Apple cares about privacy, unless you work at Apple

Jacob Preston was sitting down with his manager during his first week at Apple when he was told, with little fanfare, that he needed to link his personal Apple ID and work account. 

The request struck him as odd. Like anyone who owns an Apple product, Preston’s Apple ID was intimately tied to his personal data — it connected his devices to the company’s various services, including his iCloud backups. How could he be sure his personal messages and documents wouldn’t land on his work laptop? Still, he was too giddy about his new job as a firmware engineer to care. He went ahead and linked the accounts.

Three years later, when Preston handed in his resignation, the choice came back to haunt him. His manager told him to return his work laptop, and — per Apple protocol — said he shouldn’t wipe the computer’s hard drive. His initial worry had come to pass: his personal messages were on this work laptop, as were private documents concerning his taxes and a recent home loan. Preston pushed back, saying some of the files contained highly personal information and there was no reasonable way to make sure they were all removed from the laptop without wiping it completely. 

He was told the policy wasn’t negotiable. 

Preston’s story is part of a growing tension inside Apple, where some employees say the company isn’t doing enough to protect their personal privacy and, at times, actively seeks to invade it for security reasons. Employees have been asked to install software builds on their phones to test out new features prior to launch — only to find the builds expose their personal messages. Others have found that when testing new products like Apple’s Face ID, images are recorded every time they open their phones. “If they did this to a customer, people would lose their goddamn minds,” says Ashley Gjøvik, a senior engineering program manager.

Apple employees also can’t use their work email addresses to sign up for iCloud accounts, so many use their personal accounts.

The blurring of personal and work accounts has resulted in some unusual situations, including Gjøvik allegedly being forced to hand compromising photos of herself to Apple lawyers when her team became involved in an unrelated legal dispute. 

Underpinning all of this is a stringent employment agreement that gives Apple the right to conduct extensive employee surveillance, including “physical, video, or electronic surveillance” as well as the ability to “search your workspace such as file cabinets, desks, and offices (even if locked), review phone records, or search any non-Apple property (such as backpacks, purses) on company premises.”

Apple also tells employees that they should have “no expectation of privacy when using your or someone else’s personal devices for Apple business, when using Apple systems or networks, or when on Apple premises” (emphasis added). 

Many employees have a choice between getting an Apple-owned phone or having the company pay for their phone plan. But one source tells The Verge that trying to maintain two phones can become impractical. In software engineering, certain employees are expected to participate in a “live-on” program that puts out daily builds with bug fixes. “You can’t have a successful live-on program without people treating these devices exactly the same as a personal phone,” the source says. “So a work device or a work account just won’t cut it.” 

None of these policies are unique. Tech companies almost always have rules in place to search employees’ corporate devices, including personal devices used for work. It’s also common practice for tech companies to ask employees to test new software, which could potentially expose personal information. But Apple sets itself apart from other tech giants through its commitment to consumer privacy. As Tim Cook said at the CPDP Computers, Privacy and Data Protection conference in January 2021, businesses built on buying and selling user data, without the knowledge or consent of consumers, “[degrade] our fundamental right to privacy first, and our social fabric by consequence.” The lack of employee privacy has made the perceived hypocrisy particularly irksome to some workers. 

Now, as employees begin to push back against a variety of Apple norms and rules, these policies are coming under the spotlight, raising the question of whether the company has done enough to safeguard personal employee data. It might seem like a company obsessed with secrecy would be sympathetic to its employees’ wishes to have confidential information of their own. But at Apple, secrecy requires the opposite: extensive knowledge, and control, over its workforce. 

This is how it starts: a new Apple employee is told during onboarding that collaborating with their colleagues will require them to make extensive use of iCloud storage, and their manager offers a two terabyte upgrade. This will link their personal Apple ID to their work account — in fact, the instructions for accessing this upgrade explicitly say “you must link your personal Apple ID with your AppleConnect work account.” The connection will give them access to collaborative apps like Pages and Numbers that they might need to do their jobs. (Apple employees who do not have a business need to collaborate do not go through this process.)

Employees could pause during onboarding and say they want to create a new Apple ID specifically for work or use a different phone. But most do not — it seems a little paranoid, and the Apple instructions say to go ahead and use your personal account. What’s more, most Apple devices don’t support using multiple Apple IDs. To switch between iCloud accounts on an iPhone, you have to completely sign out of one ID and into another — a clunky, disruptive process. It is far easier culturally and technically to simply link personal and work accounts, which adds a new Apple Work folder to the employee’s iCloud account.

In theory, this Apple Work folder is where all of the collaborative documents for employees are supposed to live in order to keep personal and work files separate. In practice, the owner of a document often forgets to store files in the work folder, and documents quickly become intermingled. In fact, when Apple employees create a document in, say, Pages, the app automatically enters the personal email address used for their Apple ID. “I asked my manager about it and it’s just sort of an issue everyone deals with,” Preston says. 

