FlyerTalk Forums


pdxer Nov 19, 2019 5:55 am

Apple Pay privacy
 

Originally Posted by LeonardR (Post 31752269)
I'd rather not put Apple Wallet into the middle of everything I do as they know enough about me already.

Apple is not in the middle. They do not get any transaction data and have no idea where you shop or what you purchased.

GUWonder Nov 19, 2019 7:58 am


Originally Posted by pdxer (Post 31753601)
Apple is not in the middle. They do not get any transaction data and have no idea where you shop or what you purchased.

I recall Apple saying that they won't store ApplePay customers' purchase history or credit card information on its servers and that the ApplePay-accepting merchants will not be able to see ApplePay customers' credit card numbers but that those merchants will get an Apple transaction number and the payment from ApplePay. And I've not yet seen anything that indicates it to be otherwise.

Amex, on the other hand, definitely stores purchase history on its servers; and that purchase history stored by Amex on servers can and will be used against customers at times. I am curious how reliably it goes with making an ApplePay purchase with an Amex card at a merchant but then the buyer returning the purchase for credit to a non-Amex card linked to a given ApplePay account. Amex would have the initial purchase transaction, but would it have the refund transaction data?

Cathay Dragon 666 Nov 19, 2019 8:34 am


Originally Posted by GUWonder (Post 31753960)
I recall Apple saying that they won't store ApplePay customers' purchase history or credit card information on its servers....

Curious, if Apple do not have this information on its servers, where does it have it? Locally stored on the user's phone/iPad/etc.? That cannot be right either. I can pull my Apple purchase history on my Windows using iTunes, and it seems to be syncing to Apple (hence its servers), and doesn't pull Apple purchase history from my iPad (where I do all the Apple purchases).

Apple may not pass that information to merchants, but they definitely seem to have customer information on their servers.

sdix Nov 19, 2019 8:55 am


Originally Posted by Cathay Dragon 666 (Post 31754073)
Curious, if Apple do not have this information on its servers, where does it have it? Locally stored on the user's phone/iPad/etc.? That cannot be right either. I can pull my Apple purchase history on my Windows using iTunes, and it seems to be syncing to Apple (hence its servers), and doesn't pull Apple purchase history from my iPad (where I do all the Apple purchases).

Apple may not pass that information to merchants, but they definitely seem to have customer information on their servers.

Can you see non-Apple purchases on iTunes or just those from Apple? When I look on iTunes I see my Apple Music, App purchases, iCloud etc. but I do not see my Amex purchases done via Apple Pay.

stimpy Nov 19, 2019 9:16 am


Originally Posted by pdxer (Post 31753601)
Apple is not in the middle. They do not get any transaction data and have no idea where you shop or what you purchased.

Technically Apple is very much in the middle and has access to all that is happening. Whether you choose to believe they won't use your data, now or in the future, is up to you.

sdix Nov 19, 2019 9:25 am


Originally Posted by stimpy (Post 31754232)
Technically Apple is very much in the middle and has access to all that is happening. Whether you choose to believe they won't use your data, now or in the future, is up to you.


Agree, technically they are in the middle but they are not the people you go to to sort out issues with purchases or statements for the cards you use in your wallet with Apple Pay. Even for the Apple card you contact Apple CS first then they put you through to Goldman. If I have an issue with Amex I go to Amex. There's no recourse against Apple Pay. They are very much like a 21st Century authorize.net or Stripe. They are a glorified payment gateway.

Having said that, Apple Wallet keeps a track of all my Apple Pay transactions in their App so I do have to believe somewhere in the cloud all my transactions are sitting. So while an individual may not have access to them they sure as are accessible.

LondonElite Nov 19, 2019 10:30 am

‘In the middle’ is a fairly general term. Apple is a facilitator, and I’m fine with that. As far as identifying the means of payment goes, all my Apple Pay receipts show the same ‘card’ number, different from my Amex number. Apple Pay shows all purchases, including ones made with the card itself.

pdxer Nov 19, 2019 1:28 pm


Originally Posted by Cathay Dragon 666 (Post 31754073)
Curious, if Apple do not have this information on its servers, where does it have it? Locally stored on the user's phone/iPad/etc.? That cannot be right either.

