48 comments

[ 2.7 ms ] story [ 105 ms ] thread
how is this even possible? this feels like beyond a bug so maybe a hidden feature?
Yeah, I get that files aren't truly "deleted" until they're overwritten but these pictures didn't have their data messed with over 5+ years? Hard to believe.

At this point, assume any data that touched an internet connected device is sitting somewhere you don't want it to be.

Imagine the privacy violations of refurbished iPhones. You buy an iPhone or get a trade in that’s a refurb and you suddenly have randoms “nudes” appearing in your recents? This can’t be right….
Pretty sure its encrypted with your private key. There would be no way for someone else to ever see your data, unless I am totally misunderstanding how Apple does this.
Refurbs are presumably factory-reset before resale, which in turn presumably includes zeroing out user storage. Presumably.

The issue in TFA is probably different. If files are only marked for deletion and their data never overwritten, it's conceivable they might show up again after a buggy update.

Of course, one would assume iOS would actually delete the data of files marked for deletion after some expiry, but it's also possible this wasn't happening.

Beyond deleting the reference to file , Delete the data on disk means one of two things : Overwrite with zeros or have another file contents written over it .

Overwrite with zeros is generally not done as default in flash memories to improve disk life, flash memories have a limited number of times they can be written too, so most memory controllers will try to distribute writes

This seems less a OS bug, more likely iOS/iCloud had a bug on marking deletion correctly

"Overwrite" on flash requires erasing the block containing the data you wish to overwrite, so pre-erasing blocks that will never be used again until rewritten doesn't reduce available write cycles, and can improve both endurance and performance.

Two potential issues when relying on flash erasure for privacy, neither of which apply to a full device wipe:

1. Filesystem allocation units are almost always smaller than flash erase blocks; erasing and rewriting, e.g., a 1MB flash block whenever a single 4 kB allocation unit it contains is freed will lead to performance and endurance problems.

2. On desktop and laptop systems, erase (ATA TRIM/SCSI UNMAP/NVMe Deallocate) operations are typically deferred to a low-priority or periodic background task for performance reasons; the same may apply to iOS devices.

In the case of full device wipes on modern Apple devices (iOS and Apple Silicon Mac), this is mostly moot anyway from a privacy perspective, because encrypted storage makes data effectively unreadable as soon as encryption keys are wiped.

I don't think this is an issue. It seems to be an iCloud-related bug based on just how long the reports claimed photos had been deleted. If you're signed out of iCloud, I'd expect the photo to not resurface.

Either way, horrible day for Apple's "Privacy First" charade.

I've always really hated how Apple (and a growing number of companies) are deliberately blurring the distinction between local and cloud storage. When I store a photo somewhere, I want to know where it is, on the device or in the cloud. When you look through Photos (and many other apps) this is not very clear. They're all just in this nebulous "Library" which could be actually anywhere.

I think a lot of people are uploading private pictures to the Internet without even being aware of it because of how tricky and sneaky companies are being, nudging you to Cloud-ify everything without explaining clearly that "Cloud" ultimately means "Posted to someone else's computer."

You're spot on. The lines are being blurred and it's already biting us.
When the whole celebrity nude leak thing happened a while back, my first instinct was to victim blame: "Why on earth would you do that? Upload your nudes to the Internet (iCloud)? Are you insane?" But, the UI absolutely doesn't help: It's not even remotely clear that when you take a photo, it's not going into some private library, but it's instead being uploaded. So you kind of have to have some sympathy. I'm sure a lot of people are fooled by this.
"Cloud storage" does feel kinda magical to use. But it turns out it elides over some details that are kinda important.

The other half of the story is data loss. Will the files still be there if you leave them alone for a day or a year? Who knows?? Will they really be gone if you delete them? There's literally no way to tell!

> Yeah, I get that files aren't truly "deleted" until they're overwritten but these pictures didn't have their data messed with over 5+ years?

While the data may technically remain, unless the storage medium explicitly specifies otherwise (like E.G. snapshotting filesystems), "deleting" does often imply immediately overwriting enough metadata that it probably shouldn't be possible for the files to be trivially/accidentally resurfaced by a bug.

The internet is always permanent except when you want it to be.

I wish I could find the video I uploaded to YouTube when me and my friends were kids. I deleted it out of embarrassment when I was older but it was so funny. (Video involved us getting shocked by a CRTs capacitor on camera).

Also note that this could include every screenshot you’ve ever taken:

1. “Sync to iCloud” is enabled in Photos

2. You take a screenshot, it saves to photos, it syncs to iCloud

3. You delete the screenshot from Photos

…is there still a copy in iCloud? Maybe…

I wonder how people have ruled out just iCloud storage not downloading stuff on device for weird reasons. Like were the photos also deleted from iCloud or just on device?
An non-conspiracy would be that iOS confused deleted data as corrupted data and recovered it, although that's quite a bad bug, although maybe it just happened during a deployment script I guess?

Remember: deleting data only removed inodes, not raw data: the raw data get overwritten with time. The more full you storage is, the faster that data gets overwritten.

iPhone have a lot of storage, so yeah, most likely a bad deployment script. Still not good for such a company.

A conspiracy would be a worker tasked by NSA to introduce such a bug to keep deleted files as long as possible, "just in case", for spying matters.

Only nudes ?
Everything, no. Just old deleted photos.
Nudes might have a higher probability of being deleted.
Many people don't want to risk accidentally surfacing a nude while showing off other pictures and delete them more or less immediately. So it's merely a bright-line indicator; where other decisions to delete or not may be more easily forgotten.
some function leftover from the csam / on device scan - because also deleted pictures are csam. Its a feature for the police. Sorry guys.
what hard evidence do you have to support this accusation?