Employees can choose to not sync certain folders, like their photo libraries. But others, like messages, can be trickier. Apple adopted Slack in 2019, but some teams still use iMessage as a primary way to communicate, which makes opting out of a message sync nearly impossible.

Over the past few weeks, employees have been discussing the difficulty of setting up different Apple IDs to keep work and personal files separate, noting that while it’s possible, there are significant technical hurdles. “I don’t understand why they didn’t create an Apple ID and iCloud account from our work email address during the onboarding process,” one employee said on Slack. “I get mad that I have to use my personal phone to text my boss,” said another. 

Concerns about data privacy are not ubiquitous inside Apple. Many employees who spoke to The Verge said they were aware the company gave itself extensive rights to search their data, but — for various reasons — weren’t overly worried about the fallout.

“When I joined Apple, I personally expected it to be pretty invasive and took some serious steps to separate my work and personal life,” one source says. 

For other employees, however, the mixing of personal and work data has already had real consequences. In 2018, the engineering team Ashley Gjøvik worked on was involved in a lawsuit. The case had nothing to do with Gjøvik personally, but because she’d worked on a project related to the litigation, Apple lawyers needed to collect documents from her phone and work computer. 

Gjøvik asked the lawyers to confirm that they wouldn’t need to access her personal messages. She says her team discouraged the use of two phones; she used the same one for work and personal and, as a result, had private messages on her work device.

A member of the legal team responded that while the lawyers did not need to access Gjøvik’s photos, they did not want her to delete any messages. During an in-person meeting, Gjøvik says she told the lawyers the messages included nude photos she’d sent to a man she was dating — a sushi chef who lived in Hawaii. Surely, those weren’t relevant to the lawsuit. Could she delete them? She says the lawyers told her no. 

In 2017, Apple rolled out an app called Gobbler that would allow employees to test Face ID before it became available to customers. The process was routine — Apple often launched new features or apps on employees’ phones, then collected data on how the technology was used to make sure it was ready for launch.

Gobbler was unique in that it was designed to test face unlock for iPhones and iPads. This meant that every time an employee picked up their phone, the device recorded a short video — hopefully of their face. They could then file “problem reports” on Radar, Apple’s bug tracking system, and include the videos if they found a glitch in the system. “All data that has your face in it is good data,” said an internal email about the project. After rumors of criticism, Apple eventually changed the codename to “Glimmer.”

Unlike other Apple features, Glimmer wasn’t automatically installed on employee phones. It required an informed consent form so employees would know what they were getting into. Still, for some people on engineering teams, participation was encouraged — even expected, according to two staff members. Once it was installed, some data that didn’t contain personally identifiable information would automatically upload to Radar, unless employees turned off this setting. 

Apple was careful to instruct employees not to upload anything sensitive, confidential, or private. But it didn’t tell people what was happening with the hundreds of images they didn’t upload in Radar reports. 

The reports themselves were also a cause for concern. When employees file Radar tickets, they include detailed information about the problems they are seeing. In 2019, Gjøvik filed a ticket about Apple’s photo search capabilities. “If I search for ‘infant’ in my photo library, it returns a selfie I took of myself in bed after laparoscopic surgery to treat my endometriosis,” she wrote, including four images in the ticket. The default sharing settings for the ticket included all of software engineering. 

Radar tickets also are not removable. Even when the tickets are closed, they remain searchable. In training, employees say they are told: “Radar is forever.”

What’s more, when employees file Radar tickets, they are often asked to include diagnostic files, internally called “sysdiagnose” to give Apple more information about the problem. If they are filing a bug about iMessage, they might be asked to install a sysdiagnose profile that exposes their iMessages to the team tasked with fixing the issue. For employees using a live-on device, default settings can mean that, as they are filing a Radar ticket, a sysdiagnose profile is being automatically created in the background, sending data to Apple without the employee realizing it. 

When sysdiagnose profiles are not included, employees have been known to post memes calling out the omission. 

Gjøvik is currently on administrative leave from Apple due to an ongoing investigation into claims she made about harassment and a hostile work environment. If she leaves the company, she’ll likely face the same conundrum as Jacob Preston, related to the mixing of her personal and work files.

Employees likely wouldn’t care too much about this were it not for another Apple rule that bars them from wiping their devices when they leave the company. If they do, they’ll be in direct violation of their employment agreement, leaving them vulnerable to legal action. 

After Preston gave notice, he received a checklist from his manager that explicitly said: “Do not wipe or factory reset any Apple owned units (such as laptops, Mac, ipads, and iPhones).”

“Before joining Apple I had a lot of respect for the company,” Preston says. “They’re the one tech company that takes privacy seriously. But then they go and have these policies that are hypocritical and go against their stated values. It’s sort of hard to reconcile. It’s like now that I’m leaving, my privacy isn’t a concern anymore.”

Apple did not respond to a request for comment from The Verge.