That's exactly where it is, encrypted on the device.

Originally Posted by Cathay Dragon 666 (Post 31754073)
I can pull my Apple purchase history on my Windows using iTunes, and it seems to be syncing to Apple (hence its servers), and doesn't pull Apple purchase history from my iPad (where I do all the Apple purchases).

Purchases made in the iTunes store are visible in iTunes, as it would be in any other store's portal. Apple Pay transactions are not.



Originally Posted by stimpy (Post 31754232)
Technically Apple is very much in the middle and has access to all that is happening. Whether you choose to believe they won't use your data, now or in the future, is up to you.

Apple is not in the middle and does not have access to transaction information.

Apple Pay Press Release, Oct 16, 2014 (emphasis mine):

Apple Pay is designed to protect the user’s personal information. It doesn’t collect any transaction information that can be tied back to a user and payment transactions are between the user, the merchant and the user’s bank. Apple doesn’t collect your purchase history, so when you are shopping in a store or restaurant we don’t know what you bought, where you bought it or how much you paid for it. Actual card numbers are not stored on the device, instead, a unique Device Account Number is created, encrypted and stored in the Secure Element of the device. The Device Account Number in the Secure Element is walled off from iOS and not backed up to iCloud®



Originally Posted by sdix (Post 31754255)
Having said that, Apple Wallet keeps a track of all my Apple Pay transactions in their App so I do have to believe somewhere in the cloud all my transactions are sitting. So while an individual may not have access to them they sure as are accessible.

Transactions are in the Wallet app and the card issuer's servers. Merchants also have a record of the transactions, but not the customer's name (unless it's provided separately).

GUWonder Nov 19, 2019 2:01 pm

https://support.apple.com/en-us/HT203027

has the ApplePay security and privacy overview. But this ApplePay stuff should likely be in its own thread since it applies to all card users and isn’t really a Centurion thing despite the ability to use a Centurion card with ApplePay and whatever that means in terms of getting Amex MR points for ApplePay purchases, refunded in ways or otherwise.

stimpy Nov 19, 2019 2:15 pm


Originally Posted by pdxer (Post 31755145)
Apple is not in the middle and does not have access to transaction information.

Funny, but not technically accurate. The client side code that runs Wallet and Apple Pay executes on the iPhone, as does the GPS location info that can note and timestamp your location when you make the transaction. So they do have access to all the necessary information. Again, it is your choice to believe that they do not, nor will in the future, make hay with your data.

pdxer Nov 19, 2019 2:26 pm


Originally Posted by stimpy (Post 31755329)
Funny, but not technically accurate. The client side code that runs Wallet and Apple Pay executes on the iPhone, as does the GPS location info that can note and timestamp your location when you make the transaction. So they do have access to all the necessary information. Again, it is your choice to believe that they do not, nor will in the future, make hay with your data.

What runs on the phone is local to the device and not accessible by Apple nor is it kept on Apple's servers.
More detailed information is in Apple's security white paper.

stimpy Nov 19, 2019 2:30 pm


Originally Posted by pdxer (Post 31755367)
What runs on the phone is local to the device and not accessible by Apple

Sorry, but EVERYTHING that is local to the iPhone is accessible by Apple. If they choose to.

pdxer Nov 19, 2019 2:49 pm


Originally Posted by stimpy (Post 31755391)
Sorry, but EVERYTHING that is local to the iPhone is accessible by Apple. If they choose to.

That is absolutely false. What's on the device is encrypted with keys that Apple does not know nor can the data be extracted, and is normally end to end encrypted when in transit to others on top of that.

stimpy Nov 19, 2019 4:19 pm


Originally Posted by pdxer (Post 31755446)
That is absolutely false. What's on the device is encrypted with keys that Apple does not know nor can the data be extracted, and is normally end to end encrypted when in transit to others on top of that.

