“We don’t build a profile based on your email content or web browsing habits to sell to advertisers,” CEO Tim Cook said in a letter on a new section of its website. “We don’t ‘monetize’ the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you.”
Apple was blamed recently for the leak of celebrity photos from iCloud, which were thought to have been accessed by hackers, trying out different combinations of usernames and passwords. The company on Tuesday introduced an optional two-step verification for iCloud accounts that would require users to enter a numerical passcode sent by SMS to their phones, besides entering usernames and passwords.
Ahead of the public availability next year of its Apple Watch, a digital watch with a fitness tracker and other apps, the company has also come under scrutiny from Connecticut Attorney General George Jepsen, who wrote to Cook asking for a meeting with company representatives to discuss how personal consumer information collected through the device will be stored and safeguarded.
Apple moved to reassure users on the new website that their data in the Health app is encrypted with keys protected by their passcode, and does not leave the device unless the user chooses to back it up or grant access to a third-party app. “When you do choose to back up your Health data through iCloud, it is encrypted both in transit and on our servers,” it said. Apps that work with Health are banned from selling or sharing Health data with advertising platforms, data brokers and information resellers.
The company also outlined privacy measures around allowing children under 13 to have their own Apple ID, and for Family Sharing, which allows up to six people in a family to share purchases from iTunes, iBooks and the App Store. The features were added in iOS 8, the update to Apple’s smartphone and tablet operating system that was rolled out Wednesday.
Consent from parents or guardians will be required to set up the Apple ID for children under 13 years, and Apple may take additional steps to verify that the user giving permission for the child’s Apple ID is the parent or legal guardian. The company said it will not knowingly collect, use or disclose any personal information from the child without verifiable parental consent. Parents are, however, advised that they should check separately the data collection practices of third-party apps before purchase or download.
The company also cautioned that it may collect information like device identifiers, cookies, IP addresses and geographic locations and time zones, which is information that in some cases has been defined under the Children’s Online Privacy Protection Act (COPPA) as personal information.
An “Ask to Buy” feature will allow parents to approve apps or in-app purchases by children.
“We’re going to make sure you get updates here about privacy at Apple at least once a year and whenever there are significant changes to our policies,” Cook wrote in the letter.
Cook also addressed a key concern of many users about tech companies sharing data with governments, an issue that came up after former U.S. National Security Agency contractor Edward Snowden leaked documents that telecommunications and Internet companies were providing user data to the agency.
“I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services,” Cook said. “We have also never allowed access to our servers.” This has been a stand taken by other Internet companies as well.
Apple said it didn’t have a way to decrypt iMessage and FaceTime data when it’s in transit between devices. “So unlike other companies’ messaging services, Apple doesn’t scan your communications, and we wouldn’t be able to comply with a wiretap order even if we wanted to,” it said on its website.
The company, however, complies with requests for information if it is accompanied by valid legal process. The most common requests it receives for information come from law enforcement in the form of either a device request mainly for helping locate a stolen device or an account request usually asking for information on an iTunes or iCloud account.