Tell HN: Signing out and in to Apple device forcefully activates iCloud sync

98 points by setnone ↗ HN
Tested on my iPad and MacBook, if you have an iCloud sync turned off and sign out of your account, upon the next login all the iCloud switches gets turned on and you have to manually turn them off again.

67 comments

[ 4.2 ms ] story [ 118 ms ] thread
This is particularly troubling in light of their CSAM detection.

"Before an image is stored in iCloud Photos, an on-device matching process is performed for that image against the known CSAM hashes."

You do not own an Apple device that you buy.

https://www.macworld.com/article/352875/ios-15-csam-scanning...

I’m willing to bet that this will be called an accidental bug by apple and never addressed.
I'd prefer we call it data piracy though.
> You do not own an Apple device that you buy.

There's no way to avoid the Apple. It's become the Berlin Wall of computing. No admittance, no escape, secret police, protection racket.

Companies with apps don't have customers. They're unnaturally fenced off, cajoled, and taxed. Apple laughably claims privacy.

Meanwhile device owners can't repair their phones or expect not to be spied on. When they aren't paying $500 for RAM, they're letting Apple define what activities are permissible.

The damn thing doesn't even have a web browser that isn't safari. The Apple is so afraid of runtimes threatening the app store distribution model.

> The damn thing doesn't even have a web browser that isn't safari.

Why would you claim this? There are no limitations on web browsers.

You are limited to WebKit rendering engine and JavaScriptCore, so practically all non-Safari browsers are more or less just a different skins of Safari.
> Why would you claim this? There are no limitations on web browsers.

All browsers on iOS must use the WebKit browser engine making them, in essence, safari clones with a different look and feel.

They say “the Apple” While it’s true for ios, “the Apple” also makes macos, where you can freely pick your browser
They say "There are no limitations on web browsers.", while on iOS, there are clearly some limitations on web browsers. It doesn't matter that there also exists another platform where that statement may apply; the statement was generic and itself made no distinction.
OK, so "no limitations" wasn't correct. But still, you can use chrome on ios, you get all the ui and behaviours you are used to, no?
No support for Chrome extensions. Not even support for Safari Web Extensions bundled with iOS apps.

Some browsers do have their own extensions (Edge has AdBlock Plus built-in, but that's all; iCab has quite a few Javascript-based extensions) and of course you get things like using another vendor's bookmark and password sync. But that's about it.

Oh really? But extensions are separate from the rendering, right? So is that a separate limitation then?
Not really separate. Many extensions designed for other browsers will still depend on quirks of the respective extension implementations, JavaScript engines, rendering engines, etc.

Of course, there are (supposed-to-be-but-aren't) browser-agnostic WebExtensions — but again, only Safari implements them on iOS (starting with iOS 15), they must be bundled with an iOS app, and non-Safari browsers don't have access to those bundled extensions.

Perhaps those browsers will implement support for WebExtensions by some other mechanism but it certainly won't be the case that Firefox for iOS could run extensions intended for Firefox on desktop, nor would one expect extensions from the Chrome Web Store to work properly on Chrome for iOS.

Perhaps that's an upshot? Better support for browser-agnostic WebExtensions?

Even then, that's up to whether or not Apple permits that in the App Store.

Ok, thanks for the thorough explanation
Apple forces all third party browsers on iOS to use WebKit, so really everything has to use safari’s rendering engine.
Is there any good reason to take Apple on their word that all their scanning for is CSAM? How certain can we be that they're not already using this technology secretly to look for other types of content when the government asks? I doubt they're going to announce every time the government requests they add detection for a new Pepe frog meme and other "far-right" content, and it seems almost inevitable governments will want them to do something like this at some point, if not already.

I feel like we're giving Apple too much trust by labelling this CSAM detection. In reality the technology can (and probably will) be used to detect anything they want to.

This same logic can be true of any cloud provider that scans indiscriminately.
Sure, I guess my point is that calling this CSAM detection is deceptive as the technology itself can (and probably will) be used to detect any type of content. We also have no way to verify Apple are only using the technology currently to scan for CSAM so why give them the benefit of the doubt when they have so many incentives to go beyond CSAM scanning?
At the same time, they did announce this. How would we know if they put a backdoor in and had said nothing at all?

I know there are a lot of eyes on iOS, but if they wanted find a place in the gigabytes of binary blobs to do this quietly, I think they could.

