As Apple feuds with the U.S. government over iPhone privacy protections, the tech giant is also grappling with internal conflicts over privacy that could pose challenges to its long-term product strategy.
Unlike Google, Amazon and Facebook, Apple (AAPL) is loathe to use customer data to deliver targeted advertising or personalized recommendations. Indeed, any collection of Apple customer data requires sign-off from a committee of three “privacy czars” and a top executive, according to four former employees who worked on a variety of products that went through privacy vetting.
Approval is anything but automatic: Products including the Siri voice-command feature and the recently scaled-back iAd advertising network were restricted over privacy concerns, these people said.
Many employees take pride in Apple’s stance, and CEO Tim Cook has called it a matter of principle.
Get Data Sheet, Fortune’s technology newsletter.
“Customers expect Apple and other technology companies to do everything in our power to protect their personal information,” Cook wrote in a letter explaining the company’s opposition to a government demand that it help unlock the iPhone of one of the shooters in the December attacks in San Bernardino, Calif.
Such policies also have a business rationale: Apple’s apparent willingness to sacrifice some profit for the sake of privacy bolsters its image as a company that protects customers.
It’s an easier stand for Apple to take than, say, Facebook or Amazon—Apple’s chief business to date has been selling devices rather than advertising or e-commerce.
But now, amid stagnant iPhone sales, Apple executives have flagged services such as iCloud and Apple Music as prime sources for growth, which could test the company’s commitment to limiting the use of personal data.
Apple declined to comment for this story.
The Czars
Inside Apple, the trio of experts known among employees as the privacy czars are both admired and feared.
Jane Horvath, a lawyer who previously served as global privacy counsel at Google, is the group’s legal and policy wonk, often channeling the views of Apple’s board and citing regulatory requirements, said former employees who have worked with her.
For more on Apple vs. FBI, watch:
She was hired to formalize privacy practices after the 2011 “locationgate” scandal, in which iPhones were found to be gathering information about users’ whereabouts.
Horvath works alongside Guy “Bud” Tribble, a member of the original Macintosh team who is venerated by employees as one of the few who “had been to the mountain with Moses,” as one former employee put it, referring to Tribble’s ties to the late Steve Jobs.
Tribble has broad responsibilities as vice president of software technology, but he devotes substantial time to privacy, often working with closely with engineers. The meetings can be tense, but Tribble’s skill and easy personality make him a popular figure, people who have worked with him said.
The third czar, a rising star named Erik Neuenschwander, scrutinizes engineers’ work to ensure they are following through on the agreements—even reviewing lines of code.
Following a popular philosophy in Silicon Valley known as “privacy by design,” product managers start collaborating early with the privacy engineering and legal teams, former Apple employees said. For complicated matters, the privacy task force steers the issue to a senior vice president, and particularly sensitive questions may rise to Cook.
Key principles include keeping customer data on their devices—rather than in the cloud, on Apple servers—and isolating various types of data so they cannot be united to form profiles of customers.
Such privacy guidelines can cut against engineers’ instincts to “collect all the data, because sometime down the road it may be useful,” said Albert Gidari, director of privacy at Stanford University’s Center for Internet and Society.
Debates over new uses of data at Apple typically take at least a month and have dragged on for more than a year, former employees said.
Most tech companies now have privacy review processes; Facebook (FB), Google (GOOGL) , Twitter (TWTR), and Snapchat entered into consent orders with the Federal Trade Commission that require them. At Facebook and Google, the privacy teams also insert themselves early and often in product development, spokesmen for the companies said. A spokesperson for Amazon (AMZN) declined comment.
The consensus among privacy experts is that privacy enforcement is more stringent at Apple because of the company’s business model.
“Some of the data-intensive companies have very rich privacy practices,” said Deirdre Mulligan, an associate professor at UC Berkeley who studies privacy. But “there’s a lot more negotiating and disagreement than you might find in a company that is not trying to make their money off data.”
Advertising Woes
The biggest casualty of Apple’s privacy stance may be iAd, a service launched in 2010 that aimed to deliver ads inside iPhone apps, with revenue to be split between Apple and app developers.
Although Apple was a late entrant, it had a tantalizing asset: iTunes, one of the industry’s richest troves of consumer data.
That database, however, was off limits. Whenever employees wanted to use iTunes data to sharpen targeting, they had to appeal to the privacy team, according to two former Apple employees who worked on iAd.
The iAd team fought hard to give advertisers greater visibility into who saw their ads, those employees said. Their hope was to create anonymous identifiers so advertisers could discern which users had seen their ads.
But despite about a dozen similar pitches, the most executives would allow was a count of how many users had seen an advertisement, according to the former employees.
“It was so watered down, it wasn’t even useful,” one of the former employees said.
As a result, iAd struggled to entice advertisers, who will pay a premium for detailed data on their customers. In January, Apple announced it would discontinue the iAd app network.
“We always heard from the iAd team that they would love to get more data to help them optimize campaigns for marketers, and that was sometimes difficult,” said Peter Hamilton, CEO of TUNE, a popular mobile marketing platform, which worked with marketers on iAd campaigns.
Culture Clash
In other cases, Apple’s privacy stance forced tough workarounds.
Siri, a company Apple acquired in 2010, was the foundation for the voice-controlled digital assistant built into the iPhone the following year. But during the integration, privacy leaders insisted that voice data on what users say to Siri should be stored separately from personally identifiable information, according to a former Apple employee who attended some of the meetings.
“That was a major back-end surgery,” the former employee said.
During an update of the Spotlight search feature for the 2014 edition of Mac software, the privacy and engineering teams had to work closely to come up with a way to keep users’ search logs on Apple servers that would give engineers the data they wanted without raising privacy concerns.
“The obvious reaction I’d have as a data person is, ‘This is insane,'” said a former employee who worked on the project.
But the experience also underscored the extent of the company’s commitment to protect consumer data, the former employee said.
Apple must strike the right balance as it intensifies its push into services, said Bob O’Donnell, an analyst with TECHnalysis Research. In January, Apple’s earnings report showed $5.5 billion in services revenue for the most recent quarter, up 15 percent from the previous year.
“The value of a service is the ability to personalize it,” O’Donnell said. “The only way you can personalize it is with knowledge about an individual’s preferences.”
