“Then of course you just get bombarded by notices and you just start ignoring them, and in the midst of it there’s something important,” he said.
Meanwhile, apps will soon be required to self-report the kinds of data they link to you in identifiable profiles, as well as the kind of tracking data that may follow you across other apps and services, which will be added to the App Store as “nutrition labels”.
But just like with actual nutrition labels, the onus is on the user to understand or care about what the information means in context.
“People are literally saying there is a prompt that is between me and achieving the task which I set out to do by downloading this thing in the first place. How do I get past the prompt as fast possible,” Mr Hunt said.
“So there’s a valid argument to be had here about how effective a warning is in the first place.”
Going beyond warnings and actually cutting apps off from data such as the clipboard or location services isn’t practical for Apple. The company has been keen to present privacy as a key differentiator for its phones in recent years — as it makes its money from selling its devices and services, it has no interest in collecting user data like rival Google — but most of the apps on its store very much need that data. And Apple needs the apps in its ecosystem.
Access to user data is often key to how apps work, whether that’s a browser that sees you’ve recently copied a URL and offers to take you straight there, a weather app that serves you location-specific forecasts or an email app that knows who you want to contact.
“They need to be able to allow these apps in, which in some cases need access to things which could be a privacy violation,” Mr Hunt said.
“There’s a value proposition in terms of the cohesiveness of the whole ecosystem. And the challenge they’ve got is how do you … ensure you keep the bits to make it better, while discarding the bits that are privacy violations.”
Apple subjects all apps on its store to rigourous tests to ensure they don’t violate data privacy standards, but ultimately the most important piece of the puzzle could be completely out of Apple’s hands; what happens to the data after it’s been collected.
Mr Hunt runs a site called Have I Been Pwned, which scans and indexes dumps of stolen data. He said several weeks ago he found his own personal data in a set that originated from the breach of an app he’d never used. It was an app that stored people’s entire contact lists in the cloud.
“Now it can only do that with the consent of the user. But suddenly myself and 10s of millions of other people have had their personal data exposed after never even using the thing, because someone else decided that it was a good idea to put us in there,” he said.
“They just stored all the data up in the cloud somewhere and they didn’t secure the cloud, now that’s well and truly outside the scope of the Apple ecosystem.”
Tim is the editor of The Age and Sydney Morning Herald technology sections.