We are way off topic, but I have to say that is a very naive opinion. Apple has FULL control of their OS and can do whatever they like. And they update this OS with every major and minor release. That's why I keep repeating they can do this today or in the future. None of us know what policies or procedures they will implement in the future. And they do not have to tell us what they have done or not done. In fact they are extremely secretive and will not release the actual code involved for obvious reasons. Both competitive and legal.

Further you can read up on Apple Financial Identifier Requests. "Financial Identifier requests are based on financial identifiers such as credit/debit card or iTunes Gift Card. Financial Identifier requests generally seek information regarding suspected fraudulent transactions - for example, law enforcement investigations on behalf of customers in which a credit card was fraudulently used to purchase Apple products or services." These could be server side or client side but there isn't a whole lot of transparency about that.

pdxer Nov 19, 2019 5:48 pm


Originally Posted by stimpy (Post 31755731)
We are way off topic, but I have to say that is a very naive opinion. Apple has FULL control of their OS and can do whatever they like. And they update this OS with every major and minor release. That's why I keep repeating they can do this today or in the future. None of us know what policies or procedures they will implement in the future. And they do not have to tell us what they have done or not done. In fact they are extremely secretive and will not release the actual code involved for obvious reasons. Both competitive and legal.

Apple has control over the OS, but not the encryption keys used, and without the encryption keys, they can't access the data, nor can anyone else for that matter.

Further information available in Apple's iOS Security white paper as well as developer documentation.

GUWonder Nov 22, 2019 3:49 am


Originally Posted by stimpy (Post 31755391)
Sorry, but EVERYTHING that is local to the iPhone is accessible by Apple. If they choose to.

Not the case, at least not a couple of years back. At least then, Apple would have had to push out an iOS update — one that would be designed to allow for a run-around of sorts that could do what you suggest— and hope that the device users wouldn’t frustrate the downloading and installation of such pushed-out iOS update on the devices. I know some will say that the encrypted data local to a device would still be encrypted data that the OS can’t decrypt by itself; but I don’t want to get into that as brute-force decryption efforts at a targeted, locally-possessed device would be frequently successful (given the nature of most people’s password/passcode habits).

Could Apple have access to transaction information via contractual agreements with ApplePay-accepting merchants and/or card-issuers/payment networks (ie, an access which doesn’t require electronic access to all the data local to a device enabled for ApplePay)? Given the KYC/AML regimes out there and the issues with financial-related fraud in general and bank card misuse/theft at retailers in particular, I wouldn’t rule it out. But I doubt that Apple’s access to all that transaction data is as readily available to it and anywhere near as systematically comprehensive as it is to the ApplePay-accepting merchants and the card-issuers for the typical ApplePay transaction.

stimpy Nov 22, 2019 9:30 am

It is rather clear there are no software engineers on this thread!

Casual readers should not accept anything anyone here says about data privacy or encryption. There is a lot of ignorance posted here. If it is important, go outside of FlyerTalk and speak to an expert who has built or worked on an operating system similar to Apple's iOS or maybe even a former Apple software engineer. Or Android even. If you do have this experience, you will know for a fact that Apple can have full access to all this data if they choose to.

GUWonder Nov 22, 2019 12:31 pm


Originally Posted by stimpy (Post 31765838)
Casual readers should not accept anything anyone here says about data privacy or encryption. There is a lot of ignorance posted here. If it is important, go outside of FlyerTalk and speak to an expert who has built or worked on an operating system similar to Apple's iOS or maybe even a former Apple software engineer. Or Android even. If you do have this experience, you will know for a fact that Apple can have full access to all this data if they choose to.

Sure, Apple could choose to do so, but they would first need to get the device OS revised or use a hole-y app to try to do the dirty work and be willing and able to ignore their own public disclosures/posturing about what it says it can/does do and what it can't/doesn't do. Commercially, that's risky for Apple and opens a Pandora's box of problems for it. Slow-going on acknowledging and/or fixing zero-day vulnerabilities may provide it some cover. But as even governments learn, secrets are not as easily kept entirely secret and without any public revelation even when there is criminal prosecution danger for disclosure. And in the commercial sector, the danger of disclosure (for the disclosing parties) is more commonly not going to go beyond civil liability, and so disclosures contrary to corporate interest in this area are at least as likely if not way more likely than they are from the government and government contractor/partnership side.