I guess it'll soon be save to call it Apple's devices and not owning your content follows.
It’s frustrating that companies have so many people with job descriptions that include maximizing these “engagement” statistics that abusing and disrespecting users is done without a second thought.
It's because of these people they know exactly what they can get away with that might cause so minor or major grumbling but not have any real impact on sales
Also if you activate the screenshot on tap, you'll notice that your iphone will take screenshots through out the day without you even providing the necessary taps.

see here: https://www.reddit.com/r/ios/comments/hzovl0/back_tap_set_to...

1. Even the reddit posts doesn't claim that

2. Do you think Apple would put the screenshots in the Photos app if they were taking them in order to spy on you?

> to spy on you

You made that leap yourself.

I'm not pointing out a grand conspiracy, I'm pointing out another another gap in Apples privacy model.

> Even the reddit posts doesn't claim that

That is literally the entire post. But okay

(comment deleted)
No, he's saying that if you enable it, you'll end up with a lot of screenshots. There is no implication that they were not triggered by a tap. He even says "accidentally being triggered constantly".

Yes I did make the leap, because it doesn't seem like a relevant issue if it's not done on purpose by Apple.

Something even more dangerous, if you have iCloud Drive enabled and open a (non-cloud) file in Numbers or Pages it'll save a copy in iCloud while you're editing it - it deletes it when you close it so you might even notice unless you go into iCloud on the web and check recently deleted files.
Wow, that's straight up espionage. I bet they don't even delete the files, but just hide them from you.
I don't really assume malicious intent here - this is presumably "caching" the current unsaved changes on the cloud in case your application crashes or something. But the fact that it's not obvious at all is a major problem. There's also no way to selectively disable this behavior - if you want to use iCloud Drive for some documents you need to put up with this.
> I don't really assume malicious intent here - this is presumably "caching"

This doesn't seem like thinking critically. Do you not imagine that Apple, the size they are, with all their lawyers take a decision like this seriously? It's not like a developer unilaterally decided that they were going to make this as a feature without levels of management and execs deciding that this was okay.

Assuming incompetence rather than malice only applies when there's no previous behaviour suggesting the contrary. The only explanation I can think of for this attitude, is that if we like using Apple products, we somehow have to 'make it ok' to ourselves. I'm at least able to separate the experience with using a product with the aspect of how that product is used by its manufacturer.

Do you really imagine that there is any kind of oversight on development like this? Levels of management getting involved in some random feature? Very unrealistic.

The requirement said to not lose the customers work. Everything else was on the development team most likely.

There are narrow areas where incompetence could explain Apple's failures. There are others that I don't buy, after the incident where non-Apple branded devices were intentionally made to work degraded in a plausibly innocent way by memo decree. With privacy being such a high differentiator, allowing iCloud to be used arbitrarily for any feature without oversight assumes gross incompetence at all levels.
You can just cache activity to a local duplicate file. It's not a new idea. There's no reason to do it on the cloud.
In fact, doing it on the cloud for a local file is a really bad idea. Some of us use our phones in areas with poor connectivity.
(comment deleted)
Is Apple’s sin, here, assuming that when you sign into iCloud, you want to use iCloud?
iCloud sync is just one of the features you might use under your Apple id
Apple should either remember those privacy-related settings or don't enable any privacy-leaking settings (like iCloud photos) by default. At least as long as they claim to be privacy-aware company.
How can it remember settings after you sign out?
The same way it keeps your files, photos, and any and all state of your devices. Signing out is not the same as deleting all information from the account.
There’s plenty of things you need to sign in to do other than sync.

For instance updating your payment info or your account info (name etc)

I can confirm experiencing this issue, at some point suddenly my iPad iCloud backups were enabled even though i’ve always had it switched off (for many years), since iCloud backups are not e2e encrypted and Apple can “see” all data…
Color me surprised

Seriously I really want to be able to claim I own a piece of electronics again. I feel the next step will be the FBI putting in a watchlist whoever buys a Polaroid, a Framework laptop or a Pinephone (suspicious that you don't want to be spied on...).

That's sad, but hilarious, but really sad
It's already begun - if you apply for a US visa, you are asked to list all your social media accounts, email id and phone numbers that you have used in the last 5 years:

> Previously, only applicants who needed additional vetting - such as people who had been to parts of the world controlled by terrorist groups - would need to hand over this data.

> But now applicants will have to give up their account names on a list of social media platforms, and also volunteer the details of their accounts on any sites not listed.

