Apple has published lots of information explaining how its newly introduced Sign in With Apple service solves a problem most of us didn’t know existed and which many of us would very much like to solve.
Who watches the watchmen?
Most social sign-in services act a little like people-tracking honey pots: You come to use a website or service and stay because the people providing the authorization use that moment to gather even more information about what you do.
What happens is that the persistent identity used by those services can be combined with other data to identify where you go, what you look for and more.
This sounds innocuous enough, but over time the individual profiles collected grow, and can be leaked, stolen or sold – and you don’t know who by or who to.
It is, I think, fair to say that this particular problem is not one that most people thought we had.
Apple’s Sign in With Apple service helps draw attention to it – while also providing a constructive solution.
No one knows
Apple philosophically disagrees with the idea that user data is required to make systems work.
Instead, it sees its role as being that of a trusted intermediary capable of providing a source of authorization data that can be used by both end users and service/app providers.
“Apple believes that great user experiences and great privacy can go hand-in-hand, and that users should be able to enjoy the convenience and security of one-tap sign-in without compromising their privacy,” the company explains inside its detailed Sign In With Apple white paper, published this week.
Apple says it has built its service specifically, “To limit the amount of information that users are required to share, and to provide them with the peace of mind that Apple will not track them as they interact with their apps.”
How does no tracking work?
When you use Sign in with Apple to access a website, service or app, Apple generates a unique token for the user/developer pair and also stores the email address you choose to use with that developer.
In future, you get to use the service without interruption, so long as you remain signed into iCloud on your device. You should never need to share any more data.
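Why a token issued per user/developer pair resists the cross-site profiling described earlier, shown as an added example (not Apple's code; the page does not say how Apple derives its tokens). The HMAC construction, the provider key and the developer names `TEAM_SHOP` and `TEAM_NEWS` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the identity provider holds a secret key that never leaves it.
PROVIDER_KEY = secrets.token_bytes(32)


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") cannot collide."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def pairwise_id(account_id: str, developer_id: str, key: bytes = PROVIDER_KEY) -> str:
    """Stable for one (user, developer) pair, unrelated across developers."""
    msg = _field(developer_id) + _field(account_id)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def joinable_users(db_a: dict, db_b: dict) -> set:
    """Records two colluding developers can match by comparing identifiers."""
    return set(db_a) & set(db_b)


def demo() -> dict:
    users = ["alice@example.com", "bob@example.com"]  # constructed accounts
    # One persistent identifier reused everywhere, as with a global login ID.
    global_a = {u: "shop history" for u in users}
    global_b = {u: "news history" for u in users}
    # Pairwise identifiers issued to two hypothetical developers.
    pair_a = {pairwise_id(u, "TEAM_SHOP"): "shop history" for u in users}
    pair_b = {pairwise_id(u, "TEAM_NEWS"): "news history" for u in users}
    return {
        "global_overlap": len(joinable_users(global_a, global_b)),
        "pairwise_overlap": len(joinable_users(pair_a, pair_b)),
        "stable_for_same_developer":
            pairwise_id(users[0], "TEAM_SHOP") == pairwise_id(users[0], "TEAM_SHOP"),
    }


if __name__ == "__main__":
    print(demo())
```

With a shared identifier both databases join on every user; with pairwise identifiers the join is empty unless the provider's key leaks, which is why that key is the asset to protect in such a design.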
Developers also benefit, as Apple’s system shares a binary ‘bot/not bot’ message with them to let them know you are real; it calls this its Real User Indicator.
There are some services that need more insight – particularly financial services apps that log users out after a certain time.
Apple has developed a solution for this (called ASAuthorizationAppleIDRequest). This requires more information (such as Apple ID and IP address), but this is deleted after 30 days and is not shared with the service provider. Apple simply confirms the legitimacy of the request, acting as an agent of trust in the exchange.
“Apple does not provide any tracking tools to developers or receive data from any analytics or advertising tools that might be employed by any particular app. As a result, users can take advantage of the convenience of Sign in with Apple with the peace of mind that Apple is not tracking or profiling them,” said Apple.
How it works
Apple’s authorization system works on all the company’s platforms, can be accessed with popular web browsers, and can be used on Android and Windows (with Apple ID).
- First you should make sure you have enabled two-factor authentication on your Apple ID (as around three quarters of users already have).
- When you use a website or service that requires you to set up an account, you’ll be shown a Sign in with Apple button.
- Tap the button and you’ll be shown what you are agreeing to; usually this will say something like “Create an account” and use your Apple ID email.
- You authenticate the request using your passcode, Touch ID or Face ID.
- If using the web you can authenticate using a sign-in sheet.
- When using third-party browsers or a non-Apple platform, sign-in takes place using an Apple-hosted website.
You don’t need to share any personal information as Apple has that data. All you are providing is an identifier that allows you to sign in with your Apple ID in future.
Hide your email
Some services and sites will want your email address.
Apple’s system lets you provide this from your Apple ID, but also lets you edit the name used and offers Hide My Email, which creates a unique and private relay address.
Emails sent to you via this address will reach you (and will be checked by Apple for spam), but the service provider will not have your real address.
How to revoke permissions for apps and services
You can review all the apps and services you have authorized with the service in your Apple ID account, both on the device and online.
Sign in with Apple will be required in any app in the App Store that uses third-party sign-in services to set up and authenticate user accounts.
The bottom line is that Sign in with Apple is part of a parcel of privacy-enhancing tools Apple provides.
While these tools aren’t foolproof – security is an ongoing battle – the fact they exist shows the company remains willing to use its power to disrupt the behaviors of existing data collectors while also pushing for more educated conversations about privacy and the risks of losing it.
The strategy seems to be working.
There may be some who recall when the FBI tried to force Apple to open a back door into its devices following the San Bernardino shooting.
At that time many (including myself) argued that such systems did nothing to make people safer, as the details of any system weaknesses would eventually leak beyond law enforcement and into the hands of bad actors and rogue states. (You don’t even need to look too far to see this is what happens.)
Years later, it looks like there is a growing understanding that this is indeed the case.
Convenience is great, but not at any cost. The least we should know is what the cost and consequences of our convenience actually are.
Copyright © 2019 IDG Communications, Inc.