To help protect user privacy, Spotlight Suggestions never sends exact location, instead
blurring the location on the client before sending. The level of blurring is based on
estimated population density at the device’s location; for instance, more blurring is
used in a rural location versus less blurring in a city center where users will typically
be closer together. Further, users can disable the sending of all location information
to Apple in Settings, by turning oﬀ Location Services for Spotlight Suggestions. If
Location Services is disabled, then Apple may use the client’s IP address to infer an
The anonymous session ID allows Apple to analyze patterns between queries
conducted in a 15-minute period. For instance, if users frequently search for “Café
phone number” shortly after searching for “Café,” Apple may learn to make the phone
number more available in results. Unlike most search engines, however, Apple’s search
service does not use a persistent personal identiﬁer across a user’s search history to tie
queries to a user or device; instead, Apple devices use a temporary anonymous session
ID for at most a 15-minute period before discarding that ID.
Information on the three most recently used apps on the device is included as
additional search context. To protect the privacy of users, only apps that are in an
Apple-maintained whitelist of popular apps and have been accessed within the
last three hours are included.
Search feedback sent to Apple provides Apple with: i) timings between user actions
such as key-presses and result selections; ii) Spotlight Suggestions result selected, if
any; and iii) type of local result selected (e.g., “Bookmark” or “Contact”). Just as with
search context, the search feedback is not tied to any individual person or device.
Apple retains Spotlight Suggestions logs with queries, context, and feedback for up to
18 months. Reduced logs including only query, country, language, date (to the hour),
and device-type are retained up to two years. IP addresses are not retained with
In some cases, Spotlight Suggestions may forward queries for common words and
phrases to a qualiﬁed partner in order to receive and display the partner’s search
results. These queries are not stored by the qualiﬁed partner and partners do not
receive search feedback. Partners also do not receive user IP addresses. Communication
with the partner is encrypted via HTTPS. Apple will provide city-level location, device
type, and client language as search context to the partner based on which locations,
device types, and languages Apple sees repeated queries from.
Spotlight Suggestions can be turned oﬀ in Settings for Spotlight, for Safari, or for both.
If turned oﬀ for Spotlight, then Spotlight is reverted to being a local on-device-only
search client that does not transmit information to Apple. If turned oﬀ in Safari, the
user’s search queries, search context, and search feedback are not transmitted to Apple.
Spotlight also includes mechanisms for making local, on-device content searchable:
The CoreSpotlight API, which allows Apple and third-party apps to pass indexable
content to Spotlight.
• The NSUserActivity API, which allows Apple and third-party apps to pass information
to Spotlight regarding app pages visited by the user.
Spotlight maintains an on-device index of the information it receives using these two
methods, so that results from this data can be shown in response to a user’s search, or
automatically when Spotlight is launched. There is also an on-device federated search
API, only available to Apple-provided apps, which allows Spotlight to pass user search
queries to apps for processing, and receive their results.
iOS Security—White Paper | May 2016