Why you should begin using Sign in with Apple

Credit to Author: Jonny Evans| Date: Fri, 08 Nov 2019 06:17:00 -0800

Apple has published lots of information explaining how its newly introduced Sign in With Apple service solves a problem most of us didn’t know existed and which many of us would very much like to solve.

The issue:

Most social sign-in services act a little like people-tracking honey pots: You come to use a website or service and stay because the people providing the authorization use that moment to gather even more information about what you do.

What happens is that the persistent identity used by those services can be combined with other data to identify where you go, what you look for and more.

This sounds innocuous enough, but over time the individual profiles collected grow, and can be leaked, stolen or sold – and you don’t know who by or who to.

It is I think fair to say that this particular problem is not one that most people thought we had.

Apple’s Sign in With Apple service helps draw attention to it – while also providing a constructive solution.

Apple philosophically disagrees with the idea that user data is required to make systems work.

Instead, it sees its role as being that of a trusted intermediary capable of providing a source of authorization data that can be used by both end users and service/app providers.

“Apple believes that great user experiences and great privacy can go hand-in- hand, and that users should be able to enjoy the convenience and security of one-tap sign-in without compromising their privacy,” the company explains inside its detailed Sign In With Apple white paper, published this week.

Apple says it has built is service specifically, “To limit the amount of information that users are required to share, and to provide them with the peace of mind that Apple will not track them as they interact with their apps.”

When you use Sign in with Apple to access a website, service or app, Apple generates a unique token for the user/developer pair and also stores the email address you choose to use with that developer.

In future, you get to use the service without interruption, so long as you remain signed into iCloud on your device. You should never need to share any more data.

Developers also benefit, as Apple’s system shares a binary ‘bot/not bot’ message with them to let them know you are real, it calls this its Real User Indicator.

There are some services that need more insight – particularly financial services apps that log users out after a certain time.

Apple has developed a solution for this (called ASAuthorizationAppleIDRequest). This requires more information (such as Apple ID and IP address), but this is deleted after 30-days and is not shared with the service provider. Apple simply confirms the legitimacy of the request, acting as an agent of trust in the exchange.

“Apple does not provide any tracking tools to developers or receive data from any analytics or advertising tools that might be employed by any particular app. As a result, users can take advantage of the convenience of Sign in with Apple with the peace of mind that Apple is not tracking or profiling them,” said Apple.

Apple’s authorization system works on all the company’s platforms, can be accessed with popular web browsers, and can be used on Android and Windows (with Apple ID).

You don’t need to share any personal information as Apple has that data. All you are providing is an identifier that allows you to sign in with your Apple ID in future.

Some services and sites will want your email address.

Apple’s system lets you provide these from your Apple ID, but also lets you edit the name used and offers the Hide My Email, which creates a unique and private relay address.

Emails sent to you via this address will reach you (and will be checked by Apple for spam), but the service provider will not have your real address. 

You can review all the apps and services you have authorized with the service in your Apple ID account, both on the device and online.

Here you can review what information you have shared with an app, review its privacy policy, turn off the private email address or simply stop using the Apple ID.

Sign in with Apple will be required in any app in the App Store that uses 
 third-party sign-in services to set up and authenticate user accounts.

The bottom line is that Sign in with Apple is part of a parcel of privacy enhancing tools Apple provides.

While these tools aren’t foolproof – security is an ongoing battle – the fact they exist shows the company remains willing to use its power to disrupt the behaviors of existing data collectors while also pushing for more eductated conversations about privacy and the risks of losing it.

The strategy seems to be working.

There may be some who recall when the FBI tried to force Apple to open a back door into its devices following the San Bernardino shooting.

At that time many (including myself) argued that such systems did nothing to make people safer, as the details of any system weaknesses would eventually leak beyond law enforcement and into the hands or bad actors and rogue states. (You don’t even need to look too far to see this is what happens.)

Years later, it looks like there is a growing understanding that this is indeed the case.

Convenience is great, but not at any cost. The least we should know is what the cost and consequences of our convenience actually are.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

http://www.computerworld.com/category/security/index.rss