I don't think privacy works when I don't trust Apple period. They have done shady anti consumer things like decreasing battery life. This feels like lip service till I see implementation details(and even then I want to see the code).
When you say "implementation details", do you mean things like their Safari Privacy White Paper[0], their Photos Tech Brief[1], their Location Services White Paper[2], or their Apple Sign On White Paper[3]?
By decreasing battery life, do you mean decreasing performance so the battery doesn’t prematurely die? I think most of us admit they could have relayed it to users better; but, what they did was far from nefarious.
They throttled the phones with bad batteries so the peak energy usage doesn’t exceed what the battery can provide and shuts down the phone. But unfortunately people just remember the click bait headlines.
Don't get me wrong, I'm impressed with the progress Apple has made in spearheading consumer privacy practices — but unfortunately, half of the benefits listed here are negated by the fact that my iCloud backups are fully unencrypted (or "encrypted" with a common key that Apple holds; same thing in my view).
So, if I want convenient nightly backups (without plugging my phone in and using the "new" Catalina apps, which I'm still convinced are just new iTunes skins), Apple — and adversaries — will still have unfettered access to all my iMessages, Maps history, photos, health records, almost everything listed here and more [0][1].
Tim Cook has claimed a fix is coming for a while now [2], but meanwhile using iCloud for its intended purpose is a huge, and largely unadvertised, gaping hole in Apple's otherwise impressive privacy promises. :(
> if I want convenient nightly backups (without plugging my phone in ...)
I haven't found a need for iCloud.
I get regular (daily?) backups to my Apple desktops/laptops over WiFi -- it works after you pair the mobile device with the desktop once and check the sync over WiFi box.
"Messages are only seen by who you send them to." - Unless that person shares an Apple ID with someone else.
I recently sent an iMessage and got a "who is this?" response. Turns out the message went to one of their family members.
I guess they shouldn't be sharing an Apple ID, but I don't think it's a super crazy thing to do among family members (e.g. a parent who provides a phone for their child), and having private text messages go to the wrong person seems like a pretty bad failure mode.
Apple protects the message in transit. What you are talking about is the equivalent of letting someone borrow your phone, then getting mad when your carrier delivers sms messages to your phone number while someone else was holding your phone. Apple has done their part, it's up to the users to enforce security of their endpoints as well.
Are you saying that 2 people logged into iMessages on 2 devices with the same Apple ID and you want only one of those people to see an iMessage? How would that work?
I either don't understand the scenario you are describing or I don't understand the failure mode you mention?
My intended recipient doesn't actually have an iPhone (but I didn't know that at the time). In my contacts I have both their phone number and their email address, and I'm assuming that email is what's associated with their Apple ID.
I normally don't pay much attention to whether a message is being sent out over iMessage or SMS, and less technical folks probably pay even less, so it's a bad situation when those two methods end up going to different people.
That said, I'm actually not sure what the best behavior for iOS would be here - I get that they want to use the "best" transport and send over iMessage rather than SMS if it's available. Ideally there would be some kind of warning if the phone number I have in my contacts doesn't match the one on the device that's going to receive the message, but that seems finicky as well (what if I only have their land-line?).
How recent was this? Years ago I remember hearing the scenario where people who switched from iPhone -> Android (keeping the same number) would continue to have iMessages go to their old phone. Or the messages would just get lost in the ether if their old phone was off or sold.
For awhile, at least at the Apple store, they were very deliberate about disabling "Find my iPhone" and iMessage when handing off or wiping a phone. I don't remember them doing this recently, so I figured it was built into the process now.
I do think we need some basic awareness about digital devices, just like people do when they let someone borrow the keys to their house (although, many people are terrible at managing that). I recently sold a house with a Nest and a few other IoT things. I wiped them and reset them to factory settings. The realtor and new owner were asking me for my login/password (I'm sure this happens often for them) because they figured it was still tied to my old account.
iMessage was launched in 2011 and archive.org shows that page first showing up in late 2014. I remember hearing very few options for removing your old phone early on.
