Red Hot Cyber


Siri Sends Data to Apple Without Warning: AppleStorm Reveals the Truth

Redazione RHC : 11 August 2025 20:33

Lumia experts have published a technical investigation called AppleStorm, alleging that the Siri voice assistant transmits more user data to Apple servers than is necessary to complete tasks. In particular, attention has focused on messages dictated via Siri in the WhatsApp and iMessage messaging apps: they are apparently sent to the company’s servers even though the task can be processed locally, without accessing cloud systems.

Apple claims high privacy standards and uses a hybrid AI model that combines local processing with the Private Cloud Compute (PCC) cloud service. However, it was discovered that Siri also accesses other servers that are not part of the PCC architecture. These include the dictation servers, the search infrastructure (subdomain smoot.apple.com), and separate Apple Intelligence extension servers, through which, for example, interaction with ChatGPT takes place.

During the experiments, the researchers used the mitmproxy and Frida tools on macOS Sequoia with Apple Intelligence enabled. Simple queries such as “Hello” or “What time is it?” were processed locally. However, when requesting weather information, two external connections were recorded: one to the speech recognition server, the second to the search service. Analysis of the transmitted data showed that Siri automatically collects information about the applications installed on the device, even if they are running in a virtual environment. Therefore, when requesting weather information, calls were recorded to both the built-in Apple Weather application and the Windows application in the Parallels environment.

Furthermore, the data sent contained the user’s exact location coordinates. Even with geolocation transmission formally enabled, such details would have been redundant for a weather request. Packet analysis also revealed the transmission of metadata about other applications, down to the names of files and processes open at the time of the Siri request.

The transmission of message content raises particularly acute questions. When using Siri to send a phrase via WhatsApp, it was discovered that the text, the recipient’s number, and other message attributes were being sent to Apple servers, not the PCC infrastructure. However, the functionality does not depend on the server side: even when connections are blocked, the message is sent correctly. This indicates that sending to the cloud occurs without any technical necessity.

In an attempt to clarify whether this is related to the specifics of WhatsApp integration via SiriKit, the researcher created his own application based on Apple documentation and found identical behavior: messages sent via Siri from the test application were also routed to Apple servers. A similar pattern was observed with iMessage.
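A way to audit a proxy capture for the kind of transmission described above, as an added example that is not the researchers' tooling: dictate unique canary values, then search every captured request body (raw, gzip, URL-encoded, base64) for them. The flows, the canary values and the two `.example.invalid` hosts are constructed placeholders; only `smoot.apple.com` comes from the article.

```python
import base64
import gzip
import json
import re
import zlib
from urllib.parse import unquote_plus

# Constructed canaries: unique values dictated to Siri during a test run.
CANARIES = {"message_text": b"purple-walrus-7731", "recipient": b"+15550100"}

def views(body: bytes):
    """Yield the raw body plus common decodings, so encoded canaries still match."""
    yield body
    try:
        yield gzip.decompress(body)
    except (OSError, EOFError, zlib.error):
        pass  # body is not gzip-compressed
    yield unquote_plus(body.decode("utf-8", "ignore")).encode()
    for token in re.findall(rb"[A-Za-z0-9+/]{16,}={0,2}", body):
        try:
            yield base64.b64decode(token, validate=True)
        except ValueError:
            pass  # looked like base64 but was not

def audit(flows):
    """Return sorted (host, canary_name) pairs for every request carrying a canary."""
    hits = set()
    for flow in flows:
        for view in views(flow["body"]):
            hits.update((flow["host"], n) for n, c in CANARIES.items() if c in view)
    return sorted(hits)

# Constructed capture standing in for an export from an intercepting proxy.
FLOWS = [
    {"host": "smoot.apple.com", "body": b'{"q": "weather today"}'},
    {"host": "dictation.example.invalid",  # placeholder host, not from the article
     "body": gzip.compress(json.dumps(
         {"text": "purple-walrus-7731", "to": "+15550100"}).encode())},
    {"host": "extension.example.invalid",  # placeholder host, not from the article
     "body": b"to=%2B15550100&blob=" + base64.b64encode(b"purple-walrus-7731")},
]

if __name__ == "__main__":
    for host, name in audit(FLOWS):
        print(f"{host}: request body contains {name}")
```

Any host reported for a task that still completes with that host blocked is receiving data the feature does not need.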

The complexity of privacy policies adds to the confusion. Siri and Apple Intelligence are governed by different documents. As a result, two nearly identical commands—for example, “What’s the weather today?” and “Ask ChatGPT what’s the weather?”—are processed by different systems with different levels of protection and different data collection conditions. The user has no way of knowing which subsystem will be used.

Apple acknowledged the data transfer, but didn’t consider it an Apple Intelligence issue. Instead, it placed some of the blame on third-party developers using SiriKit. However, Siri itself is clearly sending more data than necessary, and it’s doing so without the user’s knowledge. Transparency is one of Apple’s key slogans when it comes to AI, but in practice, it’s implemented selectively.
