Why you should begin using Sign in with Apple

Convenience is great, but why should it cost you your privacy? Apple has an answer.

Apple, iOS, Sign in with Apple, security, privacy

Apple has published a lot of information explaining how its newly introduced Sign in With Apple service solves a problem most of us didn’t know existed – something many of us would very much like to solve.

Who watches the watchmen?

The issue: Most social sign-in services act a little like user-tracking honey pots: You come to use a website or service and stay because the people providing the authorization use that moment to gather even more information about what you do.

What happens is that the persistent identity used by those services can be combined with other data to identify where you go, what you look for and more. It sounds innocuous enough, but over time the individual profiles grow, and can be leaked, stolen or sold – and you don’t know by whom or to whom.

It is, I think, fair to say that this particular problem is not one most people thought we had. Apple’s Sign in With Apple service helps draw attention to it – while also providing a constructive solution.

No one knows

Apple philosophically disagrees with the idea that user data is required to make systems work. Instead, it sees its role as being that of a trusted intermediary capable of providing a source of authorization data that can be used by both end users and service/app providers.

“Apple believes that great user experiences and great privacy can go hand-in- hand, and that users should be able to enjoy the convenience and security of one-tap sign-in without compromising their privacy,” the company explains inside its detailed Sign In With Apple white paper, published this week.

Apple says it has built its service specifically, “to limit the amount of information that users are required to share, and to provide them with the peace of mind that Apple will not track them as they interact with their apps.”

How does no tracking work?

When you use Sign in with Apple to access a website, service or app, Apple generates a unique token for the user/developer pair and stores the email address you choose to use with that developer.

Later, you get to use the service without interruption, so long as you remain signed into iCloud on your device. You should never need to share any more data.

Developers also benefit, as Apple’s system shares a binary ‘bot/not bot’ message with them to let them know you are real; it calls this its Real User Indicator.

There are some services that need more insight – particularly financial services apps that log users out after a certain time.

Apple has developed a solution for this (called ASAuthorizationAppleIDRequest). This requires more information (such as Apple ID and IP address), but this is deleted after 30-days and is not shared with the service provider. Apple simply confirms the legitimacy of the request, acting as an agent of trust in the exchange.

“Apple does not provide any tracking tools to developers or receive data from any analytics or advertising tools that might be employed by any particular app. As a result, users can take advantage of the convenience of Sign in with Apple with the peace of mind that Apple is not tracking or profiling them,” said Apple.

How it works

Apple’s authorization system works on all the company’s platforms, can be accessed from popular web browsers, and can be used on Android and Windows (with Apple ID).

  • First, make sure you have enabled two-factor authentication on your Apple ID (as around three-quarters of users already have).
  • When you use a website or service that requires you to set up an account, you’ll be shown a Sign in with Apple button.
  • Tap the button and you’ll be shown what you are agreeing to – usually this will say something like “Create an account” and use your Apple ID email.
  • You authenticate the request using your passcode, Touch ID or Face ID.
  • If using the web, you can authenticate using a sign-in sheet.
  • When using third-party browsers or a non-Apple platform, sign-in takes place using an Apple-hosted website.

You don’t need to share any personal information, as Apple has that data. All you are providing is an identifier that allows you to sign in with your Apple ID in future.

Hide your email

Some services and sites will want your email address. Apple’s system lets you provide these from your Apple ID, but also lets you edit the name used and offers the Hide My Email, which creates a unique and private relay address.

Emails sent to you via this address will reach you (and will be checked by Apple for spam), but the service provider will not have your real address. 

How to revoke permissions for apps and services

You can review all the apps and services you have authorized with the service in your Apple ID account, both on the device and online. Here you can review what information you have shared with an app, review its privacy policy, turn off the private email address or simply stop using the Apple ID.

Sign in with Apple will be required in any app in the App Store that uses 
 third-party sign-in services to set up and authenticate user accounts.

Coming next...

The bottom line is that Sign in with Apple is among a parcel of privacy enhancing tools Apple provides. While these tools aren’t foolproof – security is an ongoing battle – the fact they exist shows the company remains willing to use its power to disrupt the behaviors of existing data collectors while also pushing for more eductated conversations about privacy – and the risks of losing it.

The strategy seems to be working.

You may recall when the FBI tried to force Apple to open a back door into its devices following the San Bernardino shooting in the U.S. At that time many (including myself) argued that such systems did nothing to make people safer, as the details of any system weaknesses would eventually leak beyond law enforcement and into the hands or bad actors and rogue states. (You don’t even need to look too far to see this is what happens.)

Years later, it looks like there is a growing understanding that this is indeed the case.

Convenience is great, but not at any cost. The least we should know is what the cost and consequences of our convenience actually are.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

Copyright © 2019 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon