Ex-Apple employee takes Face ID privacy complaint to Europe

Privacy watchdogs in Europe are considering a complaint against Apple made by a former employee, Ashley Gjøvik, who alleges the company fired her after she raised a number of concerns, internally and publicly, including over the safety of the workplace.

Gjøvik, a former senior engineering program manager at Apple, was fired from the company last September after she raised concerns about her employer’s approach toward staff privacy, some of which were covered by The Verge in a report in August 2021.

At the time, Gjøvik had been placed on administrative leave by Apple after raising concerns about sexism in the workplace, and a hostile and unsafe working environment, which the company had said it was investigating. She subsequently filed complaints against Apple with the U.S. National Labor Relations Board.

Those earlier complaints link to the privacy complaint she’s sent to international oversight bodies now because Gjøvik says she wants scrutiny of Apple’s privacy practices after it formally told the U.S. government its reasons for firing her — and “felt comfortable admitting they’d fire employees for protesting invasions of privacy”, as she puts it — accusing Apple of using her concerns over its approach to staff privacy as a pretext to terminate her for reporting wider safety concerns and organizing with other employees about labor concerns.

The U.K.’s Information Commissioner’s Office (ICO) and France’s CNIL both confirmed receipt of Gjøvik’s privacy complaint against Apple.

A spokesperson for the ICO told TechCrunch: “We are aware of this matter and we will assess the information provided.”

France’s CNIL also sent confirmation that it’s looking at Gjøvik’s complaint.

“We have received this complaint which is currently being investigated,” a CNIL spokesperson told us, adding: “I cannot communicate any further details at this time.”

The development was first covered by the Telegraph — which reported yesterday that it’s thought to be the first time Gjøvik has sought to press her privacy complaint against Apple in the U.K. 

Ireland’s Data Protection Commission (DPC), which is Apple’s main data protection regulator in the European Union for the pan-EU General Data Protection Regulation (GDPR) — and which would, under the regulation’s one-stop-shop mechanism, likely take a lead role on any inquiry related to a GDPR complaint that’s also been lodged with other EU privacy regulators (such as France’s CNIL) — declined to comment. Nor would the DPC confirm or deny receiving Gjøvik’s complaint.

A spokesperson for the DPC said: “The DPC cannot comment on individual cases. All queries that come before the DPC are assessed and progressed in line with the DPC’s complaint-handling functions, where it is appropriate to do so.”

Ireland has a number of GDPR probes ongoing into Apple data processing practices — including into the company’s privacy policies — but the DPC has not yet issued any decisions in relation to those multi-year-long investigations.

Were the DPC to decide this complaint merits opening a fresh investigation into Apple, it would likely take years to reach a public outcome given the Irish regulator’s extensive GDPR case file backlog.

In a conclusion to the complaint, Gjøvik urges the regulators to “investigate the matters I raised and open a larger investigation into these topics within Apple’s corporate offices globally”, further alleging: “Apple claims that human rights do not differ based on geographic location, yet Apple also admits that French and German governments would never allow it to do what it is doing in Cupertino, California and elsewhere.”

Face ID Gobbler app

The 54-page “privacy invasion complaint”, which Gjøvik says was submitted to European regulators earlier this month, takes issue with the company’s approach to employee privacy — raising concerns about a number of practices including an internal program by Apple to gather biometrics data from staff using an app called “Gobbler” (later “Glimmer”), apparently as part of the product development process for Face ID.

More broadly, the complaint centers on the breadth of Apple’s secrecy and “anti-employee privacy” policies, as well as what Gjøvik alleges to be “unlawfully restrictive” NDAs.

Apple was contacted for comment on the complaint but at the time of writing the company had not responded.

The tech giant’s approach to inviting employees to engage in product testing, which involved capturing biometrics at times, left Gjøvik feeling that her participation was mandatory, per the complaint, and — in one instance that she details — she describes responding to what she thought was a “mandatory social event” which turned out to involve manually testing Face ID using the Gobbler app while being penned into a secure outdoor compound in full sunshine.

According to the complaint, information Apple provided internally to staff about Gobbler urged employees to upload data from the app captured in their homes.

