You might assume you can count on Apple to sweat all the privacy details. After all, it touted in a recent ad, "What happens on your iPhone stays on your iPhone." My investigation suggests otherwise. iPhone apps I discovered tracking me by passing information to third parties — just while I was asleep — include Microsoft OneDrive, Intuit's Mint, Nike, Spotify, Yelp, The Washington Post and IBM's The Weather Channel. One app, the crime-alert service Citizen, shared personally identifiable information in violation of its published privacy policy. And your iPhone doesn't feed data trackers only while you sleep. In a single week, I encountered over 5400 trackers, mostly in apps. According to US privacy firm Disconnect, which helped test my iPhone, those unwanted trackers would have spewed out 1.5 gigabytes of data over the span of a month. "This is your data, why should it even leave your phone? Why should it be collected by someone when you don't know what they're going to do with it?" says Patrick Jackson, a former National Security Agency researcher who is chief technology officer for Disconnect. He hooked my iPhone into special software so we could examine the traffic. "I know the value of data, and I don't want mine in any hands where it doesn't need to be."

In a world of data brokers, Jackson is the data breaker. He developed an app called Privacy Pro that identifies and blocks many trackers. If you're a little bit techie, I recommend trying the free iOS version to glimpse the secret life of your iPhone. Yes, trackers are a problem on phones running Google's Android, too. Google won't even let Disconnect's tracker-protection software into its Play Store. (Google's rules prohibit apps that might interfere with another app displaying ads.)

The app gap

Why do trackers activate in the middle of the night? Some app makers have them call home at times when the phone is plugged in, or when they think they won't interfere with other functions. These late-night encounters happen on the iPhone if you have allowed "background app refresh," which is Apple's default. In one typical example, a food-delivery service app I launched sent data to nine third-party trackers, though you'd have no way to know it. One got a fingerprint of my device (device name, model, ad identifier and memory size) and even accelerometer motion data to help identify fraud. Three more trackers help monitor app performance, including one that routes onward data including your delivery address, name, email and telco.

The other five trackers, including Facebook and Google Ad Services, help the app understand the effectiveness of its marketing. Their presence means Facebook and Google know every time you open the app. All but one of these nine trackers made Jackson's naughty list for Disconnect, which also powers the Firefox browser's private browsing mode. To him, any third party that collects and retains our data is suspect unless it also has pro-consumer privacy policies like limiting data retention time and anonymising data.

Microsoft, Nike and The Weather Channel told me they were using the trackers I uncovered to improve performance. Mint, owned by Intuit, said it uses an Adobe marketing tracker to help figure out how to advertise to Mint users. The Post said its trackers were used to make sure ads work. Spotify pointed me to its privacy policy. Privacy policies don't necessarily provide protection. Citizen, the app for location-based crime reports, published that it wouldn't share "your name or other personally identifying information." Yet when I ran my test, I found it repeatedly sent my phone number, email and exact GPS coordinates to the tracker Amplitude.

After I contacted Citizen, it updated its app and removed the Amplitude tracker. (Amplitude, for its part, says data it collects for clients is kept private and not sold.)

The letdown

What disappoints me is that the data free-for-all I discovered is happening on an iPhone. Isn't Apple supposed to be better at privacy? "At Apple we do a great deal to help users keep their data private," the company says in a statement. "Apple hardware and software are designed to provide advanced security and privacy at every level of the system." In some areas, Apple is ahead. Most of Apple's own apps and services take care to either encrypt data or, even better, to not collect it in the first place. Apple offers a privacy setting called "Limit Ad Tracking" (sadly off by default) which makes it a little bit harder for companies to track you across apps, by way of a unique identifier for every iPhone.

And with iOS 12, Apple took shots at the data economy by improving the "intelligent tracking prevention" in its Safari web browser. Yet these days, we spend more time in apps. Apple is strict about requiring apps to get permission to access certain parts of the iPhone, including your camera, microphone, location, health information, photos and contacts. (You can check and change those permissions under privacy settings.) But Apple turns more of a blind eye to what apps do with data we provide them or they generate about us; witness the sorts of tracking I found by looking under the covers for a few days. "For the data and services that apps create on their own, our App Store Guidelines require developers to have clearly posted privacy policies and to ask users for permission to collect data before doing so. When we learn that apps have not followed our Guidelines in these areas, we either make apps change their practice or keep those apps from being on the store," Apple says. Yet very few apps I found using third-party trackers disclosed the names of those companies or how they protect my data. And what good is burying this information in privacy policies, anyway? What we need is accountability. Jackson suggests Apple could also add controls into iOS like the ones built into Privacy Pro to give everyone more visibility.

Or perhaps Apple could require apps to label when they're using third-party trackers. If I opened an app and saw nine tracker notices, it might make me think twice about using it.

Washington Post