Apple said Monday it’ll change the way it logs data from your Mac about the apps you launch. Cybersecurity experts pointed out Thursday that a security feature was sending the information to Apple along with your IP address, which effectively ties data about the apps you use to your location. The data was also transmitted to Apple over the internet without any encryption, meaning that it’d be easy for a third party to intercept and read.
The result of the data collection, security blogger Jeffrey Paul wrote, is that “you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.”
While the data collection was happening in previous versions of MacOS, Paul found that the tools some tech-savvy iMac and MacBook owners used to stop the data collection no longer work on computers running the latest version, Big Sur. Apple released the new operating system to the public on Thursday.
Additionally, Apple’s collection of IP addresses can no longer be defeated with a VPN, which masks a user’s IP address with a proxy IP address. That’s because the security feature (and some other Apple services) can circumvent VPNs on devices running the Big Sur operating system, according to security researchers who focus on Apple products, collecting users’ true IP addresses instead.
Now, Apple says it has stopped logging user IP addresses collected by the feature, and will delete previous logs of IP addresses. Without IP addresses, there’s far less danger that records of app usage could be tied back to users. The company said it has never collected Apple IDs or other information that can identify a user’s specific Mac with the app usage data.
Apple also committed to other changes within the coming year. It’ll encrypt data about app usage while it flows over the internet to the company’s servers, and it will let users opt out of the security check that collects the data.
The security check is part of Apple’s Gatekeeper app, and it verifies that apps launched on Macs have valid security certificates. A security certificate is a digitally signed credential, created with cryptography, that’s meant to be impossible to forge. It serves as a guarantee that the app legitimately comes from the software maker it claims to come from.
If a software maker, such as Microsoft, Adobe or Google, believes its app has become infected with malware, or if it believes criminals have stolen the certificate to sign malicious software to make it look safe, it can revoke the security certificate and effectively cancel that guarantee. Gatekeeper in turn will notice the security certificate is revoked and prevent the app from launching.
The security check works by connecting to a remote server, where it logs data about its checks. If users opt out of the security check, they could potentially launch apps infected by malware that would have otherwise been blocked.