By this logic, every other secure messaging method (Signal, Matrix, etc.) all have the same issue because someone could have it open on multiple devices.
It's really not up to Apple to enforce whether you use your one Apple ID with multiple devices.
I think the issue is that an Apple ID is used for multiple things (iCloud backup, the app store, etc.), and also that the seamlessness of SMS/iMessage (usually a good thing) causes them to be conflated.
This person doesn't use their Apple ID for communication, because they have an Android phone. They probably purchased an iPhone for their child and set up the Apple ID using their email address. So to clarify, they weren't using their Apple ID with multiple devices, they just set up their child's Apple ID using their email address.
I'm not trying to slam Apple here, it's a complicated issue. I'm just saying that through a sequence of pretty reasonable steps we ended up in a situation where I was texting a colleague's daughter. Fortunately they were about parking my car, but it was pretty weird regardless.
edit: I guess they may use their Apple ID on their laptop as well, so it is on multiple devices. I just don't think they use it for iMessage.
Apple cares more about privacy than, e.g., Google, for sure, but it is extremely complicated to use an iOS device without an Apple ID, and Apple employs "know your customer" logic that caused me to give up after a few hours trying to create an Apple ID not connected with my real name and credit card.
Not sure what you tried and from which location, but Apple doesn’t need the real name or a valid payment method for creating an account to be used for purchases. Such an account can be used to get all the free apps and content on its stores.
On the other side, does stock Android allow one to use a phone without creating a Play Store account and associating it for other services from Google? I’m just curious how that works. I’d presume that Google doesn’t need a payment method or one’s real name either.
I rejected buying an iPhone because I could not find reliable information saying how to use one without an account. By contrast it's easy on Android. Follow the "skip" path. Of course then you can't get access to the play store for apps, but there are other sources for apps.
You don’t need an Apple ID, you can “set up later” aka “the skip path”.
If you do need an Apple ID, say, for free apps, you can make one without real name or ID and yes, you can get set up for free downloads from the app store without a credit card.
The UI is no longer the same, but the approach still works from when I wrote about this in 2011:
From my perspective, your threat model is strange.
I'm most concerned with (1) the device and the OS preventing me from accidentally installing malware in the App Store, (2) preventing drive-by malware from the web browser, (3) secure against physical tampering. High assurance authentication (Touch ID, Face ID, etc) is nice, although the account+device registration+provisioning does prevent me from being anonymous to my phone manufacturer+provider, but I have no expectation of that on a smart phone anyway. If I needed anonymity, I would prefer a prepaid burner be a feature phone with no apps at all.
I don't use iCloud because I don't think it fits within my current threat model. That which is synced to Apple servers (beyond my account/authentication info) is banal stuff. If I needed a more secure communication system, I would use an app specifically designed for it and not owned by an Apple/Facebook, although I'm not sure any lawful company can resist something like a National Security Letter. The best policy is simply not to hand over the content, so it's not subject to the Third Party Doctrine (as flawed as it is).
If a nation-state is attacking me, the best option I have is not to have a listening and tracking device on me all the time and probably to use offline-only devices.
I downloaded a copy of my data from Apple and they store the computer serial number, hostname and ip.
I recently found this (I haven't check the source):
> iOS forces users to “activate” devices (including non-cellular) which sets up a remote UUID-linked (also collecting registration IP) database for a given device with Apple for APNS/iMessage/FaceTime/Siri, and then Apple ID, iCloud etc. Apple ought be open to users about “activation” and allow users to avoid it.
> What you share from those experiences, and who you share it with, should be up to you.
They should have added this: ultimately it's up to you to trust us, you don't control Apple devices, we do :-) and we make decisions that are best for you - just give us money.
Privacy my ass. Allow me to setup MY phone without a ping back to the mothership, and allow us to side-load apps or download free apps from the store without an apple ID.
