Tuesday, August 31, 2021

Privacy for Apple Employees

Zoë Schiffer (tweet, Hacker News):

Jacob Preston was sitting down with his manager during his first week at Apple when he was told, with little fanfare, that he needed to link his personal Apple ID and work account.

[…]

Three years later, when Preston handed in his resignation, the choice came back to haunt him. His manager told him to return his work laptop, and — per Apple protocol — said he shouldn’t wipe the computer’s hard drive. His initial worry had come to pass: his personal messages were on this work laptop, as were private documents concerning his taxes and a recent home loan.

[…]

Employees have been asked to install software builds on their phones to test out new features prior to launch — only to find the builds expose their personal messages. Others have found that when testing new products like Apple’s Face ID, images are recorded every time they open their phones. “If they did this to a customer, people would lose their goddamn minds,” says Ashley Gjøvik, a senior engineering program manager.

Dogfooding leads to better products, but Apple’s systems aren’t designed to do this in a privacy preserving way. Apple work e-mail addresses can’t be used to sign up for iCloud or AppleConnect, so employees are required to use personal accounts. iOS and macOS only let you sign into one Apple ID at a time, so it’s not practical to have separate “personal” accounts for work and personal. Having separate devices for work and personal is also discouraged because it gets in the way of “live-on” dogfooding.

The blurring of personal and work accounts has resulted in some unusual situations, including Gjøvik allegedly being forced to hand compromising photos of herself to Apple lawyers when her team became involved in an unrelated legal dispute.

Underpinning all of this is a stringent employment agreement that gives Apple the right to conduct extensive employee surveillance, including “physical, video, or electronic surveillance” as well as the ability to “search your workspace such as file cabinets, desks, and offices (even if locked), review phone records, or search any non-Apple property (such as backpacks, purses) on company premises.”

[…]

It might seem like a company obsessed with secrecy would be sympathetic to its employees’ wishes to have confidential information of their own. But at Apple, secrecy requires the opposite: extensive knowledge, and control, over its workforce.

It’s not clear to what extent the policies are standard corporate ones that elevate the company’s interests over the employee’s—because they can—or whether they date to Tim Cook’s 2012 doubling down on secrecy, or before. But however much Apple cares about privacy for customers, that doesn’t seem to extend to employees. Developers, too, are encouraged to attach privacy invading sysdiagnose logs to each bug report, where they live in Radar “forever.”

The legal dispute that led to turning over Gjøvik’s private data did not even involve her personally, though she is separately fighting the company over discrimination and harassment.

Casey Newton:

Wrote about the twin challenges hitting Apple simultaneously: regulators and lawmakers forcing it to release its grip on the App Store, and employees organizing effectively demanding internal change.

Apple has never seen anything like it.

Zoe Schiffer (tweet, Lorenzo Franceschi-Bicchierai, Hacker News):

Apple employee organizing took another step this morning with the launch of a website called AppleToo. The goal is to collect stories from workers at all levels of the organization who’ve experienced harassment or discrimination.

Previously:

Update (2021-09-07): Neil Jhaveri:

The article implies coercion that I didn’t experience. For a while, I used a separate iCloud.com account for work (I did eventually go personal). The tradeoffs were made clear to me, and many coworkers didn’t enable iMessage on their work systems.

Sami Fathi:

In a video broadcasted to staffers days before Labor Day, Apple’s retail and people chief Deirdre O’Brien addressed the growing number of Apple employees voicing their opinions about workplace issues like pay inequality.

[…]

In the video, which was seen by MacRumors, Deirdre O’Brien tells staff who are experiencing workplace issues to talk to their managers and “business relations partner.” She says that Apple has a “confidential process to thoroughly investigate, in a way that treats everyone with dignity and respect.”

See also: Decoder.

Update (2021-09-10): Zoe Schiffer (tweet, Dell Cameron, tweet, Hacker News):

Apple has fired senior engineering program manager Ashley Gjøvik for allegedly violating the company’s rules against leaking confidential information.

Update (2021-10-15): Zoe Schiffer (Hacker News):

Apple has fired Janneke Parrish, a leader of the #AppleToo movement, amid a broad crackdown on leaks and worker organizing. Parrish, a program manager on Apple Maps, was terminated for deleting files off of her work devices during an internal investigation — an action Apple categorized as “non-compliance,” according to people familiar with the situation. The files included apps like Robinhood, Pokémon GO, and Google Drive.

Ashley M. Gjøvik (via Scott):

I think the hearing today went very well. Best case scenario was I keep all my claims; worst case is I only keep the 4 claims Apple’s not fighting - but sounds like outcome will be in the middle ground, which is great news. When they’re released I’ll share transcripts & decision!

