skip many ads if we do not want to watch them.
  • “How Gmail ads work”: The ads we see in Gmail are based on the usual data, not the content of our emails. Nobody reads our e-mails to show us ads.
  • “How ads work on Google partner sites”: Many sites partner with Google to display ads. These advertisers show ads to certain “types” based on our information and data collected from our online activities, e.g. “25 – 34 year old males who are interested in travel.” Google might also show us ads, based on sites we have visited, e.g. we left red shoes in a shopping cart but decided not to buy them yet. No personal information, like name, e-mail or billing information is shared!

“Take control of your Google ads experience”

Again, we are in the driver’s seat when it comes to controlling the ads we see.

  • “Control ads based on your preferences”: In our ad settings we can fine-tune our interests to improve which ads are useful for us.
  • “Remove ads you do not want to see”: We can mute many ads, which are no longer relevant for us, closing them with an (X) on partner websites and apps. This is helpful in case we have already bought the car we were interested in.
  • “Learn what data we use to show you ads”: “Why this Ad” is a feature, which displays the reason, why you see an ad. This data is never shared with advertisers.

“Safer Internet: We help make the Internet safer for everyone.”

Google develops security technologies, which they share with other companies to improve the whole online world.

  • “Safe Browsing protects more than just Chrome users”: Google shares its Safe Browsing technology with Apple Safari and Mozilla Firefox as well. Website owners are notified when Safe Browsing flags their site.
  • “We use HTTPS to keep you safer while you browse the Internet”: Google ranks sites which use HTTPS – like smartenlight – higher in its search results. HTTPS keeps our communication with a website encrypted.
  • “We create security rewards to uncover vulnerabilities”: Google invites independent researchers to find vulnerabilities in Google products.
  • “We make our security tools available to developers”: Google shares their security tools with other developers.
  • “We share data about our practices to foster a safer Internet”: Google publishes its transparency report which contains not only government requests for user data, but also copyright removals and statistics on security initiatives listed above.

What’s coming (to some of us?)

Finally the new news! Google just updated their privacy policy which goes into effect on May 25th, 2018. That’s the date when the new General Data Protection Regulation kicks in for EU residents. According to Google, the new version is much clearer, though nothing really changes in the way how Google services process our data. You will also find a couple of cute YouTube videos, which explain how Google services use our data. Here’s the original blog post from Google’s EMEA Director for Privacy Legal.

Conclusion

If you ended up here without reading the entire post, congratulations! You took the light blue pill, like the majority of us internet citizens do. The internet could not exist without us.

If you seriously skimmed through the whole post, thanks for valuing my write-up. I did my best to summarize the overview and structure of Google’s current privacy information. Doing this directly on Google’s site would take you 3-4 times as long, and I still recommend checking it out – especially the updated version – and running the Security and Privacy Checkups.

If you feel there’s something strange about Google’s current privacy structure, for instance that the interesting parts come somewhere towards the end rather than at the beginning, you might be a “red pill” candidate. Reconsider whether you picked the right pill. The updated privacy policy highlights some “features” which were not mentioned before. I will address this in the red pill post.

Google is an advertising company. Ads finance the free services we can use. Google collects a lot of our data and transparently informs us, what they collect and how they use it. We are in control, what data we give to Google. Our data is safe at Google.

You took the blue pill, there’s nothing more I can tell you here.

Everything is cool and life goes on as usual. Have fun!

Yours,

M.

Apple and Your Security and Privacy

Drawing of Siri in Data Eden, standing in front of the tree of knowledge

Imagine you are at the coolest place ever. Sunshine, all kind of delicious fruits, peaceful animals, chill music, a summer breeze, romantic sunsets, just paradise …

Are you there?
Cool.

Then, one day, the gardener tells you: “Of every tree of the garden thou mayest freely eat: but of the tree of the knowledge, thou shalt not eat of it: for in the day that thou eatest thereof thou shalt surely die.”

What would you do?

A) Would you avoid the tree and the potentially yummy, but poisonous apples?
B) Would you shake the apple tree and sell the apples?
C) Or maybe your rebel inside just cannot resist? You take one curious bite, then many, and deal with the consequences (if you get caught).

That was easy. Remember, he said, “thou shalt surely die”.
Let’s leave the tree alone.

But then, an evil voice whispers: “Ye shall not surely die. It’s just that your eyes will open because you will know EVERYTHING …”.

Let’s assume for a moment, that you always wanted to know everything. Limitless. So much data, pardon so many apples. Right there, in front of you! Imagine, you would know everything! Healthy bonus: you wouldn’t die.

What would you do now?

Relax!
We’re turning tables.
We take it easy and let Apple answer the question.

In this post:

  • the gardener is you and me
  • our garden is the technology paradise (Apple ecosystem) we are living in.
  • It is full of cool gadgets and services, which we love buying from Apple, and we’re having fun and all,
  • but there is this one forbidden tree, with big juicy apples, full of our deepest secrets.
  • So we tell Apple: all cool, have fun in our tech paradise, but leave our apples alone!
  • And we might get pretty angry and kick Apple out of our little paradise if they betray us. Well, at least some of us would …

How does Apple deal with our Apples?

Privacy is a Human Right

Here’s what Tim Cook, Apple CEO, says about privacy, from a recent interview with MSNBC (transcribed on recode): “The truth is we could make a ton of money if we monetized our customer. If our customer was our product, we could make a ton of money. We’ve elected not to do that. (applause) Because we don’t … our products are iPhones and iPads and Macs and HomePods and the Watch, etc., and if we can convince you to buy one, we’ll make a little bit of money, right? But you are not our product. You are our customer. You are a jewel. (laughter) We care about the user experience. And we’re not going to traffic in your personal life. I think it’s an evasion of privacy. I think it’s – privacy to us is a human right.”

Right, the UN, US, EU, and others define privacy as a human right. But then, why is Tim so pushy? Well, this was around the Facebook/Mark Zuckerberg hearing and Tim has a history of positioning Apple (vs Facebook, Google, and Amazon) as the one company which “takes privacy extremely seriously”.

This goes back to Steve Jobs, who stated already in 2010: “Privacy means that people know what they’re signing up for. In plain English and repeatedly. That’s what it means. I am an optimist. I believe people are smart, and some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them, if they get tired of your asking them. Let them know precisely what you’re gonna do with their data.” By the way, Mark was spotted in the audience back then.

Facebook will delay the release of its own smart speaker, “due to the public outcry over the current data sharing scandal”.

Why this topic, here and now?

This site is about smart home and our smart assistants. It’s this intimate area at home, where we expect security and privacy. Consequently, we should be careful, which companies we invite.

Since Apple obviously uses its privacy features as a marketing tool, I found their “plain English” privacy version a bit blurry. Superficial articles I found online are misleading. So, being a technical guy with two decades of speech recognition behind me, I had to dig deeper. Surprise: despite Apple’s infamous secrecy, it’s amazing how much detailed information we can obtain directly from Apple.

Given the recent public attention the topic “privacy” received, I will let this post be the first one in the security category. Hopefully, it inspires us to check the privacy policies of the smart home device vendors at our homes. (And yes, I’ll also write about security cams and stuff.)

How do we get there?

We’ll start with an intro, basically the “light” plain English version of Apple’s privacy page, which gives a brief overview of “what” is covered. After that, we will look into the “how”, the more detailed privacy information Apple provides us. This covers:

  • the safeguards Apple has built in to protect our privacy,
  • how Apple personalizes our experience (without sacrificing our privacy),
  • how Apple supports privacy in apps,
  • recommendations from Apple, about what we can do to protect our privacy.

We will then briefly check the non-plain-English legal definition of Apple’s privacy policy. And because we are so curious how Siri and HomeKit are technically secured, we will dig into Apple’s iOS Security Guide and find some interesting facts.

Finally, we will look into what’s planned for Apple privacy in the near future and wrap up our findings in the conclusion.

I know this sounds like a lot, if not too much. But bear with me, it’s an important topic and it is our human right. We pay Apple a lot for our devices and it’s good to see what they give us in return to protect our privacy.

Apple Privacy: In Plain English

Apple has extended its privacy page, and I encourage you to check it out yourselves. We find the following well laid-out introductory sections, in plain English, structured as follows:

“Apple products are designed to do amazing things. And designed to protect your privacy.”

Apple gives us a couple of examples of our personal data and explains that it’s safe on its devices because they are designed from the ground up to protect our tree. Nice.

    1. “Only you can access your device”: The six-digit passcode, Touch ID, Face ID and an alphanumeric passcode. Obviously, biometric access makes unlocking our phone more convenient, and it’s much safer than leaving the phone unlocked.
    2. “Your personal data belongs to you, not others”: Photos, Siri, Directions. Apple doesn’t gather our personal information to sell to advertisers or other organizations. Well, good to know, but we would not have expected that anyway.
    3. “Your Apple Pay transactions are safe”: When we use a credit card, Apple Pay does not keep a history of our purchases. With Apple Pay Cash, data is stored for fraud prevention. Ok.
    4. “Your features improve while your data stays private”: Here we find the term “Differential Privacy” for the first time. It’s a cool concept, and we are going to look into it a bit later. But it applies only to analytics/usage data, where we have to opt in explicitly anyway, which most of us don’t. So what?
    5. “Whether you store it or send it, your data is protected.”: Apple Pay, iMessage and FaceTime are end-to-end encrypted, which means not even Apple can look at the content, or hand it over to authorities. The mathematical representations of our fingerprint and face are encrypted and kept in the Secure Enclave, where neither apps nor iOS itself can read them. Ok, the last point sounds a bit fuzzy, but altogether, cool!
    6. “Your apps play by your rules.”: This reminds us that we control in our privacy settings which app can access which data or service. Remember Steve’s “Ask them. Ask them every time”. Also, Apple defines strict rules for app developers and has a strict review process. Nevertheless, there have been cases of misbehaving apps, and Apple reacted by removing them from the App Store.

“This is how we protect your privacy.”

Time to look into the more detailed privacy statements:

“We build safeguards into our products to protect your privacy.”

Apple lists the different modules where our personal data is stored and how it’s secured. We also find a prominent link to a more detailed explanation of differential privacy. So, here we go with a brief version: differential privacy adds calibrated random noise to each person’s data before it leaves the device, so that a single record tells an observer (almost) nothing about that individual. But if you combine the data of many people, the noise averages out and the aggregate is still accurate. You can learn from many, you can’t learn about an individual. A super smart, privacy-respecting way to learn from us in order to improve our user experience. Again, as of now this feature only applies to Device Analytics (Settings/Privacy/Analytics). We’d need to enable it to contribute to the group learning.
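The simplest mechanism behind the “throw in random noise, average it out” idea is randomized response, shown here as an added example; it is not Apple’s implementation (the exact mechanisms Apple ships are not described on this page). Each device flips its one-bit answer with a probability set by the privacy budget ε; the collector can still recover the population rate because the flip probability is known. The population below is constructed with a seeded random generator.

```python
import math
import random


def truth_probability(epsilon: float) -> float:
    """Probability p that randomized response sends the true bit.
    p = e^eps / (1 + e^eps) makes P[report | truth=1] / P[report | truth=0] <= e^eps,
    which is the local differential privacy guarantee for one person."""
    e = math.exp(epsilon)
    return e / (1.0 + e)


def randomized_response(true_bit: int, epsilon: float, rng: random.Random) -> int:
    """What a single device sends: the truth with probability p, otherwise the opposite.
    Nobody seeing this one bit can tell whether it was flipped."""
    if true_bit not in (0, 1):
        raise ValueError("true_bit must be 0 or 1")
    if rng.random() < truth_probability(epsilon):
        return true_bit
    return 1 - true_bit


def estimate_true_rate(reports, epsilon: float) -> float:
    """What the collector can still learn from many noisy reports.
    E[observed] = q*p + (1-q)*(1-p), so solving for the true rate q gives an unbiased estimate."""
    p = truth_probability(epsilon)
    if p == 0.5:
        raise ValueError("epsilon = 0: reports carry no information")
    observed = sum(reports) / len(reports)
    return (observed - (1.0 - p)) / (2.0 * p - 1.0)


def simulate(n: int, true_rate: float, epsilon: float, seed: int = 1):
    """Constructed population: n people, a fraction true_rate with the sensitive bit set.
    Returns (estimated rate, fraction of individual reports that equal the truth)."""
    rng = random.Random(seed)
    truths = [1 if rng.random() < true_rate else 0 for _ in range(n)]
    reports = [randomized_response(t, epsilon, rng) for t in truths]
    agreement = sum(t == r for t, r in zip(truths, reports)) / n
    return estimate_true_rate(reports, epsilon), agreement


if __name__ == "__main__":
    for eps in (0.5, 1.0, 2.0):
        est, agree = simulate(20000, 0.30, eps)
        print(f"eps={eps}: aggregate estimate {est:.3f} (true 0.300), "
              f"a single report is right only {agree:.0%} of the time")
```

The trade-off is visible in the numbers: with ε = 1 roughly a quarter of all individual reports are lies, yet the estimate over 20,000 people lands within about a percentage point of the true rate. Smaller ε means stronger deniability for each person and more people needed for the same accuracy.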

  • Encryption: A reminder that iMessage, FaceTime and Apple Pay are encrypted. Apple is proud to have been one of the first companies to encrypt disks on macOS and data on iOS. Plus, Apple will never build backdoors into any of its products. Remember the FBI?
  • Apple Pay: Since it’s about our money, more information on how credit card information is safely stored in a secure element. We can furthermore find a link to more detailed information around security and privacy for Apple Pay.
  • iMessage and FaceTime: Again, the information that our iMessages and FaceTime calls cannot be decrypted, even by Apple, or the FBI. Super private. FaceTime data is never stored. iMessages are included in our iCloud backup, but we can turn this off or specify for how long we want to keep our messages; note that a regular iCloud backup is not end-to-end encrypted, so turning it off is what keeps the message history out of anyone else’s reach.
  • Health and Fitness: Health data is a sensitive topic. We decide with whom we want to share it and it’s encrypted when our iPhone is locked. When it’s backed up it’s encrypted in transit and on iCloud (we will look into iCloud security a bit later).
  • Analytics: If we want to help Apple and app developers to improve their apps, iCloud usage (including Siri!), health and fitness features, health records or wheelchair mode, we can share our analytics data. Personal information is either not logged, removed or protected by differential privacy. This is also the place where we can check out the Data & Privacy page (by tapping on more info for any of the analytics settings), which informs us in great detail how your data is managed.
  • Safari: Another proudly pioneered feature is third-party cookie blocking and private browsing. Each web page runs sandboxed in its own tab, so a bad site cannot reach data from another. Content blocking is implemented to prevent others from tracking our browser activity. The new Intelligent Tracking Prevention reduces cross-site tracking, minimizing the ads which follow us from website to website.
  • iCloud: Remember celebgate? A week ago the fourth hacker who leaked photos of celebrities got arrested. No, they did not hack iCloud. They phished for the login data, downloaded the iCloud backups (which are not end-to-end encrypted, so the account password was all it took) and extracted the photos from there. Needless to say, Apple lists in great detail how it protects our data on iCloud. Our iCloud Keychain (including all of our saved accounts and passwords), payment information, Wi-Fi network information, Home data and Siri information are end-to-end encrypted (so not even Apple or the FBI can have a peek), but only if we have activated two-factor authentication (2FA). Since most of us deal with HomeKit, and 2FA is a prerequisite for accessing our HomeKit remotely, we are super safe here. If you have not activated 2FA yet, it’s a good time to do so. Here is a link to detailed security information for iCloud. You can find a 2FA how-to in the next chapter.
  • CarPlay: Not too much info here. Only essential information is shared from your car, e.g. the GPS location to improve map info.
  • Education Privacy: Apple is very active in terms of supporting schools and universities. Plus they are committed to safeguarding student privacy. We can also find links to detailed information which student and teacher data is collected and how it is used.

“Get a personalized experience and maintain control of your privacy.”

This section details which information is collected to improve our user experience.

Photos: Face and place recognition happens on the device. If we have iCloud Photo library enabled we can share this information between multiple devices. iOS supports now a finer granularity for controlling photo access. An app can request to access only a single photo and read and write access can be specified independently.

Siri and Dictation: Finally, our favorite topic. To summarize: Siri learns from us, without knowing who we are. When we enable Siri, a random identifier is created, which is associated with our device (not our Apple ID). When we disable Siri, we “restart our relationship” with Siri. Our Siri profile gets deleted and she learns from scratch. Apple explains Siri features, where our data remains locally. In case there is real-time info required from Apple Servers (e.g. our location for time to leave predictions, taking the current traffic into account), our requests are anonymized and cannot be traced back to us. There are not too many details how Siri privacy actually works, so we will dig deeper when looking into the iOS Security Guide below.

Health and Fitness on HealthKit: Health data is a sensitive topic, Apple reminds us here again that the Analytics for “Improve Health & Activity” and “Improve Wheelchair” do not contain personal information.

News: Which news we read is a personal matter, so Apple links the info to an anonymous News ID and not to our Apple ID. Siri can suggest stories, channels and topics we like, based only on on-device information like the apps we use and the sites we visit with Safari. Since third parties provide the news content, Apple shares our usage data with them only in aggregated form. A detailed News-related privacy link is provided.

Apple Music: A key feature, for which Apple provides a very detailed privacy information. Apple has to collect the information which songs we hear, for how long, to be able to compensate the partners/artists. A huge part of the policy explains how our shareable Apple Music profile works. Apple does check the contacts in your address book to suggest friends but does not save the data. We can disable the feature, “Allow Friends to Find You” in case we do not want to show up in suggestions of friends, who have our contact details.

Maps: Again, random identifiers which are not linked to our Apple ID are used. Here Apple states the opposite of what is written in the Siri section: time-to-leave data is created on the device (easy to imagine that with this plethora of Apple privacy info, things get mixed up). Apps which use the map only receive minimal information.

Siri and Spotlight Suggestions: When searching with Siri a random identifier associated with our location is used, which changes every 15 minutes. So neither Apple nor apps can create a long-term profile of our searches.

Advertising: News and App Store display targeted Ads. News ads are personalized based on what we read and whom we follow. This info will not leave the News app. App Store Ads are personalized based on our search and download history. We can turn personalized Ads off by enabling “Limit Ad tracking”.

“We give developers powerful tools to protect your data.”

One of the “perceived” weak points of Apple are misbehaving apps on the App Store. Remember Zuckerberg’s hearing notes: “Lots of stories about apps misusing Apple data, never seen Apple notify people.” Well, media does, and we can find the list of AppStore banned apps quickly. Maybe he meant Uber’s trickery, who knows, he never explained.

  • Apps: App developers have to agree to specific guidelines to protect our privacy and security. Misbehaving apps are removed from the App Store. Apps undergo a thorough review process before we can download them. When we install an app, we are prompted for permission the first time the app tries to access protected information. We can change app permissions at any time. Certain information on our devices cannot be accessed by apps at all.
  • DeviceCheck: Many developers try to retain device information even when we delete and reinstall their app: has this device already used a free trial, has it been involved in fraudulent activity? To discourage sneaky tricks like the ones in the Uber case, Apple now offers to store two bits per device and developer (four states), together with a timestamp, on Apple’s side, so the developer gets this one piece of persistent state without fingerprinting the device.
  • HomeKit: Only apps for configuration and automation are allowed. Apple does not know which devices we are controlling and when. Siri only associates our devices with the random identifier, not our Apple ID. Data related to our home is stored in our keychain, always encrypted between devices and also when we control them remotely. Location-based automations are triggered via HomeKit, so 3rd party apps don’t receive location information. Apple states twice that they don’t know which devices we are controlling and when. We believe you. Home, sweet private Home!
  • Machine Learning: Our Apple devices are so powerful, that machine learning runs on them, hence our personal information does not need to leave the device. Apple uses it for image and scene recognition in photos, predictive text and more. App developers can use it to analyze our sentiment, translate and predict text, and other crazy stuff without putting our privacy at risk.
  • ResearchKit and CareKit: Both kits are open source. ResearchKit enables apps to gather meaningful data for medical research. CareKit is a platform to create apps which help us take an active role in our well-being. All apps which access our health data must ask for our consent and provide detailed information on how our data is handled. An independent ethics review board reviews them. There is a link with detailed info on ResearchKit and CareKit, and I found the already available apps around epilepsy, Parkinson’s disease, early autism diagnosis and more quite amazing.
  • HealthKit: All our fitness apps use HealthKit to share data with each other and with Apple’s Health app. Apps may not use or disclose our health data to third parties unless they do so to improve our health, and then only with our permission.
  • CloudKit: This helps apps synchronize their settings across our devices. Developers receive a unique identifier, not our Apple ID. Only with our permission can apps use our e-mail address to connect us with other users of the app.

“Here’s how to manage your privacy.”

In this final chapter of “Apple Privacy in Plain English”, Apple reminds us of what we can do to improve our privacy on Apple devices.

“Secure your devices.”

iCloud is only as secure as the weakest of our Apple devices.

  • Put a passcode on your device: The more complex, the better. The six-digit passcode allows for one million combinations. Here’s how to.
  • Enable Touch ID or Face ID: With a touch or a glance, unlocking becomes very convenient. The biometric models are saved in the Secure Enclave, which is basically a closed system of its own on our device, and they never leave it, let alone reach iCloud.
  • Auto-unlock your Mac: We can use our Apple Watch to conveniently unlock our Mac (2FA needed).
  • Find your lost device: We can enable this feature to find our device if it gets lost or stolen. If we cannot get our device back, we can wipe all the data remotely. If it’s an iPhone or Apple Watch, we can prevent the device from being activated again.

“Secure your Apple ID.”

Our Apple ID is the key to iCloud which holds our calendar, contacts, e-mails, photos, and backups. Here’s how we can safeguard it:

  • Choose a strong Apple ID password: Make it long and make it strong, here’s how.
  • Turn on two-factor authentication: This adds a second layer of security by sending a verification code to all of our trusted devices. No code, no login from a new device. Here’s how to enable 2FA.
  • Beware of phishing: Ever got a strange call or e-mail asking for your account data? Some have. Don’t you ever think that Apple would do that. Turn on 2FA and report it to reportphishing@apple.com. Here’s more info from Apple on phishing.
  • Pay attention to notifications about your Apple ID: If we access our account from a new device, Apple notifies us. If we get such notifications without accessing our account, we should immediately change our Apple ID password here or contact Apple ID Support if this is not possible.

“Be aware of what you’re sharing.”

  • Data & Privacy Information: If Apple asks us for information, they will display a new screen with information on what data is shared for what use.
  • Configure your iCloud settings: We decide what is synchronized via iCloud and what not. In our iCloud settings, we can enable and disable services individually.
  • Emergency SOS: We can use our Watch to call emergency services, inform selected SOS contacts and share our location for a specific period.
  • Manage your location data: We can specify which apps have access to our location in our location settings.
  • Control data shared with apps: We have to explicitly allow apps access to our location, contacts, calendars, or photos. We can always change this in the settings.
  • Limit targeted interest-based ads: If we do not want to see targeted ads in the App Store and the News app, we can enable Limit Ad Tracking.
  • Browse the web privately: Private browsing does not remember the sites we visit, our search history or any forms filled. Here are the Safari settings for iOS.
  • Protect your children’s privacy: Parental controls allow us to control the websites, type of movies, access to FaceTime and Camera and download of apps. With Family Sharing you have insight into your children’s activity and content. Here’s more info on Family Sharing.

Apple Privacy in Legal English

If Apple did not care about our privacy, they would have left us with only this boring legal version.

It starts with what personal information Apple collects and how Apple uses this information. Then it goes on to non-personal information, which Apple can basically use for whatever they are up to. They list some examples, nothing shocking though.

Next, we find a lengthy chapter on cookies and other technologies. Our IP address is considered non-personal information unless our local law defines otherwise. Then it details cookies, targeted ads, website tracking and marketing e-mails, and what they track there.

Apple goes on with what data they have to share with our service provider or other parties. And where the law requires them to share our data with public and governmental authorities (you can check out Apple’s transparency reports here), they will do so.

Apple explains that they always encrypt our personal information, including when iCloud data is stored on 3rd party infrastructure (Google, Microsoft or Amazon servers).

Basically, we can keep our Apple ID data accurate here. If we have any access, correction or deletion requests, we can place them here.

Children & Education is the next topic and details the process of creating Apple IDs for kids under the age of 13 and Family Sharing. The link above to access, correct and delete data also applies for parents.

Apple reminds us that, unless we provide consent, the location data we share with apps is anonymous.

The data which apps and services collect from us is governed by their privacy policies (e.g. Facebook app) and Apple encourages us to learn about those privacy practices.

If we are in Europe or Switzerland, our data is controlled by Apple in Ireland. Apple abides by the APEC rules system, which ensures the protection of personal information transferred among APEC economies.

Apple communicates its privacy and security guidelines to Apple employees and enforces privacy safeguards within the company.

Last but not least, if we have any questions we can ask them here.

If you’re into legal texts, you can indulge in the countless Terms & Conditions of Apple products and services, or just have a laugh here.

Apple’s Security Guide in Technical English

I know, I know, the last part was a bit boring and I am already afraid that more of this is waiting for me when I check the Amazon and Google privacy policies.

Anyway, we are done with legal, now comes the technical part. Let’s check out what we can find about Siri and HomeKit in Apple’s iOS Security Guide. If you are a techy person, you can find a lot of interesting technical details in these 81 pages, I will focus on Siri and HomeKit here.

HomeKit

As already mentioned above, HomeKit is a home automation infrastructure which uses iCloud and iOS to synchronize data in a protected way, so that not even Apple sees it.

Behind the scenes, our iOS device creates encryption keys and stores them in our keychain. This is our HomeKit identity. HomeKit accessories create their own keys. When we add a new accessory the iOS device and the HomeKit accessory exchange their keys in a secure way. During usage, the HomeKit accessory and iOS use those keys to authenticate each other.

HomeKit data (homes, accessories, scenes, users) is encrypted on the iOS devices and only saved encrypted to iCloud. This data is treated as an opaque blob, which means it looks like binary garbage from the outside. Since the keys for encryption exist only on the iOS devices, the content is inaccessible to anyone else during transmission and in iCloud storage.
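To make the "opaque blob" idea concrete, here is an added Go example (not Apple's code; HomeKit's real data format and key handling are not described on this page in that detail, so the AES-256-GCM choice, the hypothetical sealBlob/openBlob names and the sample home data are assumptions). The device seals its home data with a key that never leaves the keychain, so the storage side only ever holds ciphertext, and any alteration of the stored blob, or an attempt to open it with another key, is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds the AEAD used on the device side from a keychain key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBlob encrypts on the device; the nonce is prepended, so the result is one opaque blob for iCloud.
func sealBlob(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh random nonce per blob
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openBlob decrypts with the same keychain key; a tampered blob or a wrong key fails the GCM tag check.
func openBlob(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key := make([]byte, 32) // stands in for the AES-256 key kept in the keychain
	rand.Read(key)
	blob, _ := sealBlob(key, []byte(`{"home":"Loft"}`)) // constructed sample data
	back, err := openBlob(key, blob)
	fmt.Printf("iCloud stores %x; device reads %s (%v)\n", blob, back, err)
}
```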

When we invite another user into our HomeKit, the same security mechanisms are used as when adding a HomeKit accessory. The original home user authenticates the new user with the devices so that the accessories can accept the new user.

Siri anonymously receives only the minimum information needed to understand our HomeKit voice commands.

HomeKit IP cameras encrypt their streams with random keys. When apps display the camera view, a separate process decrypts the streams so the apps cannot access or store the content of the stream. Apps are not permitted to capture screenshots from the video stream.

Apple TV (or any home hub) allows us to remotely access our HomeKit. Two-factor authentication is needed on the iCloud account and AppleTV is added to HomeKit using the same security as HomeKit accessories. When we access our homes remotely through iCloud, Apple does not see which devices we control or which notifications are sent.

Siri

We can talk naturally and send messages, schedule meetings, place phone calls, listen to music and much more. Siri has been designed so that only the minimum personal information possible is sent to Apple and even this data is fully protected.

When we enable Siri for the first time, a random identifier is created. This identifier is not tied to our Apple ID, but rather to our device. Once we disable Siri, this identifier is recreated and any old session data on Siri servers is deleted.

Information about our home, music library, contacts and relationships, reminders, etc. is sent to Siri so she can make sense of our commands. Siri fetches the information from our devices on demand: if more information is needed to perform a task, she will fetch it rather than sending all info upfront. The basic principle here is: only the minimum information is sent to Siri, fully protected, and this information is deleted after 10 minutes of inactivity.

Our voice recordings are sent to Siri servers. If it’s only a dictation, we receive the text back. If it’s a command, Siri analyzes the additional information and sends the command information back to be executed on the device. Most commands can be executed on the device without sending additional information to the server (“read messages”, “what’s on my calendar”, etc.).

Siri keeps a copy of our voice commands in anonymous profiles (remember the random ID) for half a year. This voice profile is trained with any Siri commands we are uttering. After half a year another copy is saved without the random identifier and is used for improving Siri for everybody, for two years. Siri R&D will also pull out some samples without identifiers for ongoing improvement and quality assurance.

If you like to dig deeper than the security white paper, I’d recommend the Apple Developer documentation or the Apple Machine Learning Journal. Last summer Apple launched the latter with articles from Apple engineers about Siri, Encryption, FaceID and more.

What’s coming (initially only to some of us)

The EU is going to enforce the General Data Protection Regulation (GDPR), a set of privacy protection rules, by the end of May 2018. These rules will make sure that organizations dealing with EU citizens (like Apple, Facebook, Amazon, and Google) give users insight into the data which is saved about them. Companies are obliged to handle the data more responsibly, and the fines for not doing so go up to 4% of the annual global turnover or 20 Million Euro (whichever is greater).

As we have seen in this post, Apple devices are private by design. Apple will additionally extend its Apple ID management site so we can get a copy of our data, temporarily deactivate our accounts or delete our entire Apple ID. Furthermore, Apple has deployed tools to developers so that the information saved in apps can be controlled by us the same way.

These features will be rolled out initially only in Europe, but Apple plans on making them available globally for all of us.

Conclusion

Every day, each of us average internet users generates about half a gigabyte of data. That is roughly this super long post times 18.000.
Daily.

Some of this data is quite personal, still, we trust the big companies to not take a byte of it or sell it to others.

Let’s get back to our initial question:
Apple, what would you do?
Remember, you could know everything about us!

A) Would you avoid the forbidden tree and our yummy apples?
B) Would you shake the apple tree and sell our apples?
C) Or maybe your rebel inside just cannot resist? You take one curious bite, then many, and deal with the consequences (if you get caught).

Apple has clearly answered with A).

Our Apple devices are private by design, not by afterthought. Wherever possible, Apple will avoid the tree and leave our private data on the Apple device. Our HomeKit and Siri uses are completely safe and anonymous, to the point that even Apple cannot tell that it’s ours.

There were reports of ex-Apple employees who saw this privacy focus as a reason for slow progress in Siri development. I doubt that. Apple won’t forget Steve’s advice: whenever they need something from us, they just have to ask.

Personally, I am now thinking of turning Analytics on and sending Apple my then randomly scrambled usage data to contribute to improving our user experience. Something I usually avoid.

If you are wondering whether Apple’s logo has anything to do with our story: Would be cool, but no. According to Walter Isaacson’s Steve Jobs biography, the art director Rob Janoff got the assignment with the instruction from Steve: “Don’t make it cute!”. He came back with two apples, one whole, one with a bite taken out of it. Steve picked the latter because the whole apple looked too much like a cherry to him.

I hope you’ve enjoyed this post!

Stay safe & private!

By the way: To make smartenlight more fun and interactive for all of us, I have added a GDPR compliant discussion section at the end of every post.

You can subscribe with your e-mail address to receive notifications when anyone posts in the comment section, even without commenting yourself. This is useful if you want to keep up to date, as I will drop a comment when there are interesting updates.

You can also configure to receive notifications only for answers to your posts, which can come from me or actually anybody on this planet. I will moderate, to make sure we keep it human.

On top of everything, you can manage all your subscriptions yourself and also simply one-click unsubscribe. Easy!

Have fun!

You can find more Siri posts here!

Making Of