> It's a feature to me that I can't accidentally download an (potentially hostile) app from a (potentially hostile) app store, but a bug.
I don't really understand this point. It is not like Android implementation of side load is insecure.
As a user, you need to explicitly enable it in settings. After Android 8 I think, each application that tries to install a application is blocked first and need an explicitly permission too. Even with all that, you still need to explicitly consent installation and upgrade of any sideloaded application. Nothing is automatic.
Privacy coming from Apple is laughable.
If you have an iPhone and have location services on ( which most of us do) go to location settings and check “system services”.
Google what those services actually do. They’re all for sending unnecessary location data to Apple for analytics, which is all enabled by default.
They claim to respect your privacy, but under the hood it’s a different story.
Privacy coming from Apple is laughable.
If you have an iPhone and have location services on ( which most of us do) go to location settings and check “system services”.
Google what those services do. They’re all for sending unnecessary location data to Apple for analytics, which is all enabled by default.
They claim to respect your privacy, but under the hood it’s a different story.
41 comments
[ 3.3 ms ] story [ 56.7 ms ] thread[0]: https://www.apple.com/safari/docs/Safari_White_Paper_Nov_201...
[1]: https://www.apple.com/ios/photos/pdf/Photos_Tech_Brief_Sept_...
[2]: https://www.apple.com/privacy/docs/Location_Services_White_P...
[3]: https://www.apple.com/privacy/docs/Sign_in_with_Apple_White_...
If you mean something else, I’m curious.
I was under the impression they throttled devices with poor batteries to _increase_ battery life.
They have sometimes reduced performance in order to increase battery life.
So, if I want convenient nightly backups (without plugging my phone in and using the "new" Catalina apps, which I'm still convinced are just new iTunes skins), Apple — and adversaries — will still have unfettered access to all my iMessages, Maps history, photos, health records, almost everything listed here and more [0][1].
Tim Cook has claimed a fix is coming for a while now [2], but meanwhile using iCloud for its intended purpose is a huge, and largely unadvertised, gaping hole in Apple's otherwise impressive privacy promises. :(
[0] https://www.theverge.com/2016/3/2/11144588/walt-mossberg-app...
[1] https://www.cellebrite.com/en/productupdates/move-your-inves...
[2] https://www.macrumors.com/2019/02/28/eff-user-encrypted-iclo...
Please refer to the recent issue regarding Saudis and Twitter.
You can argue that that was a state level adversary, but the people who accessed data could as well may have done that of their own volition.
I haven't found a need for iCloud.
I get regular (daily?) backups to my Apple desktops/laptops over WiFi -- it works after you pair the mobile device with the desktop once and check the sync over WiFi box.
I recently sent an iMessage and got a "who is this?" response. Turns out the message went to one of their family members.
I guess they shouldn't be sharing an Apple ID, but I don't think it's a super crazy thing to do among family members (e.g. a parent who provides a phone for their child), and having private text messages go to the wrong person seems like a pretty bad failure mode.
I either don't understand the scenario you are describing or I don't understand the failure mode you mention?
I normally don't pay much attention to whether a message is being sent out over iMessage or SMS, and less technical folks probably pay even less, so it's a bad situation when those two methods end up going to different people.
That said, I'm actually not sure what the best behavior for iOS would be here - I get that they want to use the "best" transport and send over iMessage rather than SMS if it's available. Ideally there would be some kind of warning if the phone number I have in my contacts doesn't match the one on the device that's going to receive the message, but that seems finicky as well (what if I only have their land-line?).
For awhile, at least at the Apple store, they were very deliberate about disabling "Find my iPhone" and iMessage when handing off or wiping a phone. I don't remember them doing this recently, so I figured it was built into the process now.
