Though Apple has long been vocal about its stance on security and privacy, it has recently begun utilizing that stance as a sales tool. If you’d like to keep personal data — anonymized or not — to yourself as much as possible, the company has messaged, then you should invest in Apple hardware.
That policy, of course, requires extra examination when Apple launches features that require data to be sent off of your phone in order to be effective. The ‘Hey Siri’ feature, for instance, no longer requires that your phone be plugged in to power to be active. An ‘always listening’ phone logically raises some questions about how that data will be handled and transmitted. Live Photos, as well, are a new wrinkle — photographs with audio and motion attached.
These new features have raised some questions about how Apple will maintain user privacy. Our own Natasha Lomas covered some of those queries this morning. In a Q&A provided to TechCrunch, Apple has attempted to address them.
That information, along with some knowledge I’ve gleaned from talking to folks around town this week, makes the answers to some of these questions clearer.
Live Photos
Live Photos are a new kind of iPhone image ‘format’ that look like a normal picture until you ‘force touch’ them (tap and push). When you do so, the photo comes alive with a bit of motion and audio — 1.5 seconds before the picture and 1.5 seconds after it.
Live Photos are treated almost exactly like any other photo shot on an iPhone. This means that they’re encrypted, both at rest and in transit to iCloud.
Because Live Photos record motion before your still image, they are continuously buffered beginning the moment you open your camera app and see the Live icon (orange circle) at the top of your screen. Apple says that this 1.5 second recording only happens when the camera is on, and this information is not permanently saved until you take a picture, period.
“Although the camera is ‘recording’ while you’re in Live Photo mode, the device will not save the 1.5 seconds before until you press the camera button,” says Apple. “The pre-captured images are not saved to the user’s device nor are they sent off the device.”
The 1.5 seconds after the still capture are also recorded because you’ve tapped the camera button in live mode.
From what we’ve gleaned, Live Photos are a single 12-megapixel image and a paired motion format file, likely a .mov. They are presented together by iOS but are actually separate entities tied to one another. This means that you can send a Live Photo to someone as a still image if you choose — or save it as a still image separately. You do not have to include the motion format. If you want someone else to be able to view them as Live Photos, of course, they have to be running iOS 9 or above. The total size of a Live Photo varies like any compressed image, but on average it takes up roughly the space of two 12-megapixel images.
“We treat privacy and security of Live Photos the same that we do for existing Photos and Videos. They don’t leave the device for any reason unless you purposely share it or elect to use iCloud,” says the company.
The Live Photos feature is on by default but can be turned off with a tap of the icon.
Hey Siri
Perhaps the larger question is how no longer needing to have your iPhone plugged in affects the privacy of Apple’s ‘Hey Siri’ feature. Being able to say the phrase at any time to activate Siri is convenient, but it raises some questions about what Apple means by ‘listening’ and whether any of that audio is recorded.
Hey Siri is an optional feature that is enabled by an opt-in step in iOS 9’s setup. You can choose never to enable it. If you do enable it, nothing is ever recorded in any way before the feature is triggered.
“In no case is the device recording what the user says or sending that information to Apple before the feature is triggered,” says Apple.
Instead, audio from the microphone is continuously compared against the model, or pattern, of your personal way of saying ‘Hey Siri’ that you recorded during setup of the feature. Hey Siri requires a match to both the ‘general’ Hey Siri model (how your iPhone thinks the words sound) and the ‘personalized’ model of how you say it. This is to prevent other people’s voices from triggering your phone’s Hey Siri feature by accident.
Until that match happens, no audio is ever sent off of your iPhone. All of that listening and processing happens locally.
“The ‘listening’ audio, which will be continuously overwritten, will be used to improve Siri’s response time in instances where the user activates Siri,” says Apple. The keyword there being ‘activates Siri.’ Until you activate it, the patterns are matched locally, and the buffer of sound being monitored (from what I understand, just a few seconds) is being erased, un-sent and un-used — and unable to be retrieved at any point in the future.
Of course, as has always been the case with Siri, once a match is made and a Siri command is sent off to Apple, it’s associated with your device using a random identifier, not your Apple ID or another personalized piece of info. That information is then ‘approved’ for use in improving the service, because you’ve made an explicit choice to ask Apple’s remote servers to answer a query.
“If a user chooses to turn off Siri, Apple will delete the User Data associated with the user’s Siri identifier, and the learning process will start all over again,” says Apple.
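As an added illustration of the pipeline the last few paragraphs describe (not Apple’s code, and not a description of its implementation), this Python models the local gate: a few-second ring buffer that is continuously overwritten, a two-stage match against a general and a personalized model, uploads tagged with a random identifier rather than an Apple ID, and deletion of that identifier when Siri is turned off. It assumes one audio frame per word and uses a speaker label as a stand-in for the acoustic features a real voice model would compare.

```python
import collections
import secrets

BUFFER_FRAMES = 3  # assumption: "a few seconds" of audio, one frame per second

class HeySiriDevice:
    """Toy gate: a frame is (speaker, word); speaker stands in for voice features."""

    def __init__(self, enrolled_speaker):
        self.buffer = collections.deque(maxlen=BUFFER_FRAMES)  # oldest frame drops
        self.enrolled = enrolled_speaker        # the "personalized" model
        self.siri_id = secrets.token_hex(8)     # random identifier, not an Apple ID
        self.active = False                     # True only after a match
        self.server = []                        # what the simulated server receives

    def _matches(self):
        frames = list(self.buffer)[-2:]
        general = [w.lower() for _, w in frames] == ["hey", "siri"]
        personal = all(spk == self.enrolled for spk, _ in frames)
        return general and personal             # both models must agree

    def hear(self, speaker, word):
        """Feed one frame; returns True only if that frame left the device."""
        if self.active:                         # the spoken command itself
            self.server.append({"id": self.siri_id, "word": word})
            return True
        self.buffer.append((speaker, word))     # stays local, overwritten later
        if self._matches():
            self.active = True
            self.buffer.clear()                 # trigger audio is not uploaded
        return False

    def end_query(self):
        self.active = False                     # back to local-only listening

    def disable_siri(self):
        """Turning Siri off drops the server-side data and the identifier."""
        self.server.clear()
        self.siri_id = secrets.token_hex(8)
        self.active = False
        self.buffer.clear()

def run_demo():
    """Constructed sample: a bystander says the phrase, then the enrolled user."""
    dev = HeySiriDevice("alice")
    frames = [("bob", "hey"), ("bob", "siri"), ("alice", "hey"),
              ("alice", "siri"), ("alice", "weather"), ("alice", "today")]
    sent = [dev.hear(s, w) for s, w in frames]
    dev.end_query()
    return sent, [e["word"] for e in dev.server]
```

The bystander’s phrase passes the general model but not the personalized one, so nothing is uploaded until the enrolled speaker triggers it; only the command that follows reaches the simulated server.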
The subtext here, of course, is the constant battle Apple will have to wage to balance the data needs of its more advanced personalization and convenience features with its relatively hardcore position on user privacy.
Could Apple do more if it continuously sent (anonymized) data back to its servers regardless of a personalized Siri match? Surely. It would give its data scientists a ton more data to work with to make the service better at a more rapid clip. And the argument could be made that since the data was anonymized, no harm is done. That’s certainly the argument that Google uses to provide better Google Now services and to utilize the data to target ads.
But because Apple has explicitly challenged itself to move as little data as possible off of your local device, and to keep that data internal (not sharing it with partners), it will need to stay solidly on the conservative side of the line with any features like Hey Siri and Live Photos.
And it will doubtless have to answer questions like these any time it pushes the boundaries of what is possible with its cloud services.