Apple Intel: Surprising Surge in User Data Collection

By Staff Writer, August 22, 2025

Top Highlights

  1. Privacy Risks Uncovered: Yoav Magid from Lumia Security reveals that Apple Intelligence, integral to enhanced Siri functionalities, poses significant privacy risks by collecting excessive contextual data from users’ interactions.

  2. Unintended Data Sharing: Users might unknowingly transmit contextual information, such as music preferences, to Apple servers, even with simple queries. Siri’s integration with end-to-end encrypted apps like WhatsApp also results in unnecessary data being sent to Apple.

  3. Apple’s Dismissive Response: Despite initial interest, Apple later characterized Magid’s privacy issues as "expected behavior," leaving significant user concerns unaddressed.

  4. Call for Governance: Enterprises are urged to establish governance tools to enhance visibility over data shared with AI systems, ensuring privacy and security in the evolving AI landscape.

In this Dark Reading News Desk interview at Black Hat USA 2025, Yoav Magid, senior security researcher for Lumia Security, explains that Apple Intelligence, which powers various AI applications including an enhanced Siri, presents a privacy risk to users. 

His research revealed that Apple collects surprising amounts of contextual data even for simple queries; for example, when asking about weather, Siri might capture and send to Apple servers information about what music a person is currently listening to. More concerning, he discovered that when using Siri to send messages through supposedly end-to-end encrypted apps like WhatsApp, the content and contact information are sent to Apple’s servers unnecessarily.

Most concerning? When Magid disclosed these findings to Apple, the company initially showed interest but later dismissed most concerns as “expected behavior” vaguely mentioned in their privacy policies.

Full Transcript: Lumia’s Yoav Magid Discusses Siri & Apple AI Privacy Risks

This transcript has been edited for clarity.

Becky Bracken: Hello, and welcome to the Dark Reading News Desk from Black Hat USA 2025 at Mandalay Bay in Las Vegas. We are thrilled to have you join us for a conversation with someone who’s making a bit of a splash here at Black Hat: Yoav Magid, senior security researcher for Lumia Security. We are here to talk about his new research, “Apple’s Storm: Unmasking the Privacy Risks of Apple Intelligence.” Welcome.

Yoav Magid: Thank you very much.

Bracken: Apple Intelligence is an AI assistant?

Magid: I think to be more precise, Apple Intelligence is the combination of local processing on the device and their private cloud computing. Together, they launched many new apps in the last year, like writing tools, image tools. Even Siri is now more powerful with the capabilities of Apple Intelligence.

Bracken: This suite of apps is running on Apple Intelligence infrastructure. What are the risks of putting all of that potentially sensitive information into this environment?

Magid: In the last year, I worked to check which features of the many AI apps in Apple Intelligence run directly on the user device and which ones send data to their servers. What data do we share with them? What do they agree to do with our data? Most of my findings were around Siri and the intersections with the new extensions feature, the combination of ChatGPT and Siri, and the writing tools.

Bracken: What did you find? Is it a big privacy concern?

Magid: It was surprising how much info Apple thinks they need to know about us in order to answer very simple questions. You might activate Siri and ask it, “What is the weather today?” And you’ll be very surprised at how much context they collect on you to answer this very simple question. You might ask about the weather, and if you’re listening to a Taylor Swift song on YouTube at the same time, Siri is going to know that and it’s going to be sent to Apple servers.

Bracken: Was this built in? Is this not a bug, but a feature?

Magid: I think most of these are actually features. I think there is a lack of awareness, because nobody today reads the privacy policies. But there are a few things that I think are bugs. For example, you might interact with WhatsApp or iMessage through Siri. You can ask Siri to dictate or write a message to a friend, and you’ll be surprised that despite end-to-end encryption in WhatsApp and iMessage, the message is being sent to Apple servers. This is surprising because WhatsApp is on your device.

The message is sent back to Apple together with contact information, his name, his phone number. And I’m not sure it’s a feature because I can block all Apple communication from my device and the “feature” still works.

Bracken: Broadly speaking, if I am in an enterprise and these AI agents are the thing we all have to figure out how to use, how should business leaders be looking at how they roll out these tools? Or is the genie out of the bottle?

Magid: What most consider today’s AI comes in different shapes every day; on your browser, desktop, and part of your operating system. We saw it here in Apple Intelligence, Gemini on Android, and Copilot on Microsoft. What most companies and enterprises can do right now is to redefine governance all over again. In the last year, since the AI era started, CISOs were concerned about what employees are uploading and if that data is being used to train the LLM. This research highlights other topics about context; companies should implement governance tools as fast as they can.

Bracken: How would that look for an organization?

Magid: The first thing should be visibility; governance tools need to give the CISO the bigger picture of what’s going on in the organization, which data is being sent to AI models, what kind of data puts you at risk. This is the first step before talking about policy and how to enforce it. Visibility is the first thing. In this research, it shows that large vendors like Apple made it really hard to find these issues.

Bracken: Has Apple been receptive to your research? Have you been communicating with them? 

Magid: I created a proper disclosure to them after I found these issues. At the beginning, I was very surprised. They said there’s something interesting here and they were going to address the issues. Three months later, they said it was expected behavior and they’re not going to address them because these are features mentioned in a vague way in the privacy policy.

Actually, yesterday night they reached out and said that the WhatsApp issue might be a problem and they may address that.

Bracken: What has the reaction been amongst your research peers?

Magid: It’s surprising because Apple emphasizes privacy, and it’s surprising the amount of data that they collect. We don’t know what happens with the data. They have many promises about private cloud computing, but as we see in this research, our data isn’t even sent to the private cloud. I was very surprised to hear from people that during my talk today, they already applied policies to block the specific domains I mentioned. It seems like people are very surprised and concerned about this.

Bracken: Do you use these AI tools? How do you balance the speed and efficiency of AI tools and the potential privacy risk?

Magid: I use a lot of AI tools. Too many, actually. But the first step I do with every AI app is not read the privacy policy, but rather go to the settings and opt out of the “learn from this app” program. I disable it first. I also always take into consideration what kind of data I share and with which app. For example, ChatGPT, we have an agreement with them, they’re not trained on our data.

Bracken: Wonderful. Yoav, thank you so much for joining us and sharing your important work.

Magid: Thank you for having me.

Bracken: This has been an interview with Yoav Magid from Lumia Security from the Dark Reading News Desk at Black Hat USA 2025.


John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