I am no software engineer -- about that you are 100% right, even as I can't speak about others here -- but I have been around enough of the national intelligence and law enforcement communities (and domestic and foreign enablers for such) to not be entirely clueless about what kind of discussions to rely upon and not rely upon and where the points of frustration come from when it comes to such government operations and investigations that have a deep technology angle.

If a government wants ApplePay transaction data -- whether or not it can get a physical or remote hold on the ApplePay user's device -- it's going to get more and more useful ApplePay-related transaction information from the card-issuing banks and ApplePay-accepting merchants than from Apple and get it more easily from those parties than from Apple.

Avoiding ApplePay card transactions due to privacy concerns while using the very same bank cards issued in one's own name for the same transactions that could otherwise be done using ApplePay? It doesn't make much sense to me to avoid ApplePay for privacy reasons. When privacy concerns are paramount, best not to do any in-person electronic payment transaction that is easily investigated from two or more ends.

stimpy Nov 22, 2019 12:38 pm


Originally Posted by GUWonder (Post 31766462)
When privacy concerns are paramount, best not to do any in-person electronic payment transaction that is easily investigated from two or more ends.

Bingo!

And back to the code, I hope everyone knows that certain aspects of code behavior are different based on environmental determiners.

GUWonder Nov 22, 2019 4:17 pm

“When privacy concerns are paramount, best not to do any in-person electronic payment transaction that is easily investigated from two or more ends.”

Those words apply to use of bank cards at merchants even for transactions without the use of smartphones/personal electronic devices. In other words, don’t do in-person purchases with bank cards in the purchaser’s name — whether or not using a phone/PED — when privacy is paramount.

rasheed Nov 22, 2019 5:06 pm

I believe it has been indicated that the main card networks pay Apple a small percent amount per transaction run on Apple Pay. In order to facilitate that payment, Apple must know details of the transaction to reconcile those payments.

However, I am not saying that Apple makes enough to cover the development or infrastructure cost of the Apple Pay network.

pdxer Nov 22, 2019 6:16 pm


Originally Posted by stimpy (Post 31765838)
It is rather clear there are no software engineers on this thread!

Is it?? Based on what, exactly?

Originally Posted by stimpy (Post 31765838)
Casual readers should not accept anything anyone here says about data privacy or encryption. There is a lot of ignorance posted here. If it is important, go outside of FlyerTalk and speak to an expert who has built or worked on an operating system similar to Apple's iOS or maybe even a former Apple software engineer. Or Android even. If you do have this experience, you will know for a fact that Apple can have full access to all this data if they choose to.

I've been writing iOS apps for more than a decade (and other platforms before that), so there is at least one software engineer on this thread, and who has more than enough experience to know that what you say is false.

Apple does not have access to user data on an iOS device, and in fact, they go out of their way so that they don't.




Originally Posted by rasheed (Post 31767245)
I believe it has been indicated that the main card networks pay Apple a small percent amount per transaction run on Apple Pay. In order to facilitate that payment, Apple must know details of the transaction to reconcile those payments.

Apple has repeatedly stated that they do not know specifics of individual transactions.

They only need to know the total amount transacted via Apple Pay per bank per cycle, and calculate their cut based on that amount.

GUWonder Nov 22, 2019 7:07 pm

The less user data access Apple wants or needs to get for its commercial interest, the more it makes Apple’s life easier than it would otherwise be. One day that may change, but for now ApplePay is no more a threat to ApplePay-enabled persons’ privacy than if they are using their own legitimate credit card directly with the merchants via the merchants’ other card processing/acceptance systems.

tmiw Nov 22, 2019 9:17 pm


Originally Posted by GUWonder (Post 31766462)
Sure, Apple could choose to do so, but they would first need to get the device OS revised or use a hole-y app to try to do the dirty work and be willing and able to ignore their own public disclosures/posturing about what it says it can/does do and what it can't/doesn't do.

