When Background App Refresh is enabled, some iOS apps are using the feature to regularly send data to tracking companies, according to a privacy experiment from The Washington Post that explores the relationship between apps and tracking companies.
The Washington Post's Geoffrey Fowler teamed up with privacy firm Disconnect and used specialized software to see what his iPhone was doing and when. And while it's no surprise that apps are using trackers and sharing user data, the frequency with which apps took advantage of background refresh to send data off to tracking companies is surprising, as is some of the data shared.
Fowler found that apps were sending data like phone number, email, location, IP address, and more.
On a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.
Apps that were found passing data along included Microsoft OneDrive, Mint, Nike, Spotify, The Weather Channel, DoorDash, Yelp, Citizen, and even The Washington Post's own iOS app. Citizen shared personally identifiable information that violated its privacy policy (the tracker was later removed), and Yelp was sending data every five minutes, something the company later said was a bug.
During the course of a week of testing, Fowler ran into 5,400 trackers, mostly found within apps, which Disconnect told him would likely send 1.5 gigabytes of data over the course of a month.
Trackers within apps, for those unfamiliar, serve different purposes. Some analyze user behavior to let apps streamline advertising campaigns, combat fraud, or create targeted ads. Delivery app DoorDash, for example, was found using a whopping nine trackers in its apps, sharing data like device name, ad identifier, accelerometer data, delivery address, name, email, and cellular phone carrier.
DoorDash also has trackers from Facebook and Google Ad Services, which means Facebook and DoorDash are notified whenever you're using the DoorDash service. DoorDash is not alone in sending tracking data, nor are the apps listed above - using tracking information is standard practice - but most people aren't aware that it's happening.
Not all data collection is bad, such as when it's anonymized and stored for a limited period of time, but some trackers are collecting specific user information and don't provide clear information on how long that data is stored nor who it's shared with.
As Fowler points out, there is no way to know which apps are using trackers and when that data is being sent from your iPhone, nor does Apple have tools in place that give iPhone users a way to see which apps are using trackers and for what purpose. Apple was contacted for comment, but provided a standardized privacy response.
"At Apple we do a great deal to help users keep their data private," the company says in a statement. "Apple hardware and software are designed to provide advanced security and privacy at every level of the system."
"For the data and services that apps create on their own, our App Store Guidelines require developers to have clearly posted privacy policies and to ask users for permission to collect data before doing so. When we learn that apps have not followed our Guidelines in these areas, we either make apps change their practice or keep those apps from being on the store," Apple says.
Fowler suggests Apple could require apps to label when they're using third-party trackers, while privacy company Disconnect suggests greater privacy controls in iOS to give users more control over their data.
iOS users concerned about the data apps are sending, especially at night and without user knowledge, can turn off Background App Refresh in the Settings app and can use a VPN like Disconnect's Privacy Pro to limit the data apps are able to send to third-party sources.
