MacDirectory magazine is the premiere creative lifestyle magazine for Apple enthusiasts featuring interviews, in-depth tech reviews, Apple news, insights, latest Apple patents, apps, market analysis, entertainment and more.
Issue link: https://digital.macdirectory.com/i/1277879
PW: There are legitimate reasons for apps to access the pasteboard; for example, Google Chrome might look for URLs, and if it sees something that looks like a URL, will suggest browsing to that; I think the UPS app looks at the pasteboard to see if it’s a tracking number and asks if you want to track the package. So there are legitimate functionality reasons why apps would do this. The issue is that there’s a whole group of apps (I think the researchers identified 50+) that would access the pasteboard without providing a reason. And these are well-known apps: The New York Times app, NPR, a whole variety of games, social media apps like TikTok, hotels.com, etc. So everyone’s doing this — which doesn’t make it right, or OK, but again there are legitimate scenarios where this would happen. I think that if an application is actually accessing the pasteboard, then they should explain why they are doing that. As for LinkedIn’s excuse that it was “a mistake”? I don’t really buy that. I mean, maybe that was the case, but they’re likely just using it for some other purpose. I believe they did say, though, that they’re not capturing and transmitting pasteboard data, so at least it sounded like it’s all just done locally. And perhaps this was the case with TikTok as well. So we’re kind of stuck in the middle, as users. It’s like, OK, this is not an ideal behavior, but it might not be malicious, it might not be sending my data to a server in China. But we also don’t specifically know that. At least with iOS 14, there’s now a notification about this, so the issue is coming to light, which I think is a good thing. But I don’t think there was any “accident”, per se. 
I think maybe the accident was: “Oh, yeah … we shouldn’t have been doing this!” Or, maybe one scenario, if we’re going to give them the benefit of the doubt, was that it was being used in a debug build but somehow made it into production, or it was a feature that they were planning on using for some legitimate purpose that didn’t get taken out, or something like that. I’m more inclined to think it’s just an interesting feature of the operating system that provided them more data about user activity. Which, let’s be honest, is what basically all apps are after, right? Especially the free ones! They want to gather as much information about you as possible, not necessarily for surreptitious purposes, but usually to understand and predict user behavior. That’s the value: What are my users reading, what are they doing, where are they located. If you pull apart any free app, you’ll see it basically collects as much data as it can. And that, unfortunately, is kind of just the price we pay for these free applications. I saw a great quote that went something like “TikTok isn’t doing anything more than Facebook does … but that’s not a good thing either way.”
While dozens of high-profile apps were found to be accessing the iOS pasteboard (some with dubious excuses for their activities), TikTok has borne the brunt of public criticism. Some people have suggested that the video-sharing app is being unfairly singled out due to its origins: TikTok is owned by the Chinese tech giant ByteDance, and for this reason has been the subject of whisper campaigns linking it to the Chinese government. We asked Wardle if he thought that the furor over TikTok was simply about an audio/video app collecting user data — or if it had more to do with the fact that TikTok is an audio/video app from China.
PW: I think it’s a combination of both. I think the China connection is something that we can’t ignore — and this is a really interesting topic if we’re talking about app security and app privacy.
Say you have an app like TikTok that probably needs access to your contacts, since it’s kind of a social media app, and so again there’s a legitimate reason why it would need access; and it probably would need your location to suggest certain things; it would also need access to your photos and videos … and so there’s a lot of legitimate reasons why it would need extensive access and permissions. But the million dollar question is: What is it doing with all of that? And if we look at other apps, we kind of have the whole gamut. On the one end we have an app like “ToTok” (not to be confused with TikTok), which turned out to be a government spying application used by the UAE government — the New York Times reported this after it was tipped off by an anonymous source in the U.S. intelligence service. I took a look at this app and did some research with the New York Times, and what we found was that it was basically collecting all the same information that a lot of other apps were, but then it was sending this information off to these back-end servers. So at that point, you wonder where that data is going and who’s doing what with it. That’s one end of the spectrum, where we have data or intel from an intelligence agency telling us that the people who have access to the data on the back end are using it for nefarious purposes. But if we didn’t have that information, really there’s not anything inherently suspicious about the application per se, if you’re just looking at the binary code, the stuff that runs on the phone, it’s just collecting as much information about the user as possible, and much of that is for legitimate purposes. So we look at TikTok, and we’re seeing it doing things like enumerating what apps are installed on your device, and you wonder why they need this information.
And if we start getting creative, we can imagine that if the Chinese government is behind the app, then if you have other apps on your phone that are perhaps related to your sexual preference, or your political views, that could be very relevant information in the wrong hands. On the other hand, maybe the app is just collecting data about users to better target them with advertising. For example, if I have an app installed for a GPS tracker for my dog, another