This assumes that Apple is storing the necessary encryption keys, etc. somewhere that it can access. I'm fairly sure they use hardware that physically won't let them (akin to the TPM chip on modern PCs or the chip in a credit or debit card), at least not without completely destroying the device in question.

GUWonder Nov 23, 2019 7:14 am


Originally Posted by tmiw (Post 31767726)
This assumes that Apple is storing the necessary encryption keys, etc. somewhere that it can access. I'm fairly sure they use hardware that physically won't let them (akin to the TPM chip on modern PCs or the chip in a credit or debit card), at least not without completely destroying the device in question.

It doesn’t assume that Apple needs to store or even procure the encryption keys for this to be possible.

With a sneaky iOS change and/or app update installed on a device, the information that is encrypted could be accessible (even remotely) upon a device being unlocked (by device owners) — with the data being decrypted upon the device being unlocked — and the device being available to transfer that decrypted data.

stimpy Nov 23, 2019 12:14 pm


Originally Posted by GUWonder (Post 31768526)
It doesn’t assume that Apple needs to store or even procure the encryption keys for this to be possible.

With a sneaky iOS change and/or app update installed on a device, the information that is encrypted could be accessible (even remotely) upon a device being unlocked (by device owners) — with the data being decrypted upon the device being unlocked — and the device being available to transfer that decrypted data.

Very good! GUWonder admits he is not a software engineer, but he still gets the obvious. When you own the OS, you can do anything. Furthermore, who cares if you have a bulletproof key management scheme when you can simply bypass it?

pdxer Nov 23, 2019 1:33 pm


Originally Posted by stimpy (Post 31769281)
Very good! GUWonder admits he is not a software engineer, but he still gets the obvious. When you own the OS, you can do anything. Furthermore, who cares if you have a bulletproof key management scheme when you can simply bypass it?

Conspiracy theories. Just because a company 'can' do that doesn't mean they will. There's way too much to lose to even consider it. Apple has also said they'd never backdoor anything.

stimpy Nov 23, 2019 2:34 pm


Originally Posted by pdxer (Post 31769487)
Conspiracy theories. Just because a company 'can' do that doesn't mean they will. There's way too much to lose to even consider it. Apple has also said they'd never backdoor anything.

As I wrote several times in this thread, you can choose to believe what they do, or will do in the future. There is a rather small pool of people who know exactly what they do, release to release.

Everyone should also be aware that Apple has to comply with the laws of every nation that they sell products and services in. Those laws can change and they can change in secret. There is an abundance of history of governments requiring compliance in secret reporting from financial infrastructure providers.

tmiw Nov 23, 2019 9:50 pm


Originally Posted by GUWonder (Post 31768526)
With a sneaky iOS change and/or app update installed on a device, the information that is encrypted could be accessible (even remotely) upon a device being unlocked (by device owners) — with the data being decrypted upon the device being unlocked — and the device being available to transfer that decrypted data.

Apple's previous history seems to indicate they aren't so willing to do so (for instance, them refusing to create a backdoor for the FBI back in 2015-16).

Also, Apple does create hardware that makes certain things impossible for them in software (e.g. the T2 security chip in the MacBook Pro physically disconnecting the microphone when the lid's closed). Any change of heart would require them to stop doing that first, which would only affect future models and not the ones already in customers' hands. Oh, and would probably cause a huge PR mess at best.


Originally Posted by stimpy (Post 31769654)
As I wrote several times in this thread, you can choose to believe what they do, or will do in the future. There is a rather small pool of people who know exactly what they do, release to release.

So far, I haven't seen anything that remotely indicates they're backing down from their current privacy/security stance, so I'm taking them at their word for the time being. Of course, I'm sure people will reevaluate using Apple products if that ever changes.

(BTW, taken to its logical conclusion, you probably don't want to trust any device that doesn't have fully open software and hardware. This might be more up your alley in that case.)