1) You've accused the iphone users of having CSAM on their device, and

2) you've attributed a motive to Apple inc. as the root cause of the technical issue.

what hard evidence do you have that the parent post is meant seriously?
According to Apple, their CSAM only applies to iCloud and would only need the photo at the moment of uploaded

https://www.apple.com/child-safety/pdf/Expanded_Protections_...

Yeah they retracted the plans to scan locally on device as I may remember. Somehow, I remember it as being reported exactly in that connection "csam & on device" before imgvideo-files are being sent and encrypted in messengers. Intercepting later can't be easily done.. They retracted and said after criticism "we do it on iCloud".

Then a link to be found on goog or few comments further down, says, they wanted to do it on iCloud. But everyone is going rage mode. So they retracted and wanted to do it with more "privacy" on device.. and then, the link also say, they created an API to filter what for example kids should not see or send and app developers can use it.

iCloud scanning is ok with me and my privacy advisor. There are bad guys out there.

Surely the corporation that built the on-device scanning and recognition that runs on your opaque little computer box to find pictures of your dog wouldn't lie or "accidentally" keep the csam scanning running on the device too?

And certainly the corporation couldn't be be coerced by the government that's built the largest surveillance apparatus in human history to keep the csam feature running on billions of devices?

Yes, the corporation can be trusted.

/s

Trust, but check too. Like in a relationship too :)

The government / the law is the problem. The similar in China. And in Europe is planned: you have to make it possible that we read E2E encrypted messages, if a judge say so. Lol

So it's not about the company(s) but rather about the forced compliance with laws

I've seen this on photos sent via iMessage, even before this update. I have the feature enabled where photos sent to you from certain contacts automatically show in your photo library. Some photos... do not need to remain. I can delete them, but they return.

May be related, may not be. I do wish iOS had a better "hidden photos" concept.

The Photos app does have a special hidden album now, and requires biometrics to unlock (or your password).

You can also ask the app to not showcase certain people or photos in features photos / widgets.

This happened to me! Well, some of it anyway. I updated to iOS 17.5.
(comment deleted)
If Apple wants to train some AI model, using the photos and documents on everyone's iPhone/iPad would be very convenient. People will have their privacy violated and potentially their lives destroyed, but the ends (maximizing shareholder value) justify the means.

Alternatively, maybe this is just a stupid way to try to push people into buying more overpriced iCloud storage? There's no way those pictures survived "years" on the disk without being overwritten and somehow were accidentally restored with an update.

So, what's the GDPR say about the backend keeping photos or voicemails that the user "deleted" years ago— And doing so inaccessibly and in secret from the user?
As per the article, this isn't specific to iCloud:

> This could be more innocent than it sounds. Computer data is never actually “deleted” until it’s overwritten with new 1s and 0s — operating systems simply cut off references to it. One user also said they saw a photo return even though they don’t sync their phone or use iCloud, implying the photos could be originating from on-device storage.

Except, the computer needs to know where to point to to read the data. So why are they keeping the index/inode around? Unless they're doing some unrequested data recovery to find these files?
Yup, exactly. If it's removed from the index it won't just show up again one day. This tells me that that innocuous explanation is not what's going on here.
On the Reddit threads, there are also users reporting photos returning after being deleted from a different Apple device of a different type— Even when the original device did not have ICloud enabled.

It's very odd. For it to be a local storage issue, it seems like IOS would have to be copying entire disk images across devices and accidentally doing file carving on freed resources. So I think ICloud is the most plausible technical explanation currently. At the same time, a cloud storage issue implies either malice or incompetence at a level that we currently only have indirect evidence of.

This is a clear violation of GDPR. The GDPR emphasizes the right to erasure (Article 17) and data minimization (Article 5). These principles require that personal data be:

* Kept for no longer than necessary * Deleted upon request or when no longer needed

Both of these conditions are met when someone "deletes" a picture from their device.

This bug basically proved that Apple is non compliant with this and there's no way that EU is going to ignore this big of a violation. If found guilty then they can fine Apple 20 million euros or 4% of global turnover(revenue) which is > $4 billion.

Is that also true even if the data is only on customer-owned hardware and not stored in the cloud?
Protections under GDPR apply to both local storage and cloud storage.

In this case both local storage and cloud storage are provided by same company so that distinction doesn’t matter but this storage location agnostic coverage of GDPR comes in handy on Android.

Hmm I sense a business opportunity of selling “GDPR compliant” GNU rm.
I guess they weren't as "deleted" as people thought...
This is the thing stating people in the face that many don't want to just observe and accept. You didn't sync something to icloud and somehow it's undeleted? It was synced to somewhere. This plainly points to a massive, industrial scale invasion of people's privacy that apple fanboys are not going to acknowledge.
excerpt from article : "And a person claimed in a later post that “around 300” of their old pictures, some of which were “revealing,” appeared on an iPad they’d wiped per Apple’s guidelines and sold to a friend."

Is this true?

Did a quick scan of the reddit posts referenced in the article and could not find this particular post. But it probably its my fault scanning too fast.

More worrisome is, is the scenario possible? Assuming "wiped per Apple's guidelines" was indeed followed, isn't that technically not possible since the encryption keys were wiped?

Risks like this is why I don’t sell my old personal devices. A few hundred bucks is not worth the potential security compromise.