Passkey privacy issues

Today I downloaded a copy of my data from https://privacy.apple.com, Apple's Data and Privacy website. (For some reason it took 5 days after my request for the data to be ready for download.) I highly recommend that you download your data too, because you might be shocked how much Apple has on you. Apple's advertisement "What happens on your iPhone stays on your iPhone" appears to be a blatant lie. My purpose in downloading my data wasn't to go on a fishing expedition, though. I was just looking for my old reviews of movies and TV shows on the iTunes store, which were indeed included in the downloads. I like to keep a copy of reviews to remind myself what I've watched and liked or disliked. Anyway, browsing through the data downloads, I found a file "Passkeys Information.csv" (comma-separated values, readable by Numbers app, for one) in the "Apple ID account and device information" section of the data. The contents of this file disturbed me for several reasons.

First, I don't even use passkeys! I've written about passkeys before and why I avoid them. Unfortunately, Apple's passkey implementation requires iCloud Keychain. I don't want to use anyone's cloud service—not Apple's, not Google's, not 1Password's—because I don't want to place my credentials database under someone else's control and because I don't trust the availability and reliability of cloud sync. I prefer to manage credentials myself. Thus, I was surprised to find two passkeys in the "Passkeys Information.csv" file. I don't recall ever creating a passkey.

Leave a Comment