
Apple Adds Engagement Metrics to Spotlight Search Results, Revealing User Interaction Data

Published by
SectorHQ Editorial

Over a billion devices now receive hidden interaction data with each Spotlight query, Buchodi reports, as Apple’s API adds undocumented “num_engaged” and “num_shown” fields to every search result.

Apple’s hidden “num_engaged” and “num_shown” fields are now surfacing in the wild, turning Spotlight into an inadvertent telemetry dashboard for every query a user makes. The data, which appears in the JSON payload returned by Apple’s internal Spotlight API, shows how many times a particular web result has been displayed to users (“num_shown”) and how many of those impressions turned into a tap (“num_engaged”). The fields are not documented anywhere in Apple’s public developer kits—Core Spotlight, MapKit, or even the Maps API—yet they are attached to every web result served to the more than a billion iPhones, iPads and Macs that run Spotlight today, according to security researcher Buchodi.

The most striking illustration comes from Apple’s own AI‑product showdown. By issuing the same query to Spotlight for each major chatbot and reading the two hidden counters, Buchodi was able to compare raw engagement volumes and conversion rates. ChatGPT’s web result, for example, logged 12 million engagements out of 44 million impressions—a 27.3 % engagement rate. Perplexity, a smaller competitor, showed 410 000 engagements from 1.6 million impressions, yielding a 25.6 % rate that is almost on par with ChatGPT’s despite the 30‑fold gap in absolute numbers. Claude lagged far behind with 17 000 engagements from 220 000 impressions (7.7 %). The disparity underscores a classic “head‑and‑shoulders” effect: ChatGPT dominates in sheer reach, but Perplexity’s users appear just as intent‑rich per impression. Notably, Google’s Gemini vanished from the web‑result metrics entirely—Spotlight returned only app and Knowledge Graph entries for “gemini,” suggesting Apple’s search layer is deliberately keeping the rival AI off the engagement radar.

Those AI numbers are just the tip of the iceberg. The same two fields accompany every web result, from e‑commerce to health. A query for “tesla” returned the company’s homepage with 1.1 million engagements out of 5.7 million shows; “ozempic” logged 250 000 engagements from 5 million impressions; “tiktok” saw 1.1 million engagements from 8.7 million shows. Even niche topics like “tariffs” and “layoffs” generate measurable interaction—1 200 engagements from 35 000 impressions for a tariff article, 40 000 engagements from 230 000 shows for a layoffs site. The breadth of data suggests Apple is aggregating a massive, cross‑category view of user intent, likely feeding internal recommendation engines or ad‑targeting models, though Apple has never publicly confirmed such usage.

Beyond the metrics themselves, the way Apple authenticates Spotlight requests raises fresh privacy questions. Buchodi’s traffic analysis shows each request carries three authentication components: an “eat” token in the URL, an X‑Apple‑Whitelisted‑App‑Signature header, and an X‑Apple‑UserGuid header. The “eat” token, a 64‑byte encrypted bearer token, was observed unchanged across four distinct device UUIDs, three edge nodes and multiple U.S. states over a 48‑hour window. The token is not tied to a device, IP address, or TLS session, effectively acting as a regional credential that can be reused by any device in the same area. Meanwhile, the app signature header exhibits low entropy (3.80 bits per byte), far below cryptographic standards, hinting that Apple’s server‑side validation may rely more on opaque heuristics than strong cryptography. If the same token can be harvested from one device and replayed on another, the “num_engaged” and “num_shown” counters could be weaponized to infer aggregate user behavior across households.
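The two measurements in the paragraph above can be reproduced over capture metadata, as in this added example (not code from Buchodi or Apple). The record keys `eat`, `user_guid`, `edge` and `ts` and all sample values are constructed placeholders; the entropy helper also reports the ceiling a byte-histogram estimate can reach, which for a 64-byte sample is 6 bits per byte rather than 8.

```python
import hashlib
import math
from collections import Counter, defaultdict

def entropy_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte histogram, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_ceiling(length: int, alphabet_size: int = 256) -> float:
    """Largest value the estimate can reach for a sample of this length."""
    return math.log2(min(length, alphabet_size))

def token_binding_report(captures):
    """Per token: distinct device GUIDs, edge nodes and observation span."""
    seen = defaultdict(lambda: {"guids": set(), "edges": set(), "ts": []})
    for c in captures:
        s = seen[c["eat"]]
        s["guids"].add(c["user_guid"])
        s["edges"].add(c["edge"])
        s["ts"].append(c["ts"])
    return {
        tok: {
            "devices": len(s["guids"]),
            "edges": len(s["edges"]),
            "span_hours": (max(s["ts"]) - min(s["ts"])) / 3600,
            "device_bound": len(s["guids"]) == 1,
        }
        for tok, s in seen.items()
    }

# Constructed capture metadata (placeholder tokens and GUIDs, times in seconds).
CAPTURES = [
    {"eat": "TOKEN_A", "user_guid": "guid-1", "edge": "edge-1", "ts": 0},
    {"eat": "TOKEN_A", "user_guid": "guid-2", "edge": "edge-2", "ts": 36_000},
    {"eat": "TOKEN_A", "user_guid": "guid-3", "edge": "edge-3", "ts": 108_000},
    {"eat": "TOKEN_A", "user_guid": "guid-4", "edge": "edge-1", "ts": 172_800},
    {"eat": "TOKEN_B", "user_guid": "guid-5", "edge": "edge-2", "ts": 7_200},
]

# Constructed 64-byte samples: a hash output and a deliberately repetitive value.
RANDOM_LIKE = hashlib.sha512(b"constructed sample").digest()
REPETITIVE = b"ABCD" * 16

if __name__ == "__main__":
    for tok, row in token_binding_report(CAPTURES).items():
        print(tok, row)
    for name, blob in (("random-like", RANDOM_LIKE), ("repetitive", REPETITIVE)):
        print(name, round(entropy_bits_per_byte(blob), 2),
              "of at most", entropy_ceiling(len(blob)))
```

A per-byte entropy figure for a short header value is best read against that ceiling and against the value's encoding, since text encodings such as base64 or hex lower the maximum further.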

Apple’s Spotlight autocomplete scores add another layer of nuance. The model assigns a numeric “score” to each suggestion—Perplexity’s “perplexity” query scores 109 999, while ChatGPT’s “chatgpt” lands at 79 999. The higher score for Perplexity indicates Apple’s algorithm treats that term as higher‑intent, even though its raw engagement volume is dwarfed by ChatGPT. Similarly, “nvidia” autocompletes to “nvidia stock” (score 69 999) and “bitcoin” to “bitcoin price” (79 999), revealing Apple’s internal inference about what users actually want when they type a brand name. These scores, paired with the hidden engagement counters, give a surprisingly granular picture of how iPhone users navigate the web via Spotlight—information that Apple has never officially exposed.

All of this points to a silent, massive data‑collection engine humming behind a feature most users think of as a simple search bar. While Apple has historically framed Spotlight as a privacy‑first tool, the undocumented fields and reusable authentication tokens suggest a more complex reality. As Buchodi notes, the metrics are “attached to every web result the API returns,” meaning Apple now has a real‑time, device‑wide ledger of what users see and click. Whether that ledger will stay behind the scenes or eventually surface in new services—perhaps refined AI assistants or personalized content feeds—remains to be seen, but the evidence is already in the code.
