Evidence of meeting #155 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was apple.
A video is available from Parliament.
9:35 a.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
I come from the open-source community, so I can relate to that comment.
I'd like to speak to Mozilla for a second.
You talked about enhanced tracking protections. Would you describe tracking and anti-tracking as an arms race?
9:35 a.m.
Vice-President, Global Policy, Trust and Security, Mozilla Corporation
Unfortunately, yes. I think we are very clear-eyed about the fact that we will build this set of tracking protections. We think they provide real value. I'll give a shout-out to our friends at Apple. They're doing something similar with Safari that's really good.
The trackers will find other ways to get around this, and we'll have to build new tools. I think this is going to be an ongoing thing for some time, which is unfortunate for users, but it is an example of how we can do things to protect users.
9:35 a.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
Understood.
To go to Apple for a second, there was recently the sensor ID hack that was patched in 12.2 of iOS—I'm not familiar with it—that permitted any website anywhere in the world to track any iPhone and most Android devices based on sensory calibration data. You're probably familiar with this.
9:35 a.m.
Manager of User Privacy, Apple Inc.
Yes, it's the fingerprinting issue.
9:35 a.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
Yes, the fingerprinting issue. Can you tell us more about this, how it was used and if it is truly prevented now in iOS 12.2?
9:35 a.m.
Manager of User Privacy, Apple Inc.
First, I'll step back, I think, to explain a bit of the context. When we're talking about, say, tracking, there can be some technologies that are explicitly for tracking, such as cookies. One of the evolutions we've seen is the development of what we call a synthetic fingerprint. It's just a unique digital number that is synthesized by a third party, probably to attempt to track. It can also be used for anti-fraud and some other reasons, but certainly it is fit for the purposes of tracking.
You're right. Some researchers, by looking at variations in sensor manufacture, identified that there was the ability to try to synthesize one of these unique identifiers. Fingerprinting, much like anti-tracking, is going to be something that will continually evolve and that we're committed to staying in front of. When you ask how it was used, I don't have any data that it was used at all, but I also can't assure you that it was not.
We introduced a number of mitigations in our most recent update, which the researchers have confirmed have blocked their version of the attack, but again, I'd put this in the context of fingerprinting being an evolving area, so I choose my word “mitigations” also carefully. Without actually removing sensors out of the device, there will continue to be a risk there. We're also going to continue to work to mitigate that risk and stay on top of it.
9:40 a.m.
Liberal
David Graham Liberal Laurentides—Labelle, QC
I have only about 20 seconds left. I have one more question for Apple.
On iOS, when you switch between applications, one application suspends and the next one opens. When you come back to the original application, if it's been more than a few seconds, it will reload the data. Is that not providing ample tracking opportunity to any website you're on, by saying that this is the usage of the device? I find it strange to have to do that, instead of storing the content that you're actually using.
9:40 a.m.
Manager of User Privacy, Apple Inc.
I'll split that into two parts, I guess.
One, when the application gains the foreground and is able to execute, they can reload the content, if they see fit to reload the content. At that point, you've transferred control to that application, and it will be able to execute and reload, if you'd like.
It's our goal, actually, to minimize those reloads as part of the user experience. It's also our goal that the application currently in the foreground should get, within a sandbox, within a set of limitations we have, the maximum execution and other resources of the device. This can mean that the operating system will remove some of the resources of background applications.
In terms of the reloading that you're seeing, iOS, our operating system, could contribute to that, but fundamentally, regardless of what resources are preserved for that background application, when you transition back to an app, it has execution control and it can reload if it sees fit.
9:40 a.m.
Conservative
The Chair Conservative Bob Zimmer
Thank you, Mr. Graham.
We'll go to my co-chair, Mr. Collins.
Go ahead with your opening comments. It's good to have you back.
May 29th, 2019 / 9:40 a.m.
Damian Collins Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
Thank you.
My apologies, since the other U.K. representatives and I were not here for the start of the session, but we're delighted to see all of the witnesses here on the panel.
We had focused yesterday on some of the social media platforms, but I think our interests are much broader, looking at a range of technology companies.
I wonder if I could start with a couple of questions first for Apple.
As I came in, there was a discussion about data collected about voice. Could you tell me a little bit about the sort of data Apple collects in terms of sound captured by its devices? With smart devices, are the devices capturing ambient background sound to gain an understanding of the users—maybe the environment they're in or what they're doing when they're using the device?
9:40 a.m.
Manager of User Privacy, Apple Inc.
In terms of the information on our devices that support Siri, there is a part of the device that is constantly listening. On some of our devices we've isolated it beyond even iOS, beyond our operating system, into a dedicated coprocessor, basically a specialized piece of hardware, which is not recording or storing that information but is listening only for the wake-up word to trigger our personal assistant, so that information isn't retained on the device.
Further to the point of your question, it isn't being collected into any sort of derived profile to identify something about the users' behaviour or interests. No.
9:40 a.m.
Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
Is it collecting information about the environment they're in at the moment? Let's say, for example, I was commuting to work and I was on the bus. Would it pick up that sort of ambient sound?
9:40 a.m.
Manager of User Privacy, Apple Inc.
It's not collecting it all. There's what we call a “ring buffer”. There's basically a short period that is transiently recorded to analyze for that wake-up word, and then it's continually overwritten as time progresses. There isn't any collection for more than just the ephemeral milliseconds of being able to listen for that wake-up word.
9:40 a.m.
Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
The only purpose of the listening is for a command to Siri.
9:40 a.m.
Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
For product development or training purposes, is any of that information retained by the company?
9:40 a.m.
Manager of User Privacy, Apple Inc.
Again, it's not even retained by the device. As it's transiently listening, it's being continually overwritten. When the user uses a wake-up word, there is some machine learning that happens on the device as it adapts the audio model to the speaker to reduce the number of false positives or false negatives for that wake-up word. Then if the user is using Siri, at the point Siri is woken up and being communicated with, that is the initiation of transmission of data to Apple.
9:40 a.m.
Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
What would the scope of that data be?
9:40 a.m.
Manager of User Privacy, Apple Inc.
The scope of the data is the utterance until it reaches a termination point and Siri thinks the user has stopped talking, along with information like the device model to tailor the response back to the device and a random device-generated identifier, which is the key to the data that is held by Siri for purposes of your interactions with Siri. This is an identifier that is separate from your Apple ID and not associated with any other account or services at Apple.
9:40 a.m.
Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
Would Apple keep a record of the sort of things I've asked Siri about, the commands I've given?
9:45 a.m.
Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
Is that used by the company, or is that just used to inform the response to my device?
9:45 a.m.
Manager of User Privacy, Apple Inc.
I guess the second part is a form of use by the company. Yes, we use it for Siri, and for Siri purposes alone.
9:45 a.m.
Chair, Digital, Culture, Media and Sport Committee, United Kingdom House of Commons
To get at what the Siri purposes are, are the Siri purposes just actually making Siri more responsive to my voice—