“Apple was pressuring employees to upload their ‘faceprint data’ to Apple internal servers, capturing secret photographs and videos of employees, and told employees that face-related logs were automatically uploaded from their iPhones daily,” Gjøvik alleges. 

“It was extraordinarily unclear what data was being automatically uploaded, how and when,” she also claims. “My open questions included whether my personal data was being backed up on employee iCloud backups, synced via iCloud, and/or accessed/copied by Apple’s corporate MDM profiles – or other Global Security surveillance of employee phones. It also disturbed me that the app was taking photos/videos without any notification (sound, signal, etc), which made me think that Apple, if it wanted to, could activate my device cameras and watch me without me knowing at any time as well. I talked to other employees, including managers, with similar concerns.”

Gjøvik cites a public statement by Apple that more than one billion images were used in the development of its Face ID algorithm — claiming the company never answered questions raised by Senator Al Franken who had asked it where those images came from following the launch of Face ID. “What [Apple VP Craig] Federighi did not say is that those images came from employees just like me, whether I wanted to share them or not,” she suggests. 

Per the complaint, Apple informed staff of restrictions on employees uploading data to Gobbler in countries outside the U.S. — although the complaint also cites an email from an Apple manager which states that one such study was being conducted in “the USA, Brazil, Tel Aviv,” and the EU “but not France or Germany”.

“I also saw in notes that the app was forbidden to be used in Japan and China, but then at some point, Apple decided to gather some logs there anyways,” Gjøvik further suggests.

Apple does have offices in Europe — including in the U.K., France, Ireland and elsewhere in the region — so it’s at least possible that employees at those locations used the Gobbler app to upload their biometric data. If that happened, it could engage data protection considerations, such as over the legal ground Apple would be able to rely on for processing this data. But whether or not the European regulators who have received her complaint decide there’s something here for them to investigate remains to be seen.

Under the GDPR, consent is one of several possible legal grounds for processing personal data. However, for consent to be a valid legal basis, it must be informed, specific and freely given — and, even setting aside questions over whether staff were provided with adequate information on what would be done with their biometric data, an employer-employee power dynamic might undermine their ability to freely consent (i.e. versus feeling they must participate in such testing because it’s their employer asking). So there could be reasons for closer scrutiny.

Gjøvik’s complaint has also been addressed to the European Data Protection Supervisor (EDPS), although a spokesman for the body confirmed the EDPS would not investigate such a matter as its oversight function is focused on the EU’s own institutions, bodies or agencies.

The complaint also lists Canada’s Office of the Privacy Commissioner as another body to which it has been submitted, along with digital rights groups EFF and Big Brother Watch.

Beyond the Gobbler/Glimmer app, Gjøvik raises concerns about the potential for Apple’s software development ticket/bug reporting system to harvest personal data without staff being properly aware — claiming that the system defaults to sharing reports to all of the company’s software engineering function (potentially tens of thousands of people). It also says these tickets could ask employees to include diagnostic files — which Gjøvik suggests could result in additional personal data from an employee’s personal device, such as their iMessages for example, being passed to Apple without the employee fully realizing it.

In The Verge’s article last year, which quoted Gjøvik and a number of other Apple employees, it was reported that staffers at the company were routinely told to link their personal Apple ID to their work account.

“The blurring of personal and work accounts has resulted in some unusual situations, including Gjøvik allegedly being forced to hand compromising photos of herself to Apple lawyers when her team became involved in an unrelated legal dispute,” The Verge reported, before referencing what it described as a “stringent employment agreement that gives Apple the right to conduct extensive employee surveillance, including ‘physical, video, or electronic surveillance’ as well as the ability to ‘search your workspace such as file cabinets, desks, and offices (even if locked), review phone records, or search any non-Apple property (such as backpacks, purses) on company premises’”.

Another Apple policy The Verge’s report highlighted was a ban on staff wiping any devices before returning them to the company, including if/when they leave Apple — suggesting employees who have linked their personal Apple ID to their work accounts are potentially exposing privacy data to the company when they hand back corporate devices.