IIRC Apple does apply differential privacy - sending wrong information randomly about your trips to themselves, where they then average over all users to get rid of the noise they added so it becomes useful aggregate data.
And they never submit the start and end locations of the trips. Maybe the privacy is still terrible but it’s way way way better than Google’s IMO.
Source: https://techcrunch.com/2018/06/29/apple-is-rebuilding-maps-from-the-ground-up/
“We specifically don’t collect data, even from point A to point B,” notes Cue. “We collect data — when we do it — in an anonymous fashion, in subsections of the whole, so we couldn’t even say that there is a person that went from point A to point B. We’re collecting the segments of it. As you can imagine, that’s always been a key part of doing this. Honestly, we don’t think it buys us anything [to collect more]. We’re not losing any features or capabilities by doing this.”
The segments that he is referring to are sliced out of any given person’s navigation session. Neither the beginning nor the end of any trip is ever transmitted to Apple. Rotating identifiers, not personal information, are assigned to any data or requests sent to Apple, and it augments the “ground truth” data provided by its own mapping vehicles with this “probe data” sent back from iPhones.
Because only random segments of any person’s drive are ever sent and that data is completely anonymized, there is never a way to tell if any trip was ever a single individual. The local system signs the IDs and only it knows to whom that ID refers. Apple is working very hard here to not know anything about its users. This kind of privacy can’t be added on at the end, it has to be woven in at the ground level.
Still… it’s closed source. I can tell you that my closed source code, that only I have access to, doesn’t track your movement everywhere. “Trust me bro” move. The first sentence doesn’t make sense at all.
They added noise and then removed the noise?
You’re absolutely right that closed source makes it much harder to verify that software does what it’s supposed to do. I’m not sure in the absence of ability to view the source how we can be sure that Apple does what they say. (maybe network packet sniffing? Are there privacy audits? Must it be disclosed in GDPR requests?) I hope someone with the appropriate qualifications is able to chime in on this.
I’m sorry for my poor explanation, and unfortunately I do not specialise in differential privacy. My layman’s understanding is that they add noise to the segments of your navigation before sending it to themselves. Once they receive the noisy data, if they average out many samples, the noise is “averaged out” in aggregate statistics. I hope an expert on differential privacy is able to chime in.
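The "add noise, then average it out" idea the thread is circling around, as an added example that is not from the thread or from Apple: a simulation of randomized response, the simplest local differential privacy mechanism. Every device flips its one-bit answer with some probability before sending it, so no single report can be trusted, yet the server can debias the aggregate because it knows the flip probability. The segment question, user count and p = 0.75 are assumptions for illustration; nothing here describes Apple's actual mechanism.

```python
import math
import random


def randomized_response(bit: int, p: float, rng: random.Random) -> int:
    """Report the true bit with probability p, otherwise flip it.

    The noise is added on the device before anything is sent, so the
    server only ever sees the noisy bit (local differential privacy).
    """
    return bit if rng.random() < p else 1 - bit


def epsilon(p: float) -> float:
    """Privacy loss of randomized response: ln(p / (1 - p)). p=0.75 -> ln 3."""
    return math.log(p / (1 - p))


def estimate_fraction(reports: list[int], p: float) -> float:
    """Debias the aggregate: E[report] = (1 - p) + (2p - 1) * true_fraction."""
    mean_report = sum(reports) / len(reports)
    return (mean_report - (1 - p)) / (2 * p - 1)


def simulate(n_users: int, true_fraction: float, p: float, seed: int = 1) -> dict:
    rng = random.Random(seed)
    # Constructed sample: 1 = "this device's probe covered hypothetical road
    # segment S", 0 = it did not. Drawn at random, not real data.
    true_bits = [1 if rng.random() < true_fraction else 0 for _ in range(n_users)]
    reports = [randomized_response(b, p, rng) for b in true_bits]
    # How often one report matches that user's truth: only p, so a single
    # report says little about a single person.
    per_user_accuracy = sum(r == b for r, b in zip(reports, true_bits)) / n_users
    return {
        "true_fraction": sum(true_bits) / n_users,
        "estimated_fraction": estimate_fraction(reports, p),
        "per_user_accuracy": per_user_accuracy,
        "epsilon": epsilon(p),
    }


if __name__ == "__main__":
    result = simulate(n_users=10_000, true_fraction=0.30, p=0.75)
    for key, value in result.items():
        print(f"{key}: {value:.4f}")
```

The noise is never "removed" from any individual report; it cancels only in the population average, which is exactly what makes the estimate useful to the server and useless for identifying one user.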