Update (2024-12-02): Emma Roth (PDF):

An Apple worker is suing the company over claims it requires employees to waive their right to privacy and subjects them to surveillance, as first reported by Semafor. In a lawsuit filed on Monday, Apple employee Amar Bhakta accuses Apple of accessing employee data through company-managed devices — including personal iPhones it “actively encourages” workers to use.

[…]

Additionally, the lawsuit claims that Apple breaks California law by requiring employees to agree to a policy that allows it to “engage in physical, video, and electronic surveillance” of them, as well as gives it the ability to search Apple and non-Apple devices on “company premises,” which, in some instances, could allegedly involve a worker’s home office.

10 Comments RSS · Twitter


Internal employee organizing is a new route with some potential for change at Apple. I felt a tiny glimmer of hope reading that which I haven't from the lawsuits and lawmakers.


Preston is being more compliant than I was, I guess. I did not wipe my work machines when I handed them in, but I did remove my personal data and accounts. It was a little weird that they theoretically had access to everything -- you were explicitly supposed to use your work phone for *everything* if you worked on iOS, for obvious dogfooding reasons. But I never worried about it that much until I was looking for a new job. Have to use phone and email for that!


Beatrix Willius

What does Apple do with the computers? Do they check them for personal data?

What exactly is in the sysdiagnoses? As we developers are required to add them to every radar issue, too. But I never thought that these could contain private data.


Sadly, this does not surprise me. Years ago when they were first opening Apple stores, I wanted to get away from my then-current job and I applied for a Genius position. In a group interview they asked us all to sign a document which no one seemed to read but me. It was granting Apple the right to do background checks on us with literally NO LIMIT. Past jobs, finances, family, friends, neighbors, you name it! At that point I had done things in my career such as work on the personal computers of Nobel Prize winners without such investigations being done on me. I was not just offended, but disgusted! I told the woman "Yeah, I won't sign this" and just left.


Sysdiagnoses are _heavily_ redacted, unless you’ve installed a special logging profile that enables logging of private data for specific subsystems (and these profiles are also time-limited too so you don’t forget and log private data indefinitely).

In fact, the logging system is paranoid enough that the private data is never even logged to disk without these special logging profiles. So even if someone gets direct access to your HD they can’t get previously-logged private data (or, more usefully, if you install a logging profile it doesn’t retroactively provide access to historical data).


@Lily That’s how Apple presented the new logging system, but looking at the actual sysdiagnose files I find that, without a special profile, they do contain unredacted stuff that I consider to be private.


>...says Ashley Gjøvik, a senior engineering program manager

oh, it's this person again.
the same grifter who tried to make bank on social media, after it being exposed for spending large amounts of work hours on the company's private Slack server, attempting to stir up claims of "workplace sexism".

not a person you want to interview if you wish to add credibility to your article.


Kevin Schumacher

So if you actually read the entire article at The Verge, it actually later says that Apple lawyers told Gjøvik not to delete messages/photos, but that they would not need access to them. So in other words, just don't delete them. Document preservation is a standard litigation practice for discovery purposes and not complying can land the company in a lot of crap. Deleting things, even ostensibly unrelated things, could be construed as violating discovery rules, since once it's deleted, the other side doesn't know what was deleted. And you don't want an employee up on the stand saying "Oh, yes, Your Honor, we deleted some stuff."

I don't know anything about the allegations that Some Person made above, but The Verge's credibility just took a huge hit, claiming in one breathless paragraph that she was forced to hand over photos, only later saying she was explicitly told they didn't need to see them but not to delete them.


@Kevin Yes, it makes sense in terms of document preservation/discovery. That’s why I think the main issue is the mixing of personal and work data, not preventing deletion. I took the access comments to mean that everything was handed over but that they will (they say) not be proactively reading the personal stuff. (But perhaps it will show up in searches?) If not needing access means that the personal stuff was not handed over, just that it needs to remain preserved on the device, then I would agree that the article is very misleading.


> Apple work e-mail addresses can’t be used to sign up for iCloud or AppleConnect

That's wild.

> iOS and macOS only let you sign into one Apple ID at a time

Well, true (and problematic) for iOS — but on macOS, you could always have multiple user accounts and fast user switching.

>That’s how Apple presented the new logging system, but looking at the actual sysdiagnose files I find that, without a special profile, they do contain unredacted stuff that I consider to be private.

Amusingly, I find both to be true: they often redact information that might help me figure out the cause.

Leave a Comment