On Aug. 29, Apple made headlines by announcing its big fall event, at which the hotly anticipated iPhone 11 was expected to be announced.
Later that evening, Google’s Project Zero research team posted an explosive report revealing it had found a severe glitch in the iPhone’s operating system. Google researchers detailed five distinct attack chains and described how countless Apple devices had been exposed to malware simply by visiting hacked websites.
The press pounced on the report.
In an instant, Apple’s long-standing reputation for ironclad security was shattered.
Google’s report was met with derision from Apple fans while sparking barely contained glee from Android devotees. Apple responded a few days later in a terse blog post that disputed several details and challenged Google’s assertion that the attacks were indiscriminate.
Apple clarified that the attacks were “narrowly focused” and had affected only websites related to the Uighurs, an oppressed minority group in China. The clarification didn’t go over particularly well and was perceived by many as insensitive to the Uighurs.
Buried by the controversy over Apple’s tone-deaf response was the fact that Google had held on to the Project Zero report for more than six months after the iOS exploits were patched. As it turns out, Google had alerted Apple to its findings in early February—about one month after Apple had embarrassed Google at the world’s biggest technology show.
Why Google shook Apple’s tree
Google had taken over January’s Consumer Electronics Show (CES) in Las Vegas with “Hey Google” ads plastered all over the city, an enormous interactive Google playground installation, and, to top it all off, an elaborate Google Assistant theme park ride.
It was Google’s week to shine.
But towering over the festivities was a colossal Apple billboard proclaiming “What happens on your iPhone, stays on your iPhone.” The underlying message was clear: You can trust Apple with your privacy—but not Google.
Surely Google didn’t appreciate being mocked in front of the entire tech industry during the year’s most important trade show, especially by its rival Apple, which wasn’t even attending the event.
Google needed to find a way to strike back—and it wouldn’t be long until Project Zero researchers found what they were looking for.
Google privacy issues are an easy target for Apple
Unlike Google, Apple doesn’t rely on tracking the behavior of its users to make money. That’s why Apple has made it a mission to expose all of the tricks Google and others use to collect private data and monitor people across devices and the internet.
Moreover, Apple’s Safari web browser has been increasingly fortified against targeted advertising by limiting third-party cookies and other tracking mechanisms.
Likewise, Apple’s upcoming iOS 13 will include numerous enhancements aimed directly at Google’s business model. New features will include a single sign-on for websites that supplants Google’s more invasive option, and a pop-up system to alert users when an application is accessing background data (e.g., location) with an option to shut it down instantly.
Pushing a privacy agenda at the expense of its competitor is a win-win for Apple. The company scores points with a public that is increasingly wary of the methods internet companies use to violate their privacy. At the same time, hindering targeted advertising cuts deeply into one of Google’s primary revenue streams.
Google searches for relief from privacy issues
Google was recently announced as the target of a broad antitrust investigation by a coalition of 50 state attorneys general. The company was also recently fined $170 million by the FTC for violating the Children’s Online Privacy Protection Act (COPPA) for illegally targeting children with ads based on their viewing habits.
Meanwhile, the European Union has slapped Google with more than $9 billion in antitrust fines since 2017 and hit the search giant with the first major GDPR fine earlier this year.
Adding to Google’s privacy problems is the impending California Consumer Privacy Act (CCPA), scheduled to go into effect Jan 1, 2020. The regulation will impact all companies that collect and store the data of California’s web users but will be especially impactful for companies that depend on targeted advertising—companies like Google. That might be why they’ve been working with a consortium of tech companies to weaken the CCPA.
All of this to say, Google has serious privacy issues. But they’re not alone, and Apple’s meticulous positioning as the privacy model against which all others should be compared is inviting closer scrutiny of its own shortcomings.
The humbling of Apple’s pious privacy pose
Google’s Project Zero report isn’t the only privacy scandal Apple has dealt with this year. Back in January, a 14-year-old user discovered a critical flaw in Apple’s FaceTime app when he realized he could hear his friends talking before they answered a call.
The boy’s mother, an attorney, made numerous fruitless attempts to report the issue to Apple. Several days later, others noticed the bug and it went viral, finally prompting Apple to suspend the service until it was fixed with an unscheduled patch. Interestingly, this was the very same patch that resolved the exploits later described in Google’s report.
Then, in July, The Guardian reported that Apple contractors had been listening to Siri recordings to improve functionality. Apple downplayed the report, stating that less than 1% of recordings were being monitored—somehow missing the point entirely. One week later, the program was suspended amid rising privacy concerns.
Recent reports also indicate that, for the first time, iOS zero-day exploits are now less expensive on the underground market than equivalent Android exploits. In other words, Apple’s iOS is becoming easier to hack than Google’s Android.
This might explain why Apple recently expanded its bug bounty program and increased top rewards to $1 million for security researchers who find specific vulnerabilities in iOS code.
Apple’s difficult path forward
The reaction to Apple’s iPhone 11 event was generally lukewarm, with the most exciting development being a series of memes based on the device’s new triple camera design. That’s not good because iPhone sales have declined significantly over the last year. Apple is also facing increased costs due to tariffs resulting from the U.S.-China trade war.
Now come rumors that Apple might soon face its own federal antitrust investigation into allegations of unfair app store rankings. This follows the Supreme Court’s decision in May to green-light Apple Inc. v. Pepper, a class action lawsuit accusing Apple of excessive app store commissions, an issue the E.U. is already formally investigating.
Apple will no doubt continue its admirable (read: marketable) endeavor to improve consumer data privacy, but the company’s once seemingly impervious security bubble has officially been pierced. And even if they can’t prove that Apple is rotten to the core, Google has managed to leave a few bruises.
Privacy strategies for SMBs
Clearly, Apple and Google are facing considerable challenges with regard to data privacy. But both companies have staggering financial resources and robust legal teams to help mitigate regulatory risk.
Small and midsize businesses don’t have those luxuries. That’s why ensuring compliance with privacy regulations is even more important for SMBs. You can get up to speed on data privacy regulations such as CCPA, GDPR, and more by reading our primer.
An effective compliance solution for SMBs is to implement a data classification program that identifies regulated data, making it easier to protect. Learn how to get started by reading our data classification guide, which includes a free downloadable template.