I do think we need some basic awareness about digital devices, just like people do when they let someone borrow the keys to their house (although, many people are terrible at managing that). I recently sold a house with a Nest and a few other IoT things. I wiped them and reset them to factory settings. The realtor and new owner were asking me for my login/password (I'm sure this happens often for them) because they figured it was still tied to my old account.
iMessage was launched in 2011 and archive.org shows that page first showing up in late 2014. I remember hearing very few options for removing your old phone early on.
It's really not up to Apple to enforce whether you use your one Apple ID with multiple devices.
This person doesn't use their Apple ID for communication, because they have an Android phone. They probably purchased an iPhone for their child and set up the Apple ID using their email address. So to clarify, they weren't using their Apple ID with multiple devices, they just set up their child's Apple ID using their email address.
I'm not trying to slam Apple here, it's a complicated issue. I'm just saying that through a sequence of pretty reasonable steps we ended up in a situation where I was texting a colleague's daughter. Fortunately they were about parking my car, but it was pretty weird regardless.
edit: I guess they may use their Apple ID on their laptop as well, so it is on multiple devices. I just don't think they use it for iMessage.
On the other side, does stock Android allow one to use a phone without creating a Play Store account and associating it for other services from Google? I’m just curious how that works. I’d presume that Google doesn’t need a payment method or one’s real name either.
If you do need an Apple ID, say, for free apps, you can make one without real name or ID and yes, you can get set up for free downloads from the app store without a credit card.
The UI is no longer the same, but the approach still works from when I wrote about this in 2011:
https://www.engadget.com/2011/01/07/get-an-itunes-or-mac-app...
The latest UI looks like this:
https://support.apple.com/en-us/HT204034
From my perspective, your threat model is strange.
I'm most concerned with (1) the device and the OS preventing me from accidentally installing malware in the App Store, (2) preventing drive-by malware from the web browser, (3) secure against physical tampering. High assurance authentication (Touch ID, Face ID, etc) is nice, although the account+device registration+provisioning does prevent me from being anonymous to my phone manufacturer+provider, but I have no expectation of that on a smart phone anyway. If I needed anonymity, I would prefer a prepaid burner be a feature phone with no apps at all.
I don't use iCloud because I don't think it fits within my current threat model. That which is synced to Apple servers (beyond my account/authentication info) is banal stuff. If I needed a more secure communication system, I would use an app specifically designed for it and not owned by an Apple/Facebook, although I'm not sure any lawful company can resist something like a National Security Letter. The best policy is simply not to hand over the content, so it's not subject to the Third Party Doctrine (as flawed as it is).
If a nation-state is attacking me, the best option I have is not to have a listening and tracking device on me all the time and probably to use offline-only devices.
I recently found this (I haven't check the source):
> iOS forces users to “activate” devices (including non-cellular) which sets up a remote UUID-linked (also collecting registration IP) database for a given device with Apple for APNS/iMessage/FaceTime/Siri, and then Apple ID, iCloud etc. Apple ought be open to users about “activation” and allow users to avoid it.
https://gist.github.com/iosecure/357e724811fe04167332ef54e73...
(It’s fine to discuss your concern, but it’s not the same concern.)
They should have added this: ultimately it's up to you to trust us, you don't control Apple devices, we do :-) and we make decisions that are best for you - just give us money.
It's a feature to me that I can't accidentally download an (potentially hostile) app from a (potentially hostile) app store, but a bug.
I don't really understand this point. It is not like Android implementation of side load is insecure.
As a user, you need to explicitly enable it in settings. After Android 8 I think, each application that tries to install a application is blocked first and need an explicitly permission too. Even with all that, you still need to explicitly consent installation and upgrade of any sideloaded application. Nothing is automatic.
Google what those services actually do. They’re all for sending unnecessary location data to Apple for analytics, which is all enabled by default.
They claim to respect your privacy, but under the hood it’s a different story.
Google what those services do. They’re all for sending unnecessary location data to Apple for analytics, which is all enabled by default.
They claim to respect your privacy, but under the hood it’s a different story.