GUWonder Nov 24, 2019 3:57 am

Willing and able is not the same thing as unwilling and able; nor is it the same thing as willing and potentially able with a software alteration; nor is it the same thing as perpetually unwilling and able/unable.

I will note that when it came to some people’s encrypted WhatsApp messages (from very recent times) on iOS devices (with device lock codes on them), a bunch of the WhatsApp messages got picked up and/or reviewed even by some intelligence/security agencies from the “third world” countries. And that was even without the willful cooperation of Apple and Facebook-owned WhatsApp to assist in such (non-US) government-serving efforts. Tapping into ApplePay info local to iOS devices would be possible too, but that’s really not a great reason to avoid ApplePay while still using your own name-linked bank cards directly in person at merchants and using electronic devices to check your accounts online.

Your frequent flyer and frequent guest programs are also enablers of being hacked and tracked, and so skipping use of ApplePay while running around heavily-vested in the airline and hotel points and status game is sort of like worrying about locking the front door while leaving the back door unlocked and open.

When privacy is paramount, there are a lot of things you should avoid doing to heighten privacy maximizing outcomes. But avoiding ApplePay while using your credit cards in your own name for in-person transactions at merchants directly for the same goods/service purchase as for which you could use ApplePay? That isn’t going to do much of any good for maximizing your privacy. But I will say that segregation of habits may provide some privacy benefit, and that would mean not consolidating all your banking/buying info/capability into any single device or under any single account; however that’s not going to maximize privacy either. To maximize privacy, old school is the best — even as that may mean minimizing bank card-using transactions and not getting any/as many miles/points as possible. ;)

pdxer Nov 24, 2019 4:42 am


Originally Posted by stimpy (Post 31769654)
As I wrote several times in this thread, you can choose to believe what they do, or will do in the future. There is a rather small pool of people who know exactly what they do, release to release.

I choose to believe in reality, not conspiracy theories. There's nothing to gain and everything to lose.


Originally Posted by stimpy (Post 31769654)
Everyone should also be aware that Apple has to comply with the laws of every nation that they sell products and services in. Those laws can change and they can change in secret. There is an abundance of history of governments requiring compliance in secret reporting from financial infrastructure providers.

The FBI tried to sue Apple to force them to create a back door. Apple said no and the few people at Apple who had the knowledge and skills to do it stated that they would resign if it ever came to that.



Originally Posted by tmiw (Post 31770537)
(BTW, taken to its logical conclusion, you probably don't want to trust any device that doesn't have fully open software and hardware.

But even that can't be trusted unless you also write your own compiler and design and build the hardware...

tmiw Nov 24, 2019 11:36 am


Originally Posted by pdxer (Post 31771057)
But even that can't be trusted unless you also write your own compiler and design and build the hardware...

As long as the compiler is open source as well, you wouldn't need to go that far.

pdxer Nov 24, 2019 4:13 pm


Originally Posted by tmiw (Post 31772062)
As long as the compiler is open source as well, you wouldn't need to go that far.

You'll need an existing compiler to compile it, which could be hacked...

You can't hire anyone to help, because they could be a secret agent...

At some point, you have to trust people.

fliesdelta Nov 26, 2019 7:05 pm


Originally Posted by pdxer (Post 31771057)
I choose to believe in reality, not conspiracy theories. There's nothing to gain and everything to lose.

The FBI tried to sue Apple to force them to create a back door. Apple said no and the few people at Apple who had the knowledge and skills to do it stated that they would resign if it ever came to that.


But even that can't be trusted unless you also write your own compiler and design and build the hardware...

And have enough knowledge about cryptography to roll your own ciphers.

tmiw Nov 27, 2019 9:51 am


Originally Posted by fliesdelta (Post 31780693)
And have enough knowledge about cryptography to roll your own ciphers.

One time pads. Of course, you'd only be able to use it once, you'd have to get that pad to the other end somehow (and it'd have to be exactly the size of the thing you're trying to encrypt, too). :p


All times are GMT -6.