> Anyone who lies about their social media use could face "serious immigration consequences", according to an official who spoke to The Hill.

https://www.bbc.com/news/world-us-canada-48486672

So it appears that the US have already started a program to assign a "social score" to individuals, just like the Chinese. However, unlike China, the US hasn't yet extended it to its citizens yet and the pilot program has been extended from "terrorists" only to all visiting foreigners and immigrants in the US.

how about all apple owners start "Abusing" the system by having copyritten gettypage photos and shutterstock photos. in coming days, a la youtube you will be made aware of copyritten material in your possession for which you would have 2 options. blur the photos/videos or delete them or pay royalty everytime the photo/video gets viewed in the gallery app. pretty sweet deal for the copyright holders because you are obviously earning off of their IP and they need to be compensated. Or, you can buy a photo size wise viewing license to view photos and videos on the phone in your hand because you don't really own it, apple "licenses" the device to you. think about it, you pay rent to use an apple device for a year and after that, return the same back to apple and get a new model instead for another year. rinse and repeat
Better yet just spam folks with AirDrop to show how merely having an image on device doesn't mean squat irrespective of automatically downloaded images from a website or AirDropped in a bunch of unrelated media, lest you get a engineered adversarial image which has the same NeuralHash as CSAM catalog.
> Better yet just spam folks with AirDrop to show how merely having an image on device doesn't mean squat

Been a long time since I've had an AirDrop from a device that wasn't mine - don't you have to confirm acceptance?

According to [1], yes, unless it's from your Apple ID, you get a preview and have to explicitly accept/reject.

"When someone shares something with you using AirDrop, you see an alert with a preview. You can tap Accept or Decline."

https://support.apple.com/en-gb/HT204144

Are you saying that if you hit "Decline", it still saves the photo to Photos?

My iCloud has been full for years, I never got more space. Keeps my newer files safe I guess!
(comment deleted)
There are 2 iClouds - one where you store your files, and one where Apple stores all the data that it has collected on you from your device.
i was just wondering/thinking if this was a viable path.

Create a 5Gb (or whatever the default storage allocation is) file from /dev/zero and max out iCloud.

I have a Basic iOS Hardening MDM profile which disables iCloud Backup, ad tracking identifier, etc that I deploy on all my iOS devices the moment I set them up.
Can you productise that? It sounds appealing!
I guess one could productize that but not sure if the market is big enough to simplify the process even further without getting into full enterprise MDM business. If you got a Mac, the productization is called Apple Configurator 2.
I wondered what was doing it!!!! Thank you for explaining.

I don’t use iCloud and always turn the sync off but once in a while I see the toggles on again it’s so frustrating.

I also help some elderly with their iPhones and had setup iTunes backup to their iMacs, but every time I go to fix something the toggles are all on again. For one of them, they somehow enabled purchasing extra iCloud space so now they pay when they didn’t need to, and I don’t have the time to go through and figure out how to turn it off while also ensuring they keep all their photos.

If a user chooses to configure something in a certain way the vendor should not change that. Is it so hard to comprehend?

> they somehow enabled purchasing extra iCloud space so now they pay when they didn’t need to

> Is it so hard to comprehend?

"It is difficult to get a man to understand something when his salary depends upon his not understanding it."

I'm realling getting fed up by how predatory technology has gotten in the last 10 years.

You really have to continuously look your back and double-check anything.

And you have relatives, especially older ones, that want to buy and use all the new shiny things, and often don't understand that the tech we use today is not like the tech they used to buy 50 years ago.

50 years ago you bought a piece of technology, you paid it, you brought it into your house and it made your life easier, and that was it.

Nowadays you buy a piece of technology, it's going to spy you, the producer is going to alter its behavior via software updates, it's often going to refuse to work without a subscription and recurring payments, it's going to just stop working prematurely when the producer decides that you have to upgrade, and it's going to conviniently allow the government (or a foreign government) to take a look into your private life.

And it's so painful to see big tech companies wash this in shiny and colorful commercials.

Stallman had seen this before anyone else, he was right all along.

What's worst if even if I disable everything, I will find that some app will turn on iCloud sync by default at a later date without me knowing. I have to constantly check the settings to make sure nothing is syncing without my permission.
Yes, happened many times on my and my mom's iPad / iPhone too.
iTunes does this routinely. I never went to back up to iCloud, but somehow that switch keeps getting flipped to backup to iCloud.
Please let Apple know how you feel about this: https://www.apple.com/feedback/
As if they care - it's a feature, not a bug. I am not even being sarcastic. Don't believe me? Try blocking Apple processes on macOS with an application firewall and watch how macOS starts acting erratically, randomly.