
I definitely see some questionable privacy practices by Apple...

- While "10x less", iPhone still sends your private information (such as location) to Apple on a regular basis[1].

- Apple encrypts iCloud backups with a key they control, not end-to-end[2]. This means that Apple can decrypt and inspect your phone and computer backups.

- According to the article, iOS developers can use their "new privacy-focused ad framework" to "allow anonymously retrieving data without getting a hold of the user or specific information". I don't fully understand that sentence but it sounds a lot like Apple trying to compete directly with Goog + FB in the advertising industry.

- Hardware made in China[3].

1. https://digitalcontentnext.org/wp-content/uploads/2018/08/DC...

2. https://support.apple.com/en-us/HT202303

3. https://www.bloomberg.com/news/features/2018-10-04/the-big-h...




In case you weren't aware, the accuracy of "The Big Hack" (3rd citation) has been widely called into question. There has been no corroboration of their claims, despite a lot of interest in locating one of these compromised servers. While it raises an important point about the plausibility of supply chain compromises (see NSA and Cisco), the case in the article has not been shown to be a matter of fact.

The story earned two sarcastic Pwnie Awards from the security industry last year, "Most Epic Fail" and "Most Overhyped Bug".

https://pwnies.com/previous/2019/most-epic-fail

https://pwnies.com/previous/2019/most-over-hyped-bug/

> - While "10x less", iPhone still sends your private information (such as location) to Apple on a regular basis[1].

Apple documents cases where private information is used, even if it is never sent off device. macOS and iOS users would be familiar with the interstitial privacy screens that show up the first time you use a feature.

iOS has always shown an icon in the status bar when the location information is accessed and provides a log of recent accesses. Recent versions have been more aggressive about reminding you when location data is being shared.

The most common reason location data is sent to Apple is for navigation purposes; if you opt into Location Services, Apple uses your device location for traffic aggregation. You can turn this off at any time.

> new privacy-focused ad framework

App developers incorporate ad frameworks to monetize their apps. An advertiser pays for an ad, and the ad framework displays it in the app. If the user taps on an ad, the framework communicates this back to its servers to make sure the app developer gets credit.

Most ad frameworks try to slurp up as much information as possible about the user in order to tailor more ads to them. Apple's new SKAdNetwork API does not send user information back to the network, only the app identifier that is needed for paying the app developer.


> ...the accuracy of "The Big Hack" (3rd citation) has been widely called into question.

Certainly, but we don't need that one story, as we have plenty of others...

https://www.cnet.com/news/us-finds-huawei-has-backdoor-acces...

https://www.zdnet.com/article/former-pentagon-analyst-china-...


Actually you could go further and say:

- Apple doesn't let you secure your OWN device. Apple does not give you permission to run a firewall or any other app to do your own security.

- Apple doesn't allow you to see what your phone is doing. You cannot see what apps are running, when they are running or what data is being sent where.

- Apple encumbers your data. It doesn't provide an alternative to iCloud. Why not a personal iCloud, self-hosted on macOS? Why not even a time-machine backup of your phone? Apple could make it easy, but instead they try to upsell you on more iCloud storage.


> Apple does not give you permission to run a firewall or any other app to do your own security.

Apple does allow security products on the Mac, and I have analyzed popular ones such as SecureMac's MacScan 2, and others that were on the Mac App Store's bestseller list, and there are tons of scams.

Users hear that it's good advice to install antivirus but don't know how to evaluate them. It is to Apple's discredit (and publishers like MacWorld that gave glowing reviews to MacScan) that these flourish on the Mac, but thankfully iOS users have not been duped to the same extent.

I don't know if it's really true that you're not allowed to run firewalls and such on iOS. They provide content blocking and VPN APIs. See the ability for Wireguard to introduce a completely new VPN protocol simply by installing an app. There is a lot of engineering effort that goes into supporting that.

> You cannot see what apps are running.

The model for when apps are executing is more complicated on iOS. I don't think it's as useful to think about an app's lifecycle as you do on a traditional desktop OS. Security that relies on you "catching" an app executing (if such monitoring is not always-on) is not good security.

> Why not even a time-machine backup of your phone?

You can easily back up an iPhone (encrypted, even) to a Mac or PC. This has existed longer than iCloud Backup. Apple does not release tools for inspecting an opaque backup blob, though there are some reverse engineered ones.


> They provide content blocking

The flaw there is that it is opt-out, not opt-in, and you can only block web activity, not apps.

> You cannot see what apps are running.

Yes, the model is more complicated, but it abstracts away important ways apps can run even if you don't realize it, such as notifications, "VoIP".

> > Why not even a time-machine backup of your phone?

> You can easily back up an iPhone (encrypted, even) to a Mac or PC.

Kind of. You don't back up apps or app private data. In other words, restoring your phone is at the mercy of Apple and the app folks. Will you get the same app? Will you get your audiobooks? No, you will have to download them again.


1) The article never clarifies why Apple is sending location data. It could just be for the Find my Phone feature in which case users should just switch that off.

2) Apple doesn't have computer backups. But agreed that it isn't great that backups are not encrypted with my key.

3) It means Apple will provide information to advertisers about users but not in a way that identifies them. Look into Differential Privacy. And I don't think you understand advertising if you think Apple can ever compete with the micro-targeting capabilities of Facebook/Google's advertising platforms.


> Apple doesn't have computer backups.

You've been able to back up iOS devices to a Mac or PC since the first iPhone came out, longer than iCloud has been around. Those backups are encrypted with your own key that Apple does not have access to.


Indeed. While we're at it, let's not forget the PRISM [1] program, or the fact that "privacy from advert companies" does not imply "privacy from all surveillance".

[1] https://www.theguardian.com/world/2013/jun/06/us-tech-giants...


Isn’t point 2 a consequence of the law that they have to follow? I don’t know about the rest of the world, but I think in the EU they are forced to disclose your personal information to the government if asked to do so. This is also in their privacy policy.


I think this is definitely the case.

And as iCloud is a global service they really have to cater for the lowest common denominator.


Then they could offer that feature just in those jurisdictions.


Aren't there ways of verifying the integrity of the hardware via software on boot?


iCloud backups are end to end encrypted if 2 factor authentication is turned on according to your link.



