1) they just ate every other 3rd party "secure" backup service's lunch just like they did to the Hi-Res music industry.
2) details of what they backup securely, besides photos (which is top priority for me): iCloud Drive: Includes Pages, Keynote, and Numbers documents, PDFs, Safari downloads, or any other files manually or automatically saved to iCloud Drive.
3) BUT, perhaps the BIGGEST news here is that Apple is making a backup statement to what they've been saying for years and what they've recently gotten negative attention on: They don't want your data. They're not Google/FB/Amazon. They're giving you 2TB+ of space and you can encrypt it to the point that you'll lose your data and they don't care -- they don't want to mine your data, they don't want to know what you store on there, they don't care to scan your pictures with AI 20 different ways, they don't want to monetize it, etc, etc., just pay them money for their service and transactionally they give you the only thing that you want in return -- reliable, secure, private service.
seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim upriver.
It's good to be passionate, but blind devotion is dangerous, especially since we already know by now Apple is positioning itself to become a major player in the advertising space and - with a dwindling economy and an increased pressure to sustained growth from shareholders - that's going to continuously encroach on our privacy guarantees for monetization purposes.
I'm advocating for an open and interoperable ecosystem of operating systems, services and applications, which is the only way to ensure sustainable customer freedom. Unfortunately that ecosystem doesn't exist yet so we're stuck with the duopoly of evil-doers (and while Google openly admits it is their business model to monetize you and your data, Apple has been caught with their hands in the cookie jar a bunch of times already and they're just developing a sweet tooth, so...).
Full disclosure: I've been using only iPhones for 12 years and am still using one today.
> we already know by now Apple is positioning itself to become a major player in the advertising space
We don’t know that. We know that they put ads in the App Store, that’s it. I wish they did not, because it made the store even more of an unusable mess, but it really is not even in the same league as Google and Facebook's systematic surveillance.
> increased pressure to sustained growth from shareholders
This sounds truthy, but is there any evidence of this? Apple is famously the company that tells rent seekers after more ROI above all to fuck off (both Jobs and Cook).
> I'm advocating for an open and interoperable ecosystem of operating systems, services and applications, which is the only way to ensure sustainable customer freedom.
Now that’s a real point, which deserves more than being buried after a paragraph of half-truths (and I almost entirely agree, FWIW).
> It's good to be passionate, but blind devotion is dangerous,
After starting a post like this, it is disappointing that you fell in the trap you warned the OP about. Being contrarian and using misinformed tropes is not a good way of having a rational discussion. It is not being cool or clever at all.
> We don’t know that. We know that they put ads in the App Store, that’s it. I wish they did not, because it made the store even more of an unusable mess, but it really is not even in the same league as Google and Facebook's systematic surveillance.
They also put ads in Maps, Stocks, and News, and they "started asking people last year if they wanted to enable personalized ads on these apps."[0]
> This sounds truthy, but is there any evidence of this? Apple is famously the company that tells rent seekers after more ROI above all to fuck off (both Jobs and Cook).
"Inside the ads group, Teresi has talked up expanding the business significantly. It’s generating about $4 billion in revenue annually, and he wants to increase that to the double digits. That means Apple needs to crank up its efforts. "[0]
Plus they advertise iCloud in the Settings app with a red badge, which is just annoying.
> "Inside the ads group, Teresi has talked up expanding the business significantly. It’s generating about $4 billion in revenue annually, and he wants to increase that to the double digits. That means Apple needs to crank up its efforts. "[0]
This doesn't mean they need to do it with targeting/data mining. I swear all the data mining does is show me ads for stuff I just purchased 3 days ago, and that's with google-level surveillance.
I don't like the idea that we discuss this as a law of nature.
I have been an iPhone user for three years, but if at some point I get a better deal elsewhere, I'm off.
And with Apple I pay extra for premium, and there are only so many ads[1] one can shove in before the premium feel is gone.
As for the targeted ads, I share your feeling that the targeting is badly over hyped, except you are lucky compared to me:
Ads for products I bought 3 days ago would be wildly relevant compared to most of the ads I can remember from Google. It was almost always scammy-looking dating sites. For a decade. Don't know what I did wrong but it seems there was a fluke with my account. Or they just got more money from scammy-looking dating sites than from anyone else.
Oh, and when it wasn't ads for scammy-looking dating sites it was pay-to-win games, and based on the ads you could be forgiven for thinking they were made by the same folks.
[1]: I'm no hardliner here: contrary to many on HN I actually see value in some ads and think I have sometimes made better purchases/been reminded to do things I wanted to do anyway.
> It was almost always scammy-looking dating sites. For a decade.
Every time people tell me that AI is great, I remind them that the most frequent ads I see are: 'Goth Muslim hookups' and 'automatic chicken coop door'.
It unfortunately seems to work if you don't go out of your way to block all trackers everywhere and never sign up for anything. I don't personally get any ads I would ever give a crap about, but my wife has been complaining like crazy and constantly blowing up our family plan with data overages since I started ad-blocking at the DNS level because she's constantly being served ads for stuff she actually wants and tries to click on it only to get blocked by my DNS server when it tries to go through a known tracker redirect to grab conversion stats for their campaign or whatever, and then she switches from WiFi to data in order to use the ISP's DNS instead.
They either have to do way more ads, or way more targeted ads. Would you prefer an endless stream of low-relevance ads, or a few high-relevance ones that required massive amounts of data mining to produce?
For a maps app I'd imagine it'll be more a case of businesses being able to 'boost' themselves to people in the area. Slapping big banner ads across a maps app isn't going to generate much ROI given most people will be using it in CarPlay mode.
> Apple’s VP of advertising platforms Todd Teresi has been asked to bolster annual revenue into 'double digits' from about $4 billion today (Aug 2022)
Double digits isn’t a major player. Google and FB are already making nearly 200B ad revenue each. If every Apple app and device showed ads constantly it still wouldn’t come close to the views that fb and web pages get to display ads used by Google and Facebook.
Just to put everything onto the same scale, 4 to "double digits" requires a 2.5X increase. "Double digits to triple digits" would require a further 10X increase.
Basically take everything lost by Meta/Facebook directly attributed to ATT and you'll get a very clear picture on what they can very easily get back with their own ecosystem.
> If every Apple app and device showed ads constantly it still wouldn’t come close to the views that fb and web pages get to display ads used by Google and Facebook.
I can’t begin to imagine how irritated Tim Cook is by the revenue Google and Facebook make from adverts on iOS and he clearly wants in on it.
Given that both those ad companies make revenue off iOS, it’s not unreasonable to aim for a similar level on the platform.
That's only the immediate goal. It would be bad for them to eat up the percentage of the market lost by their competition right away; that would get some unwanted attention regarding monopolistic behavior.
They clearly want a slice of that market, and they have the patience needed to wade in.
Tim Cook told ROI-focused investors to "get out of the stock."
Unfortunately now you've unlocked the "haven't you heard of platform fees (Google Play) or walled gardens (Nintendo eShop) before?" tangent.
There is no new information here - some people are perfectly happy with Apple's walled garden business model as it is and/or don't think Apple should be forced to change, while some think that Apple should be forced to change it so that customers can have more freedom or developers can collect more money.
You mean “infamous” as in what every other platform does - including Google and the console makers? The console makers even force game developers to pay a royalty on every physical game sold.
> 30% of all revenue that passes through an iPhone
A bit of hyperbole there. 30% of revenue from sales of digital goods after the first $1m (15% before).
I’ve probably spent $20k on Amazon using my iPhone this year alone. You don’t think Apple takes 30% of that, do you?
Besides, it’s so funny when people use “rent seeking” as a pejorative. Like, yes, the reason my landlord bought this house for a lot of capital up front was that they believed it would be profitable to rent it for much smaller amounts for a long time. What, am I supposed to feel entitled to use the house for free?
A bunch of years ago I made several hundred thousand dollars from the App Store. You know how much I would have made without the app store? Zero. Do you think I begrudge the 30% I paid, any more than I begrudge the rent I pay for this house?
I understand people who dislike the Apple walled garden and want no part of it. I do not understand people who want all of the benefits but expect Apple to provide it for free.
> 30% of revenue from sales of digital goods after the first $1m (15% before).
Not quite - if you go over $1m in revenue you pay 30% on all revenue in the following year.
I honestly believe that if the App Store were to start now, they would feel entitled for a cut of all physical goods transactions that happen.
I don't believe Apple produces 30% of value when someone (hypothetically) signs up for Netflix on an iPhone. Apple's App Store actively hinders value creation when they prevent Netflix from using their existing saved credit cards to re-subscribe a user on an iOS device.
> Do you think I begrudge the 30% I paid, any more than I begrudge the rent I pay for this house?
It sounds like you saw value in something, and you paid for it. A competitive product would be able to stand on its own and developers (and users) could make a decision on what product they wish to use - I'm sure that a lot of developers would continue to use Apple's payment infrastructure because they find it easier!
> I honestly believe that if the App Store were to start now, they would feel entitled for a cut of all physical goods transactions that happen.
There must be a name for this fallacy, where one bases their opinions on speculations about how things would be different today if their already-held opinions had been true long ago. Some kind of retroactive confirmation bias?
> It sounds like you saw value in something, and you paid for it. A competitive product would be able to stand on its own and developers (and users) could make a decision on what product they wish to use - I'm sure that a lot of developers would continue to use Apple's payment infrastructure because they find it easier!
You're not paying for the payment infrastructure. You're paying for the discoverability and distribution. I cheerfully paid 30% to reach a few hundred thousand users when I could have reached, maybe, tens of users on my own. I find it hilarious when people explain how I was ripped off with exorbitant fees.
>Besides, it’s so funny when people use “rent seeking” as a pejorative
"People" including anybody from Marx to the left, all the way to Friedman and Hayek to the right, including Adam Smith...
Sorry, rent-seeking is milking assets without producing value (or with only minimal investment/maintenance costs). It's the opposite of a functional market.
>Like, yes, the reason my landlord bought this house for a lot of capital up front was that they believed it would be profitable to rent it for much smaller amounts for a long time. What, am I supposed to feel entitled to use the house for free?
No, you're supposed to not want an economy where people mooch off of standing assets, but actually contribute to making value (and products and progress and stuff).
Rent-seeking 101: "Rent-seeking activities have negative effects on the rest of society. They result in reduced economic efficiency through misallocation of resources, reduced wealth creation, lost government revenue, heightened income inequality, and potential national decline."
The Apple ecosystem is not the App Store. They make money off the sales of physical products and their own services like iCloud.
Making money off of the App Store is pure rent seeking. Its maintenance and (very infrequent) improvement costs (negligible compared to its profit) don't make it any less so. Heck, actual rented properties like houses also incur some maintenance costs on the owner.
> Besides, it’s so funny when people use “rent seeking” as a pejorative. Like, yes, the reason my landlord bought this house for a lot of capital up front was that they believed it would be profitable to rent it for much smaller amounts for a long time. What, am I supposed to feel entitled to use the house for free?
They mean "rent" the econ jargon, not "rent" the thing you pay to your landlord.
Everyone uses Google Play because it's convenient. But as a notable example, Fortnite refused to use Google Play for a while precisely because of that 30% fee, and it worked out pretty well for them. Eventually they gave in and put Fortnite on Google Play. Although Google kicked them off later (they pushed an update which allowed users to bypass Google's 30% cut using their own payment system) so it's back to direct download from the website.
> Apple is famously the company that tells rent seekers after more ROI above all to f off (both Jobs and Cook).
One of my favorite CEO moments comes from Tim Cook on an earnings call:
“If you want me to do things only for ROI reasons, you should get out of this stock,”
And then more recently “If you're a short-term trader, do not invest in the Apple stock,”
I understand both, but it’s so odd to hear a CEO tell people “no, we don’t want your money” and I will grant that Apple is luckily not in the position of needing it.
Keep in mind when a stock is trading the original company doesn't get any of that money unless they have shares.
What Cook is saying is that Apple is in the enviable position of being able to make long term plans. Not every decision can immediately be boiled down to an ROI calculation, but that's what short term thinkers want.
For example, how much has Apple invested to develop this E2E system (the tech, support, etc...), and what is the ROI? IMO, over the long term it should have a positive ROI, even if I can't draw a direct link from quarter to quarter right now.
Doesn't matter what they claim, look at the numbers and what they're actually doing. Apple has a good product with the iphone but they aren't running a charity, it's a hugely profitable business that puts money over everything, even human lives (see how they aid the CCP's totalitarian regime as an example).
For users to trust them as a guarantor of privacy and rights is naive at best if not outright idiotic. Since they comply with Beijing why would one assume they won't feed your data to Fort Meade and Brussels - who as a sidenote are planning to outlaw end-to-end encryption for major apps: https://www.patrick-breyer.de/en/posts/messaging-and-chat-co...
So the fact that you don’t have to use Apple’s in app subscriptions for users to be able to subscribe is irrelevant to the argument that apps have to use in app purchases for subscriptions?
You're missing the point. The lack of alternative app stores or the ability to accept payments and control subscriptions via other gateways is the problem. You either use Apple app store/payments and accept the fee or you don't have any transaction ability in the app.
I want to make an iOS app. I've already paid Apple the $100 bucks per year or whatever it is, so I've "done my part".
Then, I want to have in-app subscriptions and payments, and I found a great service, XYZ, that does this.
So, on my own time, with my own device I bought (which by the way, in another money-grubbing move, HAS to be another Apple device, even though there are 0 solid technical reasons to force this), I write the app, I put in the integration for XYZ.
Can I publish this to large amounts of iOS devices?
They're both Turing machines, if that's what you're getting at.
In practice, no, a console is not a general purpose computing machine.
On iOS, by design, you can install almost any kind of application even without jailbreaking it. Which people do, you can have Excel and Maps and IDEs and whatever.
Consoles, by design, do not allow that. It's almost strictly meant for games and media.
And again. I don't care. Both types of walled gardens should be abolished.
I don’t think Apple is seriously considering a major play in ads and if they are I think this signals pretty hard that they won’t be doing it off the back of consumer data.
It just doesn’t make sense to their business strategy. Apple is premium, ads are the antithesis of premium. Just doesn’t make business sense.
> After starting a post like this, it is disappointing that you fell in the trap you warned the OP about. Being contrarian and using misinformed tropes is not a good way of having a rational discussion. It is not being cool or clever at all.
Once a brand starts to build large-scale mindshare, there is of course the inevitable brand-wars fanboy faction, but there also pretty reliably seems to emerge an anti-brand faction - this pattern is consistent across NVIDIA, Apple, and many other leading-but-controversial companies. The mere mention of these companies in a positive context gets another faction reliably winding up about how awful they are and how everything they do is actually fake and a lie and intended to rip off customers unlike my favorite brand, etc.
It's essentially another form of parasocial relationship - but it's a negative parasocial relationship instead of a positive one. People gain identity from opposing the brand-signifier rather than supporting it.
The existence of fanboy factions is oft-observed at this point, but I rarely see anyone acknowledging the opposite side - the people who just are reflexively contrarian and negative about anything surrounding a brand, regardless of any counterbalancing concerns or factors. The hateboy, if you will.
And blind hate is just as destructive to nuanced conversation as blind devotion. It's also destructive to actual progress - positive steps need to be acknowledged and encouraged even if you think it's still the overall worse option, and negative steps from a brand you favor need to be acknowledged even if you think they're still the overall better option.
To do otherwise is to oppose actual progress over what amounts to parasocial tribalism - in both directions. The hateboys are just as toxic as the fanboys to reasoned discourse.
I can see your point, but wouldn't classify myself as an Apple "hateboy": I've been using iPhones since the 3GS (we have 4 iPhones in the family, 2 iPads and a MacBook).
I've just been extremely disappointed by their hypocrisy around privacy (which is a subject I'm very passionate about). They've betrayed my trust when they announced the on-device scanning functionality a few years ago; yes, I know they eventually dropped it after massive pushback from everyone that understands its privacy implications but before doing that they treated us "screeching minority" like dirt, I've never seen such condescending behavior from a legitimate company, especially one that I previously respected.
Their massive push in the ad space, combined with other scummy behavior (phone-home on macOS, backdoor access that sidesteps firewalls from 1st party apps, etc.) just paints a bleak future where all the big players (Google, Microsoft and now Apple) treat us like sheep; it's just so frustrating and sad...
The only way for a 2T business to grow is by expanding the Services business significantly, in some market that is already known to be close to half a trillion dollars in revenue.
You really think Apple is trying to make small change with ads in Apple Maps?!
> Google, for instance, used to show you ads based only on your search keywords.
This is still true. You basically never see personalized ads on search, since getting a contextual ad for cruises when searching for programming answers probably isn't going to end up with many clicks. Instead, it's only really 'Google Ads' (AdSense on other websites) and YouTube where personalized ads result in higher CPMs.
(Although Google does indeed use your search history for ad targeting.)
> (Although Google does indeed use your search history for ad targeting.)
Yes, and it's not the advertising part that is evil. It's the part where they spy on every aspect of your life because doing so makes ad sales more profitable.
Point of order: their inline-ad-placement on search results is evil. It exists to trick the unwary, including vulnerable people like the elderly, sometimes into landing on scams, thinking they're legitimate because Google presented them as top-level search results.
> Point of order: their inline-ad-placement on search results is evil.
I don't think that is necessarily evil, but it certainly is embarrassing for Google since Google used to make fun of competing search engines for that exact behavior back when Google was still the underdog.
Spying on everyone's credit/debit card transaction data, on the other hand, is definitely evil.
> as Google said in a blog post on its new service for marketers, it has partnered with “third parties” that give them access to 70 percent of all credit and debit card purchases
Personalized is "we're showing you ads for local gyms because we noticed that you've been watching a lot of Youtube videos about workout routines". Or whatever.
If I see ads posted in the wall on a subway in Manhattan, that they are talking about restaurants nearby and not in San Francisco does not cross the threshold of 'personalized advertisement'.
If a digital panel switched to show me restaurants in San Francisco because they detected that I travel there a lot, that is absolutely personalized.
Similarly, if a maps service shows me restaurants near my destination that have paid for placement, that's not personalized. If they show me fast food restaurants on my route because I got directions to one previously, that is personalized.
It is a moot point because Apple isn't anti-advertising _nor_ anti-personalization. They are pro-privacy. Like Google, they will just move ad determination onto the device.
I'd argue that the difference is memory. When a service provider starts making decisions based on an individual user's history, rather than only using factors which they can infer on the spot, that's the point at which I'd call the behavior "personalization".
We aren’t talking about blind devotion, though, are we?
We have a tangible actual important thing. Apple can’t plumb our backup data for their own profit.
You want to be careful not to ignore information just because it doesn’t comport with your preconceived assumptions. At least consider weighing them against your assumptions? I’m never going to be against a cookie-based metaphor, but that doesn’t make it apt.
> It's good to be passionate, but blind devotion is dangerous
Agree with you there -- the data might be encrypted on Apple's servers but that doesn't mean Apple can't scan your data on your device and report the findings back to the mother ship. They've made it increasingly difficult to know or control what system processes do.
"Unfortunately that ecosystem doesn't exist yet so we're stuck with the duopoly of evil-doers..."
That is no longer the case. There are projects starting to come out which are open source and building on top of AOSP like GrapheneOS, CalyxOS and a few others but those two are solid options at the moment.
I am not sure why GrapheneOS doesn't get mentioned here on HN but it's seriously a wonderful project that includes privacy features not available even on iOS. They are this far ahead of the game when it comes to privacy and security. Highly recommend checking them out.
> I am not sure why GrapheneOS doesn't get mentioned here on HN
Probably because with GrapheneOS you have to rely on Android phone vendors which lock down the devices more every year. In my opinion, this is not a sustainable solution in the long term. GNU/Linux phones could be more sustainable.
>Apple is positioning itself to become a major player in the advertising space and - with a dwindling economy and an increased pressure to sustained growth from shareholders - that's going to continuously encroach on our privacy guarantees for monetization purposes.
Or they could sell us a rugged iPhone with a removable battery and SD card slot to extend storage but keep the proprietary OS to keep the music/movie ppl happy plus keep out malware not sent via FISA warrant, but if they did that Tim Cook might jump off the top of the donut apparently, so they keep going the way you describe.
> Or they could sell us a rugged iPhone with a removable battery and SD card slot to extend storage but keep the proprietary OS to keep the music/movie ppl happy plus keep out malware not sent via FISA warrant, but if they did that Tim Cook might jump off the top of the donut apparently, so they keep going the way you describe.
I'm sure 3.5 humans who want that will appreciate that product.
> we already know by now Apple is positioning itself to become a major player in the advertising space
There's a fundamentally different approach to advertising by Apple than say, Google or Facebook. For one thing Apple isn't doing web ads. They've not got an AdSense style platform and likely never will.
The ad network they're building is for inside their own apps, and likely eventually for app developers to integrate into their own apps - apps only.
In addition those ads are for items within their existing ecosystem, ie more apps.
In terms of data collection this means they don't need the insane levels of information that Google and Facebook collect. All they need is a rough idea of your interests, which can be gained from the apps you use, and your activity in their own apps. Everyone using an Apple device must know they store your location, so that one's an obvious no brainer.
They don't however need to know your browsing habits. Would it help target better? Absolutely, but the whole aim of their ad network is to keep you inside apps, not browsing the web. If you're using Chrome, Safari, etc they can't advertise to you as again, it's not a web-based ad network.
As data collection goes, the way they're doing it is about as least intrusive as you can get. There's no following you around the internet going on, which has always been the biggest issue with Google and Facebook.
I'm not saying Apple is a 'saint' in all of this, but it's not even close to the level of tracking other companies use.
> The ad network they're building is for inside their own apps, and likely eventually for app developers to integrate into their own apps - apps only.
The money generated there will affect behavior elsewhere. These walled garden profit centers always do - having a disproportionate number of resources for the task and with it the ability to ignore the needs of the greater business.
Can you give examples of some of the times Apple has been caught with their hand in the cookie jar? Otherwise it seems like a bit of a false equivalence.
I can't generalize, but could point out to the contraction of venture capital investments, for example. Does that mean "dwindling economy"? Maybe not, but it does constitute some type of signal.
Yeah, this has been so depressing to see. I disliked that there were ads when I signed up, but it was part of a bundle with other things (arcade, music, tv, fitness, etc.), so I gave it a try. But they've been increasing in frequency and they've been added to places they didn't exist before (like when you swipe to see the next article). It's still nowhere near as bad as reading a web page without an ad blocker, but it's definitely past my threshold of pain, and so I'm just using it less. I want the other things in the bundle, so they'll count me as a subscriber, but I'm using it less each day.
What's particularly odd is that some articles have no ads at all. Some have the same ad repeated literally 3-5 times in a short 1,000 word article. And the ads are all trash. They seem like those awful chum-boxes you see on web sites. Who in their right mind thought this would be appealing to the typical Apple user? I mean, regardless, I have never intentionally clicked on any ad on the web in 30 years, and I'm not going to start now.
It's sad because it's exposed me to regional newspapers from around the world. I live in California and see articles from newspapers in Idaho, Utah, Connecticut, upstate New York, Dallas, Miami, Chicago, etc. and even from other (mostly English-speaking) countries like Canada, England, Ireland, Israel, and Australia. They even include some (English-language) stuff from China. I don't normally see news sources that diverse on the web because it takes more effort. But the ads just make it not worth it to continue using.
News+ silently dropped one of my preferred news sources last week. No updated articles for a week now and it's no longer listed on the news sources page on the web site. Oh well, I'm still in a free 6 month trial but no longer intend to become a paid subscriber next year.
Even with the amount of leverage they have to control third parties, media companies are too big for them to control. I’d be willing to bet they had little choice but to let the various publications run ads as they please. Those companies don’t need to be available on Apple News+ to survive. But Apple News+ has no chance without them.
Are these ads? If I see a large derivative, I can usually glance down at the relevant news to see why. More often than not, it says "No Recent Stories", which shouldn't be the case for an ad.
The news articles in the main view are just top business stories from Apple News. I don't see anything ad like at all, actually.
I hate ads, but for most people paying some bucks a month to make sure their 2nd brain of photos/notes/passwords/texts/etc is totally (and now privately) backed up is a worthwhile insurance policy.
I think the argument that advertising iCloud plan upgrades in settings, where you’ll be pointed to if you run out of backup storage, is very benign as far as ads go. Although I do think that they should have a method to dismiss it (I don’t see this so I’m projecting that they don’t).
I don't have ads on my phone or my desktop. Why should I settle for a shittier experience A? The fact that there is an even shittier experience B is no argument.
The only 'ads' I've seen from Apple have been the aforementioned iCloud invitation in Settings, there is also a prompt to sign up for iCloud when first setting up the system. That's an element of user choice - 'use our service, or don't, we won't ask twice'.
Unlike MS - you have to link everything with an ID when first setting up W11, no choice unless you go to extreme workarounds. Constant nagging and manipulation thereafter.
With that said, what platform are you using that has no ads at all? Presumably Linux on the desktop, which I can almost use. But unfortunately I can't use it on mobile, I have too many use cases in the personal and business world that require a 'normie' grade phone.
Yes, Apple is slightly less bad than Windows. On the other hand, Linux doesn't have any ads (other than the silly ones Ubuntu is trying to push on the command line these days).
Calling a onetime pop-up of a service offering an ad is stretching the description somewhat. Also, it's losing sight of the main argument - ads driven by gathering personal data is what causes concern.
If you consider that an ad, then we are not talking about the same topic. Like sure, pedantically it is an ad, but is not the kind people mind or hurts their privacy at all, nor does it have shady incentives (it is not a third-party service).
Nextcloud is more a backup-adjacent system. You can use it for backups, but you're on the hook for maintaining that system and keeping it secure. Maybe you have time and will to do so but most don't. It's a lot simpler than it used to be on Ubuntu (nowadays just `snap install nextcloud` and you're good to go) but that doesn't make it carefree.
I ran my own Nextcloud instance for ~3 years, recently moved to Syncthing for simplicity. But that use case is more about making certain pieces of data available to all my devices, not for backups.
File backup is just one of its many capabilities. I use these apps in Nextcloud currently which sync to all my devices:
News/RSS reader
Cospend like Ihatemoney
Contacts
Calendar
Music
Mail
Photos
Talk for voice and video
Bookmarks
Deck/kanban board
Tasks
Notes
Maps
Polls
Forms
Money
Health
Passwords
Collectives/Wiki
I did the same with my instance. More power to you if the tools are good enough for you, but I found them too clunky to use compared to dedicated products in the space.
Still, I did appreciate the breadth of apps that one could install.
Nextcloud ecosystem is best of class rather than best of breed. Not every app is the best, but many are under active development and improving rapidly. I might have too many eggs in one basket, but the maintenance is very easy this way.
Subjective and rhetorical, but yes lots of people think there's too much money on the table to just eschew ads in their products. Let's be honest, Apple has a captive market, and their largest real issue is that they make too much money and can't find anything to spend it on.
> seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river.
Their software is not open source. Before this announcement you had to trust Apple not to look into the files you store in the cloud, now you have to trust that they're actually going to encrypt your files and not save the decryption key. Ultimately you still have to trust Apple.
A combination of any open source OS, any cloud provider and Cryptomator or Veracrypt wouldn't require as much trust in one company.
You're trusting somebody no matter how you do it unless you own all the hardware that supports your ecosystem.
The Free Software world has had ample opportunity to produce something as carefully assembled, as smooth, and as capable as iOS, and what we got instead was Android.
I've watched the whole FOSS world happen in my career, and there are places where I cannot IMAGINE choosing a closed source solution, given my druthers. But it's also become super clear to me that the FOSS world isn't interested in producing polished user experiences. Sure, you or I could cobble together a FOSS-only phone-and-syncing stack, I guess, but I don't care to. Most people aren't us; doing so is beyond them.
Suggesting a normal person use something OTHER than iOS at this point is questionable at best.
A bazaar cannot produce things that are coherent and smooth: it takes a vision of a single person to control a large amount of aspects, implemented by other people the way the leader prescribed. That requires the cathedral approach.
Sometimes it works with a right BDFL, for some time (like Python). It also works with solo projects, and with projects with large commercial support (like Blender), especially those which don't normally accept your pull requests, except as a proof of concept (SQLite).
But the normal open-source model produces things like Linux, git, ffmpeg, VLC, etc, which are wonderful and have immense power, but are hardly sleek or excessively coherent. And each of them is much, much smaller than macOS or iOS.
Something I've come to understand is that just as we have "time vs. space" tradeoffs in, well, primarily computing (but can be applied to virtually everything), we can also reduce essentially all preferential decisions down to "freedom vs. convenience".
The kind of person that uses Apple products/services cares about convenience. The person that uses the third party Android ROMs, in particular, cares more about the freedom.
FOSS people who see themselves as digital freedom fighters LOVE to trot this out, but I don't think it's true in any meaningful sense.
It's more accurate to frame it as preferring low hassle to high hassle. Or to preferring well-designed tools to haphazard efforts. Or, from the other side, preferring some degree of DIY to turnkey products. (In particular, I think this is a HUGE piece of it; lots of hackers want to build their own toolchain, and then they get to feel noble because they're doing it for "freedom.")
I'm pretty "all in" on the Apple ecosystem. Each step of the way, I thought pretty deeply about my choices, and still ended up with an Apple option. But to characterize this as me caring more about convenience than "freedom" implies that I have somehow given up or endangered MY freedom, which isn't the case.
I'm able to do anything I want to do in this ecosystem. Macs are general purpose machines; I can build from source, and I can run code from any repository I want.
iOS is closed by design, and the result has been a very stable and predictable platform that I do not believe is possible WITHOUT that closed nature. I can't hack code on my phone, but I also don't WANT to. There are lots of appliance devices in my life I don't want to hack, and that I just want to USE.
You're right, you have the freedom to choose a device with less freedom. And that's fine. I'm not trying to be condescending to people who prefer convenience. It's a reasonable preference to have. I don't see how this disproves my point though.
I will admit, Macs are much better in the software realm, but the hardware has almost no internal upgradeability. There's some, but it's less. That's my point. And yes, many non-Apple computers also have that same problem. My gripe isn't with Apple. It's with companies who don't give maximal freedom with their devices, as I prefer more open systems, personally.
I am one of those FOSS people. I was all in on Apple up until about 6 months ago (iPhone 13, 13" M1 MBP, AirPods, an iCloud+ sub and some peripherals). My wife still is.
The main reasons I left are repairability and upgradability; forms of freedom that you simply cannot deny Apple isn't great at, from design all the way up to policy. Privacy was also a reason. It is true that you have to place trust somewhere up the chain when it comes to the way specific software handles your data, but things like where it is stored and how it is encrypted are in your own hands when you DIY.
These things are not theoretical; if I want to use a different Wi-Fi adapter, a new SSD, RAM, a replacement screen, speakers or barrel jack then I can. There are parts available for very reasonable prices as well as the manufacturers' repair manual. It doesn't require solvents or esoteric tools.
Now I use a business notebook with Linux that is worse than the M1 in some respects, but in hindsight I'm willing to give up the battery life and cool runnings for the ability to repair and upgrade (and ports! Ethernet, yay!). Same goes for the phone (I went for a FairPhone).
It isn't as polished, very true. There's some rough edges and it takes a little more work, and yes, sometimes a bit of frustration. But the upside is tangible, it's not some form of feigned nobility.
Wild. I can't imagine that transition. I can't imagine that thought process. It seems goofy to me. It's not just that you abandoned the high-polish, high-usability world of Apple; it's that you also had to bail from high-quality, high-polish hardware from any vendor. I've seen the kinds of laptops you're talking about; they're kind of awful, miles away from the best that Apple or even Dell or Lenovo are bringing to market. But you do you.
Honestly, I suspect you just like having to tinker with your stack to get work done. (I mean, I've been there - I use OrgMode.)
Sure, being able to swap out parts is theoretically nice, but you'll do that maybe once in the useful life of a computer -- but I haven't needed or wanted to do either in easily a decade. How often does this really come up? On the other hand, you'll confront that lack of whole-package QA and general polish every time you turn your computer on.
And I'm really curious about anyone's privacy needs if they abandon APPLE for roll-your-own. Yes, it's all in your hands now, but most people don't have the time or inclination to be sure they're doing all the right things, security-wise and privacy-wise, to stay safe. There's a good chance your DIY approach is less secure than iCloud unless you literally do this sort of thing for a living. I mean, this is why I don't run my own mail server anymore (hello, Fastmail!).
So yeah, I think lots of people say "freedom" when they mean "I just want to tinker with my toolchain a lot and occasionally feel superior about it."
>it's that you also had to bail from high-quality, high-polish hardware from any vendor. I've seen the kinds of laptops you're talking about; they're kind of awful, miles away from the best that Apple or even Dell or Lenovo are bringing to market. But you do you.
I use an HP 830 G5, a high end 13" thin notebook from 2018. It cost me 350 bucks. I sold my M1 for 70% of what I paid, and I can replace this thing for something similar, so it makes financial sense in my case. It's just a platform, I don't really care about the thing itself. It hooks into a thunderbolt dock for a lot of its life anyway.
>Honestly, I suspect you just like having to tinker with your stack to get work done. (I mean, I've been there - I use OrgMode.)
I run Fedora 37 (35 and 36 upgraded without issue). I'm in the process of building a new house, which requires insane amounts of paperwork and communication as well as document storage and exchange. I need this to be rock solid, running E2EE on a NextCloud VPS in combination with this workstation setup does that for me. It's a little work up front, but it's been smooth sailing ever since setup was done. It just gets out of my way; I don't care about this WM versus that, this display manager, the whole systemd discussion. Everything except the fingerprint scanner just works, no tinkering required.
>Sure, being able to swap out parts is theoretically nice, but you'll do that maybe once in the useful life of a computer -- but I haven't needed or wanted to do either in easily a decade. How often does this really come up?
You can't predict breaking your computer. I managed a pretty large fleet of Macs for a living for about 2 years; build quality is great but they're not infallible. When they do break, you're at the mercy of Apple, and I simply do not have the time to wait for their repairs. With this setup, not only can I upgrade whatever, whenever, but anything that will run Fedora and has a modest amount of local storage can replace it for at least the time being.
Compare that to the situation I was in: Any repairs that I couldn't have DIY'd probably would have cost me at least the total cost of this computer (maybe even twice over) and would have put me out of business for a few days.
>And I'm really curious about anyone's privacy needs if they abandon APPLE for roll-your-own. Yes, it's all in your hands now, but most people don't have the time or inclination to be sure they're doing all the right things, security-wise and privacy-wise, to stay safe.
Sure, but I do. I simply hate surveillance capitalism with a burning passion; I honestly think there is a logical set of steps from that to political division and a worse world to live in. So I don't want any part in it. I must admit that that sounds like philosophical grandstanding, but I promise you it's a sincere belief. It's not so much about privacy from state entities; that's a lost battle in my threat model.
If you're locked into an ecosystem that you cannot easily get out of (and there's a BUNCH of dark patterns Apple applies to try and poke you to stay as well as the obvious loss of software licenses) you're a boiling frog. I see Apple going in a worse direction incentive-wise. Nowadays, I just don't care about where they're going anymore, it's not my problem.
Well, that one's not so bad, but is also mostly a commercially-supported endeavor and has been for a long time.
Now, the Linux desktop is a shitshow, sure. It'll remain that way until they can settle on One Windowing & UI Toolkit to Rule Them All, which looks to be happening never and is definitely in part a consequence of so many very basic parts of the GUI being swappable and having tons of competing options. Though the kernel's attitude toward providing stable driver ABIs (or rather, not doing so) isn't helping.
Is it a shit show, though? Things were more rocky two decades ago, but my computing experience with Linux today is unmatched by any other kernel or operating system. Comparatively it feels like the UX of OS X and Windows are the total shitshows.
> as carefully assembled, as smooth, and as capable as iOS, and what we got instead was Android.
Some of us prefer Android to iOS :) Having used iOS as well, the one thing I miss in Android is Continuity. Other than that, I find Android gives me a better experience. I'm certainly an outlier in many ways though compared to the average user.
My favorite part of android is how security patches go through a multi-tiered trickle-down system of testing to make sure they work with the dozens of custom flavors each manufacturer has so that by the time you get patched it's been in the wild for weeks or months. Oooh, ooh, no that's not my favorite thing, my favorite thing is how each cellular company gets to put their own bloatware on top of the bloatware that each phone manufacturer gets to add to it. Oh wait, maybe it's patch support ending for new phones 3 years after they were released. There is so much to love about how Android turned out it's hard to pick just one thing.
> My favorite part of android is how security patches go through a multi-tiered trickle-down system of testing to make sure they work with the dozens of custom flavors each manufacturer has so that by the time you get patched it's been in the wild for weeks or months.
This is not the reason for security patches taking too long to be released to certain phones; Google has a monthly cadence of releasing security patches and zero-days have rarely (I can't remember a case of that happening but maybe it has happened) missed it. Do you have a source for it?
> Oooh, ooh, no that's not my favorite thing, my favorite thing is how each cellular company gets to put their own bloatware on top of the bloatware that each phone manufacturer gets to add to it.
There are unlocked phones available and honestly this problem is mostly a US problem. Rest of the world isn't in the iron fists of their carriers.
> Oh wait, maybe it's patch support ending for new phones 3 years after they were released.
You can vote with your wallet and choose vendors where this is not the case; Google, Samsung and recently OnePlus offer 5 years of security updates.
>There are unlocked phones available and honestly this problem is mostly a US problem. Rest of the world isn't in the iron fists of their carriers.
In the rest of the world phones are unlocked in terms of being able to use different SIM cards, but mostly the bloatware is still there and can only be disabled (not removed).
> This is not the reason for security patches taking too long to be released to certain phones; Google has a monthly cadence of releasing security patches and zero-days have rarely (I can't remember a case of that happening but maybe it has happened) missed do you have a source for it?
Yet and still Microsoft solved this problem years ago. Why can’t Google? Hell my 2006 Mac Mini got years of Windows 7 updates after installing Windows on it.
This is interesting, they’ll try to tell you it’s because the cellular modem requires extra testing by the carriers and manufacturers, but windows can support upgrades that don’t affect an add-in card cell modem… so what gives?
I'm sure they do the same testing but because they control all the hardware and there are so few models to test on, it makes things much easier. I don't think there's anything in particular about Apple's process that would scale better to the number of devices supported by Android.
I don't, and that's not what I said. My point was that Apple doesn't have to think about testing vendor-specific bloatware every release across a wide range of very different devices.
Tbf the pixel phone does have issues making emergency calls, every time they claim to have fixed it we hear another report of an updated phone not being able to connect.
>The Free Software world has had ample opportunity to produce something as carefully assembled, as smooth, and as capable as iOS, and what we got instead was Android.
You mean the same OS that allows you to build your own open mobile OS as opposed to a closed source locked down OS that permits only 1 app store and 1 payment system?
>Suggesting a normal person use something OTHER than iOS at this point is questionable at best.
It's only questionable if you prefer the prison that is iOS.
Acceptable security afforded today - through usability - is better than superior security, that could've theoretically been gained, but wasn't, because it was too difficult to set things up.
In particular, reviewing open source code has been repeatedly proven to be a way harder task than the proponents of this strategy are painting it to be. If you want an auditable codebase, you pretty much have to throw Linux, Chromium/Firefox, Gnome/KDE all out the window - there's just way too much code.
Auditable code is naturally always preferable to non-auditable, but you need to choose your trade-offs - or at least stop pretending you can read a hundred million lines in your life time.
On top of that - do you know a single non-tech person who knows how to set up a VPS, or knows what Veracrypt is? OTOH I can just show my wife: click here to enable backups.
Let me reframe the problem: What is your threat model? How much effort are you willing to commit to mitigate the dangers?
This is a succinct explanation of the problem. Do we give the vast majority of users extremely easy, frictionless access to very high levels of security and privacy? Or do we give the vast majority of users a fundamentally insecure solution that with lots of learning and configuring and time can have very very very high levels of security and privacy?
The crazy thing is that apple hardware beats most other hardware, too, at a high price. Better phones, better tablets, better laptops. More secure, more private OS than the popular consumer alternatives (Windows, Android). Arguably much better OS all around, too (at least IMO -- iOS beats even stock Pixel Android at usability, MacOS v Windows is like the Harlem Globetrotters playing the Washington Generals.)
> stop pretending you can read a hundred million lines in your life time.
For me, and I assume most others, it's not that we expect to read all the code ourselves. It's that there's a large developer community and security researchers who have access to the code who will collectively read it all. Of course this isn't a guarantee that there are no security flaws, and you still have the pipeline problem of ensuring the binaries you get actually come from the code you think they do. But all else being equal, I think open source provides a significant level of threat mitigation.
Even if you fully trust Apple not to intentionally back door anything, there are far fewer eyeballs on their code. Given that access to source code also has the potential to reveal security holes that may have gone unexploited, there is of course a tradeoff here too.
> It's that there's a large developer community and security researchers who have access to the code who will collectively read it all. Of course this isn't a guarantee that there are no security flaws.
Yeah, about that, I'm as much of an Open Source buff as anyone, but:
> Analysis of the source code history of Bash shows the Shellshock bug was introduced on 5 August 1989, and released in Bash version 1.03 on 1 September 1989.
[...]
> The presence of the bug was announced to the public on 2014-09-24, when Bash updates with the fix were ready for distribution, though it took some time for computers to be updated to close the potential security issue.
Especially older Open Source software tends to have maintainers that haven't adopted modern software development practices so we're back to square one, since most of this older software is foundational technology, like Bash.
I'm not sure I understand the concern. I don't think it's at all unlikely that there are such long standing bugs in closed source software that's been around the same amount of time. We might just never hear about it or those bugs might never be found. Of course, I have no proof that's the case, but I'm not convinced that finding longstanding bugs in open source software is evidence of inferior quality (this is what you seem to be implying, but I may be mistaken).
> but I'm not convinced that finding longstanding bugs in open source software is evidence of inferior quality (this is what you seem to be implying, but I may be mistaken).
I'm not implying inferior quality, I'm implying no correlation.
There was a very strong assumption from back in 1999, that "lots of eyes make all bugs shallow", with a focus especially on security.
In reality, there's no correlation.
You need those eyes to actually be looking at stuff proactively, you want automated scans, you want modern software development practices and CI/CD pipelines, you want those eyes to actually be qualified to look at what they're looking correctly, etc.
Just putting stuff out there and assuming "people will look at its insides" is a bad assumption.
Open Source in my experience is not inherently superior from a security perspective to proprietary software.
I think this is less of an issue than you might think - if they're going to decrypt for law enforcement then it will become painfully obvious there's a backdoor literally the first time evidence is brought to a court that shouldn't have been available without a decryption.
But that could be a very long time if they just apply some form of parallel construction to most cases. They aren't going to burn such information on the first low level criminal/CP target they find. Instead they will wait 5 years and then sweep up a bunch of people involved in some criminal "ring".
And the problem with all these services that provide some kind of E2EE encryption and still have a way to push application updates (or run something in your browser), is that they just slip a version on your machine that sends the password to the feds/whoever when you type it in.
Thing is, if law enforcement is patient they can get the data off the actual devices themselves, if they're still alive. Yes, a fully patched iPhone tends to be a fortress of might to anyone other than a nation state willing to burn a few very expensive 0 days, but with almost any phone if you wait a year or two something will inevitably come out that will allow the ol' Cellebrite crowbar a cranny to slip into.
Notably, the only other serious competitor in the space is also not open source. Sure, you can probably carefully construct a phone from only FOSS, with some compromises of course. But this is unfeasible for regular users, who have for all practical purposes only two choices. And those same users are unlikely to go for alternative replacements for built-in functionality just to reduce their exposure. Convenience wins every time.
my comment was not against someone 100% paranoid using GrapheneOS and doing their own backups somewhere and trying to figure out how to get a good google maps alternative in open source.
my comment was that against main stream companies apple leads the way, and it's overall great for a consumer.
do you personally inspect every piece of open source software? do you run your own email servers, music servers, photo backups, etc.? If not, you somehow trust those companies -- why?
> 1) they just ate every other 3rd party "secure" backup services lunch just like they did to the Hi-Res music industry.
This is an excellent point as to why you shouldn't even bother trying to develop software for apple machines. If it's anywhere near successful apple will just destroy you, after having taken a 30% cut from your revenue for years.
You pretty much have to be on their store to sell something, which means you give them access to your sales and customers. Which is a concept that is absolutely wild in any normal healthy competitive landscape.
Then they'll monitor and if you manage to actually be successful, 3 months later there's an Amazon Basics version of your product.
It's so incredible to me how these practices get no push-back. There used to be a time where in the case of Windows, people were wondering if its fair that they ship it with a calculator program. Now you can just use your massive platform and extend in every possible direction, seize secondary markets, nobody seems to care.
I think this is the part that is not legal, and which they say they don't do, etc.
* Amazon uses third-party seller data to copy the site's most popular products, an antitrust report by the House Judiciary Committee alleged on Wednesday.
* Former Amazon sellers told an antitrust subcommittee the company released new products almost identical to their own and "killed" their sales.
* Amazon has denied accusations of this behavior in the past.
"We have a policy against using seller-specific data to aid our private-label business," Amazon CEO Jeff Bezos said in July.
> There used to be a time where in the case of Windows, people were wondering if its fair that they ship it with a calculator program. Now you can just use your massive platform and extend in every possible direction, seize secondary markets, nobody seems to care.
Windows was artificially crippled by the DoJ ruling and not including a PDF reader by default. I, for one, like it when more is built into the OS by default.
Well on the optimistic side, they might buy your product or company, which they have done numerous times in the past like with Beats, Shazam, Siri, etc..
ok, i may buy your argument from the perspective of a brand new cloud storage provider that's trying to come up online and break into the market, but you're telling me that Dropbox, OneDrive, Box, etc., are all indie developers living in their parents' basements? These companies made a conscious choice not to offer encryption and now got the rug pulled out from under them. steve jobs famously said that this "Storage" is just a feature, not a product, and now they've proved it.
additionally, as far as i can see, those apps are all free to download and you can buy their plans outside of the apple ecosystem and thus they get a free ride in the App Store without giving away any cut to apple.
While I am the very first one to fight for allowing side loading on apple devices, didn’t the Netherlands’ dating services decide in the end to go with Apple’s payment processing even with that cut?
I get this sentiment, but where do we draw the line? Shouldn’t OS makers (Apple, Microsoft) add additional apps just because third party developers have done it already?
"If you buy a phone or general purpose computing device, you have the legal right to choose your app store and applications installed on it separate from manufacturer demands".
The particular problem with Apple is that they not only duplicate your app, they can underprice it by 30% because they don't self pay their own store tax, and they can kick you out of the only app store for whatever reason they choose to make up that day.
I remember back in the early days of the iPhone, new feature releases would coincide with lots of apps being removed from the app store with the reason "this app duplicates core functionality of iOS."
> If you buy a phone or general purpose computing device
Point of clarity, the devices we are discussing are neither telephones, nor are they general purpose.
They are smartphones, a sort of miniature computer with a bunch of general-purpose sensors, and actuators viz. a screen and a speaker and some haptic feedback. They don't really do much computing per se; we outsourced most of that to The Cloud some 15-odd years ago. These things are just highly capable I/O devices, or clever terminals if you prefer.
And while Android has the PlayStore or whatever they call it this week, one can usually choose to load rogue APKs and one can usually succeed; and things like the Pinephone or Fairphone have been attempted that leave more power (and responsibility) in the hands of the user, but in practice it seems that they simply don't _work_ that well.
I agree with you wholeheartedly; I just think the "if" part is a bit out of sync with reality.
I like this view, though many people aren't just purchasing the phone from Apple, they are purchasing the OS and integration into the Apple ecosystem. Definitely think the user should have the option to pick the app store though
Apple doesn't seem to be in the business of selling software very much. Instead it's mostly used to increase the value of the hardware. The stuff I've seen them incorporate that at one time were apps weren't 30% cheaper when bought from Apple, they were free (i.e., they came with the device).
If they think some third party feature should be part of the core experience, they're going to incorporate it. This is true when building on anyone's platform (e.g., Microsoft, Facebook). Non-core experiences, like domain specific software, are less likely to suffer this fate. It's similar to when MS decided to ship a browser. God help you when the platform you're on decides they want to subsume your features.
> Apple doesn't seem to be in the business of selling software
As sheer hardware revenue growth slowed, they moved their focus to services [0].
That’s also what we’re seeing in their push into more ads for instance, and this new feature goes the same direction: to benefit from these encrypted backups you’ll need to sign up for storage. For most people wanting to cover more than one device, they’ll probably end up with the 2TB plan which is at 10 bucks a month, the bare minimum 50GB being at $1 a month.
> Apple doesn't seem to be in the business of selling software very much.
This is veritably false, they made $80 billion selling software this year. You might not see the App Store as software revenue, but Apple certainly does.
The context of the text you quoted seems to pretty clearly be about Apple selling their own software, e.g., as a publisher, not as a distributor. This whole branch of the discussion thread is, after all, about whether Apple adding end-to-end encryption for iCloud backups is "sherlocking" other cloud backup providers (spoiler: no).
People who didn't live through that era really don't appreciate a key aspect of it, which was that MSFT OWNED the desktop -- like, 90+% of the market. There were no other real options. For a good chunk of that period, Apple was seriously on the ropes and might not have survived. (Michael Dell famously said it should be sold off and the money returned to the investors.)
Microsoft had deals in place with PC makers so that it was impossible, nearly, to buy a computer without buying a Windows license. BillG specifically told Netscape he planned to "cut off their oxygen supply" by shipping a browser with Windows, and he did this because he was smart enough to see that browser-based software could endanger their control of computing. That was literally illegal.
No one has anything like the control they had back then. The desktop market is still mostly Windows, but Apple got healthy and took a decent chunk back. Now there's also ChromeOS and Linux out there, too -- plus, we have mobile, which is an even BIGGER chunk of the platform market, and it's split between iOS and Android.
So that's at least 6 different software platforms a hypothetical user could pick in 2022, and they're spread over dozens of hardware manufacturers. That's been the norm for so long now that it's easy to forget how little choice we had in 1998.
*ANYWAY* the bigger point is that adding features to your system isn't a problem if you're not acting as a monopolist. Microsoft WAS in the 90s. Nobody has that ability now.
Apple just undercut this by creating an ecosystem which funnels something like 80% of mobile profits in their pockets.
Then they just point at marketshare and say: "we only have 30% worldwide". Yeah, but your stuff is aspirational and the vast majority of Android users have lower disposable income so spend less and many switch to iOS when they have enough money.
It's very sneaky and it's breaking everything down.
They do not control the market, and thus are not subject to -- and should NOT be subject to -- the kinds of restrictions justifiably imposed on actual monopolists.
> Android is stagnating, if anything despite the free and Open Source operating system
I might argue that Android is stagnating BECAUSE it's free/open source, and as such lacks effective leadership.
If a company could have 1 single user and that user could pay them $500bn in perpetuity for a product costing $1, they'd only want that customer.
They want more customers because they can't have that ideal case. First of all nobody would pay that much for such a cheap thing, secondly, nobody lives forever. So companies expand to make more money (= profit) and to future proof themselves.
Again, as I said, very sneaky from Apple, and I'm arguing it's breaking down existing economic models.
It's basically another run-around at "winning capitalism". Monopolies were one way. This is another one.
I think you misunderstand why monopolies are regulated.
There is AMPLE computing choice today. There is even healthy choice available in mobile alone.
Monopoly regulation is about preventing those with market-controlling power from exploiting that position in unfair ways to the detriment of consumer choice. Microsoft did this when they tried to destroy Netscape by bundling a browser with Windows. There really WASN'T another viable desktop system at the time, and mobile didn't really exist; they owned the market.
Apple is free to improve their offerings in any way they see fit. They are even free to incorporate features into their systems that began life as products from other vendors; this is the normal way of things. If you don't like how Apple is behaving, you are free to shift your desktop to Linux or Windows or ChromeOS, or to migrate to mobile devices running ChromeOS or Android. That's a functioning market.
There's nothing sneaky about openly continuing to improve one's offerings.
HN is really, really bad about ascribing dark motives to every tech company not on the Approved List (which, of course, is constantly changing). Apple is pretty smart. Adding encryption to their backup scheme is one of those scenarios where yes, it's good business, but it's also the right move for customers.
There are still a lot of companies out there with significant control over their respective markets. Apple, for example, still has a huge control over the mobile device market and is not afraid to use it to their advantage. Companies like Amazon and Google also have significant control over their respective markets, particularly in the technology space.
Seems like we can never relax, always some company waiting for the chance to take over a space. Gotta stay vigilant.
Microsoft had something around 95% of the desktop market share in the 90s. Apple is not anywhere close to that. I would agree it's similar in behavior but not intent. Microsoft was terrified of the Internet and applications that could "run anywhere" so they tried to control how people accessed the Internet. Apple is arguably adding these features because it's what their users want.
> Microsoft was terrified of the Internet and applications that could "run anywhere" so they tried to control how people accessed the Internet
I see reflections of this throughout the history of the iPhone. Apple has always controlled how people access both the internet and even what applications they can install. Every "browser" on iOS is just Safari with a skin for example, because Apple will not allow any other browser engine.
Apple will not allow other browser engines because they are a subset of "programs that run arbitrary code".
Allowing anyone to put their browser engine on iOS through the App Store would open the door to a wide variety of security problems. It would also effectively bypass the App Store, as Google (just as a totally random example) could release their own iOS "browser" that's actually their own platform for apps that they sell. Not to mention inserting their own ads into anything people browsed on it. And tracking literally every single tap and text entry that people do in that browser, including bank passwords, credit card info, etc.
On a platform like the Mac, that doesn't matter very much, because it's small enough that basically no one would bother.
On iOS? If you could get 0.0001¢ per website visit from even 1% of iOS users, that would be a money-printing machine.
> Apple is arguably adding these features because it's what their users want.
Apple would certainly argue that, yes. Foremost though, they're adding it because it's what Apple wants, and conveniently converges with the desire of the user.
Why do people act like what happened in the MS anti trust case is lost to the annals of history? Absolutely nothing came of the bundling IE with Windows in the US. There was never a time that IE was not bundled with Windows because of the lawsuit and there was no browser choice mandate in the US.
Spotify is pretty successful and yet, Apple went in direct competition with them, using APIs that only Apple gets to use in their Music app (like integration with Siri).
In the car today I asked Siri to play me a particular song (I have had Spotify defaulted for a while), it helpfully signed me up for a 7 day preview of Apple Music Voice and started playing it there! Where's the FTC? Is Apple too big to fail?
Or use Linux, the highly advanced MPRIS protocol is capable of tracking multiple media applications and presenting their playback controls. It's like space-age tech!
In recent versions, the "default" is just whatever last played media—if you were watching a YouTube video yesterday, and the tab is still open, pressing the play/pause key will start it playing again. There's even a little menu bar widget (it's called the Now Playing menu, and you can find it under Control Center in the system settings) that shows all the instances of actively- or recently-playing media the system knows about. Whatever is on top (IIRC) is what will automatically be controlled by the media keys.
I think you and I have vastly different ideas about what "giving" means.
I get 5GB of iCloud storage, unless I pay them £6.99/month for 2TB. No idea what the rate is over 2TB.
Have I missed a trick to getting this 2TB+?
(I have 7 Apple devices in my possession and have owned a further 2 that I've passed on to my kids; given the premium I paid for those I almost expect that I should get 5GB PER DEVICE, but of course that's fairly unreasonable in reality)
You can't even get over 2TB unless you subscribe to Apple One and even then you only get another 2TB. Pretty useless as a large scale backup service if the maximum you can ever pay them for is 4TB.
Per user. I know you would probably like to backup your Linux ISOs to iCloud but besides that the 4TB per account/user is pretty much all one would need.
This is for personal use, not business ;)
Been seeing a lot more of these snarky sort of comments on HN as of late, and it's not encouraging. Can we keep it civil without making light jabs at others' preferences or tech needs?
Oh come on, that's over-sensitive. The person made a lightweight remark, complete with wink at its conclusion. It was on topic and conveyed information.
Your reaction is derailment because you grabbed the wheel and steered the topic down a road about you and your expectations of discussion standards.
Part of respectable human interaction includes humorous, short and sharp casual responses on occasion. In this case, the post was replying to someone who called Apple's storage limit "pretty useless"... so we're well and truly in the fun zone of casual conversation. Not sure what you're seeking, the equivalent of a formal meeting with diplomats and official representatives?
Except the previous comment had no level of snark involved. You clipping out the "pretty useless" from the context is also misleading. You turn to hyperbole at the end of your reply, insinuating that I'm expecting some sort of formal discourse. I'm commenting on the "linux distros" portion, which makes it sound more like a cheap karma-harvesting reddit post.
Just imagine if more people made these sorts of quips out of the blue and how crap it would make the forum over time?
I wasn't aware linux distros would push the limits of 4TB cloud storage, so for me it was micro-informative. I also wasn't insinuating, I was asking you directly how much formality you want in online tech discussions.
All good. I don't want to drown in cheap karma-harvesting reddit posts either, but I don't see that happening here.
When "snark" is measured like spice in cooking, it adds flavour. I'm not suggesting popping the lid and dumping a jar of snark in the broth!
Except the previous comment had no level of snark involved. You clipping out the "pretty useless" from the context is also misleading.
You then add hyperbole at the end of your reply, that I'm expecting some sort of formal discourse. I'm commenting on the "linux distros", which seems irrelevant. Putting a ;)
Unless something has recently changed, Apple One gives you either 200GB or 2TB to share in a family group. It’s not per user. Each user can purchase an iCloud+ plan on top of the shared iCloud storage included in Apple One.
Of course you are correct, Apple is not giving that storage away.
They do make a family plan for Apple Plus ($30/month) fairly compelling: 2TB per family member, Apple TV both has some good original content as well as serving as a quick index into most other stream services, the Arcade Games are fun enough, Fitness+ is something I use about 90 minutes a week, and Apple Music. That is a lot of “stuff.”
Then there are some things that Apple gives away for free. Their podcast app is free and lets you subscribe to a lot of interesting stuff that I might otherwise subscribe to Spotify for. Handoff saves me about 5 minutes a day. Anyway, I don’t much like the walled garden aspect of Apple, but for value and convenience they must be difficult to compete against.
sorry, yes, i meant that you can now purchase 2TB of stand-alone E2E storage from apple for $9/mo, or get it as part of iCloud+. "giving" was a poor word and should have been "available".
> anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river
Ok, come on. What apple’s done here is great, and I personally use an iPhone, but you couldn’t think of a good reason to use anything else? An open-source OS?
The GNU/Linux distros (in contrast to Android) available for mobile phones are so far from usable, it is not funny. Android is a viable choice, but only if it doesn’t come with all the shit from the vendor/Google, which gives you effectively... a Pixel phone with GrapheneOS? Not too much of a choice, especially if you would like to filter based on hardware as well (where apple is just laughably ahead, iPhones are ~2 generations ahead in raw performance)
I don't bring this up to start an argument, only because someone reading might look at this comment and assume they can't use a DeGoogled ROM for their phone unless it's a mainline Google flagship -- but LineageOS maintains a fairly lengthy list of supported devices, so if you want to use something other than your phone's stock ROM, you should definitely check to see if it's supported, it very well might be.
I also encourage people to check if their devices are supported by LineageOS when they run past their support period, it can be a good way to keep getting security updates past official support windows.
Good point, though pay very close attention to which device you have, some vendors (e.g. Sony) will wipe their camera’s fancy firmware or pull similar shenanigans. That way the tradeoff may very well not be worth it.
Yep, thanks for bringing that up. I should have mentioned that.
The forums should list some caveats for the device if they exist, but don't assume just because it shows up on the list that everything will work perfectly out of the box -- double check to see if there are any downsides.
Also, I should bring up that LineageOS comes in two variants: one without Google services and one with Google services. If you want to actually de-Google your phone, check to see that you are not going to run into problems with the apps you use.
Occasionally I see people who don't realize how deep Google services can go on Android, which in some ways gets back to your argument about how "open" Android really is. So it's just good to make sure that your stuff will all work afterwards if you're planning to go down that route.
You cannot match the features or usability of iOS with anything open-source. Full stop. It's not even a comparison.
Sure, if you're so laser-focused on privacy that you want some obscure phone which will do nothing aside from text, call, and send Signal messages, go buy the weirdest one you can find. Otherwise you won't be finding anything remotely enjoyable if it's not iOS or a major Android flagship. And out of those options, only one respects the user's privacy and security.
Apple has a lot of things going for it, but let's not pretend they're perfect and anyone who doesn't use their products is unreasonable.
iOS still doesn't allow you to sideload without shenanigans (requiring you to not only have a Mac, but also have it resign any custom apps every week is beyond unreasonable). Some people don't care about that, but I do and not being able to do so is 100% a dealbreaker for me.
Not using Apple because you disagree with their decisions does not make one intentionally "going out of their way to swim up river." It just makes one a normal person who doesn't want to use what is, to them, an inferior product.
> the don't care to scan your pictures with AI 20 different ways
This is especially ironic as another post on the HN front page today is about Apple giving up on their plan to scan iCloud photos for CSAM after months of pushback.
> seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river.
This is a little hyperbolic. E2EE backups are fantastic; Apple seriously deserves a ton of praise for this. And iPhones have been getting a ton of security/privacy features that I really love, I am not going to dismiss their contributions to privacy. And while I wish some of their services like the Apple VPN/masked emails were better done, they are still fantastic features that I encourage iPhone users to enable, and that I am thrilled to see rolled out to a mass audience.
Alongside that praise, I am though going to point out that the adblocking on the iPhone is sub-par[0] because mobile Safari lacks Firefox's extension APIs, and I'll point out that their app store model blocks some privacy apps like Newpipe, which forces people into using more invasive alternatives that require stricter privacy controls. I'll point out that it is harder in some ways to get away from the default tracking that happens in Apple's apps than it is to root an Android phone and disable/swap Google services.
Threat model and personal expertise matter here; I like a lot of what iPhones do, but I also dislike a lot of what they do. Personally, I feel more confident in my ability to secure a rooted Android device than I do to secure an iPhone against the majority of privacy attacks I'm worried about. That doesn't mean that iPhones aren't the correct choice for a lot of people. I feel much less confident in a family member's ability to secure an Android phone if I can't give them advice or help them through the process.
And all of this is ignoring that privacy is one aspect of consumer freedom and rights. I think we can praise Apple for what is objectively a great move for privacy without being this over-the-top.
----
[0] Before someone complains, I'm not saying that iPhones don't have adblocking. They do have adblocking and I encourage you to use it, it's great. But that adblocking is objectively not as powerful or comprehensive as it would be to use a tool like uBlock Origin.
I think this might be the single strangest objection to using an adblocker I have ever heard. Are you implying that installing uBlock Origin in a browser raises your risk of being tracked online?
I don't think I've ever seen someone make the argument that Gorhill should be trusted less than the advertising industry, that's a new one for me.
Well seeing there is a proven alternative method with iOS that allows ad blocking without the extension being able to intercept your browsing history, you don’t have to make that choice.
I already explained this in my parent comment, but the Safari APIs for adblocking are factually, objectively less effective at blocking trackers than uBlock Origin is. It's not a matter of opinion, there are things that uBlock Origin can do that Safari adblockers can't do.
People get really offended when I bring this up. I'm not saying that Safari adblocking is useless (you should use an adblocker with Safari, and there are devs doing excellent work to get around Apple's limitations, I have a lot of respect for them), but you are making a tradeoff for that sandboxing/permissions in the form of a less effective adblocker. This isn't just me saying this, if you talk to people writing iOS adblockers, they will tell you the same thing.
If you are so scared of Gorhill that you need to make sure he isn't tracking you, then sure, make that tradeoff. Or more realistically, if there are other privacy features on iOS that you care about more than adblocking, then make that tradeoff. But it's not just silly to pretend that the browsers are equivalent, they aren't.
And it's even sillier to pretend that an Open Source standard in adblocking should be rated higher on someone's threat model than the actual websites that are tracking you when you use a browser.
Once again, it's OK for people to like iOS or to point out that it has some excellent privacy features that make it a good choice for privacy-conscious consumers. And I'll give Apple praise that on iOS, the default browser supports an adblocker at all -- it doesn't require you to install a separate browser to get access to one. But we don't need to get hyperbolic and start arguing that Apple is somehow leading the pack on literally every single privacy issue; they aren't. It's OK to say, "in this specific issue, it isn't possible on iOS to get the same anti-tracking behavior that we could get on Android or on a desktop PC/Mac."
This is specifically looking at (pre-manifest-V3) Chrome, so there are some other differences with Safari, but CNAME uncloaking is the most obvious example.
See also some of the previous comments I've made about this in the past (https://news.ycombinator.com/item?id=23622206). A few of these details might have changed (I vaguely think I remember Apple raising the rule limit), but I think the fundamentals are all still true.
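The CNAME uncloaking point above can be made concrete. The block below is an added illustration, not code from this thread, from uBlock Origin or from Apple: a hostname-only blocker (the declarative model, where a rule list sees only the URL the page requested) is compared with a blocker that first follows the CNAME chain and matches every name on it. The blocklist, the DNS records and the hostnames are all constructed; a real CNAME-aware extension resolves names through the browser's DNS API, and a Safari content-blocker rule list has no DNS visibility at all.

```python
"""Hostname-only blocking vs CNAME-aware blocking (constructed example)."""
from typing import Dict, List, Optional

# Constructed blocklist: the tracker domains a filter list would carry.
BLOCKLIST = {"example-tracker.net", "stats-collector.example"}

# Constructed DNS zone: hostname -> CNAME target (None means the name
# has an ordinary address record and the chain ends there).
# `metrics.example-news.com` looks first-party but is an alias for a
# tracker: the "cloaked" case a URL-pattern blocker cannot see.
CNAME_RECORDS: Dict[str, Optional[str]] = {
    "www.example-news.com": None,
    "metrics.example-news.com": "cdn.example-tracker.net",
    "cdn.example-tracker.net": "edge.example-tracker.net",
    "edge.example-tracker.net": None,
    "loop-a.example": "loop-b.example",   # deliberate CNAME loop
    "loop-b.example": "loop-a.example",
}


def matches_blocklist(host: str) -> bool:
    """True if host equals, or is a subdomain of, a blocklisted domain."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve_cname_chain(host: str,
                        records: Dict[str, Optional[str]] = CNAME_RECORDS,
                        max_hops: int = 8) -> List[str]:
    """Follow CNAME records from host and return every name on the chain.

    Stops at the final name, at an unknown name, when a loop is detected,
    or after max_hops (a resolver must never follow CNAMEs unboundedly).
    """
    chain = [host]
    seen = {host}
    current = host
    for _ in range(max_hops):
        target = records.get(current)
        if target is None or target in seen:
            break
        chain.append(target)
        seen.add(target)
        current = target
    return chain


def hostname_only_block(host: str) -> bool:
    """Declarative blocker: sees only the hostname the page requested."""
    return matches_blocklist(host)


def cname_aware_block(host: str) -> bool:
    """Resolver-aware blocker: blocks if any name on the CNAME chain is listed."""
    return any(matches_blocklist(name) for name in resolve_cname_chain(host))


def classify(hosts) -> Dict[str, tuple]:
    """Map each host to (hostname_only_decision, cname_aware_decision)."""
    return {h: (hostname_only_block(h), cname_aware_block(h)) for h in hosts}


if __name__ == "__main__":
    for host, (plain, aware) in classify(CNAME_RECORDS).items():
        print(f"{host:28s} hostname-only={plain!s:5s} cname-aware={aware}")
```

Running it shows `metrics.example-news.com` passing the hostname-only check and being caught by the CNAME-aware one, while a directly listed tracker is blocked by both; the loop entries show why the chain walk needs a `seen` set and a hop limit.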
> Did you personally vet the open source code? Did you compile it from scratch and install it on your phone or are you trusting it’s the same code?
I have read through parts of uBlock Origin's code, yes, but ultimately I'm trusting the broader Open Source community to say it doesn't have holes in it. And yes, I'm trusting Mozilla's vetting process for its "trusted extension" category. I think that's a reasonable thing for most people to do.
Of course, I could compile the extension myself, but I think to a certain degree that would be security theater.
----
Again, just really surprising to see an argument that boils down to "this Open Source application might potentially spy on me, and that's a greater danger than the websites that I know are actively spying on me right now." If Safari adblocking is good enough for you and your threat models, great. You don't need to justify that by pretending that uBlock Origin is insecure.
I will note, by the by, that Safari's limitations mean that (at least on desktop) the top-rated adblockers like AdGuard have shifted to running as external applications separate from the browser (https://adguard.com/en/welcome.html). This is not a dig at AdGuard, I think the AdGuard devs (as of last time I checked) are doing really great work. But if you're worried about sandboxing, running a desktop app is a lot more invasive than running a browser extension. I don't know if there are ways to do the same circumvention on iOS, so it's possible that AdGuard devs are staying in the browser sandbox there; I'd need to double-check.
Of course, you can use apps like AdGuard as pure extensions in their more limited form (I don't recommend a specific iOS app, but unless something has changed since the last time I checked, AdGuard is a solid choice) -- but you will get a more limited adblocker as a result. The performance might be good enough for you, and that's fine. But it's still correct to say that it will be more limited.
----
I will also add to this just to preempt anyone arguing otherwise that I am not saying that browser extensions shouldn't have better sandboxing. They should, extension sandboxing is awful and it needs to improve. What I am saying is that the specific sandboxing model that Safari uses (and that Chrome is moving towards) for adblocking limits their effectiveness.
This. Technically the iPhone can process images locally. The Photos app shows what is in the picture (faces, pets, food) and can do OCR on text in screenshots and photos. This is a very real possibility to outsource the processing to your device.
The camera itself does software processing and you can't encrypt the light. It detects faces even before you click the shutter for capture. There is no way to keep the device itself from ever knowing what it was looking at. Something that sensitive is something you don't photograph.
We agree I believe. I am saying that technically the device gets that information on-device, and could send it. Idk if that is the case, but it is possible.
Edit: The OCR and face recognition on the iPhone is definitely more advanced than usual, thanks to the custom hardware on device.
I mean, if you can’t trust the very OS that handles your encrypted data, then you are lost either way, so that argument doesn’t make sense. It is security LARPing similar to hardware kill switches.
* Their executives admit that they want you and your family locked into their ecosystem (leaked emails).
Sorry, but advocating for them seems like a very bad idea. Google was a cool, pro-customer company once too. Until they had the position to not be anymore. Open standards, without any vendor lock-in, are the only reasonable way.
> seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river.
Well for your use case maybe, but I do not find the value of trading privacy for freedom to be a good one, specifically since I can secure my data other ways including not storing it at all on my phone.
My phone is a tool, and I prefer to own and control completely that tool
What phone do you own and control completely? I was under the impression that every phone capable of being a phone contains BLOBs that you have no control over.
Not to mention a veritable panoply of chips that you could probably spend a lifetime on trying to prove correct and not malware'd, assuming you could even get the schematics, etc.
Can I use AppleTV+ without them tracking what programs I'm watching? Can I get them to stop showing me an ad in front of each program? Can I use Apple Music without them tracking the music I listen to? Can I use the App store without them tracking what apps I browse and download? Can I remove the ads from the App Store? Can I remove the ads for Apple Music from my iPhone?
> they just ate every other 3rd party "secure" backup services lunch just like they did to the Hi-Res music industry.
Except they only control 50% of the smartphone market and 15% of the PC market. So there is still a large market they're not covering.
> Can I use AppleTV+ without them tracking what programs I'm watching?
Can I buy something from my local supermarket without them knowing what I bought? Can I create an EC2 instance on AWS without Amazon knowing who created the instance?
I don't like a super-powered monopolistic company as much as the next guy and I totally agree that the ads situation in the App Store is not a straight business, but come on.
Some people want to use their computer completely privately and that's totally fine, but when you are using a cloud service, they probably will know how you use it. What they do with that data and how they handle it on the other hand is of importance. The problem with the whole tracking fiasco starts when the provider sells your data or "access", collected using dark patterns for example to others.
I interpreted GP's comment to be more about how it's inevitable that businesses track consumer patterns, because after all it's directly their data. Who bought it is usually irrelevant.
That still leaves the purchase data freely available, and if you purchase the same kinds of items regularly you can probably build a profile. The purchase data itself is still valuable and still tracked.
I don’t know about you but when I go to our local supermarket and use cash to buy a beer, the person behind the register kinda sees me and recognizes what I picked. They even happen to know my name as they live in the neighborhood. Do you cover your face when you shop? Because this is the scenario I was talking about.
Apple doesn’t control ads shown on TV outside of Apple TV+.
How will they do recommendations if they don’t keep track of what you listen to? How will they do recently played lists?
How will they know if they should send notifications to your phone for your apps if they don’t have a record of what apps you have installed? All notifications are bundled together and sent from their servers to save battery life.
So two words I can't find in this thread are "lawful intercept". If a judge comes down on Apple and says they are required to produce your private content, is Apple going to throw up its hands and say, "Nope, it's e2e encrypted." No, they will not. They will either run something on your device to scan it, or they will exfiltrate your encryption key, because at the end of the day they own your device. Maybe this makes it harder for man-in-the-middle attacks or whatever, but if someone with the right amount of power cares, your data isn't secure.
So that means if your iPhone breaks or gets stolen the data is lost? I guess they would have to enable exporting the encryption key to users to make the backup useful in these cases.
Give me open source dev tools for the iPhone and I'll jump.
While it is a closed garden, I'll begrudgingly accept it can be marginally better in some fields than other options, but Apple tries very hard to be a proprietary island in a world that has switched to free software.
The world of phones is based on free software. Android is based on the Linux kernel and AOSP - iOS is based on XNU, which is a combination of GNU implementations and BSD patches.
The fundamental iCloud product itself however is subpar and until that is dealt with, it won't be that huge.
Few examples:
Still can't keep photos on iCloud and delete thumbs on the phone. A real issue: my old iPhone had insufficient space and I had to move to OneDrive.
Support for other operating systems is lacklustre. One of the core benefits of cloud is accessing your files anywhere when you need them, not possible unless you're lucky enough to find yourself on a Mac at that moment.
This is the biggest gotcha that causes people to lose data every day. They try to free up space on their phone only to unwittingly permanently delete photos.
The other really annoying thing is you pay $3/m for 200GB or $10/m for 2TB… there’s no middle ground, I’d like to pay $4 for 500GB or $6 for a TB.
I don't want to be offensive but this comment really feels like an intelligently-made shitpost. Or maybe I hope it is, and I hope OP doesn't have as much devotion to any company as they are displaying through this comment.
Apple offers hi-res audio, but most can't and won't take advantage of it. Why? Because most users of Apple Music use AirPods, and Apple claims lossless wireless audio is not possible (despite the existence of LDAC). Therefore, you are streaming hi-res audio to your phone only to downscale it when listening via your headset. The only people who really benefit are carriers, who can rate limit your data.
"most can't and won't take advantage" of it is a broad statement. i would think there are a lot more DAC/Lightning adapters and analog headphones in the world than there are AirPods, anyone that wants to listen to CD (16/44) quality can probably do so for free or a few $ already. my home "hi-fi" now consists of an old iPhone 8+ hooked up to a DAC piped into my receiver utilizing the 24/96 setting from iTunes, no longer any need for Tidal or Qobuz.
With high enough “resolution” does it really matter? (Not trying to start a fight, genuinely curious as I’m not too well versed in audio)
We don’t cry over bitmaps vs vector graphics in most contexts, especially since the hardware is trivially limited. It’s probably a bit more nuanced with speakers, but I imagine that they also have very real limits on distinguishable outputs for a given input, even if it is not as trivial to see as in the case of a w*h pixel grid of depth n.
It might be possible that with very ($1000+) high end headphones about 5% of people could tell a difference, but even that is questionable. I have done many blind A/B tests with my $500+ headphone setup and no one has ever been able to accurately tell the difference repeatedly. There is absolutely no way that someone would be able to discern the sound difference between 320 and lossless on an AirPod-quality speaker.
I’m not sure about large speakers however. I assume that it’s equally difficult to tell any difference, and I couldn’t when I tested my setup. However, I have listened to some incredible $4000+ speakers before, and at that level I wouldn’t be surprised if differences emerged.
There’s so much snake oil in audio and placebo can affect sonic perception so heavily that it’s nearly impossible to find anything objective. There’s also a lot in the chain - the DAC, the AMP, room acoustics… that will affect the sound, sometimes substantially - let alone the speakers and the actual source.
While microphones obviously exist, you can’t measure sound the same way that you can measure the nits and white point of a monitor - it’s far more intangible.
It does to some - I recently rediscovered my love of CDs and was surprised to find they sounded much better than I remembered - I am currently in the process of upgrading my music to CD quality and higher, and was equally surprised to find that Apple doesn't support a hi-res codec for their wireless headphones, even though they offer hi-res music. For me, it makes their $549 (!!!) AirPod Max product extremely confusing, laughable even.
So yes, I think mp3/aac to CD, the change is very noticeable. CD to HD (24bit), not so much
Using lossless audio with AirPods is still preferable. Rather than re-encoding a lossy stream with another lossy codec, you only encode it once. Is it minor? Yeah. Can I actually hear it on AirPods? No. But it's not entirely moot.
This is true. It's better than nothing, but the price they are asking for ($549) for a top tier headset that CAN'T do hi-res audio is offensive if you know what you are looking for.
> they just ate every other 3rd party "secure" backup services lunch just like they did to the Hi-Res music industry.
Cross platform support is always a problem though. And frankly I don't buy the "like they did to the hi-res music industry"-- Spotify is still king here.
> 1) they just ate every other 3rd party "secure" backup services lunch just like they did to the Hi-Res music industry.
This is not something to celebrate IMO, Apple keeps doing this and then pushing out the 3rd party options either by pure positioning and bankruptcy or by app store policy.
The result is no choice, no competition, and over time a worse product due to absence of market forces ... beyond the high resistance threshold of getting bad enough for a user to flip the table and exit the entire iOS ecosystem they've invested in - this is the danger of 100% vertical integration.
That was a bombastic final sentence. I'm going to assume you're ignoring third party Android ROMs like Graphene, Calyx, Divest, etc.? And all of the excellent open source projects that substitute Google's stuff?
i'm speaking from the perspective of the mass consumer and thus am comparing them to other mass consumer product companies.
what you're describing is not the norm and those options should always be available, but the effort to value is simply not there to large portions of the mobile users.
> the don't care to scan your pictures with AI 20 different ways
They actually systematically scan photos and declare people to the police if AI determines it looks wrong.
With Apple, you’re at risk of losing your business just like with any other company who wants your data. Apple didn’t solve the “An offline account is better than a Cloud account” problem.
> seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river.
That's an awfully bold statement! I'm quite happy in the Microsoft ecosystem for OneDrive, etc, and I'm not reading this and jumping to Apple. I'm not sure if most people care about these claims, and the people who are very security aware probably don't believe them.
That’s a non sequitur. Also, there is no reliable way to check whether a given source code is the actually deployed version, neither on servers, nor local devices.
> seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river
Fanboyism is expected, but this kind of statement is always bizarre to me. I run an aosp build with no Google software. How can a closed, proprietary system which pinky swears they will not do nasty stuff with your phone possibly be better than that?
> they just ate every other 3rd party "secure" backup services lunch just like they did to the Hi-Res music industry.
... so, they... didn't? Plenty of those services, including Tidal, probably the most prominent one, still exist.
> seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river.
This is the top comment in this thread right now, and I'm guessing it's because the readers of Hacker News value satire. If Apple's ecosystem is so bewilderingly excellent that nobody in their right mind would choose anything else, why did Apple start offering a bunch of their services, like Apple Music and Apple TV, on other hardware ecosystems?
I genuinely do not understand why you say other backup solutions aren't secure. Do you have anything to back that up?
re: point 3 - they really TRIED to scan all your data with their CSAM tool but got too much pushback. They are only doing this now because they are dropping CSAM and trying to garner public favor.
so did apple, you could encrypt through iTunes for a decade, and if you're that paranoid about encrypted backups i would trust an off-line encrypted backup more than i would an encrypted backup in google's cloud.
> they just ate every other 3rd party "secure" backup services lunch...
Really? Isn't this the same Apple that told the FBI that they could get access to a suspect's data from their iCloud account. And the same Apple that was part of the US government's PRISM program to sell user data to the NSA? What makes you think people happy with competing services will jump to them blindly?
> They're not Goodle/FB/Amazon.
They are exactly like them. All of them claimed they care about user privacy, before massively collecting the private data of their users and then exploiting it.
> ... reliable, secure, private service ...
Reliable, sure. "Secure" is debatable when the keys are stored on the iDevices that only Apple can access any time. "Private" is laughable when every Apple product now comes with a disclaimer / popup permission informing that they will use your data to enhance personalised ads served to you by their ad platform.
So that they are legally saved from “storing child porn on their servers”. They explicitly wanted that feature so that they can freely upload user content, fully encrypted, without worrying about that - it was just grossly miscommunicated.
> just pay them money for their service and transactionally they give you only thing that you want in return -- reliable, secure, private service.
In every country they operate in? Especially those run by dictators, autocrats and wannabe dictators/autocrats?
If not would their next Ad or Speech on humanity, morals, rights, privacy and other virtue signalling include a disclaimer that those are not available in such countries?
I'm baffled that the information security requirement has reduced from zero-trust to trust the shiny hardware maker because 'they say so'.
> anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river.
I'd happily swim (or) drown trying instead of blindly trusting privacy claims of a Child labor exploiting, Union Busting, Virtue Signalling insanely hypocritical ultra-mega corporation.
> anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river.
Did Apple ever implement the ability to run software without first phoning home and asking for permission? The last time I checked they had not followed through on their promise to do so.
> they don't want to mine your data, they don't want to know what you store on there, the don't care to scan your pictures with AI 20 different ways, they don't want to monetize it, etc, etc...
What's stopping them from doing this scanning at acquisition or access by the user? We already see Google running models on your phone for things like Magic Eraser.
All Apple has really announced here is that if you're using Apple Apps and Services then they're the only ones who can mine your data. This pivots nightly into their Ad Services.
> They don't want your data. They're not Goodle/FB/Amazon. They're giving you 2TB+ of space and you can encrypt it to the point that you'll lose your data and they don't care -- they don't want to mine your data
Their devices are still sending a bunch of telemetry. They're still in the ads business
Not saying that this recent move is bad, it's good to see. But at the same time, I'd rather manage and encrypt my own files on my own dfs than get trapped in the walled garden
> "seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river."
Not sure how common is my attitude but I do not give a flying fuck about what Apple does. I keep my own backups (been doing it since the 80s). Today's Apple to me looks like a money company that makes some hardware by accident.
and in general, the less I am attached to / depend on a single company for anything significant, the better I feel.
> seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river.
If there's anything I learned about any offers made from big tech, I would never trust any of them until proven for long-term usage for half a decade at bare minimum.
3-2-1 strategy is still a proven method for decades and will still be over any cloud services out there, including iCloud's.
It's fine that very few people care; Apple is very good at attracting customers without it anyway, so it's not the classical situation where we, tech people, should feel sorry that non-tech people "just don't get it" and don't use Apple services.
And lastly, if indeed no customers care, then that speaks for even bigger respect toward the individuals working at Apple who pushed for this and made it happen. (But I think Apple believes this will be a good business decision, not altruism.)
Yeah, and this also shows that the future is not necessarily all decentralized/run by crypto punks in basements. There is an elegant way we can move to a safer, more reliable Internet all while using the current stack that might be hyper-centralized, but has proven to be the most cost-effective and reliable way to do things.
You’re calling out FB here but they’re one of the few to have rolled out similar backup encryption for WhatsApp messages and that was quite a while ago at this point.
I think FB really wants data about your behavior but based on what they’ve been doing with chat security I don’t get a sense they want to or need to be able to read through people's chat history to get that.
> seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river.
Probably. Android is getting locked down with remote attestation anyways. There's no point to it anymore, might as well choose the better tended walled garden.
So up until now the government has had access to all your data because of the backups. This renders the e2e encryption on their different messaging platforms useless. Kind of a joke: "your convo can't be read because it is e2e encrypted, but when we back up, we can read it".
What's the truth though? Are they able to coordinate with law enforcement if needed or not? I find it hard to believe there's no government agency paying attention to iMessage of criminals. Am I mistaken?
Yeah but it’s still basically the great philosophical question of the douche or the turd sandwich.
With everything that has happened with Apple since Jobs' death, my trust has been eroded so much that yeah I still use Apple but they are the turd sandwich at the end of the day. I trust Google a percent or two less.
I like what they are doing with this E2E encryption. It protects against hackers better. It doesn’t protect against Apple though… they will still continue to sell the analytics on you. Which is fine if you don’t care.
> BUT, perhaps the BIGGEST news here is that Apple is making a backup statement to what they've been saying for years and what they've recently gotten negative attention on: They don't want your data.
If they don't want their user's data then why are they running an ad business?
Seriously. Your data is probably going to be mined on-device. Would make way more sense to further screw you by using your resources to mine you while you sleep.
Jesus, the Apple fanboys truly are a different breed. E2E encrypted backups are nice, great even, but the rest of your post and especially the last paragraph are cringe worthy.
you know your first two sentences aren't really honest. there's the secondary market, considering that apple keeps updating their devices past typical android equivalent you're getting same $/years of use value. there are SE models that are in line to cheaper android alternatives.
if you're poor you're probably not data hoarding TBs of data, because you've got other problems, so yes, this is all speaking from the point of privilege, and you being here is also from the point of privilege.
and to answer your 3rd question -- i'll bite and say that this may be true. but is it really apple's problem or the problem overall? where we're all mined for data and now when someone does offer security you scream that it's unfair. shouldn't you take the equivalent effort and write your legislator and ask them what they're doing about bringing the bar to the level that apple is bringing it to, for all of the poor people out there?
Obviously a device doesn't become useless once it stops receiving OS patches. For one, it'll keep receiving security patches for other components (eg the browser, which is in many ways more important than the OS) for many years past end of life.
> seriously, anyone at this point advocating for any other phone/os/service out there besides apple is really going out of their way to swim up river.
Lol I would never advocate for any company I engage with to use apple products. Why? Because they suck. iPhoto and iCloud are pieces of trash. Most basic thing like, delete local but keep cloud copy seems to be missing. Can't keep an iPhone synced and do this with iCloud. Lulz worthy sitcho.
Also can't even copy files off device easily. Can't put custom apps on devices easily. The company actively kicks back against things like, freedom of information, following standards, reducing e-waste.
You know some of us make decisions around the companies we support on greater levels than just feature a or b is present in device. Apple are a predatory company that in no way promote a software or hardware ecosystem that is ethical imho and they don't promote one I want to participate in.
I wouldn't touch their shit with a barge pole and on top of this due to being IT every time I'm forced to I'm mostly confused by wtf folks think is so great. I legit find the kids toy ux difficult to work with, borderline impossible.
I also like blowing clients away with simple tasks like....copying photos to a usb...browsing files on my phone on a pc. You know the basic stuff like they used to do when they were younger but apple cucked it along the way for zero reason lol.
> You will, from May, thanks to the EU Digital Markets act.
Is this fact? Last I read about this the law was passed, but it's still unclear if apple will actually allow this.
I absolutely would love if I could use the latest version of iOS and install apps that are not in the app store. I'm currently using trollstore to do this but that means using older versions of iOS that are vulnerable to exploits.
The law has passed - but it also has exemptions for security.... So we can expect a lot of negotiating between the EU & Apple/Google on what they actually have to do.
Downloading some random GitHub app to access a phones storage sure as shit won't be happening on any managed corporate devices I deploy. Or unmanaged devices tbh. That's the kinda shit I leave for quarantined VMs.
Data is still not easily accessible once it's on an iPhone.
Okay... then use iTunes on Windows or Mac? (Not sure how those work, never used them, but I assume they provide the same functionality as imobiledevice)
Nah I thought that was the case too. Turns out it is not. Had a client's employee ask me for help w/ her iPhone about 2 weeks back. 32gb phone, no storage space left on device so it legit just stopped working, wouldn't receive texts or anything cus it was full. So client's like, help me get photos off phone onto a USB or set photos to store in iCloud only and I'll delete the phone copies (well this is what I thought was an option because I can do it w/ just about every other backup software I use). Turns out big fat nup to either option. Only way she could delete phone photos but keep cloud ones was to disable sync entirely (lol wtf is the point of linked cloud if sync is so shithouse?). Plug phone into iTunes, all you get re. access to device is no ability to view pics as files to extract, you can't even control apps on the device (good luck finding out what apple referred to as other apple software that used up >30% of phone's internal space, it just gets all lumped in under one grey color of storage being used).
Got forced to use an iPhone 11 or some shit a few years back as a company issued device. Man it was alright at making phone calls, complete POS for doing any actual work on. Basically found it to be an overpriced paperweight that could take ok photos but was impossible to retrieve photos from. No I don't want an iCloud account or any of that bs, I just want to plug in to pc and pull files like I've been doing for 25+ years on every other platform I've ever used.
"Some metadata and usage information stored in iCloud remains under standard data protection, even when Advanced Data Protection is enabled. For example, dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data are used to help Apple de-duplicate and optimize your iCloud and device storage..."
Photo checksums can't be e2e encrypted huh? They reported today they abandoned their plans to do CSAM scanning on people's devices[1] and connecting the dots it seems like they won't need to since they can just do it in the cloud.
The abandoned plan was perceptual hashing, which should return the same hash for very similar photos, while the new one is a checksum, which should return the same hash only for identical photos. I don’t think that invalidates the point, but it does seem relevant. It certainly makes it much less useful for CSAM scanning or enforcing local dictator whims, since it’s now trivial to defeat if you actually try to.
The big difference is with photos end-to-end encrypted, Apple can't (by choice nor force) have human "content reviewers" look at photos to inspect them for unlawful content, as was the intention under Apple's 2021 plan [1] after a threshold of 30 hash matches was met.
Although it was starting on CSAM material, it wasn't clear which other illegal activities Apple would assist governments in tracking. In countries in which [being gay is illegal](https://www.humandignitytrust.org/lgbt-the-law/map-of-crimin...), having Apple employees aid law enforcement by pointing out photographic evidence of unlawful behaviour (for example, a man hugging his husband) would have been a recipe for grotesque human rights abuses.
With photos encrypted, Apple can't be pressured to hire human reviewers to inspect them, and thus cannot be pressured by governments that enforce absurd laws to pass on information on who might be engaging in "unlawful" activities.
> The abandoned plan was perceptual hashing, which should return the same hash for very similar photos . . .
Is there any proof they actually abandoned this? NeuralHash seems alive and well in iOS 16[1]. Supposedly the rest of the machinery around comparing these hashes to a blind database, encrypting those matches, and sending them to Apple et al. to be reviewed has all been axed. However that's not exactly trivial to verify since Photos is closed source.
Anything over a network can be decrypted and inspected with a MITM proxy (manually adding its root certificate to the trust store), as long as only TLS (no application-level encryption) is being used.
There are a multitude of ways to inspect the decrypted traffic of your own device, whether it's a jailbroken iPhone provided by Apple to the security community or a non-kosher jailbroken device. People inspect this traffic all the time.
> . . . as long as only TLS (no application-level encryption) is being used.
Therein lies the rub: the payload itself is protected by an encryption scheme where the keys are intentionally being withheld by either party. In the case of Apple's proposed CSAM detection Apple would be withholding the secret in the form of the unblinded database's derivation key. In the case of Advanced Data Protection the user's key lives in the SEP, unknown to Apple.
By design the interior of the "safety vouchers" cannot be inspected, supposedly not even by Apple, unless you are in possession of (a) dozens of matching vouchers and (b) the unblinded database. So on the wire you're just going to see opaque encrypted containers representing a photo destined for iCloud.
The original implementation also involved sending a "safety voucher" with each photo uploaded to iCloud, which contained a thumbnail of the photo as well as some other metadata.
The vouchers were encrypted, and could only be decrypted if there were, I believe, 30 independent matches against their CSAM hash table in the cloud. At that point the vouchers could be decrypted and reviewed by a human as a check against false-positives.
It sounds like with a raw byte hash they might be able to match a photo against a list of CSAM hashes, but they wouldn't be able to do the human review of the photo's contents because of E2E.
That would be interesting. Then all someone has to do is generate images that collide with the ones in the CSAM hash database and airdrop them to someone, then they’re suddenly the target of a federal investigation. I remember someone posting about a year ago a bunch of strange looking images that produced those collisions. If it’s all E2E then all Apple sees is a matching hash and can’t do any further review other than refer to law enforcement.
Someone mentioned here but I didn't confirm that Apple is stopping the CSAM scanning. It makes sense because there's nothing they could reasonably do even if they found matching hashes. It seems unlikely they'd report these findings to the police if there's no manual ability to review the contents first.
I'm assuming these are normal checksums (bitwise hashes), whereas before they were doing a hand-wavy AI-based thing that they called "checksums" but weren't really. The latter captured rough visual qualities of the images in question, which is why it had a false-positives problem. A real checksum shouldn't have that problem; in theory you'd only be able to detect an exact match of a file you already have and are looking for. So it is meaningfully different.
I assumed separate checksums are made from the file name and the contents. Though even if not, it would seem useful for eg. syncing between devices ("does file X already exist so we don't need to download it?")
Uhm... that's a significant leak. Most files you have are not unique, including personal photos (if you shard them). So all Apple needs to do to uncover a significant part of what you have on iCloud is get all the hashes of your files and find the same hashes in others accounts that don't have e2e enabled and other sources to recover the content. And even without content, it is a great way to find connections between people (but they already have non-e2e encrypted contact data to do that...).
Personally, I don't think Apple intends to screw you, and they have a good reason, but isn't not trusting your provider the entire point of e2e encryption?
It is one of the first questions I asked myself: "with e2e encryption, it means no de-duplication, it will be expensive for Apple". Turns out they still have de-duplication, and therefore weaker privacy.
Anyways, "As we continue to strengthen security protections for all users, Apple is committed to ensuring more data, including this kind of metadata, is end-to-end encrypted when Advanced Data Protection is enabled". It would be interesting to see if they really are committed. For now, I don't blame them, it is already better than most offerings, and it just came out. However, it will be an interesting point to watch for in the future: it is a privacy feature that actually costs Apple money to run, will they do it?
Note: I assume a standard hash like SHA, working at byte level. Not the CSAM scanning thing that can match similar pictures even if the files are not exactly the same.
Can you elaborate on this comment in terms of how no de-duplication is in any way expensive to Apple? People have to pay for their cloud storage generally (past 5GB) and Apple presumably has their price structure setup in a way where it is either profitable or at least only negligibly costs them as a loss leader for its expensive products.
If someone has all kinds of duplicates, so what? Eventually, they have to pay and up their subscription price for the additional cloud storage. The only way de-duplicating could possibly save money is if two or more people with the same file are both pointed to that same file in a location that is not within their account.
"checksums of file and photo data are used to help Apple de-duplicate and optimize your iCloud and device storage"
This is likely describing content-addressable storage. It is the underpinning of many iCloud services that store user files / blobs. It is also a commonly used pattern in backend services generally.
The problem is that a stream cipher is going to have some per-object uniqueness (a salt, IV, etc.), so by design even if you feed it related input blocks you will get different output blocks. This is, of course, antithetical to deduplication: so you need to check/store the hash of the input before it goes through the cipher.
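As an added illustration of the trade-off described above (constructed example code, not Apple's nor anyone's in this thread; the toy HMAC-based cipher, the `DedupStore` class, the account names and the sample "photo" bytes are all assumptions), this shows why a per-object nonce defeats ciphertext-level deduplication, how hashing the plaintext first restores it within an account, and what the provider can then read off the stored hashes across accounts, the cross-account linkage raised a few comments earlier. It also includes the one-bit-edit check from the perceptual-hash-versus-checksum discussion.

```python
"""Toy model: content-addressable dedup beside per-object-randomised encryption.

Constructed example. The cipher is a toy CTR-style construction built on
HMAC-SHA256 (NOT for real use); the store and the sample "photo" bytes are
assumptions made up for illustration.
"""
import hashlib
import hmac
import secrets

BLOCK = 32  # HMAC-SHA256 yields 32 keystream bytes per counter value


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC(key, nonce || counter) blocks.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        counter = (offset // BLOCK).to_bytes(8, "big")
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + BLOCK], ks))
    return bytes(out)


def encrypt_randomised(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per object, prepended to the ciphertext.
    Identical plaintexts therefore never produce identical ciphertexts."""
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt_randomised(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return keystream_xor(key, nonce, body)


def content_id(plaintext: bytes) -> str:
    """Byte-exact checksum computed BEFORE encryption (the 'raw byte checksum')."""
    return hashlib.sha256(plaintext).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit flipped (roughly a one-pixel edit)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def digest_bit_distance(a: bytes, b: bytes) -> float:
    """Fraction of SHA-256 output bits that differ between digests of a and b."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1") / 256


class DedupStore:
    """Provider-side store: opaque ciphertext per (account, content_id), plus the
    plaintext hash itself, which the provider can read and cross-reference."""

    def __init__(self):
        self.blobs = {}  # (account, cid) -> ciphertext, one copy per account
        self.refs = {}   # cid -> set of accounts that uploaded identical bytes

    def upload(self, account: str, key: bytes, plaintext: bytes) -> str:
        cid = content_id(plaintext)
        if (account, cid) not in self.blobs:  # dedup within the account
            self.blobs[(account, cid)] = encrypt_randomised(key, plaintext)
        self.refs.setdefault(cid, set()).add(account)
        return cid

    def blob_count(self) -> int:
        return len(self.blobs)

    def accounts_sharing(self, cid: str) -> set:
        """What the provider learns without any key: who holds identical files."""
        return set(self.refs.get(cid, set()))


# Constructed sample input standing in for two users' copies of one photo.
PHOTO = b"\x89PNG constructed sample photo bytes " * 40
ALICE_KEY, BOB_KEY = b"A" * 32, b"B" * 32


def demo():
    store = DedupStore()
    cid = store.upload("alice", ALICE_KEY, PHOTO)
    store.upload("alice", ALICE_KEY, PHOTO)  # same bytes again: no new blob
    store.upload("bob", BOB_KEY, PHOTO)
    return {
        "ciphertexts_differ": encrypt_randomised(ALICE_KEY, PHOTO)
        != encrypt_randomised(ALICE_KEY, PHOTO),
        "blobs_stored": store.blob_count(),
        "sharing": sorted(store.accounts_sharing(cid)),
        "one_bit_edit_distance": digest_bit_distance(PHOTO, flip_bit(PHOTO, 77)),
    }


if __name__ == "__main__":
    print(demo())
```

The `sharing` entry is the privacy cost of deduplicating on a pre-encryption hash: no key is needed to see that two accounts hold byte-identical files, while `one_bit_edit_distance` shows why such a checksum only ever matches exact copies.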
The presentation about ZFS' native encryption[1] covers many of these sorts of trade-offs necessary to do full-disk encryption at scale.
I always thought the client-side hashing plan was something of a giveaway to authoritarian governments which would have demanded Apple check their own list of verboten files against what the users had uploaded to iCloud. E.g. tank man photos.
So I read this as Apple quietly saying "we're not bending to China on privacy". Which is the first step toward probably being banned from providing Apple services in China.
People sharing images that an authoritarian government considers banned might still be exposed by such a scheme, given they are likely to be exactly the same data. There are, after all, no new photos of tank man being photographed, any that are shared would be identical to someone elses, unless every recipient opened them up and modified them, and even then I'm not sure that actually modifies the data if done on an iOS device, as modifications done to images can be undone suggesting to me they are only a layer on top of the unchanged image, which would still return the same hash.
Unfortunately, I think the privacy problems surrounding iCloud Photos remain to an extent.
Given that modifying just a single bit in an image results in a wildly different hash digest, I think the risk is a little overblown. There are probably easier ways for authoritarian governments to figure out who's sending illegal content, like just taking somebody's device and looking at their messages.
It's a little hard to take any percentage of 1.4B peoples phones, get them to comply unlocking their devices, and then inspecting those.
It's a lot easier to tell vendor X that "in country Y list Z is the one that should be used when looking for CSAM", and then add some known Tank Man derivative hashes to that list and find out directly who to arrest.
According to the Wired article linked by parent, there is no longer any hashing or client-side scanning scheme at all, except one that can be enabled locally by parents and doesn't report anything to Apple.
But in the documentation[1] under the heading "Encryption of certain metadata and usage information" they state:
> Some metadata and usage information stored in iCloud remains under standard data protection, even when Advanced Data Protection is enabled. For example, dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data are used to help Apple de-duplicate and optimize your iCloud and device storage
This checksum is described as:
> The raw byte checksum of the photo or video
This hash can technically be shared by Apple, since they own the key used to encrypt it. And depending on when the hash is computed (post-encryption it's no problem, pre-encryption we have a problem), this could technically be used to find people sharing known undesired images e.g. Tank Man or CSAM.
Apple already has different terms of service for Chinese users. They simply won’t have this feature, or it is turned off silently on authority requests.
There is no way for a user to verify if Apple has actually end-to-end encrypted their backups or not.
I always thought that program was technically limited from the start. It seems like it would be very easy to rotate a small value of the file, even a single pixel, and return a different checksum.
"People rioted when we scanned for CSAM in a privacy-preserving manner but don't give a shit when we do the same thing when it's not privacy preserving so I guess just do that."
How is this a win? Either is bad, who wants them to keep a database of their image hashes? In some ways this is arguably even worse. If they keep this data online leaks and/or third party access are almost guaranteed. At the very least by authorities with a perma warrant looking for "CP" or "terrorist" material.
And that's exactly the problem and why I put CP in quotation marks. With everything we know about these completely unaccountable agencies, what guarantees you it will be limited to actual crimes against children? For the children is the oldest trick in the book. Already if we talk terrorism, it's explicitly political. One woman's freedom fighter is another man's terrorist.
Maybe I'm confused. From the Wired article and other sources, it sounds like they have abandoned the idea of doing any form of hash comparison or client-side scanning. Am I reading that wrong?
If that article is correct it doesn't sound like they've abandoned the idea at all, only modified. It's still the same thing essentially, they check your file hashes for "known illegal images or other law enforcement inquiries".
One must understand that E2EE is used when you don't trust your service provider to handle your data. In other words, the adversary in your threat model is the service provider - and in this case, Apple. And what good is that encryption, if Apple obviously can do almost anything with your device?
They can remotely wipe apps. They can force-install apps and force updates. It is not too far-fetched to think that they can just remotely copy anything stored on your device to their servers. So, with an adversary that capable, I'm not sure encrypted backups provide a meaningful improvement to security and privacy.
> In other words, the adversary in your threat model is the service provider - and in this case, Apple. And what good is that encryption, if Apple obviously can do almost anything with your device?
The adversary in this threat model isn't the service provider. The adversary is someone attacking the service provider, like a hacker or a government with a warrant, and getting access to Apple's storage of your data.
Now of course it's not impossible for such an adversary to also defeat other systems at Apple and get your data another way, for example by controlling Apple's ability to send over-the-air updates to Apple devices. But I think that is a sufficiently distinct threat that it's not worth dismissing solutions to the first threat. That would be like dismissing the importance of a web server storing passwords salted and hashed, since attackers could just use a totally different attack to bypass the web server's database access control. Another way to illustrate this might be to point out that attackers can physically coerce you to hand over data regardless of any security measures any service provider could possibly make, but that doesn't mean we should dismiss all such security measures.
Remember Lavabit [0]? Will Apple choose to shut down rather than to comply [1]? If the government comes with a warrant, it will be with a gag order, and they will be compelled to silently update your phone to extract whatever the govt needs over the course of a few months.
What is your actual point here? It feels like we’re just playing a game of hypotheticals that are no longer based in reality.
Sure Apple could update your device to send all your photos unencrypted to them. They could also remotely turn on the mic and spy on all of us. They could also add key word detection to iMessage and flag law enforcement if you text out the wrong words.
I think everyone here understands what Apple could do. Which is why it’s a good thing that signs point to Apple not wanting their customer data. And why Apple refusing government orders that they feel violate their customers is unequivocally a good thing (even if they’re doing it for selfish reasons).
that e2e encryption by a third party does not give you privacy from the US government if that third party can remotely control or update your device and is subject to US laws. it is a direct reply to the assertion made in the GP: "The adversary is someone attacking the service provider, like a hacker or a government with a warrant, and getting access to Apple's storage of your data."
> will Apple choose to shut down rather than to comply
Apple will probably comply, just like I would probably comply rather than go to jail or suffer injury to myself or my loved ones. But I think it's fair to treat that as a distinct threat.
I disagree - the service provider should be considered an adversary and their service - and your tooling - should make it possible to obfuscate every single bit of data and metadata that you store there.
rsync.net is great and I've always appreciated the exposed ZFS capability, even if at this point 3x the cost per GB for small-scale users vs B2 is a lot more painful. Having encryption, including for transfers, also be part of the filesystem (which is open source) is great. Pity that, but for a small turn of history, ZFS didn't become the native FS for Apple. And I think backups in particular are one of the focused, completely unambiguous areas where Apple really has behaved in textbook anticompetitive fashion, and they should be required to allow people to point their iOS devices at any 3rd party service (including their own!) they wish that implements the right API (which Apple should have to document and follow themselves).
Still with all that said:
> I disagree - the service provider should be considered an adversary and their service - and your tooling - should make it possible to obfuscate every single bit of data and metadata that you store there.
If you're using Apple devices at this point then I think they do unavoidably form some part of your core trust foundation. With current hardware Apple is everywhere in the stack right down to the CPU level, heck arguably below that since they have a special license with ARM and can implement their own custom extensions. If you really think they're an adversary to the point of doing custom backdoors explicitly going after you, then the hardware just can't be trusted.
It's not unreasonable though to look at both Apple's incentives and the state of American law at least and see distinctions between Apple being compelled (or hacked) to provide something they have passive access to on their side anyway vs being compelled to engage in non-consensual active work and feature development (or having that slipped in and make it into general deployment) on things that necessarily must go out to end user devices. The former is both bog standard warrant/subpoena territory and not inherently detectable outside of Apple and the government, since it doesn't directly involve the user as a party at all. The latter is very arguably illegal and provokes far more public response, and involves deploying in ways that make it far harder to keep concealed (and open up other avenues of challenge).
I don't get it. If you don't trust Apple, then you don't take photos with an iPhone. There is no possible service they could offer that assures you every bit of data and metadata is obfuscated end to end in any sense of before Apple software has a chance to see it. At bare minimum, the camera app has to put together a file before there is anything to encrypt. A malicious Apple could just keep a second copy of that file, and even if you used a different backup service, they'd still have it.
However, as with all things here, you can just email and discuss with a real person and we'll set you up the way you need to be set up wrt billing and pricing, etc.
I think that's a separate issue. I'm not saying that Apple or any other service provider should not be considered a potential adversary. I'm saying it's still a good thing for service providers to implement solutions to threats.
I think the right way to advocate for this really is to focus on the warrant aspect. It’s not about preventing law enforcement but keeping it above board where there’s at least the possibility of oversight and targets can exercise their rights to things like legal representation.
I think it mostly matters in the context of US case law, specifically the third party doctrine.
> The third-party doctrine is a United States legal doctrine that holds that people who voluntarily give information to third parties—such as banks, phone companies, internet service providers (ISPs), and e-mail servers—have "no reasonable expectation of privacy" in that information. A lack of privacy protection allows the United States government to obtain information from third parties without a legal warrant and without otherwise complying with the Fourth Amendment prohibition against search and seizure without probable cause and a judicial search warrant.
There are multiple meanings of trust in this scenario: belief in honesty, and confidence of ability. E.g. I can trust you to tell me the truth but not trust you to protect me from a missile.
I trust Apple’s honesty. I don’t trust many attack vectors. Someone could gain access to their data center. E2EE protects that. A gov could legally compel them to provide data. I trust when they say they’ve engineered it in such a way that they can’t currently do it, and that they would publicly cause a scene and legal battle if attempted - as they have before. Accidental data leaks also happen. In all these scenarios I trust Apple's intentions but know that nothing is perfect. E2EE adds a lot for me.
Also, companies like Apple are huge, with thousands of staff.
These protections aren't there to protect you from "Apple", but Apple staff.
So for example if someone at Apple has been compromised by a foreign state, they can't copy sensitive customer data just willy nilly. They'd have to jump through a lot of hoops that would be prohibitively difficult.
Google had issues like this in the past where some employees were sending data to the Chinese government. E.g.: information about dissidents, political opponents in Taiwan, etc...
This is one of the reasons Google encrypts even internal server-to-server traffic, because the threat is on the inside of the firewall!
In theory it adds a speed bump. Apple as the cloud service provider can respond to the legal order by saying they don't have the key. And then the police can ask for a booby trapped update for just your phone which may or may not happen. Or they can lobby the legislature for an encryption backdoor for all devices which will force them to show their hand in terms of "lawful intercept" capability.
If you want maximum security use an air gapped computer. But that won't let you send messages on the go.
> If you want maximum security use an air gapped computer. But that won't let you send messages on the go.
You can, with some inconvenience, use optical diodes to transmit data from a trusted input device to an untrusted network device for transport over tor, and then push the received messages over a second diode to a display device that decrypts the messages, so that even if you receive an exploit/malware, there is no physical connection that allows unencrypted data to be exfiltrated.
If you want maximum security then just obviously don't use Apple services, or any other provider that has a capability to fetch your data under any circumstances.
Starting in May next year, the Digital Markets Act [1] requires Apple to "allow the installation of third-party software applications [...] by means other than the relevant core platform services of that gatekeeper."
I'm still on the fence about whether this will end up being a net good or not, but people don't seem to consider the potential knock-on effects of this. Apple puts some nice pro-consumer, along with some less nice anti-developer, requirements on apps in the AppStore. Easy subscription management, privacy disclosure, parental controls etc. If the developers of an app decide to only make it available outside the AppStore, you as a consumer may be forced to choose between using that app and getting those benefits.
> If the developers of an app decide to only make it available outside the AppStore you as a consumer may be forced to choose between using that app and getting those benefits.
And Apple already chooses the reverse for you by not allowing apps you may want and by charging a 30% tax for doing so. There is a vast disparity between the behaviors!
It won't help to download apps on an iPhone, which, I must say, isn't even yours: you don't get to decide which apps you can install on your phone. Apple gets to decide. Factually speaking you're merely renting the iPhone from Apple, which, being the device owner, decides the terms under which you can use it.
In practice this distinction is meaningless. In fact I trust Apple more than my own government. To take your argument to an absurd logical conclusion, I don’t own ANYTHING because my government can take it.
It is known that Apple would do quite a lot of what governments will ask of it. It removes apps from national AppStores on a simple request from countries like China or Russia. (Well, now Apple might ignore Russian takedown requests, but prior to the war with Ukraine they were very receptive to their demands.)
This is why side-loading and the option for alternative app stores is so crucial. If Apple bans Signal or other E2EE messenger apps from your national app store, you can't get them. Full stop.
If people in China and other privacy-hostile countries can side-load from alternative app stores (like F-Droid for Android), the government/Apple doesn't control user access to particular undesirable apps.
There are obviously reverse concerns to this side of the coin, but the overall concept has arguably always existed with jailbreaking (Cydia store, AltStore(?)) and I haven't heard any stories about people becoming massively compromised in the way all the naysayers and Apple would have us believe.
Yes, I have heard of the GDPR and in my opinion it has improved/consolidated my digital privacy rights and not affected the "web browsing experience" in any negative way. I believe you are referring to the ePrivacy Directive (aka cookie law). As you may know, it's only mandatory to inform the user when the website is collecting information from the user beyond what is necessary for technical purposes - and in that case I do want the option to refuse that.
They don't have to lobby anyone for this. Apple has operations in Aus. We have laws here where the gov can force you to put a backdoor in software or hardware and you are not allowed to tell even your employer you have been requested to do so.
Tbh in theory Apple aren't allowed to tell you whether they have done it or not. So their phones have probably been backdoored for a few years now at the request of the Aus gov.
I would not be surprised if there is a backdoor already. Either explicitly ordered or secretly inserted like Dual_EC_DRBG. They’re not burning a zero day vulnerability or certificate authority just to convict one defendant. They’re saving them for something like Stuxnet.
Nothing is secure. Once we remember that, we'll stop nitpicking improvements.
Use your own server? Great, it's secure software-wise, but if someone broke into your house, it's all of a sudden the worst liability ever. The next thing you know, your entire identity, your photos, everything is stolen. You have excellent technical security, perhaps the weakest physical security.
So new plan, you use a self-hosted NextCloud instance on a VPS somewhere. That's actually not much smarter than using iCloud - VPSs handle data warrants all the time. They also move your data around as they upgrade hardware, relocate servers, and so forth.
So new plan, you use iCloud E2E encryption. You have to trust that Apple does as they say, and trust that their algorithms are correctly functioning. Maybe you don't want to do that, so new plan:
You use a phone running GrapheneOS, with data stored on a VPS, with your own E2E setup. Great - except you need to trust your software, and all the dependencies it relies on. Are you sure GrapheneOS isn't a CIA plant like ArcaneOS was? Are you sure your VPN isn't a plant, like Crypto AG? And even if the VPN is legitimate, how do you know the NSA doesn't have wiretaps on data going in and out, allowing for greatly reducing the pool of suspects? Are you sure that even if the GrapheneOS developers are legitimate, the CIA hasn't stolen the signing key long ago? Apple's signing key might be buried in an HSM in Apple Park requiring a raid, but with the GrapheneOS developer being publicly known, perhaps a stealth hotel visit would do the trick.
So new plan, you build GrapheneOS yourself, from source code. Except, can you really read it all? Are you sure it is safe? After all, Linux was nearly backdoored with only two inconspicuous lines hidden deep in the kernel (the 2003 incident). So... if you read it all, and verify that it is perfect, can you trust your compiler? Your compiler could have a backdoor (remember the "login" demo?), so you've got to check that too.
At this point, you realize that maybe your code, and compiler, is clean - but it's all written in C, so maybe there are memory overflows that haven't been detected yet, so the CIA could get in that way (kind of like with Pegasus). In which case, you might as well carefully rewrite everything in Rust and Go, just to be sure. But at that point, you realize that your GrapheneOS phone relies on Google's proprietary bootloader, which is always signed by Google and not changeable. Can you trust it?
You can't, and then you realize that the chip could have countless backdoors that no software can fix (say, with Intel ME, or even just a secret register bit), so new plan. You immediately design and build your own CPU, your own GPU, and your own silicon for your own device. Now it's your own chip, with your own software. Surely that's safe.
But then you realize there's no way to verify, even after delidding the chip, to verify that the fabrication plant didn't tweak your design. In which case, you might need your own fabrication plant... but then you realize that there's the risk of insider attacks... and how do you even know those chip-making machines are fully safe? How do you know the CIA didn't come knocking and make a few minor changes to your design, and then gag the factory with a National Security Letter from giving you any whiffs about it?
But even if you managed to get that far, great, you've got a secure device - how do you know that you can securely talk to literally anyone else? Fake HTTPS certificates from shady vendors are a thing (TrustCor?). You've got the most secure device that is terrified to talk to anybody or anything. You might as well start your own Certificate Authority now and have everyone trust you. Except... aren't those people... in the same boat now... as yourself... And also, how do you know the NSA hasn't broken RSA and the entire encryption ecosystem with that supercomputer and those mathematicians of theirs? How do you know that we aren't using a whole new Dual_EC_DRBG and that Curve25519 isn't rigged?
The rabbit hole will never end. This doesn't mean that we should just give up - but it does mean we shouldn't be so ready to nitpick the flaws in every step forward, as there will be no perfect solution.
Oh, did I mention your cell service provider always knows where you are, and your identity, at all times, regardless of how secure your device is?
Edit @INeedMoreRAM:
For NextCloud, from a technical perspective it's fantastic, but your data is basically always going to be vulnerable to either a technical breach of Linode, an insider threat within Linode, or a warrant served (either a real warrant, or a fraudulent warrant, which can happen).
You could E2E encrypt it with NextCloud (https://nextcloud.com/endtoend/) which would solve the Linode side of the problem, but there are limitations you need to look into. Also, if a warrant was served (most likely going to be authentic if police physically show up, at least more likely than one they served your data over), you could always have your home raided, recovery keys found, and data accessed that way. Of course, you could destroy the keys and only rely on your memory - but, what a thing to do to your family if you die unexpectedly. Ultimately, there's no perfect silver bullet.
Personally... It's old school, I use encrypted Blu-rays. They take forever to burn, but they come in sizes up to 100GB (and 128GB in rare Japanese versions), they are physically stored in my home offline, and I replace them every 5 years. This is coupled with a NAS. It's not warrant-proof but I'm not doing anything illegal - but it is fake-warrant-resistant and threats-within-tech resistant, and I live in an area where I feel relatively safe (even though this is, certainly, not break-in-proof). Could also use encrypted tape.
I run Nextcloud on a RPI at home with fail2ban, brute force protection, MFA, and E2EE which is backed up remotely using encrypted Borg backup. The 4TB SSD drive safely serves my friends and family too. My laptop and Graphene phone's files, apps and settings are backed up automatically to it daily. I have too many apps installed on Nextcloud to list, but it is basically an all in one solution to your cloud needs.
Both Nextcloud and GrapheneOS are FOSS which addresses your concern about it being a government trap.
My partner is able to access my Bitwarden account if I were ever to be indisposed.
Sure nothing is perfect, but tell me how this is not a better solution than trusting the closed source ecosystem of the biggest corporation in the world.
“Both Nextcloud and GrapheneOS are FOSS which addresses your concern about it being a government trap.”
I was merely referring to the fact that unless you build the code yourself, there is no certainty that you have that a government has not shipped a custom hacked build to your device and stolen a FOSS signing key. Unlikely? Yes. Possible? Yes. Also, backdoors, as seen in the 2003 Linux incident, can be as hidden as a deliberately missing equals sign in 1 line of code - so, a sneaky government commit with the smallest backdoor could be undetected even if FOSS. I still think it’s better than proprietary - don’t get me wrong - but it’s not invincible which was my main point about how security does not end.
Right, but nobody can write all the code they need for every service. I agree nothing is invincible. We put varying degrees of trust in people and processes of communities who maintain the SW. FOSS requires much less trust than proprietary SW developed by megatech.
> Use your own server? Great, it's secure software-wise, but if someone broke into your house, it's all of the sudden the worst liability ever.
This doesn't invalidate the rest of your point, but if your data isn't encrypted at rest on your own hardware, that one very particular point? That's your own fault.
You will need some kind of remote mounting mechanism. Imagine you are abroad and your power at home is off for a short period of time. How do you boot remotely and mount the encrypted filesystem?
Not an easy task. You will need some kind of dropbear SSH that you dial into and input your encryption key. Many moving parts. Don't get me started if you have to update the packages due to security fixes.
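As an added illustration of the remote-unlock setup the comment above describes (not code from the thread or from any commenter), the script below stages a locked-down dropbear-initramfs configuration: key-only login, no port forwarding, an idle timeout, and a forced command so the SSH key can only run the unlock helper. It assumes Debian-style paths under /etc/dropbear/initramfs/, that the cryptroot-unlock helper sits at /bin/cryptroot-unlock inside the initramfs (check your release's cryptsetup README), and uses a constructed, non-functional public key; the ROOT argument lets you stage into a scratch directory before touching the real system.

```shell
#!/bin/sh
# Added example: stage a hardened dropbear-initramfs configuration so an
# encrypted root can be unlocked over SSH after an unattended reboot.
# Assumptions (not from the thread): Debian paths /etc/dropbear/initramfs/,
# the unlock helper at /bin/cryptroot-unlock inside the initramfs, and a
# constructed demo public key. Nothing here touches the live system unless
# ROOT is "/".
set -eu

# write_dropbear_unlock_config ROOT PORT PUBKEY_LINE
#   ROOT        directory to stage under ("/" for the real host)
#   PORT        TCP port the initramfs SSH daemon listens on
#   PUBKEY_LINE one OpenSSH public key line (type, base64, comment)
write_dropbear_unlock_config() {
    root=$1; port=$2; pubkey=$3
    confdir="$root/etc/dropbear/initramfs"
    mkdir -p "$confdir"

    # Dropbear daemon options (all are real dropbear flags):
    #   -I 180  drop idle sessions after 180 seconds
    #   -j -k   disable local and remote port forwarding
    #   -p PORT listen on a port distinct from the normal sshd so clients
    #           do not confuse the initramfs host key with the system one
    #   -s      disable password logins; public keys only
    printf 'DROPBEAR_OPTIONS="-I 180 -j -k -p %s -s"\n' "$port" \
        > "$confdir/dropbear.conf"

    # Restrict the key to the unlock helper: even a stolen private key
    # yields no shell in the initramfs, only the passphrase prompt.
    printf '%s,command="/bin/cryptroot-unlock" %s\n' \
        'no-port-forwarding,no-agent-forwarding,no-X11-forwarding' \
        "$pubkey" > "$confdir/authorized_keys"
    chmod 600 "$confdir/authorized_keys"
}

# Constructed key material for the demonstration; not a usable key.
EXAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY0 unlock@laptop'

# stage_demo: write the files into a scratch directory and print its path.
# On the real host you would run with ROOT=/ and then:
#   update-initramfs -u        # rebuild the initramfs with dropbear inside
#   add ip=dhcp (or a static ip=... spec) to the kernel command line so the
#   initramfs brings up networking, then after a reboot:
#   ssh -p 2222 root@<host>    # forced command prompts for the passphrase
stage_demo() {
    dir=$(mktemp -d)
    write_dropbear_unlock_config "$dir" 2222 "$EXAMPLE_PUBKEY"
    printf '%s\n' "$dir"
}
```

Review the staged files, then rerun with ROOT set to / on the host itself; the same authorized_keys restrictions apply to any additional unlock keys you add.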
I've been running my own Nextcloud instance on a Linode with 2FA and your response made me question how secure it is.
Even though I get an A+ on the Nextcloud Security Scan (https://scan.nextcloud.com/), have 2FA, and custom IP blocking set up in my .htaccess file, it's disheartening to know that I'm not as secure as I thought I was.
I removed all my photos/files from iCloud for privacy reasons, and now I feel helpless contemplating how Linode may just hand my data over if served a warrant.
Any other Nextcloud hardening tips besides Fail2ban and reverse proxying you'd recommend? May I ask what your workflow looks like for preserving files throughout time?
Nextcloud has three recommended add-ons that you can install in a few clicks:
- Brute force protection
- End to end encryption
- Multi-factor authentication
> And what good is that encryption, if Apple obviously can do almost anything with your device?
Because Apple isn’t in control of Apple for data at rest, and that’s the specific risk.
You have to trust control of the device sure, but you cannot trust cloud data - almost at all - between subpoenas from over eager LEOs and break ins from criminal and state hackers
> Because Apple isn’t in control of Apple for data at rest
That's not really true if Apple also holds copies of your iCloud decryption keys. If they want to access your data, they already have all the necessary components.
Now we're going in full circle, so I'll just point you to the parent thread:
> One must understand that E2EE is used when you don't trust your service provider to handle your data. In other words, the adversary in your threat model is the service provider - and in this case, Apple. And what good is that encryption, if Apple obviously can do almost anything with your device?
Ironic, since if you follow the thread you'll learn that since Apple still has complete control of your device, it essentially still has access to the keys.
Let me re-phrase: by giving Apple control over the keys, you give control over the data to whoever controls Apple - which is non-zero (e.g. LEO), and whoever may gain control (security vuln).
Apple isn't a monolithic entity. For example, a rogue engineer might be able to access your iCloud data, but it's orders of magnitude more complicated to push a specifically manufactured app to your device.
There's a similar variance of complexities for hacking and law enforcement overreach scenarios.
E2EE isn't a solution for all attack vectors, but it's a significant mitigation in itself.
Technically no. I still have Fortnite on my iPhone, it just can't be opened. Apple can't wipe apps from your phone, but if they're App Store installed (as opposed to Ent MDM/Sideloaded), they can render them inoperable by revoking the certificate attached to the bundle.
It's all a closed source jumble though. Even if they can't do it right now, they have the power to install an update that allows them to add that power, if they had to.
What's the functional difference between "remotely deleting" and "remotely rendering inoperable"?
Remotely deleting probably just exposes them to all kinds of legal issues, since it would wipe user data too (which you can otherwise possibly still extract, e.g. through the "Files" app).
What’s missing is context - Fortnite’s account is in breach of the agreement and can’t deliver updates to address issues with the latest version of iOS.
This is identical to any developer that doesn’t deliver updates or suspends their developer account.
Those who have downloaded Fortnite at least once can still download and use the game on earlier versions of iOS and even with iOS 16 by following certain mitigations.
Contrary to some online posts, Apple haven’t done anything unique to the Fortnite account.
One must also understand that you're wrong. My threat model isn't Apple. My threat model is:
a) Overreaching law enforcement, which wants to take a look at what I'm up to.
b) A data breach at Apple exposing all my data.
c) Errors where my pictures get into another user's photo album, as seen on Google Photos once.
It is becoming increasingly difficult to not just recommend an iPhone to the average person with privacy/security concerns. Sure, you can tell them to go the GrapheneOS route, but I don't think you can trust the average user not to just go and install Google Maps/Google Photos/etc as soon as the alternative FOSS option inconveniences them. I've certainly struggled with this. Then they're arguably worse off than if they'd just stuck with the Apple equivalents.
Apple produces a very nice set of golden handcuffs. Polished shiny look, comfortable fur lining. Customers are really going to scream bloody murder when Apple latches them down tight.
The problem here is we are wholly dependent on Apple's goodwill. It is not required in any way (hence Google's behavior). At any moment Apple can revoke said goodwill and exploit us to their heart's content and we will have no fallback whatsoever because we decided to let the market codify our freedoms rather than preventing companies from being ruthless.
It's because the "lanes" that non-tech juggernauts break out of are typically pretty restricted, much in advance (aside from "Emergency Use Authorization" etc). Maybe it was "paranoia" (thinking of conditional incentives ahead of time), or people had to suffer enough before these to come into existence.
What's the equivalent of the FDA but for consumer privacy?
That has nothing to do with Apple. Just because the American government doesn't understand the importance of technology doesn't mean Apple is in the wrong.
Let's assume they do eventually flip their brand on its head and turn on the users.
While waiting for them to latch you down tight, you could have already been enjoying the most consumer-centric and privacy-conscious mainstream mobile OS since 2007.
> Let's assume they do eventually flip their brand on its head and turn on the users.
Chinese customers don't need to wait. Apple flipped sometime in 2017 and gave up all user emails, photos, messages, etc. to the CCP to stay in the market.
People complain about TikTok spying for China, but Apple is one of the biggest CCP spies around. That runs counter to the brand headspace they keep investing in though.
I'll never understand people who expect Apple to try and fight the CCP and inevitably get themselves barred from the Chinese market. It's not principled, it's just dumb and will completely screw over all of their current customers in the country who will now have useless devices. Apple is not a nation-state and has no judiciary or military power, and if they're to have any hope of making positive change in the country they need to play ball to some extent and become a large player who can actually exert some influence.
> I'll never understand people who expect Apple to try and fight the CCP and inevitably get themselves barred from the Chinese market.
People have this expectation because other companies have done this.
For example, Google employees revolted when Dragonfly was leaked, and got the CCP search-spying project killed. It's weird to think that Google cared more about user privacy than profits than Apple does, but that's how weird the branding works here.
"I am in a benevolent dictatorship, nothing ever could go wrong"
Just because Apple is playing nice at the moment, there is no reason not to force them, and all the other players, to have a legal requirement of playing nice. I mean, the hog that is fattened for slaughter thinks its life is great, right up until it's not.
I've been using an increasing number of Apple products since 2006 or so, after having used Linux for a decade and Windows from 3.1 through 2000.
If it's a benevolent dictatorship, it's undeniably been a good one to me over nearly half my life. If they ever do turn, I can always just leave. But what is and/or was my alternative? The less-benevolent dictatorships of Google or Microsoft? Spending inordinate amounts of time and effort making a hodgepodge of various Linux devices work together (often unsuccessfully)? I'll pass.
Except Apple does not have a police force that will detain you if you try to leave after they institute less-desirable products, and I'm sure they'd lose a lot of money and value if they literally disabled data exports.
I used to think Apple could be forced to play nice, and again and again that doesn’t seem to happen. The hammer never fell on their 30%, nor on Safari binding, nor on third party stores. And the funny thing is Google sees that and just goes the same direction, so if tomorrow Apple goes south it’s not like Google would rise as a bastion of virtue.
The question could be less if Apple should be trusted, and more if phone makers in general should be allowed to be dictators.
Why should phone makers not have ultimate control over their devices?
Say I make the Avocado Phone:
- my entire shtick is that "you can only run apps we make, and we vet the source code of every one of the few thousand third-party apps we allow on our device. We will pay you $10,000 if you get compromised using our phone"
- Of course, to achieve this, the phone can't be susceptible to "informed" evil maid attacks (as in, say the hotel's cameras capture you entering your passcode and Avocado ID password) that replace your OS with an identical one preloaded with malware. This means that, even as a user, you literally can't load any other software onto the bootloader or OS that would touch the operating system.
- it also takes every opportunity to prevent third-party apps from gaining access they don't need, which includes disabling JIT compilation (ruling out third-party browser engines, unless they want to use a slow javascript interpreter).
At what point does my phone turn from a product that services the security-conscious crowd with a completely bulletproof device, into something that people want to be able to preload software onto, because they didn't realize that security comes at a price? Is it when I sell enough? Is selling 10 million a year enough to where my market presence becomes a problem? 100 million a year? Why would people buy it if the government forces it to be 'open' at the cost of invalidating its entire use-case of being a secure device?
> Why should phone makers not have ultimate control over their devices?
First part is, fundamentally these devices are sold. You could eschew the very notion of property and make it a pure rental, but it’s not the point we are now.
The second part is, as you point out, your idea is completely valid until your service becomes life critical, a huge portion of the country’s population relies on it day to day, you killed any competitor that had a significantly different value proposition, and it would have catastrophic consequences if you were to screw it up badly. Basically you became part of the infra. Is it 100 million units? It’s up to your regulators to decide.
I think a lot of the privacy-conscious Apple users would wholeheartedly support laws that guarantee better privacy than is currently required. That said, we have to act in the world we live in not the world we want it to be.
In any case, I don’t see how using Apple products is at odds with supporting better privacy laws. If anything, they are perfectly aligned since it demonstrates a $2 trillion alternative to surveillance capitalism.
the fact you believe this is true today is most telling. I do not find them to be "consumer-centric"; they have very draconian policies, and if your use of the device fits in their narrow band of use cases then it is fine, if it does not you are SOL
Given they accommodate over 50% of United States residents[0], I'm not sure the band is as narrow as you say it is. Of course, for those it doesn't accommodate, there is a different product that hopefully better fits their use cases.
Market share is irrelevant if there’s a high enough barrier to entry and cost of switching for the user. For instance Comcast probably has a very good market share and competitors too on paper.
Is the cost of switching that high? People at the phone store do 'data transfers' already (seemingly just texts, pictures/videos, and contacts), and, hilariously, the transfer to Android is a lot better than the 'move to iOS' app that has terrible reviews[0]. I bet most of the time being spent on switching will be on reinstalling all your apps and logging back into them.
It is, depending on how long you've been using the platform.
For instance if you've been on iOS for a few years and bought a healthy amount of music, those are virtually gone after moving to android. You can mitigate that by either
- forever keep paying Apple through an Apple Music subscription
- somewhat extract the tracks and DRM-free them (tracks were DRM free when bought from the Mac, but not when bought on iOS last time I tinkered with it). Of course Apple will make it as hard as they can to block this route.
Same for movies and books, and for games/apps as well if they don't have a multi OS pricing scheme.
Switching cost is not just time spent to get used to; more often than not it's a non-significant amount of money lost in the process.
Same deal the other way round of course: Google is more diligent on exposing their content on iOS, but there will still be paid games and apps to be lost in the process.
If I don’t like what Apple does with iMessage, I can move to WhatsApp. If I don’t like what Apple does with photos, I can move to Google Photos. If I don’t like what Apple does with iCloud, I can move to Dropbox. If I don’t like what Apple does with iOS, I can move to Android.
> If I don’t like what Apple does with photos, I can move to Google Photos
I can’t. I don’t use Apple Photos, and I can’t set Google Photos as the default photo handler, nor default source or destination, nor tell any iOS device to never save photos in Apple’s silo.
> If I don’t like what Apple does with iCloud, I can move to Dropbox.
I can’t either. I wanted to backup my phone elsewhere and there is no option outside of iCloud.
How have you hacked your system and how long will you be able to?
To use Google Photos on iPhone: install the Google Photos app and grant it access to your phone's photos. Then you can go into the Google Photos app to see and manage all your photos.
To keep Apple from saving your photos: turn off iCloud Photos, or log out of iCloud.
To back up your iPhone without iCloud: make a local backup on your Mac or PC. You can even encrypt the backup with a password you choose. You can sync these backup files in any way you would like, including via Dropbox.
You can also sell your iPhone and get a different phone if you don't want anything to do with Apple.
You're skirting around the issues, as Apple just won't allow you to get out of their system in the key parts. Any of the alternatives you describe are just clunky workarounds with utterly broken parts (local backups through a Mac have severe issues compared to cloud backups).
> You can also sell your iPhone and get a different phone if you don't want anything to do with Apple.
If you come to that conclusion, it's basically the answer to your "How am I handcuffed to Apple?" question. If you need to give up the system to properly manage your backups, it's pretty much a situation where you're handcuffed or not, with no clear negotiable middle ground option.
I use Firefox just fine on iOS. Sure, it's just user chrome and Firefox Sync, but those are the things I care a lot more about than the rendering engine.
I'd love to support Gecko on mobile too, as I've moved the vast majority of my desktop usage to it, but Webkit is still fighting the Blink/Chromium hegemony, too, and that's still fighting the good fight.
I appreciate that you feel that way. I think most users don't care about the details of rendering engines and think user chrome choice (not Google's Chrome specifically; it's stupid Chrome confused pre-existing browser language) is enough. I mostly agree, as I already stated, and I'm okay with the compromise on rendering engine for security and I'm okay with the compromise on rendering engine to keep at least one non-Blink renderer high enough on caniuse usage statistics that I can fight back some in corporate projects that "Chrome is the only browser we need to support" because we have enough iOS using users and many of them are executives. That's a more important fight to me than "user rendering engine freedom". I don't personally need IE6 2.0 "Chrome is the only supported browser for the next few decades" (whether or not you think Google would declare victory in the same way that Microsoft did and stop innovating on Chrome entirely that very minute that happens), and I don't think the web as a whole needs that either. So I'm with Apple right now on their compromise choices.
I don't expect you to agree with me. I just want you to know it is a perspective of its own merits. The web has seen what happens when one rendering engine gets enough market share to dominate and that had a decade or more of repercussions, especially in enterprise application development. We're so dangerously close to that happening again. You may think you are fighting the most for freedom of the two of us, but from my perspective you are fighting a proxy battle in the Cold War and I'm much more worried about the Cold War and the freedoms it may lose us in the long run.
In the future Chrome might achieve a monopoly, therefore we should give Apple a monopoly on Safari today? If we're doing Cold War metaphors, this sounds like "we had to destroy the village in order to save it".
I'm much more worried about the Cold War and the freedoms it may lose us in the long run.
I will have to disagree that freedom is advanced by an OS that forbids you from using software that hasn't been approved by a megacorporation.
Apple's usage of Safari on iOS is much more akin to a monopsony than a monopoly (though we are busting at the edges of the anti-trust analogy). Apple is only the only (allowed) "buyer" of rendering engines on iOS, and so is only buying Apple. So it is a bit of apples and oranges when comparing to potential monopoly where Google is the last supplier remaining for rendering engines.
We're probably all going to keep disagreeing because it is apples and oranges no matter what analogy we try to use. I do think "potential monopoly" is worse than "practical monopsony" (especially when it is a proxy monopsony and people are still free to not buy Apple and thus not buy Apple's rendering engine choice), but you are welcome to continue to disagree. Again, I appreciate why a lot of y'all see the "practical monopsony" as the larger and more immediate threat.
Whatever you label it, it's an arbitrary limitation of technical capabilities that is done for the user without asking them. You can backpedal as far as you'd like, but you can't apologize away the fact that the user should have more power over their iPhone than Apple does. That shouldn't be contentious on a site called 'Hacker News'.
I'm not backpedaling, I stand by my opinion that "this isn't a technical user choice that matters to many users (including me)". That's the first thing that I said on the subject, and that's what I've been sticking to. I don't know why my opinion is upsetting you so much, but consider toning things down a bit before they get personal or hurtful?
What may sound like "backpedaling" is that I am admitting sympathy for your concern, despite disagreeing with it. I think you've made good points. I don't find anything "contentious" about it. I still disagree with you, and I'm not apologizing for disagreeing with you. I can understand your points just fine, and also still disagree with them. I would like you to consider my point of view, and maybe engage with me on this issue that it is much more complex than a simple "good versus evil". I hope this not to change your mind, but in the hopes of a better overall discussion than just "Apple is evil and doing evil things because Freedoms". The reality is not that simple. I don't blame you for thinking it is, and you are free to continue to do so, just don't yell at me for saying "well I think it's kind of complicated", please.
I'm not yelling at anyone. You're making weasel-y statements, and I'm calling you on them outright. If Apple wants to lead the way in browser development, then they should do so on their own merits. They're welcome to pre-install it on my iPhone, and they can even make it impossible to delete like on Mac. Just don't use it as an excuse to prevent alternative browser engines, it's not a solid argument. The concerns over Javascript engines and JIT compilation was sketchy at best, but I won't stand around and listen to people defend an opportunistic greed magnet for trapping their users.
There can be no free or fair market here. The barrier to entry for new companies to enter the phone market is just unbelievably high with all the patents.
Modern human communication, phones, are too important to be held hostage by just two companies, neither of which are acting in consumers best interests.
IMO this is the time that governments should be acting on behalf of the people, and not the corporations with the deepest pockets.
There is a Chrome app on iOS. I don't think many people pick their browser based on rendering engine, but rather on actual browser UI and features (like sync).
Is it really that hard to switch from Apple to/from Google or to/from Windows/Linux?
I mean, I really enjoy my current Apple ecosystem, and I do have all the devices, and I like how everything works currently. But a switch is mainly a matter of moving my files and exporting/importing photos, contacts, and email. It might take a few years to cycle out ALL the devices, but I don't feel like there is a ton of friction in switching my data over.
It is more that everything is working so well together that I don't want to switch right now.
I do stay away from Apple home automation though, for this very reason. I want something open and local that I control since that WOULD be a huge pain to try and swap away from.
>Because in theory Apple could go completely against their own philosophy and our decades of prior experience with them, you should instead give all your information to Google so that they can sell it
I’m a FOSS person and run Linux as a daily driver. But I recommend every single person who asks to just buy an iPhone or a Mac (if they can afford it). The user experience alone is so superior to the other options. Security and privacy too, these days.
Apart from some very niche options, so is everything else.
This is about trust. If you don't trust the manufacturer of your hardware (or developers of software), that puts you down a very specific path of what you can happily purchase.
This was tied to an action in the App Store. Not sure how you purchase apps without tying it to your Apple ID. It is also laid out in the ToS "We use information about your browsing, purchases, searches, and downloads. These records are stored with IP address, a random unique identifier (where that arises), and Apple ID"
No one (or even the author) has been able to replicate it or find the Apple ID in any other log calls.
> Sure, you can tell them to go the GrapheneOS route, but I don't think you can trust the average user not to just go and install Google Maps/Google Photos/etc as soon as the alternative FOSS option inconveniences them
Isn't it fine to install Google Maps, etc, in a separate profile, inside GrapheneOS?
A small number of comments here are not about E2EE backups but rather the security key announcement. If there's a more detailed URL for that part of the story, we can factor it into its own thread.
> Some metadata and usage information stored in iCloud remains under standard data protection, even when Advanced Data Protection is enabled. For example, dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data are used to help Apple de-duplicate and optimize your iCloud and device storage — all without having access to the files and photos themselves.
> • iCloud Drive The raw byte checksums of the file content and the file name
> • Photos The raw byte checksum of the photo or video
That means that you’re not safe to store known files your local dictator doesn’t like, isn’t it? Wouldn’t a sort of per-user salt allow the same functionality and give more confidentiality?
If there is a "Revolution Plan (WIP)" document shared amongst a few agitators, and someone in power gets their hand on it (and its "checksum" or whatever), then can they figure out _who else_ has it?
More or less, yes. Apple could search for a list of iCloud users with that hash in their account and single them out without breaking the encryption (not that they can't do that too).
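The exchange above (a global content hash lets whoever holds the index find every account storing a known file, while a per-user salt or key would not) can be shown directly. The following is an added example, not Apple's code or a description of how iCloud's deduplication is implemented: it contrasts an unkeyed SHA-256 content identifier with a per-user HMAC-SHA256 tag. The user names, secrets and documents are constructed for the example; the per-user secret is assumed to stay on the user's device.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Constructed sample files (not real data); two users hold the same document.
var (
	sharedDoc = []byte("Revolution Plan (WIP) - constructed sample text")
	otherDoc  = []byte("Grocery list - constructed sample text")
)

// ContentHash is an unkeyed identifier: identical bytes give identical hashes
// for every user, which is what makes cross-user deduplication possible.
func ContentHash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// UserTag is a keyed identifier under a secret only that user knows. The same
// user uploading the same bytes twice still produces the same tag (so per-user
// dedup keeps working), but two users holding the same file produce unrelated
// tags, so the server cannot link them by content.
func UserTag(userSecret, data []byte) string {
	mac := hmac.New(sha256.New, userSecret)
	mac.Write(data)
	return hex.EncodeToString(mac.Sum(nil))
}

// BuildGlobalIndex models a server-side index keyed by unkeyed content hash.
func BuildGlobalIndex(uploads map[string][][]byte) map[string][]string {
	index := map[string][]string{}
	for user, files := range uploads {
		for _, f := range files {
			h := ContentHash(f)
			index[h] = append(index[h], user)
		}
	}
	for h := range index {
		sort.Strings(index[h]) // deterministic order for display and tests
	}
	return index
}

// UsersHoldingFile is the lookup the thread worries about: given a known file,
// list every account whose uploads produced the same content hash.
func UsersHoldingFile(index map[string][]string, knownFile []byte) []string {
	return index[ContentHash(knownFile)]
}

// BuildKeyedIndex models the same index built from per-user keyed tags.
// Every tag maps to exactly one user, so the same lookup yields nothing useful.
func BuildKeyedIndex(uploads map[string][][]byte, secrets map[string][]byte) map[string][]string {
	index := map[string][]string{}
	for user, files := range uploads {
		for _, f := range files {
			t := UserTag(secrets[user], f)
			index[t] = append(index[t], user)
		}
	}
	return index
}

func main() {
	uploads := map[string][][]byte{
		"alice": {sharedDoc},
		"bob":   {sharedDoc, otherDoc},
		"carol": {otherDoc},
	}
	secrets := map[string][]byte{ // constructed; in practice never leaves the device
		"alice": []byte("alice-device-secret"),
		"bob":   []byte("bob-device-secret"),
		"carol": []byte("carol-device-secret"),
	}
	fmt.Println("unkeyed index, holders of sharedDoc:", UsersHoldingFile(BuildGlobalIndex(uploads), sharedDoc))
	keyed := BuildKeyedIndex(uploads, secrets)
	fmt.Println("keyed index: distinct tags =", len(keyed), "(one per user-file pair)")
}
```

Running this prints `[alice bob]` for the unkeyed index, while in the keyed index each tag belongs to one user only. The trade-off the thread hints at is visible in the code: a keyed tag prevents the server from deduplicating the same file across different users, which is exactly the storage saving a global hash buys.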
My understanding of how E2E encrypted iMessage works is that in group chats it does indeed send 30 copies of your messages, individually encrypted for each recipient in the group.
Perhaps they're doing multi-recipient encryption, i.e. the data is wrapped with one key, and that private key is then encrypted with the public key of each recipient, so everyone ends up using the same private key to decrypt the file data itself. This means the actual file data isn't sent 20+ times (although the data is indeed stored in everyone's Messages backups separately; if Apple is doing de-dupe based on file data+filename, they're probably benefiting from deduping group message images).
> APNs can only relay messages up to 4 or 16KB in size, depending on the iOS or iPadOS version. If the message text is too long or if an attachment such as a photo is included, the attachment is encrypted using AES in CTR mode with a randomly generated 256-bit key and uploaded to iCloud.
Only the attachment encryption key and URL need to be encrypted to each recipient.
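The scheme the two comments above describe (encrypt the attachment once under a random 256-bit AES-CTR key, then wrap only that key for each recipient) is the standard envelope pattern. The following is an added example in Go and is not Apple's implementation: it uses X25519 ephemeral-static key agreement per recipient and AES-GCM to wrap the content key, and derives the wrapping key with a plain SHA-256 over the shared secret and both public keys, a deliberate simplification of a proper KDF chosen to stay within the standard library. Recipient names and keys are constructed for the example. AES-CTR on its own gives no integrity, so the GCM tag here protects only the wrapped key, not the attachment bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Envelope is the single object that would be uploaded: one ciphertext,
// one ephemeral public key, and one small wrapped key per recipient.
type Envelope struct {
	Ciphertext []byte            // 16-byte CTR IV followed by AES-256-CTR output
	Ephemeral  []byte            // sender's one-time X25519 public key
	Wrapped    map[string][]byte // recipient name -> GCM nonce || wrapped content key
}

// NewRecipientKey stands in for a device's long-term X25519 key pair (constructed).
func NewRecipientKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKEK turns the ECDH shared secret into a 256-bit key-encryption key.
// Simplified KDF for the example: a real system would use HKDF with a label.
func deriveKEK(shared, ephemeralPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-attachment-kek-v1"))
	h.Write(shared)
	h.Write(ephemeralPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < g.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], nil)
}

// Seal encrypts the attachment exactly once and wraps the content key for
// every recipient, so the payload size does not grow with the group size.
func Seal(attachment []byte, recipients map[string]*ecdh.PublicKey) (*Envelope, error) {
	cek := make([]byte, 32) // random 256-bit content encryption key
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(attachment))
	cipher.NewCTR(block, iv).XORKeyStream(ct, attachment)

	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: append(iv, ct...), Ephemeral: eph.PublicKey().Bytes(), Wrapped: map[string][]byte{}}
	for name, pub := range recipients {
		shared, err := eph.ECDH(pub)
		if err != nil {
			return nil, err
		}
		wrapped, err := gcmSeal(deriveKEK(shared, env.Ephemeral, pub.Bytes()), cek)
		if err != nil {
			return nil, err
		}
		env.Wrapped[name] = wrapped
	}
	return env, nil
}

// Open recovers the content key with the recipient's private key, then
// decrypts the shared ciphertext. A tampered or foreign wrapped key fails GCM.
func Open(env *Envelope, name string, priv *ecdh.PrivateKey) ([]byte, error) {
	wrapped, ok := env.Wrapped[name]
	if !ok {
		return nil, errors.New("not a recipient of this envelope")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(env.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	cek, err := gcmOpen(deriveKEK(shared, env.Ephemeral, priv.PublicKey().Bytes()), wrapped)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	if len(env.Ciphertext) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	pt := make([]byte, len(env.Ciphertext)-aes.BlockSize)
	cipher.NewCTR(block, env.Ciphertext[:aes.BlockSize]).XORKeyStream(pt, env.Ciphertext[aes.BlockSize:])
	return pt, nil
}
```

With three recipients the envelope carries one ciphertext the size of the attachment plus three 60-byte wrapped keys, which is the saving the comment describes; a recipient not listed in `Wrapped` has nothing to unwrap, and a wrapped key that has been altered fails the GCM check before any decryption is attempted.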
This is a great step, but I really hope Apple also changes their position on no longer allowing users to provide a high-entropy passphrase to unlock all of this end-to-end encrypted data.
As it is, my iPhone unlock PIN is everything that's needed to decrypt the data server-side [1], and I'm not changing to an alphanumeric password on my phone only because of that.
[1] https://support.apple.com/en-us/HT204915 ("You might also be asked to enter the passcode of one of your devices to access any end-to-end encrypted content stored in iCloud.")
You are not limited by 6-digit passcodes only, you can also
“…Or tap Passcode Options to switch to a four-digit numeric code, a custom numeric code or a custom alphanumeric code.” which is on their support web site[1]
Yes, but then I need to enter a custom alphanumeric password every time I unlock my phone or tablet.
I want to be asked for it if and only if I grant a new device access to my end-to-end encrypted iCloud data.
I don't think this is an absurd demand. WhatsApp supports this security model, for example. Even Apple used to, before they forced every iCloud keychain user to switch to their HSM-based model!
Do you not use FaceID or TouchID or unlock with the Watch?
I switched my pin to alphanumeric because I’m not putting it in every time I pick up my phone. I can live with the inconvenience of putting the passcode in every couple of days or so.
I just want to second this. I use a long alphanumeric password to unlock my iPhone plus FaceID.
I enter the password at most a few times a week after reboots and if someone plays with the phone and gets FaceID to fail too many times. It’s not annoying at all to unlock with the keyboard rarely.
Lately I've found FaceID can't handle my 'first thing in the morning and haven't had my coffee' face. I'm not sure if it's me or if Apple updated the algorithm.
If you haven’t already, I would nuke and pave the facial recognition. Haven’t faced anything like that since TouchID but that would be a red flag to me that the recognition data set is betraying me.
I see what you're asking for, but I don't think Apple would ever do it. A passphrase that is only used once every few years is a recipe for endless support calls.
Then hide it behind an option deep in the settings, and label it "only for advanced users, and if you lose it, all your data will forever be gone".
Apple even had this exact setting in the past! And they still have a similar thing for Mac disk encryption (the default is iCloud escrow, but a local-only recovery passphrase is also an option).
I’ve been using an alphanumeric passcode for about 7 years now. I’ve gotten used to it. It’s not too long to be annoying but better than a numerical pin.
Even if you used 4 numbers for an alphanumeric password, it’s still much more secure than a 6 digit pin.
> Even if you used 4 numbers for an alphanumeric password, it’s still much more secure than a 6 digit pin.
Unfortunately, that's not the case:
If you trust the secure enclave (for the device unlock scenario) or Apple's HSMs (for the key escrow scenario), a 6-digit PIN is just as secure as a 4-character alphanumeric password. In both cases, you get 10 invalid attempts before your data is wiped, and the odds are negligibly small in either case (10/10^6 vs. 10/62^4).
If you don't, i.e. you are concerned your adversary can somehow perform a brute-force attack, you need way more than four alphanumeric characters.
It's not exactly what you want, but one mitigating factor is if you're using FaceID, TouchID, or Apple Watch -- Those things will dramatically reduce the frequency that you're prompted for your password.
I want to use a low-entropy PIN on my phone, because I enter it dozens of times per day, shoulder-surfing is a concern as big as hacking in many scenarios, and because I trust Apple's hardware to be capable of efficiently limiting local PIN attempts and wiping high-entropy keys if required.
At the same time, I log in to new iOS devices with my Apple ID about once per year. I would love to be able to use a high-entropy key in that scenario. (As a point of reference, WhatsApp allows exactly that for encrypted backups!)
If that's still baffling to you, I'm glad I could introduce you to a very different viewpoint :)
There's still too many situations in which I do end up having to enter my passcode.
Mask unlock isn't perfect, wet hands can throw off Touch ID, and once per day I believe they will just reset and ask for the passcode anyway. It's also required for software updates and reboots.
I'm not asking for this to become the default, or even an option given in any setup wizard. Just allow me to set up my own end-to-end encryption recovery passphrase and let me remove all of my device passcodes, i.e. allow me to opt out of HSM-mediated key escrow.
Is your Apple ID password not a sort of "secondary passphrase" as you're wondering? You enter the Apple ID password to download the encrypted data and the low-entropy passcode to decrypt it.
Not really. The Apple ID password is a regular server-verified password and does not contribute to end-to-end encryption in the cryptographic sense. In other words, it gates access to the end-to-end encrypted data, but not the keys used to encrypt them.
If you trust Apple to never get hacked or hand over your data to any third party, that's perfectly fine, but that is not the scenario that end-to-end encryption is designed to address.
Got "1234" as a passcode on a long-forgotten family iPad or test iPhone? Better go change it to something secure, as that's what stands between an advanced attacker (that can compromise your 2FA), or somebody able to compromise/apply sufficient pressure to Apple, getting into your iCloud end-to-end encrypted data.
The iCloud recovery key is a 28-character string, not your iPhone PIN: https://support.apple.com/en-us/HT208072. There is no situation that I can think of where a device PIN is of any use off-device.
Recovery keys were part of iCloud Keychain end-to-end encryption when used without "two-factor authentication", which is now a deprecated setup and can't be used with new iCloud accounts anymore:
Thank you for the links. In my case, I have two-factor _and_ a recovery key set up. The Account Recovery icon on Apple ID says "Your device passcodes can be used to recover end-to-end encrypted data. If you forget your passcodes, you'll need a recovery contact or recovery key."
Are you sure it's either/or? Have you gone through the process, and are you sure the PIN is required off-device, rather than ? If that's the case, I do agree that it's not good.
Also I don't quite understand the threat model where a stronger authentication to iCloud allows for weaker data encryption. Considering Apple is usually pretty spot on with these things, this would definitely stick out.
> Got "1234" as a passcode on a long-forgotten family iPad or test iPhone? Better go change it to something secure...
according to the article, I don't think this will be possible because you won't even be able to turn on Advanced Data Protection in this scenario.
"You must also update all your Apple devices to a software version that supports this feature."
Just to get the feature enabled you're going to have to go and "touch" all of the devices you're signed into and either update their OS (and also update their passcode if you're smart) or sign out of them.
I admit I still use a 6-digit passcode, but if you're actually serious about protecting your data you should be using an alphanumeric password anyway. Even ignoring the server-side stuff, that single password unlocks most of the data on your phone.
It's much easier to securely limit invalid PIN attempts on a device locally than in the cloud, though. This is the bread and butter of embedded security cores like the secure enclave or Google's Titan M.
Users shouldn't be forced to use high-entropy local passwords just because a service provider insists on reusing them for a completely different purpose.
> As it is, my iPhone unlock PIN is everything that's needed to decrypt the data server-side
That's not quite true. They use a HSM on their datacenters, which only allows a limited amount of guesses. They only allow a limited amount of guesses, before your data is wiped forever[1].
Technically, the keys are in the processor's state. You are just trusting that it won't divulge the keys without a correct PIN. You are also trusting the processor is properly secured. And you are trusting that no one would go through the effort to extract the keys physically with scanning probe microscopy or something.
Sure, but I won't, and neither will many other people, realistically.
There is no technical need at all for the same password to gate both local device unlock and remote end-to-end encryption key escrow.
It's a pure security vs. availability (and realistically genius bar support load) tradeoff, and I even think they nailed it for the vast majority of users! I just wish they'd let advanced users participate in that tradeoff more actively.
This. It seems like for the average person, if you go from not using cloud backups to using cloud backups with their pin, then this is a huge step backwards for security.
On the other hand, for the average person already using unencrypted iCloud backups, it is a considerable step forwards, and arguably managing their own high-entropy recovery key could be a significant burden.
I just really wish they'd made PIN-based HSM escrow the default, but optional (with the "off" switch behind several scary-sounding warnings).
For everyone else who was hoping to enable E2EE for backups right away:
> Advanced Data Protection for iCloud is available in the US today for members of the Apple Beta Software Program, and will be available to US users by the end of the year. The feature will start rolling out to the rest of the world in early 2023.
Unfortunately, it seems that this requires all connected devices to be on the latest OS versions (iOS 16.2, macOS 13.1, etc.), which means you can’t use it as long as you have older devices connected to your Apple ID.
It also doesn’t work for Shared Albums, and for other “Shared” features it requires all participants to have ADP enabled.
It's not particularly surprising that all your devices need to be updated, how else would it work? The whole point of E2E is that the ends are your devices.
Right, but it may be unexpected that a single device can prevent using a new feature on your other devices. This is just a heads up. And conceivably Apple could provide updates for older OS versions, as they sometimes do for security fixes.
This has been the case for other iCloud features and they've historically done a good job communicating this to the user at the time they upgrade the service and when they attempt to access it from an old device. I would expect that to follow the same process here either refusing to enable it until your devices are updated or having the old device kicked out until it's updated.
>as long as you have older devices connected to your Apple ID
Is it possible to have an old device connected to Apple ID, Find My enabled and iCloud backups/sync disabled for ADP to work on your newer devices?
Having no backups/sync on the old devices is fine, presumably people who care about encryption have that turned off at the current state of matters anyway.
Probably not, because Apple doesn’t keep track centrally of which features you have enabled on which device, so they simply prevent you from activating the new feature when you have any signed-in device with an older OS version (which is something they do track).
They already communicate to you when you use a newer iOS feature that won't work on your other device. But you can still use it. Maybe you won't be able to turn back on those features on the older device, or something
I have been waiting a long time for backups and photos to support this, and I am glad we are finally getting it.
I don't feel like updating to a beta to get this feature (especially for the risks associated with it). But I am curious how the migration will work. Will this basically re-encrypt everything locally and then upload it, or will what is already there stay unencrypted?
Also does anyone know, how do features like this work for someone with a single Apple device? I don't worry about losing access to anything because if my phone dies I have... several other devices with keys. But what about someone who doesn't?
"Because Apple will not have the keys required to recover your data, you will be guided to set up an alternate recovery method in case you ever lose access to your account."
I would assume a physical sheet of paper containing recovery codes is a suitable alternative recovery method.
I should have looked closer at the screenshot, didn't really think it would tell me anything beneficial for an e2e system.
Thanks for pointing that out!
Honestly might not be a bad idea to have a backup somewhere else just in case. Like in the event of a fire or something have a backup sitting in a safe.
It does bring up an interesting conversation: what levels do we go to to make sure we can recover accounts in situations like this? Store a USB or a paper in a safety deposit box on the other side of the country? I tend to store all of my backups for my other accounts on my iCloud Drive so... losing access to that would be catastrophic.
I have often criticized Apple for marketing iMessage as end-to-end encrypted while the vast majority of encryption keys still reside on their servers and are routinely used to decrypt messages for law enforcement on demand. This is a long overdue step forward.
However, for most people their messages will still not be end-to-end encrypted because their contacts will mostly not have this optional feature enabled. To be truly effective, this feature would have to ensure that Apple does not strip the end-to-end encryption from your messages when they are sent to other people using iMessage. In my opinion it is still fraudulent to market iMessage as an end-to-end encrypted system until this is fixed.
>However, for most people their messages will still not be end-to-end encrypted because their contacts will mostly not have this optional feature enabled. To be truly effective, this feature would have to ensure that Apple does not strip the end-to-end encryption from your messages when they are sent to other people using iMessage. In my opinion it is still fraudulent to market iMessage as an end-to-end encrypted system until this is fixed.
I think your opinion is mistaken in conflating separate problem spaces/threat models. E2EE deals exclusively with the transit and reading of data between trusted ends, that's the point. It deals with the threat posed by middle observers. What happens to the data after it reaches and gets stored on one end or the other is out of scope. Certainly important, but still has nothing to do with whether something is E2EE. Communications between people necessarily means no one person is fully in charge. The person on the other side could perfectly well have their PIN be "1234", that wouldn't suddenly mean Signal/iMessage/SSH/whatever are no longer E2EE.
This is definitely an unambiguously significant improvement, and it will help more people stay secure more easily while still making use of wireless services (vs backing up with a cable to a system like I have always done and still do with iOS devices). However, while technology is helpful it's not a total substitute for opsec either. And I think it's a mistake to mush together different domains. iMessage going full E2EE was a good all by itself and its own specific thing, even if Apple was wrong to not deploy the same thing everywhere and also wrong (and still wrong!) not to allow 3rd party options for backups. There was nothing fraudulent about saying it was E2EE.
You want to separate iMessage and iCloud and say that it doesn't matter that iCloud is less secure than iMessage by default because it's separate. You'll still call iMessage end-to-end encrypted separately from iCloud Backup by defining the "end" as before iCloud Backup runs, and blame users for making insecure choices when they enable iCloud Backup.
This argument makes no sense for two reasons. First, iMessage and iCloud Backup are not simply apps that you can replace with other services as you choose. "For your own protection" against malware or whatever, Apple restrictions prohibit anyone from offering an SMS-integrated messaging app or a cloud backup app in competition with iMessage or iCloud Backup. iMessage and iCloud Backup are not separate; they are part and parcel of the larger piece of software called iOS. Apple can't play dumb and blame users for making insecure choices when Apple is the one limiting them to insecure options.
Second, even if they were separate apps and replaceable, they are made by the same company. The service provider the end-to-end encryption is supposed to protect against is the same one making the non-E2EE backup. If Facebook started making a phone backup app that was "separate" from WhatsApp but made non-E2EE backups of WhatsApp messages to Facebook servers, and it was used by a large fraction of WhatsApp users, and the FBI was sending subpoenas for WhatsApp messages to Facebook and routinely getting decrypted messages back, would you really be defending Facebook for marketing WhatsApp as end-to-end encrypted? If so, I guarantee you would be in an extreme minority.
>You want to separate iMessage and iCloud and say that yes iCloud breaks end-to-end encryption
No, iCloud simply has nothing to do with iMessage E2EE, nor with Signal nor Nextcloud nor anything else.
>but that doesn't matter because it's separate from iMessage
It is indeed.
>so you can still call iMessage end-to-end encrypted separately from iCloud Backup by defining the "end" as before iCloud Backup runs.
Yes, because that is correct, and you are wrong. The "end" is when an authorized end user possessing the keys accesses the data. That's how it works. What they do with that data afterwards is completely orthogonal. They can print it out, make it into paper airplanes, and throw it off a skyscraper in the middle of a city and it still will have been E2EE. By your argument, there is literally no E2EE in existence on any common hardware in the world, since it's easy to use a PC to backup unencrypted (and indeed at least until relatively recently that was the rule not the exception, and even FDE only rose to general usage within the last decade or so).
>First, iMessage and iCloud Backup are not simply apps that you can replace with other services as you choose
Irrelevant even if you were right, which you are not.
>"For your own protection" against malware or whatever, Apple policies prohibit anyone from offering an SMS app or backup app in competition with iMessage or iCloud Backup.
You seem awfully confused if you think "SMS" has even the slightest security anywhere on anything. As far as messaging apps, Whatsapp utterly dominates iMessage worldwide. Signal is also very popular. There are Matrix apps, etc etc. What an absolutely ludicrous statement. Internet backups not being open to 3rd parties is indeed bad as I've said, but you can backup to a computer same as was always the option well before iCloud Backups even existed. That's what I do. Or simply not backup of course, such as if someone was using a phone in a high security situation and would rather lose history if the phone had to be wiped than have any risk of disclosure.
>iMessage and iCloud Backup are not separate; they are part and parcel of the larger piece of software called iOS. There is no firewall between them.
Wrong. If you want to allege that Apple is secretly backdooring stuff at a much lower level, well why not go straight down to the silicon? And you're going to need quite the evidence for that.
>Second, even if they were separate apps and replaceable, they are made by the same company. The service provider the end-to-end encryption is supposed to protect against is the same one making the non-E2EE backup blah blah
Also all irrelevant.
You've come up with a make believe fantasy head canon version of what "end to end encryption" means that has nothing to do with what it actually means. People like you love to throw around criminal allegations like "fraud" very lightly.
He has several good points attacking strawmen of his own creation, which he willfully confuses with my actual arguments, to which he has no substantive response. It's an easy method to make yourself look good in online arguments and a total waste of time to engage with.
>E2EE deals exclusively with the transit and reading of data between trusted ends, that's the point.
That's transit encryption. The point of E2EE is to prevent anyone, including the service provider from decrypting the communication. Apple making a backup copy of the comms that they can read breaks the E2EE.
>The point of E2EE is to prevent anyone, including the service provider from decrypting the communication.
The point is to prevent anyone between the ends from reading it, not anyone at all obviously. The ends are trusted by definition. Once the data reaches them, it's decrypted. They can then do whatever they want with that. The job of the E2EE is whatever happens in the middle (both in transit and at rest).
>Apple making a backup copy of the comms
What the heck are you talking about? Apple does not make a backup copy of the comms. Users may choose to use an Apple provided service that right now is not E2EE to make a backup themselves, if they wish. Or they can choose to backup in other ways (remember, Macs can access iMessage too). Those other backups that have nothing to do with Apple also may, or may not, be E2EE.
I see where you're coming from, and it's a bit of an old school view of E2EE.
Wikipedia even has a section for the meaning of the term with a lot of citations requested, suggesting not everyone views the meaning of E2EE the same. https://en.wikipedia.org/wiki/End-to-end_encryption#Etymolog...
I wonder how far you would take the separation of functions. If Signal started offering a service to scan your messages and attachments for spam/malware, sending them plaintext from the app to their server to do so, does that break their E2EE? If they recommended the feature, implied that not enabling it was reckless, and didn't explicitly explain the result being Signal servers reading your messages?
Hmm, but law enforcement can ask Interpol, which can ask the FBI, which can ask the NSA, which can directly get the data from the backdoored endpoints that seem to be on the Apple devices since 2012, without the need of a warrant?
(Alternatively it might be law enforcement => local intelligence agencies => NSA, since the local law enforcement might still need to provide a warrant to ask this from Interpol?)
Sometimes news is about market developments, not technical innovation.
Android backups are E2EE but I don't think Google photos is. Photos aren't included in the phone backup, I think. Would welcome correction if that's wrong.
Google Drive does have E2EE (https://support.google.com/docs/answer/10519333) but it might (?) require a corporate account. It severely affects collaboration and sharing which is probably why it's a bit of a niche feature.
If they're still hashing files, it's not end to end.
An anecdote, an activist had a document in their Google Drive. It was not something people high up wanted being distributed. It was deleted not just from their account, but platform wide. Guess how they did that? Its hash.
People need to demand sources for some of the stuff said on this site. Unless you can provide an example of that incident of an activist having a file deleted, you're just spewing stuff.
It's not inconceivable, but you need to source it.
You are correct, but how could Apple solve this issue without hashing? Syncing files alone without E2E is tricky. I can't imagine a way to sync files between devices without having some sort of hash or id.
Big...deal...? That wouldn't be a "you" problem. That would be an Apple problem. If you pay for cloud service (say 100GB), Apple has no business "optimizing" or de-duplicating anyways. If you want it as an option, sure.
But let's not pretend this isn't a subtle backdoor that can invalidate the entire "E2E" implementation. I believe that in the US, having the filename and/or hash/checksum is most of what is necessary to trigger the Foregone conclusion doctrine and force the person to lose their 5th amendment protection and be compelled to decrypt their data to be used against themselves.
I'd like if someone with legal knowledge could comment if my understanding is correct.
Activists could always salt their own files by adding some junk content to the end (or cropping images by one pixel, cropping video clips by a fraction of a second, etc)
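The point being argued over in the last several comments (a plaintext hash lets the provider link every user who holds the same file, and appending junk only defeats an exact match) can be shown concretely. The following is an added example written for this page, not code from Apple or from any commenter; the "leaflet" file, the per-user keys and the HMAC-based per-user index are constructed assumptions, not a description of how iCloud actually indexes files. It contrasts a content-addressed index (SHA-256 of the plaintext), which matches across users, with a per-user keyed index (HMAC-SHA256 under a key only that user's devices hold), which still lets one user's devices agree on an identifier but gives the server nothing that matches between users. Hashing the ciphertext under a per-user key has the same effect.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample: the same leaflet uploaded by two different users.
var leaflet = []byte("Meet at the square, 18:00. Bring water.\n")

// plaintextDigest models a provider that indexes uploads by a hash of the
// plaintext, the way content-addressed deduplication does.
func plaintextDigest(file []byte) string {
	sum := sha256.Sum256(file)
	return hex.EncodeToString(sum[:])
}

// keyedDigest models a per-user index: HMAC-SHA256 under a key held only by
// that user's devices (assumption). The server still gets a stable identifier
// for syncing one user's devices, but two users' copies of the same file no
// longer produce the same value, so they cannot be linked or matched against
// a list of known hashes.
func keyedDigest(userKey, file []byte) string {
	mac := hmac.New(sha256.New, userKey)
	mac.Write(file)
	return hex.EncodeToString(mac.Sum(nil))
}

// salted appends random junk, the "salt your own files" workaround from the
// thread. It defeats an exact-hash match. It does nothing against perceptual
// hashes of images, which are designed to survive small changes.
func salted(file []byte) []byte {
	junk := make([]byte, 16)
	if _, err := rand.Read(junk); err != nil {
		panic(err)
	}
	return append(append([]byte{}, file...), junk...)
}

// linkable reports whether a server holding only the two digests can tell
// that the two uploads are the same file.
func linkable(digestA, digestB string) bool {
	return digestA == digestB
}

// newUserKey generates a random 256-bit key for one user's index.
func newUserKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	alice, bob := newUserKey(), newUserKey()
	fmt.Println("plaintext hash links two users:", linkable(plaintextDigest(leaflet), plaintextDigest(leaflet)))
	fmt.Println("keyed hash links two users:    ", linkable(keyedDigest(alice, leaflet), keyedDigest(bob, leaflet)))
	fmt.Println("salted copy still matches:     ", linkable(plaintextDigest(leaflet), plaintextDigest(salted(leaflet))))
}
```

Note that the keyed index costs the provider cross-user deduplication, which is the trade-off the thread is describing: the only thing the plaintext hash buys that the keyed hash does not is the ability to recognise the same file in different accounts.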
It also allows them to track the contact/social graph of all users based on clusters of who has the same unique file hashes.
Then again, they already have everyone's address books and iMessage traffic, so I guess they already have that data for most of the industrialized world. I wonder who else will preserve copies?
100% - this was my largest concern when they announced perceptual hashing, and it seems to be the big takeaway here. Of course, this is a concern with most online hosting services, but at Apple's scale it's pretty scary to consider the possibilities.
But Apple must be able to still access all your encrypted data using your stored icloud password somehow right? Otherwise how are they able to show all your files in a web browser, from an arbitrary computer, after you've logged in
> When Advanced Data Protection is enabled, access to your data via iCloud.com is disabled by default. You have the option to turn on data access on iCloud.com, which allows the web browser that you're using and Apple to have temporary access to data-specific encryption keys provided by your device to decrypt and view your information.
What does temporarily opt in mean? Like every time you want to use iCloud on a browser, you use your devices to upload the key temporarily, then after you don't want to use iCloud, Apple deletes your key?
It hasn't been released yet, but I can see two scenarios -
A. Apple could create a tunnel from your browser to your devices, they could have key exchange via the web after you scan a QR code shown on your web browser with your iPhone, with some sort of "verify these words are the same" scheme.
B. Apple does the typical OTP/2fa scheme where you enter a x-digit code from your device, and in doing so your Device furnishes a key to Apple to be temporarily used to access your files from the web.
But in both of these scenarios, Apple compromising you via malicious javascript is ever-present, so you're right in that you'd be trusting Apple even more to not store your temporary key for too long or at the request of a NSL.
> Every time a service key is uploaded, it is encrypted using an ephemeral key bound to the web session that the user authorized, and a notification is displayed on the user’s device, showing the iCloud service whose data is temporarily being made available to Apple servers.
I can’t help but feel this dovetails with the CSAM-scanning work that Apple canned last year.
I was always under the impression that ultimately they were doing that work because they needed some mitigations for the fact that iPhoto backups meant people were storing CSAM on Apple’s servers. If they were serious about privacy, that would be a big big problem for them; hard to say no when the government comes knocking with a legitimate warrant, so they needed a solution that would let them preempt that scenario.
Now they are storing hashes for every file, so they no longer need to do on-device scanning.
If they were serious about E2E, of course everything would be encrypted.
There is no reason why they shouldn't store only hashes of the encrypted data, or, in fact, not store hashes at all, except -
1) data deduplication, which only saves Apple money
2) storing hashes and thus enabling govt and LE intrusion by mass scanning of content through matching hashes
Neither of these options is good for consumer privacy, and I would expect better from a company that is supposedly about privacy.
I would also be interested to know if they are still doing the perceptual hashing, because that would actually still fit in with their language about storing hashes, because AFAIK they didn't specify what kind of hashes they are storing.
Apple never said that it was scrapped. They did, however say that they intend to do it.
EDIT:
Follow the links from those articles. Apple never killed the plan! This is what Apple actually said:
> Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.
That's not killed. That's just delayed. It's also them reiterating their intention to ship these misfeatures. It was, as pointed out, widely misreported.
Apple is very good at writing technically truthful things that say one thing that cause reporters to report a different thing (which is not factual). This becomes an "everybody knows" sort of thing where the narrative that is widely believed/accepted is not what Apple actually said. They exploit poor reading comprehension ability.
Fun anecdote. Many years ago, I had all my photos and other personal documents encrypted in a PGP Disk on a RW-DVD, and did not store the password in any digital form, because that was the most secure thing to do. Some time later I forgot the password, could not find where I had written it down, and to this day have never recovered them. (Don't have a DVD reader anymore either, though I could still get one of those.) Lesson: don't forget your encryption key.
My freshman year of high school we had a project where we created a “Time Machine” for us to open when we graduated. Everything was stored on a floppy disk. Finding a working 3.5" A: drive has been quite difficult…
> Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, you can choose to enable Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud.
Interesting, so this is an opt-in (not default secure).
Probably concerns about people losing data. Probably the vast majority of people would rather someone gains access to their photos than having their files lost
It's currently opt-in, because a significant percentage of the user base is not running an OS version that can support the E2EE features.
When that percentage is high enough (a few years), I don't see why Apple wouldn't make it opt-out. (Default it to encrypted, you need to specifically disable it if you don't want it).
To be honest, end to end encrypted cloud backups and the upcoming forced-by-EU opening of the platform to third party developers without going through the App Store are the two killer features I was hoping to see on iOS.
Remember the CSAM scanning debacle almost a year ago? I and others speculated that the reason Apple was trying to make the CSAM-scanning and Safety Vouchers client-side was so that they would be able to allow E2E encryption while having a plausible reason to shut down law enforcement's biggest argument against E2E.
It wouldn't stop at CSAM. Alongside it in urgency of appeal to fear is counter-terrorism*. Next would be drug dealing, threats of violence. Then copyright infringement. And finally Amber Alerts and silver alerts. A backdoor or warrant-less search for one category is a backdoor for all. The point is for government power to trump privacy.
*The definition of terrorism depends on your jurisdiction.
While the on-device CSAM scanning was a huge overreach I'm not sure how you could leverage that system for things like Amber/silver alerts or threats of violence. It's not really backdoor, more of a snitch system.
That's a very optimistic point of view. On the other hand, I and others speculated that the reason Apple wants to introduce code on your device that scans local content on your device against a government mandated database of "wrong content" was to appease law enforcement's desire for more control.
I don't understand how your other hand argument is more pessimistic. Isn't your phone scanning locally for checksums better than requiring the data to be unencrypted and scannable server-side? Surely they couldn't just do _nothing_.
edit: I take this back—"nothing" should be the right answer.
_nothing_ is exactly what I expect them to do when it comes to my local files.
We all like to vilify Microsoft (rightfully so for all the telemetry crap they pull) but imagine if Windows started scanning all your local disks for files matching certain checksums then notifying authorities when matches occur (thumbnails / other metadata uploaded with the reports) like Apple was planning. Sure, it'll be CSAM first. Then, domestic terrorism; then RIAA / MPAA would jump in on the action... and finally, opaque checksum databases from local governments ("wrong think", Winnie the Pooh memes, pictures from protests, etc.) ; if we don't stop it in its infancy we're quickly tumbling down the slippery slope.
The "damn spec" clearly stated that they would be introducing functionality on your device that is capable of scanning content on your device and matching that against a database of opaque hashes downloaded from a 3rd party. That's functionality I don't want on my device.
FWIW, I don't use iCloud and never have used it; I don't care if they scan content once uploaded (it's their servers and I'm confident they'll continue scanning content there no matter how "E2EE" it is - see China and key sharing). As long as they keep their scanning on their devices and off of my device it's all good.
> The CSAM scanning was only enabled if you had iCloud uploads enable.
This is nonsensical. iCloud Photos is not e2ee and Apple already scans everything serverside. There is no need for redundant clientside scanning of iCloud Photos.
The clientside scanning is only needed in the cases where:
They wanted to enable #2 with the local CSAM scan. That way the authorities wouldn't have a reason to ask for cloud data to be decrypted. And Apple could lock it so that they couldn't de-encrypt it even if they wanted to.
Apple actively doesn't want to know your shit or analyse it on their servers. That's why they constantly do things on-device even if it's of worse quality than Google's approach of doing everything in the cloud.
Apple is a business and does indeed "want to know your shit" for many legitimate revenue-generating activities, such as growing their services business, a top priority for the company.
It seems to me a little bit suspect that they wanted to do clientside scanning as a prerequisite for e2ee, as if they simply would not be allowed to publish society-wide e2ee privacy software (without government/regulatory retaliation) without such a law enforcement backdoor. This screams of prior restraint and we should be loudly asking our legislators why the fuck the FBI is pressuring Apple about what software they do or do not publish.
Every day the US government takes more steps to erode our civil rights, even against the largest companies in the world. Someone needs to rein them in.
People don't care about them scanning the files, they care about them doing it on their own device. People read the damn spec, and that's why they disagreed with it.
I could have sworn apple even straight up said that was their goal?
Maybe I am just misremembering since like you I figured that was the reason they were doing it, no other reason to do something like that if it was all going too sit there unencrypted.
No, they didn't say anything like that at the time, so I was even downvoted on HN and argued with for making the suggestion. Because Apple was definitely just being evil and had no bigger picture.
Please don't be fooled. If you look at the table in the article, you'll see that there are several categories of data that are not end-to-end encrypted, like Contacts, and the reason for that is probably because US government and courts want to have them, even for non-US citizens. Otherwise why not encrypt them too?
It would be fair if Apple gave a warning about US governments and courts before enabling sync to iCloud, but I guess they don't want users to know about it.
Also this is a closed source system, so we can't know whether Apple can remotely extract encryption keys or not.
Also as I understand, Apple now demands a phone number to sign up for Apple ID, so it means that now all users and their contacts are non-anonymous for Apple.
Anyone else noticed that they mentioned MacOS for iCloud backups?
As of now, there is no backing up your Mac to iCloud. There is iCloud Drive and all the individual services but TimeMachine is local storage only (shared drive or the legacy TimeCapsule).
Does this mean we’re finally getting TM backups to cloud?
Well, for the Apple fans celebrating this "win" - pay attention: all of the metadata is still visible to Apple and that can reveal a lot more information than you'd think. You can build advertising off this data. Mail/Contact/Calendar is also still not secured, and that can contain a lot of information (as Google can attest).
I think, on top of all that, it's still an overall "win" for consumers. But don't treat Apple like the white knight it purports to be. Beware the 'nice guys'.
Remember, they say nothing of what happens when they receive the data for the first time. It may be enough that they scan and store this information upon the initial ingestion, then leave you with the keys.
(This comment was posted when the linked URL was https://www.apple.com/newsroom/2022/12/apple-advances-user-s..., which contains the physical security key announcement as well as the E2EE stuff. If there's a better URL for the security key announcement, we can factor this topic into its own thread, since it's a minority topic in this one and mostly getting overlooked.)
That's what I am most looking forward to. I hope they also allow you to disable the phone-based recovery scheme that is just a boulevard for SIM-swapping hackers to breach through.
Given they already support standard WebAuthn (passkey or other), I think it’s a pretty safe guess to say they’ll support Yubikeys. I can’t find any written confirmation yet though.
I don’t think this is directly related to the E2EE announcement, rather it is an option to replace the current MFA method of receiving codes on your Apple devices.
The section of the announcement is emphatically about 3rd party security keys support, so the worry about lack of support of YubiKey over some push for some imaginary Apple Dedicated Key didn't make much sense to me.
Also, security key (at least to me) implies a small, keychain sized device. I wouldn't think of calling my Mac Studio a security key. There is no device marketed as such, even though yes, the SEP can and has fulfilled these purposes.
Encrypted iCloud! Never thought I’d see the day- figured intelligence agencies wouldn’t be a big fan- I guess it’s only optional though. Still won’t be using iCloud on my iPhone, but I could at least consider it.
1) They explicitly state that they're going to keep an eye on the hashes of your files, allowing them to nuke anything they don't like from orbit system-wide. They still know what you have in cases where someone else has it and they know the plaintext. They're definitely going to scan what you keep in their cloud. It will start with kiddie porn, but then it'll be that plus terrorist documents (and who decides what that is???), and then illegal music and movies, and then...
2) It's all implemented with closed-source mysteryware. Who the fuck knows what it's doing? You've got to trust their pinky-swear, and you shouldn't. It probably works as it is described until it receives the special wink from Apple's servers, and then it sends along your private keys (possibly using an exploit they put there on purpose). If it's not verifiable (open-source and reproducible builds), it's a pinky swear.
3) This is your reminder that your iMessage isn't actually E2EE, they have a lot of the keys on their own servers.
These are all things they could fix, but don't. And they won't fix them because they don't actually give a damn about your privacy and security. We should all demand open-source, reproducibly-built encryption software.
Excellent, I’ll be adding hardware keys right away. Their existing iCloud-connected-device 2FA is better than SMS but it’s always bugged me that I wasn’t able to use a hardware key.
Now if we could just get banks on board… they’re probably the single biggest glaring hole in non-SMS 2FA. To my knowledge there’s only 2-3 US banks that even support TOTP, let alone hardware keys, which is insane given how important they are.
AFAIK no Canadian banks even support TOTP - it's all SMS (or in one case a bank "app" that does TOTP, but frequently logs you out so you have to use SMS anyways). Maybe they'll catch up in a decade or so.
Yea super annoying - this is the one thing stopping me from getting a Yubikey. Whats the point if I cannot use it on the stuff I really want to use it for?
While I agree it would be great if more sites like banks supported hardware keys, your reply reminds me of the saying "Don't let perfect be the enemy of good". There's plenty of services you can use a Yubikey with right now.
Wow, Apple enabling E2EE for backup is huge, since before they would bypass iMessage security by including your iMessage keys in the unencrypted cloud backup (so governments could request that copy then watch your messages in real time).
I’m sure they’ll get pushback for closing this loophole
They planned to scan only the files that would end up in the cloud anyway.
iCloud off -> no local CSAM scan.
Local CSAM scan with multiple failsafes (+ actual person checking) + E2EE iCloud -> zero need to allow law enforcement access to iCloud servers. This would also mean that Apple could've encrypted them in such a way that even they can't access them.
I’m not quite sure what you’re getting at. It’s not a sin to comment on a security issue while the issue still exists. Furthermore, correcting a security issue doesn’t render somebody immune to all complaints on future security issues.
The physical security key is interesting as it shows a lightning port in the image. Maybe a sign that a portless iPhone isn't necessarily in the immediate future? I also wonder if there's another copy of the image showing a USB-C port, since it's assumed the iPhone 15 will be USB-C to comply with the EU's standard port requirements.
Yeah, Apple is a ways away from the rumored portless iPhone. I think a prime example of their stalled efforts is the iPhone's Magsafe charging speed. It's remained at 15w since 2020 whereas Lightning can charge at roughly 30W. Apple's not going to remove the Lightning port, force people to buy new charging pucks, and then tell them their device won't charge as fast. Conversely, switching to USB-C means they can use USB PD to boost charging to around 45W.
This is opt-in, because of sneak's law ("users can not and will not securely manage {generate, backup, authenticate} key material")[1]. Apple knows that enabling this by default would be a disaster. This means most people will not ever even know the feature exists, and few will turn it on.
This means that iMessage as a platform is still backdoored, because most people you iMessage with will be escrowing their endpoint iMessage keys to Apple in their effectively unencrypted iCloud Backups.
Apple (and the FBI/DHS/CIA/NSA soup bois without a warrant) will still be able to read everyone's iMessages in real-time.
Everyone wins. Spies keep spying, Apple gets to trot out the e2ee marketing flag.
Meanwhile, there is nothing to indicate that they don't intend to continue the rollout of their clientside photo scanning software that they previously announced.
I wonder if they will push for client side scanning for CSAM material again, since photos are covered under end to end encryption based on this announcement. As a consumer, it feels like two different teams with two different ideas of what kind of consumer privacy should be protected are trying to guide Apple in opposite directions.
Apple, the client side scan pushing and ad platform expanding company is now the same company that is releasing strengthened cloud data protection. Deduplication becomes impossible at any sort of scale and for safety Apple even turns off web access to iCloud when E2E cloud protection is turned on for the first time.
Apple has stated it will cache thumbnails using standard protections when sharing files, using "anyone with a link" will expose the unencrypted data to Apple servers. I wonder if CSAM scanning can take place for those files only.
According to The Washington Post [0], "In a second victory for privacy advocates, Apple said it was dropping a plan to scan user photos for child sex abuse images. The company had paused that plan shortly after its announcement last year, as security experts argued that it would intrude on user’s device privacy and be subject to abuse."
Thank you for the link, I had not come across that news. It seems like Apple is still scanning photos when NSFW photos are sent to phones belonging to minors.
"When receiving this type of content, the photo will be blurred and the child will be warned, presented with helpful resources, and reassured it is okay if they do not want to view this photo. Similar protections are available if a child attempts to send photos that contain nudity. In both cases, children are given the option to message someone they trust for help if they choose.
Messages analyzes image attachments and determines if a photo contains nudity, while maintaining the end-to-end encryption of the messages. The feature is designed so that no indication of the detection of nudity ever leaves the device. Apple does not get access to the messages, and no notifications are sent to the parent or anyone else."
They are offering E2EE despite not currently having plans for client side scanning of content. I have to imagine it's different teams because I want to give the encryption team the benefit of the doubt.
I can't imagine people working on E2EE at Apple would be okay with client side scanning. The reasoning isn't important, it's an easy slippery slope once implemented. I imagine the encryption team has to constantly push for consumer privacy in a climate where privacy is challenged and compromised for ad companies and governments. I would be absolutely shocked if there wasn't a large amount of internal pushback when the old CSAM detection plan was first announced publicly.
What is the chance that there is a law-enforcement backdoor? Honest question! Could be anything from "no chance" to "pretty likely" and I don't know enough to hazard a guess. But I believe the answer is important and I'd love to hear what the HN crew has to say about it.
The metadata for files (checksum, filename) is not e2ee so they can access that info and be compelled to provide it when served with a warrant. This is quite a clever twist on a previous theme. The filename and/or checksum might be all it takes to incriminate.
It seemed clear they were making moves in this direction back when their announcement about on device hash checking for CSAM prior to iCloud photos backup was made. That announcement only made sense in a world where they wanted to enable end to end encryption for photos. It's cool to see them do this, and see them also extend it to Messages too (surprising imo).
--
> The apple policy was likely about coming up with a way to enable encrypted photos on iCloud while still having some privacy preserving form of CSAM detection. Since it was only enabled when iCloud photos was enabled it was better for privacy on net than the status quo (unencrypted iCloud photos that are accessible to apple and scanned anyway).
As someone who uses SpiderOak One for e2ee backups on my gaming/media/windows box, this is really cool of them.
This should be a default, basic feature of any service today offering storage of personal information. It's not like we haven't had the technology for decades. It's win-win, too: The company can't be held responsible for the contents because they can't read them, and the user gets privacy. Which in America is legally protected from the government. That means that if the company can't peer into the data, there's no point in even wasting their time with a warrant.
If the keys on the device are generated at the user's behest with some input of theirs, it's out of Apple (e2ee vendor)'s hands, logically, logistically, legally, and ethically.
Even better security would be to allow users into their own devices. This would mean that critical data just wouldn't leave the device via the network.
(letting users into their own devices means the ability to access the entire device, examine what their device is doing, and firewall it if wanted)
1. iMessage without internet would be tricky.
2. You don’t have to back up to iCloud. Just plug your phone into a Mac or Windows computer with iTunes installed and back it up locally.
That's still not access to the data. That's limited access to data that Apple allows. I remember when Tinder stored their messages in a local unencrypted SQLite database. I wanted to save the conversations between my GF and myself, but I had to get an Android phone and extract the db manually as I couldn't do that with my iPhone at the time.
One can argue the iOS approach was more secure, since someone getting hold of your iPhone wouldn’t be able to snoop on your Tinder messages.
On the other hand I appreciate the hackability, and it is your data. If you’re in the EU, maybe you could have made a GDPR request to get the messages in a database.
Ultimately I don’t disagree with this iOS choice because we’re the odd ones; I understand the decision to put the privacy of “regular users” above a niche developer method which could be exploited more than used in a legitimate way.
It feels to me the correct solution in this case is that Tinder’s database should be encrypted on both iOS and Android and they would provide a way to export chats.
> On the other hand I appreciate the hackability, and it is your data.
I really think this is the wrong attitude and the result of boiling frogs. Having access to data on our devices should be a given. To me it makes me think of the non-touch iPods of yesteryear. Music files were obfuscated on the device by shoving them into human-unfriendly folders and filenames. The argument that this was to avoid music piracy is laughable since we originally had DRM'd music for downloads. The database was proprietary and undocumented, which meant the only real way to get music on the device was through iTunes. It also meant that unless your ID3 tags were really good and you went through the process to copy all the tracks off and rename them, your music was locked to your device.
Even then, at least you _had_ a way of getting your music back. I'm not going to say E2EE isn't good or that the security protocols put into place for modern OSes aren't important, but imo it's eroding ownership of data and killing third party businesses. Everything has to be done through a web API now, which means your data has to exist in the cloud. This isn't good.
> I really think this is the wrong attitude (…). Having access to data on our devices should be a given.
I don’t get your post. You quote a part to disagree with but everything after that agrees with it. I did say you should have access to your data. I did not say you should have DRM, or that your data should exist in the cloud, or that you should have to access it through an API. I also said “feels to me the correct solution in this case is”. In this case where we are discussing personal, private, possibly sensitive conversations. That has nothing to do with downloaded music, purchased or pirated.
> the result of boiling frogs.
That’s a myth¹, but it wouldn’t apply anyway. I don’t agree with Apple’s decision in the case you presented, but I do agree with it in the other instance. It isn’t incongruent to believe you should have access to your data while also believing it should be reasonably protected from snooping bad actors.
¹ From https://en.wikipedia.org/wiki/Boiling_frog: “While some 19th-century experiments suggested that the underlying premise is true if the heating is sufficiently gradual, according to modern biologists the premise is false: changing location is a natural thermoregulation strategy for frogs and other ectotherms, and is necessary for survival in the wild. A frog that is gradually heated will jump out. Furthermore, a frog placed into already boiling water will die immediately, not jump out.”
It's ridiculous that I can only back up my (iOS) device to either a computer via USB (what is this, 2005?) or to the cloud.
Just let me use my local Time Machine backup server!
Sadly, I am convinced I'll never see that feature – it would basically remove the need for any iCloud subscription for me and thereby undermine Apple's "service" efforts too much.
Yes, to its local storage only, which makes it completely useless to me. (I have more data on my phone than on my computer, and I can't be the only one.)
> TM doesn’t make much sense without the Finder’s interface.
Why? I can even already connect to the same SMB mount that holds my Mac's backup via my iPhone's "Files" app. Just let me backup to that!
Yes, but I don't want that data on my Mac in the first place. It takes up almost all disk space there, completely needlessly.
(Actually it doesn't – I symlinked the backup directory to an external drive, and fortunately ~iTunes~ Finder follows that. But this is something completely unrealistic to ask of an average user, in my opinion.)
True. My situation is probably different: I've got a fairly large disk (1TB), and a tiny phone (16GB). I guess they prefer to sell iCloud subscriptions.
I think other commenters are missing your point: an iPhone should be able to back up to a "server" the same way a MacBook does. I have a 24 TB NAS with Time Machine on it, so the phone should be able to back up to it (over wifi, usb, whatever) the same way it does to a Mac. And this should be possible out of the box by design (not by using Linux based tools to back up the iPhone in ways Macs do not let you do).
They do. Parent just wants to back up directly to a Time Machine backup, rather than backing up to computer, then backing that up to TM.
A reasonable desire, but clearly niche enough that it's unlikely to come to pass. (Particularly since, given what little I've seen of how Time Machine works, it would likely require some quite significant dev work on Apple's end to enable.)
this wouldn't back up the apps, and app private data
for example, if your phone was running myapp 1.0 and 1.1 was out, restoring might cause your phone to download myapp 1.1
Also, I think if you had 20 kindle books in the kindle app on your phone and backed it up, after restoring you would have no books. You would have to redownload them all.
(strangely, I wonder if you have icloud backups, do these kinds of thing count against your storage space?)
> The new encryption system, which will be tested by early users starting Wednesday, will roll out as an option in the U.S. by year’s end, and then worldwide including China in 2023, Mr. Federighi said.
They seem to be abandoning China, they are planning to move some 40% of the total iPhone production to India within the next couple of years, so China might not have all that much leverage.
The times have changed in the past 5 years, going all out on China is simply untenable. Leaving China on the other hand is positive PR.
Just because Apple couldn't officially sell any iPhones in China doesn't mean that the Chinese public would suddenly stop coveting them. I don't think they'd blame Apple if it came to that.
They have to respect the laws of the countries they operate in but they don't necessarily have to do so silently.
If you go to set up encrypted backups and find out the feature isn't available or get a message saying something like "Feature cannot be activated in China, Turkey, and Russia", that's better than the feature not being available anywhere.
And in case anybody is interested in the gory technical details, Google let a third party review their implementation of encrypted backups that included visiting their data center because it used their custom Titan hardware. Fascinating read https://research.nccgroup.com/wp-content/uploads/2022/04/NCC...
Great stuff. The question I have is what is Apple's position on scanning for contact on phones themselves? In the past they hinted that they would not enable e2e encryption unless that was in place.
During the client-side scanning debacle I noted they'd have to implement server-side scanning anyway, so they might as well abandon client-side scanning. The wording still allows for server-side scanning ("raw byte checksum" is vague enough to be an image hash or merely a CRC-32; I strongly suspect it's the former) - and I'm perfectly fine with Apple choosing this. Their server, their rules. It's also the better technical choice IMHO.
> ("raw byte checksum" is vague enough to be an image hash or merely a CRC-32; I strongly suspect it's the former)
1) The image fingerprinting they were talking about before is really different from a "raw byte checksum", since it could recognize photos that had been resized or cropped.
2) AFAIK the plan was always to generate the fingerprint on the device, but to check it server-side, possibly as a pre-flight check before sending the actual file. The thing that upset people was the device generating a too-good fingerprint [EDIT: To be fair, people were also concerned Apple would expand the fingerprint-generating-and-uploading to photos that weren't bound for iCloud—the concern would have been pretty silly otherwise, since of course unencrypted photos sent to iCloud are CSAM-scanned, same as everywhere else]. Pretty sure they were gonna keep the naughty-list server-side all along. So, if this is the same thing (I doubt it, see #1) then checking the fingerprints(/hashes) server-side isn't a change in plans.
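The distinction in point 1 (a raw-byte checksum versus an image fingerprint that survives resizing), as an added example that is not from any commenter and is not Apple's fingerprint: the grayscale sample image, the nearest-neighbour resizer and the simple "average hash" below are all constructed for illustration.

```python
"""Added example: why a raw-byte checksum (CRC-32) and a perceptual
image hash (here a minimal 'average hash', aHash) behave differently.

Assumptions: images are lists of rows of 8-bit grayscale values; the
sample image is constructed inline; aHash stands in for any real
image-fingerprint scheme and is not the one Apple described.
"""
import zlib


def raw_checksum(pixels):
    """CRC-32 over the raw pixel bytes: any change to any byte changes it."""
    data = bytes(v for row in pixels for v in row)
    return zlib.crc32(data) & 0xFFFFFFFF


def resize_nearest(pixels, new_w, new_h):
    """Nearest-neighbour resampling (constructed stand-in for a real resizer)."""
    h, w = len(pixels), len(pixels[0])
    return [[pixels[y * h // new_h][x * w // new_w] for x in range(new_w)]
            for y in range(new_h)]


def average_hash(pixels, size=8):
    """aHash: shrink to size x size, compare each cell to the mean, pack to 64 bits.
    Only the *relative* brightness pattern survives, so uniform rescaling or
    brightening leaves the hash unchanged."""
    small = resize_nearest(pixels, size, size)
    mean = sum(sum(row) for row in small) / (size * size)
    bits = 0
    for row in small:
        for v in row:
            bits = (bits << 1) | (1 if v >= mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes (0 = identical fingerprint)."""
    return bin(a ^ b).count("1")


def make_sample(w=32, h=32):
    """Constructed test image: dark left half, bright right half, a faint diagonal."""
    return [[(200 if x >= w // 2 else 40) + (30 if x == y else 0)
             for x in range(w)] for y in range(h)]


def compare(original, variant):
    """Return (crc_matches, fingerprint_distance) for an original and a derived copy."""
    crc_matches = raw_checksum(original) == raw_checksum(variant)
    distance = hamming(average_hash(original), average_hash(variant))
    return crc_matches, distance


if __name__ == "__main__":
    img = make_sample()
    upscaled = resize_nearest(img, 64, 64)
    brighter = [[min(255, v + 10) for v in row] for row in img]
    print("upscaled 2x:", compare(img, upscaled))    # CRC differs, distance 0
    print("brightened: ", compare(img, brighter))    # CRC differs, distance 0
```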
1) I'm aware of the difference. However, I think the Apple phrase is sufficiently ambiguous to legally cover an image hash as well. An image hash is technically a checksum and is made of raw bytes that cannot be converted back to the image. If Apple is indeed using an image hash, I don't have a problem with this - it's their servers.
2) The fingerprint check was supposed to be done client-side based on a server supplied list so that Apple would not get the image and image hash unless there was a match (I'm simplifying this, there was a rather complex procedure involved with thresholds and manual review).
My main concern was that normalizing and making possible client-side scanning would lead to other things being scanned. e.g. China adding images of Winnie the Pooh to scan list, and then sending every Chinese suspect to dissident-ville in the sky. The Apple plan here was insufficient: it wanted to rely on multi-country lists, this had both legal and practical problems - e.g. China has sufficient sway with friendly countries to add its choice of images to the list.
Ah, thanks for the clarification, seems I was off on some of that.
> My main concern was that normalizing and making possible client-side scanning would lead to other things being scanned. e.g. China adding images of Winnie the Pooh to scan list, and then sending every Chinese suspect to dissident-ville in the sky.
Right, but that hardly mattered as long as it applied only to iCloud-uploaded files, since those were and are already being scanned so all those scenarios were already in play (well, not now, I suppose, if you enable encryption... maybe. But at the time they announced the scanning, certainly)
>Right, but that hardly mattered as long as it applied only to iCloud-uploaded files
There were some practical differences. e.g. Some programs have a permissive default of always marking as 'save to iCloud', and avoiding this can be nonintuitive. Also certain difficulties with deleted images which I am not sure how Apple had wanted to resolve but could lead to unfortunate differences from the other scenario.
More importantly, the moment the client-side capability was there, legal pressure to use it in all cases was bound to come. Normalizing client-side scanning was also bound to legitimize and encourage doing the same on Android, and I can easily think of certain brands which are way less scrupulous than Apple.
All in all, I didn't see the benefit given that server-side scanning was accepted as legitimate and sufficiently effective by just about everyone, but without the risks of client-side scanning.
> All in all, I didn't see the benefit given that server-side scanning was accepted as legitimate and sufficiently effective by just about everyone, but without the risks of client-side scanning.
Oh, absolutely—unless you want to prevent super-easy use for storing CSAM while also having E2E encrypted storage. Which I'm still nearly-certain was their entire reason for wanting to do that in the first place—which isn't to say there can't also be legitimate concerns about such functionality, I just don't think it was some kind of nefarious plot on their part. At this point I expect they're sitting on the feature until or unless there's public outrage over their inability to provide evidence in some kind of CSAM case or investigation—if that doesn't happen, fine, if it does, they'll push it out as soon as that sentiment overwhelms the anti-scanning one.
>At this point I expect they're sitting on the feature until or unless there's public outrage
Possibly so. However, I believe they have two alternatives to client-side scanning:
A) I think their wording still allows uploading a perceptual hash, which would then allow typical server-side scanning without entirely breaking E2E.
B) They could handle this on a case-by-case basis. I'm sure their code-signing privileges can be (ab)used to get around E2E if Apple really wanted to, and they probably can push an 'update' to a single device to do just that.
I have a MacBook from 2015 and an iPhone 7 that I've been avoiding upgrading because I wasn't sure if I wanted to remain in Apple's walled garden. This issue was a huge sticking point for me, and it's an incredible relief they're closing the loop. Guess I'll be giving them a bunch more money in the near future!
WhatsApp recently added e2e backups (as an option) too.
I always thought the reason they didn't encrypt backups was as a way to remove pressure from security services to weaken the encryption. Better to let the security services go after Google/apple as the backup provider. And have an option to turn off backups for the security paranoid users.
I think I'll stick to trusting duplicati. I love apple but it's already simple enough to use duplicati, an open source client, to incrementally backup to multiple destinations at pre-defined intervals.
Plus you can't always trust such a huge business 100%. What'll happen when you're locked out of your apple account? Yeah, no backup!
I really enjoy the automatically generated iPhoto “experiences” that include background music and photo/video effects that appear sometimes, more often after I took vacation pictures. Hopefully those can be generated on my device and I won’t have to give those up to get encryption at rest.
Because it's not. They have all the filenames and checksums/hashes, access/modification dates, and also take "temporary" custody of the key when using icloud.com. Zero-knowledge does not have any of these things.
The problem is that any of that information is obtainable by a warrant because Apple retains possession of such data. The whole point of this exercise is to eliminate that possibility.
It's interesting that this announcement was being predicted after Apple unveiled their on-device CSAM scanning feature. Perhaps this was indeed the plan all along, but they lost control of the narrative.
Whatever did happen to the on-device CSAM scanning? Is it still coming to iOS?
That always made the most sense as the reason for attempting that. I agree with some concerns about it surely being abused (especially in some jurisdictions) but on the other hand they can ship whatever software they want to the devices anyway so the idea that this was some sly way to sneak in spying that they couldn't otherwise get away with made no sense. Doing it out of a desire to enable more encryption without instantly becoming the overwhelmingly-preferred platform for child porn enthusiasts was a far more likely explanation.
Curious what they're going to do to mitigate that reputational risk now. Possibly they'll just eat it and say, "look, this is what you fuckers wanted, we tried to solve the problem but you said no."
Not thrilled to see what the next showdown between them and e.g. the FBI is gonna look like. I expect it's not gonna look good in the court of public opinion and that might have unfortunate legislative consequences.
[EDIT] Actually, wouldn't be surprised if they wait until the first high-profile case involving their inability to deliver data on someone who probably is a disgusting scumbag, and use that as cover to go ahead with the local-CSAM-scanning-for-iCloud-uploads, once it's 100% clear what'll happen if they don't and the no-scanning crowd isn't the loudest set of voices anymore.
> First, iCloud users may now take advantage of hardware security keys like YubiKeys. Both NFC keys and plug-in keys are supported.
This is great news! I wonder if this is able to replace Apple's bespoke 2FA system or it's strictly in addition to that.
Edit:
From Apple's announcement:
> Now with Security Keys, users will have the choice to make use of third-party hardware security keys to enhance this protection. This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government. For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors.
If I read that right, it sounds like it's in addition to Apple's 2FA? I'd love to replace Apple's weird 2FA mechanisms, but this is still nice.
Nothing Apple has ever said has indicated that they reversed position on their announced plan to roll out clientside scanning. Read the Apple statements carefully.
On macOS photoanalysisd phones home even when not using iCloud at all, fwiw. Who knows what it is doing?
This is correct. Apple said they've abandoned CSAM scanning for iCloud Photos, but they haven't said anything about on-device scanning as far as I've seen.
When they announced the on-device CSAM, I was absolutely sure that they want to do this.
Lawfully nothing is stopping them, but since pretty much all US cloud services scan files it's clear there are some forces making them do so. I thought that Apple was able to negotiate a compromise where they scan locally and then they are "allowed" to do E2EE.
Interesting that they're proceeding with the encryption regardless.
Is there a way to use this for non-Apple devices? I am "in" Apple's ecosystem, but I work on Linux and play on Windows. It would be nice to have Dropbox-style storage on an E2E backup solution I already pay for (1TB+ family plan for iPhone mainly).
Not sure about E2E but for standard icloud you basically only get the clunky web ui. No way last I checked to mount icloud like you can other providers.
If there is a need for new security measures...new security recommendations - Chrome is bugging me, every day, not very different from Apple.
What a world is that?
So then, someone is working against my security every day!
Looks like a war my friends...
Maybe this is just a matter of the buzzword not precisely conveying the technical implementation, but I don't want "end-to-end" encrypted backups, I want backups that are stored encrypted on the server and that only I can decrypt.
Yep that is the plan. There is a good table in the article that shows the implementation for each service and rationale for it. Most of the iCloud services are now able to enable an optional feature where the user’s devices are the only ones that have keys.
Ah. The link answers to this question under "Advanced Data Protection and iCloud.com web access"
> When a user first turns on Advanced Data Protection, web access to their data at iCloud.com is automatically turned off. This is because iCloud web servers no longer have access to the keys required to decrypt and display the user’s data. The user can choose to turn on web access again, and use the participation of their trusted device to access their encrypted iCloud data on the web.
Then they explain that if you turn it on again, your devices will send your keys to Apple's servers for the duration of the web session. Technically this leaks your keys to Apple forever, but they promise that they keep it for the duration of the session.
Wish they worked on the clients on other platforms though. I have PC, iPad, Mac and Android. I want to use one storage solution for all platforms. Apple still is dragging their feet on making feature rich platforms for anything but Apple
(Not an iMessage user) Does iMessage actually have a way to display the raw public key(s) locally associated with a contact and your public key(s)? Wondering if you can verify keys out of band or if you have to trust Apple to be the authority.
It's not surfaced in the UI but, as far as I recall, the information does actually reach the device already. Here's a paper [1] which dives into the cryptography used in iMessage (at least whatever was used at time of publication).
Wait, what is the point of using iCloud if you use this e2ee thing? If you lose your phone, all your data is useless because the key is on your phone. So using iCloud with e2ee is basically using a phone with no iCloud backup at all.
"E2EE" is probably more like it. I have no doubts there will be a data, picture, movie or some-such leak eventually that proves that the encryption keys were in the hands of Apple all along.
Looking into the details it seems like they're using Convergent Encryption [1][2] in order to enable deduplication in iCloud drive and photos. Which would imply it is possible for an attacker to determine if your account is storing a file for which they know the plaintext. It's still a lot better than the status quo but that's a pretty big asterisk in my mind.
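The deduplication trade-off described above, as an added example that is not from the thread and is not Apple's design: a toy convergent scheme (key derived from the file's own hash) showing why a party who knows a plaintext can check which accounts store it, beside the usual mitigation of mixing an account-specific secret into the key, which removes that check at the cost of cross-account dedup. The XOR keystream cipher, in-memory "server" and sample files are constructed for illustration.

```python
"""Added example: convergent encryption, the 'confirmation of a known file'
weakness it carries, and the account-salted variant that closes it.

Assumptions: a toy counter-mode XOR keystream built from SHA-256 stands in
for a real cipher; the server is an in-memory dict; all data is constructed.
"""
import hashlib
import hmac


def _keystream_xor(key, data):
    """Toy stream cipher: XOR data with SHA-256(key || block_counter) blocks.
    Constructed for illustration only; symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def convergent_key(plaintext, account_secret=None):
    """Pure convergent encryption: key = H(plaintext), so every user holding
    the same file derives the same key and ciphertext (this is what lets a
    server deduplicate). With an account secret the key becomes account-bound,
    which defeats cross-account dedup and the confirmation check below."""
    if account_secret is None:
        return hashlib.sha256(plaintext).digest()
    return hmac.new(account_secret, plaintext, hashlib.sha256).digest()


def encrypt(plaintext, account_secret=None):
    """Return (server-visible handle, ciphertext). The handle is the dedup key."""
    key = convergent_key(plaintext, account_secret)
    ciphertext = _keystream_xor(key, plaintext)
    return hashlib.sha256(ciphertext).hexdigest(), ciphertext


def decrypt(key, ciphertext):
    return _keystream_xor(key, ciphertext)


class Server:
    """Stores one blob per handle and remembers which accounts reference it."""

    def __init__(self):
        self.blobs = {}
        self.owners = {}

    def store(self, account, handle, ciphertext):
        self.blobs.setdefault(handle, ciphertext)   # identical handle -> dedup
        self.owners.setdefault(handle, set()).add(account)

    def unique_blobs(self):
        return len(self.blobs)


def accounts_holding(server, known_plaintext):
    """The asterisk from the comment above: anyone who can see handles and
    knows a plaintext computes its convergent handle and learns who stores it."""
    handle, _ = encrypt(known_plaintext)
    return sorted(server.owners.get(handle, set()))


if __name__ == "__main__":
    doc = b"constructed sample document " * 10
    plain = Server()
    plain.store("alice", *encrypt(doc))
    plain.store("bob", *encrypt(doc))
    print("pure convergent: blobs =", plain.unique_blobs(),
          "holders of known file =", accounts_holding(plain, doc))
    salted = Server()
    salted.store("alice", *encrypt(doc, b"alice-secret (constructed)"))
    salted.store("bob", *encrypt(doc, b"bob-secret (constructed)"))
    print("account-salted: blobs =", salted.unique_blobs(),
          "holders of known file =", accounts_holding(salted, doc))
```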
Now will they offer icloud tiers over 2tb next, like google does? Will icloud be actually usable for 3rd party apps outside of ios without constant reauth?
FWIW, there's a "product packaging hack"¹ that gives you 4TB if you pay for both Apple One Premium and iCloud+ at total cost of $40/mo. It's not a great value, but it's possible. I'd bet on them adding a 4TB plan in 2023.
All I want is a roadmap to ever increasing tiers of storage, like google, so I know if I need to, I don't need to do a big migration once my life history gets too big. Good to know about the hack.
> CSAM scanning on device never happened. The plan was abandoned.
Barely, and only after massive backlash. The code was actually pushed to everyone's phones, and Apple's last-minute decision to disclose its existence before turning it on is the only thing that stopped it.
Maybe the "lesson" Apple learned was to not disclose that sort of thing.
Apple abandoned CSAM scanning on phones because people were vociferously against Apple reporting them to the government when an image on the citizen's phone matched something in the government's own "bad images" database. Whether the scanning was on the phone or in the Cloud was largely immaterial to most people. Some of the more hardcore privacy advocates weren't happy with the on-device scanning, but that wasn't really the thing the majority of people didn't like.
What we learned from all that is that Apple can and will push whatever suits their agenda down onto the phones themselves. If the majority of users are acclimated to being tracked and profiled for the purpose of targeted ads, we won't hear the same outrage that we did for CSAM. Especially if Apple decides we simply don't need to be informed about it.
Data has always been encrypted by a key, which Apple held in a HSM (hardware security module, a special “black box” for encryption keys in this case). Previously Apple could take those keys, decrypt your data, and hand it to law enforcement. A hacker, too, could sign into your account and access everything if they found a vulnerability.
Now, if you opt-in to this, the key will be deleted from the HSM and stored on your devices only. New keys will be used for newly added data, but the old data will be encrypted with the same key (imagine the computational load of suddenly re-encrypting all those files, not to mention that you’d need to temporarily give Apple the new key or re-do it all locally). You will always need your Apple ID password (or a recovery key/“contact”) to decrypt your data now, and Apple won’t have the key to decrypt your data and give to law enforcement, nor will hackers be able to access it if they find a vulnerability in iCloud.
If you trust Apple not to implement a backdoor, you no longer need to trust them in any other regard to keep this data private.
Edit: upon further reading, it seems the encryption key is stored on your device, and you’ll need one of the recovery methods if you lose all your devices. This is much better as it means a weak iCloud password cannot be used to compromise your key.
> For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud.
Here, "cloud" is treated generically - as if Apple doesn't have to do with it. I suppose they don't want to spell it out. A more honest, but still easy-to-understand statement would be:
> For users who opt in, Advanced Data Protection keeps most iCloud data protected even if someone hacks Apple's iCloud servers.
I don't think that's them being dishonest. I'm pretty sure the way I read the first sentence and your re-write is the same thing. I guess the only difference is maybe the layman might not gather that. That said the layman probably isn't going to care about end to end encryption either.
Nice to hold the corporates accountable but I don't find this to be slimy or anything - maybe just me though.
I hope this is true, but since their entire stack is proprietary, we have no way to know if there is not a backdoor to get the key from you.
Since Apple was part of the PRISM program, I'm going to assume there is at least one for the three-letter agencies, which means it's available for Apple, who designed it, as well.
But it does mean that they can mass scan the data easily, and have to target people personally, which is already a huge improvement, and covers most people's threat model.
It's not only for backup, the article literally lists all categories of data that is end-to-end encrypted: iCloud Backup, iCloud Drive, Photos, Notes, Reminders, Safari Bookmarks, Voice Memos, Wallet passes, Health data, Home data and more.
not if it's backdoored. end-to-end doesn't mean it's actually secure. there's 0% chance that there isn't some apple-owned backdoor, key escrow system, or other scheme. "end-to-end" means nobody has the keys and nobody can read the data except for the end user. And of course apple (via super-duper security backup key, not acknowledged). And the Five Eyes TLAs. And so on.
I wouldn't trust any of these guys for a millisecond.
This reminds me of a hacker exploiting a victim’s system, patching the vulnerability and installing a keylogger.
Yeah it’s nice you are taking the security seriously so others can’t get in easily, but you (Apple) are still siphoning off my data for profit after I spent an arm and a leg on your equipment…
It just feels like protecting your investment more than my data security.
They can still simply push a software update that sends the victim's keys to the mothership and/or simply decrypts everything. Can even be pushed silently. The victim cannot do anything, not even detect when this has happened.
Why would governments push back, when this hole which has already been used will _always_ be available?
The tricky thing with Apple is that they sell phones in China; given that that govt demands visibility into what its citizens do, it is reasonable to assume that anything Apple launches to secure your data from prying eyes will have an asterisk to accommodate a big part of their market.
That's because Chinese and US law are fundamentally different. The US has laws that enable Apple to contest those requests. It is just not possible to run a large business in violation of any (competent) government. It doesn't matter who it is.
FWIW, Apple does not treat US and Chinese users the same. If you have a Chinese mainland iPhone, you use a completely different iCloud that isn't even run by Apple.
It’s not that tricky, as iCloud in China isn’t run by Apple at all. [0]
The laws are different there and the only way that Apple could meet the requirements of the Chinese government without also weakening their product for the rest of the world was to cede control of iCloud there.
It looks to me like Apple and China have a complicated and somewhat adversarial relationship.
Apple likely conceded early on that China-based iPhones use China-based iCloud, and the Chinese government likely conceded that Apple phones will use the same OS everywhere, with region-based feature blocking being as far as they'll go in customizing the OS. Both have a lot to lose from the other party terminating the relationship.
>Why would governments push back, when this hole which has already been used will _always_ be available?
I'm not aware of a time when Apple pushed a software update (silently or otherwise) to defeat security for a user (or users). Can you provide a reference?
The parent comment said “hole which has already been used”, that’s a claim that Apple has actually done it, not only a speculation that they could. They are being asked to back up that claim.
With Apple's current lack of encryption on iCloud backups, we are very aware of government access because those files end up as evidence in court cases after being obtained by police and prosecutors.
If government were to compromise end to end encryption in the manner described above, it would either be visible when used to prosecute people, or invisible because it would never be used to prosecute people (but presumably for intelligence purposes). Even if it were used for intelligence purposes through the method above, which I don't think is at all established, it would still be a significant improvement over having data in a form that is actively used to prosecute people.
> Even if it were used for intelligence purposes through the method above, which I don't think is at all established,
The Snowden revelations were precisely about information gathering for intelligence purposes. The vast majority of intel gathering is not for prosecutorial purposes.
I didn’t say it’s good that intelligence agencies hypothetically could spy on this data by having Apple push malicious software.
What is absolutely good is that they have e2ee now, and the only way they could even hypothetically open a back door would be one that was completely secret, for the government, which definitionally closes off a whole class of government use of the data, for example in domestic prosecutions of citizens.
This may not be perfect (it’s not open source etc) but it’s a vast improvement over non encrypted data that was openly routinely given to the government.
I think we are talking at cross purposes. I agree with your evaluation that this is an improvement over the current state. I did not cite whether you think it is good or bad that intelligence agents could spy on this data. I was referring to the fact that most secret surveillance is expressly for the purposes of intelligence rather than prosecution. Surveillance methods that are secretive are, by their very nature of being secretive, typically not used for prosecutorial evidence gathering due to the fact that such use would reduce the method's secrecy. Until Apple can provide some verifiable proof that my keys cannot be handed off to governmental parties wishing to decrypt my data, I will not feel comfortable using their cloud service for my personal data (not that my family vacation photos and pictures of our dog will be that interesting to anyone).
"You can't prove that they don't already do X, because X is by definition a secret action" is a pretty useless epistemology though. Every electronic device you've ever used could secretly have a cellular modem that can secretly download over-the-air firmware updates that alter its behavior to be maximally evil. You by definition can't prove that your coffee machine doesn't secretly have the ability to change its behavior to start connecting to the internet and DDOSing charities or something.
The thing that people always miss is that the damn SIM card is running its own little processor already. If the government really wants to read your shit they can probably just do some behind-the-scenes work with your mobile ISP and find a way to access your phone's screen output or microphone data or something.
If I really wanted a physical SIM and imported a European SKU which does have it (only North American variant is eSIM-only), would I expect seamless support in the US? E.g. would AppleCare just work?
So there's no level of security that will ever be enough for anyone. The number of people who know the source for the current version of every piece of software, firmware, and hardware they use almost certainly approaches 0.
I don't know what people expect. These moves are good things and everyone is whatabouting situations for which there is 0 evidence that they have ever happened or would ever happen. It's unfalsifiable, impractical, and honestly just annoying.
Why is data residency law cool and progressive when the EU does it and Big Tech complies, but Bad and Dystopian when China does the same? Tim Cook has said on the record that iCloud is the same regardless of data center.
Because the reasons for data sovereignty as legislated by the EU and countries within it, and China, are drastically different. Which one is the authoritarian regime which jails dissidents and which one has regulations giving consumers rights over their data? I'm fairly certain the motives for data sovereignty are wildly different.
I’m not sure if you’re aware, but there are anti-encryption legislative proposals in the EU which are as ill-informed and scary as anything I’ve heard of in Mainland China. It’s very unclear to me if motives matter in this case.
China has a reputation for hunting down religious minorities and political dissidents, Europe is known for a more moderate take on those matters. I think there's cause for concern when China demands domestic ownership of iCloud info.
Would it surprise you to learn that France also bans female genital mutilation, another religious practice enforced on people who typically have no say in the matter? These bans apply to people of any religion and of no religion.
Let's not pretend this is the same thing as kidnapping you and taking you to a reeducation camp because of your religion, leaving your kids alone and confused.
Let's be clear about what we're discussing. France prevented a law that would have allowed burkinis to circumvent existing public pool rules that require a swim cap and forbid baggy clothes and certain sun protection suits. People forced to wear certain clothes by others in their religion do not get special exceptions. https://www.nbcnews.com/news/amp/rcna34833
You realize that your citation actually reinforces the idea that the only reason this law was passed was because the government was against them to enforce “secularism”?
No one claimed that they were being “forced” to be part of a religion. What next? Forcing people to eat pork even if it is against their religion to enforce “secularism”?
This was nothing more than discrimination.
In the US, we had to have laws that allowed Black girls to wear their hair the way they wanted and schools were forcing black girls to straighten their hair to fit in.
The pool rules considered no religion and only what is necessary for pool safety and cleanliness. The law that the city passed made concessions for a religion (just one). If your religion requires you to defecate in the pool each time you enter, should they make laws allowing that?
People who are forced to wear certain clothes by others in their religion are also often forced to have that religion.
Confusing race with religion is even crazier. We should accommodate people who are physically different, but there is no reason to go out of our way to accommodate people with arbitrarily wacky beliefs and even less reason to go out of our way to accommodate oppression by people with arbitrarily wacky beliefs.
The pool rules are about sanitation and safety. The law allowing burkinis was removed because "it violates the principle of government neutrality toward religion" by being written to accommodate a single religion.
The secularism rule basically says that the government should not make laws to accommodate one religion because then it would have to make laws to accommodate any and all religions, and there is no limit to how wacky a religion can be.
You can’t believe that. That’s just like saying that laws against “sodomy” weren’t discriminatory and only passed for the welfare of the state when they were clearly passed to criminalize non heterosexual consenting sex between adults.
Once again, there isn't a law against burkinis. There are pool rules that predate the invention of the burkini and disallow many things, wearing burkinis (though not mentioned specifically in the rules) in the pool among them. Writing a law specifically about allowing burkinis is discriminatory against other religions and beliefs.
> The ruling was the first under a controversial law, championed by President Emmanuel Macron, aimed at protecting “republican values” from what his government calls the threat of religious extremism.
Now you're confusing a law passed in a city with a national law. The law passed in the city was specifically making accommodation for one religion, which is not allowed: “the Grenoble vote was made ‘to satisfy a religious demand’ and ‘harms the neutrality of public services.’”
The law passed in the country was set up to disallow laws that favored one religion, but ever since the revolution cast aside Christianity for enlightenment ideals, no such laws had been attempted. It is true that this law was made to prevent laws that favor Islam, but it puts it on equal footing with all other religions. Members of The Native American Church cannot get laws passed to give themselves exemptions to use mescaline.
You seem to have missed my point entirely then. I'm in full support of Apple holding themselves accountable for the data they hold, but they don't. As a result, we rely on "broader political vibes" to read between the lines.
I’m not sure what you mean by “holding themselves accountable for the data they hold”, but you began by implying data residency was compromising security at the behest of a government, and it does not itself do anything of that sort. Your technical claim is outright false.
Seeing as context is conspicuously missing, all cloud services offered by foreign businesses in China are required to be hosted and controlled by state-owned providers. For instance, China has a separate Microsoft 365/Azure region hosted and controlled by 21Vianet. Apple still controls the encryption keys and there is no evidence that they have handed them over to the CCP, but it is largely assumed. Federighi has said that Apple will offer E2EE in China.
You make this sound easy but look at how that worked for NSLs. They got a ton of pushback for that and there’s no way to keep that a secret for very long – especially since things either end up in court or involve foreign governments who won’t share the desire to keep things secret.
On some level the US could also pass a law that says every iPhone user will be summarily executed. That’s how sovereignty works. Is it a realistic concern? Probably not.
That's not the point. The point is that Apple hasn't closed the government out of Apple user's phones. The point of E2EE is to remove the power of the middleman to read the data but that middleman also has complete control over the device and the software running on it with remote root access.
Apple's ecosystem is, by default, design and necessity, insecure to Apple. Keys stored on an Apple device are insecure.
One can easily make a similar argument for Android/Google, however, a security conscious user could still take control over their device and install a more secure OS.
They pushed back on that after falsely telling their customers that they were technically incapable of helping the FBI with such requests. After this incident, they no longer make that claim. https://appleinsider.com/articles/14/09/18/apple-says-incapa...
They never told customers it was technically infeasible. From the contemporaneous Q&A from the 2016 letter opposing coerced access:
“Is it technically possible to do what the government has ordered?
Yes, it is certainly possible to create an entirely new operating system to undermine our security features as the government wants. But it’s something we believe is too dangerous to do. The only way to guarantee that such a powerful tool isn’t abused and doesn’t fall into the wrong hands is to never create it.”
Apple: "So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."
Also, "create an entirely new operating system" is an intentionally misleading exaggeration on Apple's part, meant to fool customers but not governments. It makes it sound like the amount of work they would have to do is larger than changing one constant about how many retries are allowed and another constant controlling rate limiting, building and signing it, flashing it to the phone, and deleting it after.
Seems like a semantic quibble about the meaning of “technically feasible.” If you understand it as making claims about the system as it exists, it is true. If you understand it as making a claim about what Apple could theoretically do in all circumstances, then you have an absurd definition because everything is technically feasible.
I think the FAQ and letter both make clear that Apple could comply with the FBI request and their objection was over whether they should be forced to.
> If you understand it as making a claim about what Apple could theoretically do in all circumstances, then you have an absurd definition because everything is technically feasible.
If iOS 8 required a user key for updating the system, this would be technically infeasible. It's not technically infeasible as iOS 8 was implemented, so Apple stopped claiming it is, but only after the FBI embarrassed them about that claim.
> their objection was over whether they should be forced to.
Apple's objection had nothing about being forced to do it. They were forced to provide data from devices before iOS 8 and even provided a document about how to ask them to do it. Apple instead made specious claims about how hard it was and how it would affect other customers' privacy.
Can somebody explain the room for debate and expression of sentiment here? If Apple was legally required to do x in regards to privacy, I have to assume they would and everyone could know they would (because it does not seem like a big US company would outright defy national law). If they were not, on what grounds could the gov pressure Apple?
The theory would be that it would be extralegal pressure. Out of the Snowden era, for this generation, came the belief that the government would use extralegal coercion to get what they want when it comes to domestic espionage. This showed up in eg how the government battled Yahoo over PRISM [0], and the story of Joseph Nacchio of QWest [1] supposedly being targeted by the Feds for refusing to go along with the program/s.
For prior generations, Hoover, Nixon, MLK (how they targeted him), the Church hearings, and many other things provided evidence as to the extralegal behavior of the government at times.
Like when they started recording what programs you launch on your Mac, sent to them in cleartext? Or when they force you to have an account with them to install apps from the official sources (and of course the unofficial ones are absolutely atrocious).
Apple are better on the privacy front than their competitors, but not by that much.
Given what we learned from the Snowden leaks, I would be willing to believe that any PR in Apple's favor is awarded by the govt in exchange for their cooperation relating to providing the govt data / access they request.
I don't trust any corporation to actually side against the govt.
You're asking for proof of a negative that cannot be fulfilled without having access to all copies of all versions of the source code deployed for every Apple device in the world for their entire history. This seems an unreasonable burden.
Either we accept some amount of vulnerability at the minimum and deal in likelihoods rather than certainties, or we simply do not use modern communication devices whatsoever. Given we're here on HN, we all have clearly chosen the former, so the question becomes: "is it likely that Apple have violated individual users' privacy in this manner?", to which I think the answer is "no" because (a) it's never been necessary before given the availability of alternate methods, (b) we have absolutely no evidence to suggest otherwise, and (c) we do have evidence of a history of Apple being at least somewhat reluctant to cooperate with the federal government of the US when it comes to individuals' privacy, to the extent that they are able (e.g., the San Bernardino case). So although it is true that we cannot be certain of our privacy, it seems very likely that Apple's efforts to improve user privacy are not disingenuous.
Even then the OP will ask us to prove that you do have all the versions of code and that there was no self destruct mechanism that wiped itself clean. You can’t prove a negative. That’s the point of those assertions. It’s not without reason that most conspiracies use this tactic.
That’s along the lines of asking “Do you have evidence that UFOs have NEVER landed on earth?” in response to someone asking if you have evidence that UFOs have landed…
Yes true. What’s your threat model though? If my government wants to own me they can do that without going to Apple.
For myself I’m quite happy with this as it is a huge improvement over what we had. My only irk is that they called themselves a champion of security and privacy before this.
So could your Android phone - even if it runs GrapheneOS. How do you know that GrapheneOS isn't a CIA project like ArcaneOS that won't push a sneaky software update to your device? You don't and you never know, so it's not really fair to target Apple for this. You will always be vulnerable to such an attack no matter what you choose.
The only truly secure option is to build the source yourself, sign it with your own keys, and run it. Assuming you can read all the code and make sure it's safe, and read all the code of your compiler to make sure that is safe. And you'll still need to trust the Google-signed bootloader code, which totally hasn't had suspicious custom builds released previously (ArcaneOS?)
You missed out the punchline: all of this follows from the fact that the software is proprietary/closed-source/non-Free.
You can't see how it works, you can't change how it works, and you have to trust that it does as advertised. You must do all this in the knowledge that over the years plenty of proprietary software vendors have outright lied to their customers about exactly this kind of thing, e.g. [0][1].
I'm not aware of Apple ever doing so though, for what that's worth.
The difference is in asking Apple for something they already have access to, vs. asking them to create something entirely new (a signed software update). That’s what the FBI case a few years back was about.
The alternative is to admit that, while all megacorporations are fundamentally bad, Apple does occasionally do good things. This is clearly infeasible.
They couldn’t without bypassing all their controls and assurance measures, which are required not just by governments but by corporations who don’t trust Apple or the government, as well as regulators across the world who also don’t trust either Apple or the US government. If you’ve ever worked in a highly regulated, highly sensitive enterprise tech environment you would know this is hogwash.
Hasn't the solution to this problem always been easy? Just encrypt before you type it into iMessage; this applies to _all_ untrusted communication channels. Don't tell me base64 encoding/decoding is what's stopping you from having perfect security?
Exactly, if you're dealing with truly sensitive information where any leak is unacceptable, make your own encrypted blob. Don't trust any communication software to do it for you.
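The "encrypt before you paste it into the messenger" approach from the two comments above, written out as an added example (this is not code from either commenter, Apple, or any messenger). It assumes the two parties already share a 32-byte key exchanged out of band, which is the hard part the comments gloss over; the channel itself only ever sees a base64 blob. AES-256-GCM from Go's standard library is used so that the blob is authenticated as well as confidential: the messenger, or anyone in the middle, cannot alter a message without the recipient's decrypt failing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// NewKey returns a fresh random 32-byte key. Both parties need the same key,
// exchanged out of band (in person, not over the channel you are avoiding).
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", KeySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under key and returns
// base64(nonce || ciphertext || tag): an opaque text blob that can be pasted
// into any messenger. A random 12-byte nonce is drawn per message; the GCM
// tag authenticates the blob, so tampering is detected by Open.
func Seal(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag after the nonce so one blob carries everything.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. It fails closed: a blob that was altered in transit,
// truncated, or produced under a different key yields an error, never garbage.
func Open(key []byte, blob string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", fmt.Errorf("not a valid blob: %w", err)
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return "", errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := raw[:ns], raw[ns:]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", errors.New("authentication failed: wrong key or blob was modified")
	}
	return string(pt), nil
}

// flipFirst simulates an intermediary editing the message: it swaps the first
// base64 character for a different valid one, which changes the nonce bytes.
func flipFirst(blob string) string {
	if blob == "" {
		return blob
	}
	if blob[0] == 'A' {
		return "B" + blob[1:]
	}
	return "A" + blob[1:]
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; nothing below leaves this process.
	blob, _ := Seal(key, "meet at 10, bring the contract")
	fmt.Println("paste this into the messenger:", blob)
	pt, err := Open(key, blob)
	fmt.Println("recipient reads:", pt, "err:", err)
	_, err = Open(key, flipFirst(blob))
	fmt.Println("after tampering, Open says:", err)
}
```

The nonce is random per message and travels inside the blob, so the same plaintext sent twice produces two different blobs; the recipient needs nothing beyond the key and the blob. What this does not solve is the key exchange and the fact that the plaintext still exists in whatever app you typed it into before encryption, which is exactly the point the follow-up comment about bugs makes.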
The concern typically isn't backdoors, it's bugs. I've had plenty of terrible experiences with Enigmail.
Indeed, you can opt out of more of it on Android than you can on iOS. Try to get your location on iOS without telling Apple. You can't. Try installing an app without telling Apple. Same.
Even MacOS is infected with this privacy invading nonsense that I can't opt out of. It has an Apple News app that I can't uninstall, and whenever anybody sends an Apple News link, even in a private tab, it opens the Apple News app, a handler that I can't disable, sending the article I want to read together with my Apple ID to Apple.
> Apple loves harvesting your store interaction data within store apps for commercial use
FTFY.
Please stop spinning that as if Apple were siphoning every single one of one's moves everywhere, irrespective of any telemetry setting one has set.
Both the linked piece and the reporter's Twitter thread seem to have taken great care to bury behind clickbait headlines and scary words the fact that this applies only to App Store, Books, Apple TV, and iTunes Store apps, which are all "store" apps (presumably that's where commercial stuff typically happens) that used to outright be webviews (not entirely sure they are 100% native as of today). I don't think anyone would be appalled if a React-based web app would send vast amounts of requests based on user interaction.
So yeah, they should probably not collect as much data as that and probably should have a toggle to nerf such data collection within the store apps (which is not the same as OS/actual app/service telemetry), but the way things keep getting spun is beyond ridiculous and does not help in improving anything.
What is the common vector? Who is the common adversary even? I suspect governments compromise more accounts with warrants than hackers ever do with stolen creds
Apple is extending the data privacy/security you have on your phone for images, videos, files (content) to the cloud, blurring the lines between physical device and the cloud.
This makes perfect business sense - people will want to buy extra storage. Lock-in is deeper.
but then how does the AI scan your private images without permission to detect real CSAM, AI imagined CSAM such as medical images, and random pictures of cantaloupes and the like?
perhaps they just mean "end-to-end encryption*" where the * represents the back door that only apple and various three-letter-agencies have access to.
Okay, so when is Apple going to certify against any standards[1][2] higher than "Applies when you require confidence in a product's correct operation, but do not view threats as serious."[3] with a security standard, AVA_VAN.1, whose objective is: "A vulnerability survey of information available in the public domain is performed by the evaluator to ascertain potential vulnerabilities that may be easily found by an attacker. ... Penetration testing is performed by the evaluator assuming an attack potential of Basic." [4][5].
On page 25 of [1], we can see the security auditing done as part of their only official security certification for iOS was: "The evaluators searched for publicly known vulnerabilities applicable to iOS using the following sources... The search was performed on multiple occasions between... using the following search terms... The evaluator's CVE search found no vulnerabilities apart from the ones listed in the developer's security content disclosure statements, all of which have been fixed in subsequent releases of iOS. The validators reviewed the work of the evaluation team, and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation was conducted in accordance with the requirements of ..." tl;dr The evaluation process is that they do a web search of keywords, check that all the publicly disclosed vulnerabilities have been patched, then call it a day.
To put that into perspective, they are certifying against AVA_VAN.1. It is only at AVA_VAN.2 that the evaluator is required to do any independent vulnerability analysis, as seen in [5] page 155 AVA_VAN.2.3E (bold is changes from the previous level). At AVA_VAN.3 you need to evaluate against "Enhanced-Basic" attack potential. It is only at AVA_VAN.4 that you need to evaluate against attackers with a "Moderate" attack potential. At AVA_VAN.5 (the highest level) you need to evaluate against attackers with a "High" attack potential. Apple's only security certification, which in their own words "provide a measure of confidence—that is, security assurance—that the security needs of a system are being satisfied" and are "used by many organizations as a basis for performing security evaluations of IT product", is wholly three levels below "Moderate" and is effectively self-graded.
Until they actually certify against a standard requiring moderate security, it is only prudent to take them at their word and assume that their products are only fit for systems that "do not view threats as serious". If they want their security to be taken more seriously they should prove it against internationally recognized standards assessed by independent third parties rather than issuing unsupported marketing fluff.
The number of people in the comments complaining or finding new places to move the goalposts to is astounding.
> what good is that encryption, if Apple obviously can do almost anything with your device?
> They can still simply push a software update that sends the victim's keys to the mothership and/or simply decrypts everything
> This all just seems like pandering while they continue to accept billions from Google in exchange for their user's privacy.
> Couldn’t they simply use an encryption algorithm that has two private keys and they control one?
Apple could say they are going to cease operations tomorrow, close down the company, and people would comment "Yeah but they could always create a new company". I guess for those people nothing is ever enough.
This is a huge step forward (specifically iCloud E2EE) that I'm super excited about and people are busy coming up with threat models that 99% of us have zero use for and pretending as if this doesn't matter. It's disappointing.
What's disappointing is that Apple has zero accountability for any of these services. Nobody would be so critical of iCloud if it wasn't your only sync option on iPhone, but they force everything to go through them. Apple says 'trust us ;)' and gives the user no way to confirm that they're not decrypting your data as soon as it hits their servers.
The argument is the same as it's ever been. Apple took away too much of the user's control; if the iPhone were a more open platform, nobody would be squabbling over our only sync option.
Edit: Background Sync has apparently been available as an API since iOS 13, but that doesn't change Apple's lack of accountability wrt security practices.
The only sync option? My pictures go to NextCloud, my contacts and calendar are on NextCloud, and in contrast to Android (I recently switched) I don't even need an app (like davx5, great app though, as said here) to sync them, it all just works from the standard contacts and calendar app. Oh and the mail app doesn't push me anywhere, it just works with my local provider via IMAP.
My vpn is a Wireguard server (and some Tailscale, recently tested mullvad, works great as well), my position is updated to my family via Home Assistant, Bitwarden pops up automatically anywhere I need to enter a password. Podverse is great for podcasts.
Sure, it's a walled garden and I have my annoyances but much less so than I was led to believe before I got my first iPhone last year. I find it easy to swap out default components where I don't like them (like iCloud and Apple podcasts) and use them when they are superior (like the calendar and mail app, I was always trying 3rd party apps on Android).
Does your NextCloud sync in the background like iCloud does? I don't believe third-party apps have access to background usage, unless something has changed since I last used iOS.
Photos are synced in the background via location change events (and thus requiring Location permission). It can be a bit unreliable from time to time, but generally works. Contacts and calendars are synced in the background via iOS' CalDav/CardDav integration.
The Nextcloud app also exposes itself as a file provider in Files.app, so it's possible to use it in place of iCloud Drive for apps that use the appropriate API. (Unfortunately most apps use CloudKit, which syncs over iCloud.)
Ah, I see this now. Me and my boyfriend tried switching to Nextcloud a few years ago, but this wasn't implemented on iOS yet so we had to look elsewhere. Nice to see this opened up, it's about time. Hopefully they'll reverse their sideloading opinions as well.
It really got a lot better over the past years indeed. I do miss support for HEIC; recently NC just decided to upload JPEG instead of HEIC, and I have mixed feelings about that (JPEG just works, the new pictures app is great because of it... but I would prefer to have HEIC and live images everywhere...).
I’m syncing almost all data via Nextcloud. That includes actual files as well as contacts and calendars. The files are obviously on my iPhone, but not in iCloud. In fact, iOS makes CalDAV and CardDAV as easy as they could be. It’s natively supported, whereas Android requires an extra, paid-for app (worth the money though).
Other synchronisation like Joplin and Zotero happens via WebDAV. My iCloud is basically empty yet I have every file I could ever need on both iOS as well as iPadOS. Some apps I don’t care for sync via iCloud, that’s all so far. I’m not bought into the whole ecosystem (i.e. apps) too much though. If all you use are apps that only support iCloud, that’s a problem indeed.
Apple offers local backups. Every cloud backup depends on "trust us", even if open source, externally audited, etc. They could offer a third-party online sync option but that seems like functionality that would open up more security holes than it fixes. You would just have bad actors convincing users to sync to their servers.
If you don't trust Apple, you should also not trust other cloud backup services. Just turn off iCloud.
FWIW, you can sync files with Nextcloud on iOS and it works fine. It also automatically syncs photos, which makes it a viable alternative for cloud storage on iPhone. What it doesn't sync are things like settings, though.
Did your photos also recently get synced as JPEG (by NC), whereas at first the HEICs were uploaded? HEIC works poorly in browsers on other platforms so JPEG is ok, though I would prefer HEIC to work everywhere...
> The argument is the same as it's ever been. Apple took away too much of the user's control; if the iPhone were a more open platform, nobody would be squabbling over our only sync option.
It's just moving the goalposts. If Apple gave you more control then people would demand that the source code for the chips be open source, or that you could stand over the shoulder of the person assembling your iPhone and make sure they don't plug in a USB drive and install some malware. It's a never-ending battle. You're just going to have to start trusting Apple and other companies, or build your own device from raw materials you mine yourself.
This isn’t actually true. Yes, they don’t give you personally the ability to conduct assurance on their controls. That couldn’t scale. But they do allow large corporations looking to standardize on Apple tech, governments, and other like entities the opportunity to verify the controls, their effectiveness, and continued compliance. Further, they generally have to attest to their controls under a variety of regulatory regimes with third-party auditors verifying.
Your startup may be able to weaken or circumvent your controls and no one would know. But that is not true of Apple.
How is this the only sync option? My pictures go to iCloud, OneDrive, Google Photos and Amazon’s photo storage.
My contacts and calendar can sync with any provider that supports whatever open standards are behind it.
When I save and load files using the iOS file dialog, it shows every storage provider I have installed - Dropbox, OneDrive, iCloud Drive and I assume Box if I had it.
Apple couldn't take away what it never gave in the first place. Anyone using an iOS device should have a basic understanding that Apple highly integrates their devices, OSes and services.
Since when has closed source unverifiable crypto been a good idea? Since when has it been a good idea to trust a provider that fully controls the encryption algorithm to also be the only possible store for your supposedly encrypted data?
This is no better than Facebook claiming that WhatsApp is now "E2EE" encrypted. It's a useless PR tactic. If you mistrust Facebook, why would you suddenly trust their unverifiable claim that the data is now E2EE? You could have an argument if at least 3rd party clients were allowed, so that you could detect when they silently change the protocol. But not even that.
There's absolutely no _technical_ thing they could do to gain any trust. The goalpost has never been there.
> why would you suddenly trust their unverifiable claim that the data is now E2EE
> It's a useless PR tactic.
Maybe because a single whistleblower would bring down the mother of all class action lawsuits?
Hardcore anti-corporate types like to imagine that these companies are evil geniuses, where all 100,000 employees are operating in perfect alignment, with no mistakes or disagreements, and all secrets are kept perfectly.
It just doesn't work like that. Threat model it for a second: how many more phones is Apple going to sell with this? Maybe a 1% increase, to wildly overestimate it? And what would be the financial harm from a single engineer popping on HN and saying "it's all BS, phones send the keys to the cloud, I worked on the system to store them."?
> There's absolutely no _technical_ thing they could do to gain any trust.
Well, that's true. But there's also no non-technical thing they could do. It is literally impossible to prove perfect technical compliance on an ongoing basis using any combination of technical and non-technical means.
That goes for open source too. Evil compilers, etc, can turn perfectly solid source into malicious binaries. The compiler's source can even be perfectly secure.
At some point you have to think about probabilities and motivations, and move away from this "anything not 100% perfect, which BTW is not possible, is 100% useless" world view.
> Maybe because a single whistleblower would bring down the mother of all class action lawsuits?
Sure, like that is going to happen. I mean, "Facebook can read your supposedly-encrypted WhatsApp messages" will raise how many eyebrows exactly?
> But there's also no non-technical thing they could do
No, that's untrue. For starters, release the source. Allow me to run my own backup software on their servers. Allow me to transparently run my own encryption before I upload stuff to their servers. And a very long etc.
> anything not 100% perfect, which BTW is not possible, is 100% useless
This is 100% useless not because it is not 100% perfect (it very well could be), but because it is 100% useless by conception. What threat model does this protect against exactly? The scenario where Apple servers get compromised? I'm quite sure this risk does not even enter the mind of the target audience here, and if it did, the hacker could very well push the silent update anyway. The scenario where Apple itself has access to the data? This does absolutely nothing to prevent it. The scenario where someone can social engineer an Apple employee to give your iCloud key to someone else? It was already not possible.
> What threat model does this protect against exactly?
Two big threats: 1) insider attacks like the Saudi Twitter infiltration[0], and 2) Overreach by legitimate government process like subpoena[1].
> release the source
Useless. How do you know it's the exact source running on-device?
> Allow me to run my own backup software on their servers
Useless. How do you know your own backup software isn't compromised via a secret deal with Apple?
> Allow me to transparently run my own encryption before I upload stuff to their servers.
Useless. How do you know the OS isn't grabbing the raw files? How do you know your own encryption isn't compromised? How do you know that Xcode isn't inserting backdoors in the encryption you compiled from source?
> And a very long etc.
All useless. Tell me your perfect solution and I promise I can show it's useless (by your standards).
> Two big threats: 1) insider attacks like the Saudi Twitter infiltration[0], and 2) Overreach by legitimate government process like subpoena[1].
This does not prevent any of these threats, it does not even necessarily make them more difficult whatsoever. "Insiders" will still have access to the source code doing the encryption and communications, and it is just not possible to protect against government overreach that can literally force you to do anything and keep quiet about it, even in otherwise relatively sane countries. Search for NSA letter.
I actually don't expect any corporation to be above the government, fwiw, but this is off-topic.
> Useless. How do you know it's the exact source running on-device?
Because you built it yourself?
> Useless. How do you know your own backup software isn't compromised via a secret deal with Apple?
Because it's YOUR OWN backup software?
> Useless. How do you know the OS isn't grabbing the raw files? How do you know your own encryption isn't compromised? How do you know that Xcode isn't inserting backdoors in the encryption you compiled from source?
Because I have the source of the OS and I built it myself? Because I have literally used the same compiler I use for other platforms and not Facebook's? Because I can then actually monitor the actual communications between the device and the mothership? etc. etc.
The point of this entire thing was to show that _there are_ non-technical policies they can adopt to actually increase the trust level (or at least have a discussion about it -- as you are), but there is very little technical stuff they can do to increase it, and that's because it would miss the entire point. It's not about "trusting trust perfection" or whatever you think you are trying to argue here. You are trying to protect stuff from Alice by trusting Alice without even being capable of verifying it. It just can't academically work. You need to either be able to verify it or at the very minimum separate both roles.
> This does not prevent any of these threats, it does not even necessarily make them more difficult whatsoever. "Insiders" will still have access to the source code doing the encryption, and it is just not possible to protect against government overreach that can literally force you to do anything and keep quiet about it, even in otherwise relatively sane countries. Search for NSA letter.
There you go again :)
You literally just said something that used to take a subpoena from any law enforcement now takes an NSA letter. And that an insider attack that used to mean retrieving a backup file now means inserting back doors in source code that go undetected.
And somehow those aren't even more difficult?
> Because I have literally used the same compiler I use for other platforms
It is literally provable that Apple will never be able to satisfy you. For any mitigation they introduce, you can (rightfully) create a hole in that mitigation.
What you're missing is that the same flaws and attacks appear in all of your "it would be better if" solutions. Once you're invoking NSA letters and malicious source code, all bets are off... including for open source.
> It just can't academically work.
Yes, we agree on that. But it also doesn't work if you're protecting stuff from Alice by trusting Bob, who might be secretly an agent of Alice.
> You literally just said something that used to take a subpoena from any law enforcement now takes an NSA letter
I didn't say that. You said "overreaching government".
> It is literally provable that Apple will never be able to satisfy you
Nothing _technical_, that is, which has exactly been my point.
> Once you're invoking NSA letters and malicious source code, all bets are off... including for open source.
That's not true at all. There's an entire world of difference where "oh the software is just hidden from my eyes, communicating constantly and opaquely with the mothership, changeable at any moment by the same mothership, and all of it running in the same hardware also made by the same mothership" versus "I have these separate components that are only communicating through these channels in these clearly specified ways". The first only allows useless technobabble fake solutions, the second system actually allows discussion about trust and is usually the very minimum expectation of any cryptosystem.
> But it also doesn't work if you're protecting stuff from Alice by trusting Bob, who might be secretly an agent of Alice.
I don't see that as necessarily true either. But anyway, I can now choose between multiple providers for encryption, which _finally_ goes towards measurably increasing trust. Remember, despite the accusations, I have never claimed it had to be 100% trusting trust perfect, I am just claiming this one proposal is 100% useless. If you didn't trust Apple backups before and you would now, I'd question your judgement.
Something like hacking into a journalist's phone would require a lot of cooperation between infrastructure, software, and security to actually perform a targeted attack.
Despite Apple's harsh warnings about leaking secrets, people at Apple have already been spilling the beans about Apple's upcoming Ad platform for over a year, and that's just for something as morally grey as ads that they're going to spin as "privacy preserving" anyways. For something that actually goes against <everything> Apple has ever stood for, like targeting a journalist's phone to read their communications or extract data and secret keys from their advanced protection-protected iCloud Backups, at least one of the hundred involved would find a comfy bunker to live in with a phone line leading straight to News Corp or NYT.
Do you honestly believe that a malicious actor who can access data storage can also necessarily access a silent mechanism to affect the security internals of a given iPhone? And also the theoretical hacker wouldn't be able to just push said theoretical silent update to your device to just exfil the data anyway?
Really having a hard time understanding the detailed security implications of your scenario beyond this vague notion you're presenting that a theoretical hacker can use theoretical tools to silently pwn any Apple device connected to the internet at any time.
> that a malicious actor who can access data storage can also necessarily access a silent mechanism to affect the security internals of a given iPhone?
A malicious actor who can access _already encrypted_ data storage where you cannot even associate files with a given account ID _without_ having already put a backdoor in the corresponding code may be able to actually put such backdoor in the software that is distributed to iPhones? Yes, I believe that.
The goalposts have been moved because the leading argument for the past few years has been "it's not actually encrypted because you or the person you're talking to could be using iCloud Backup". Now all you have to do is make sure you and the people you talk to have this simple option enabled in settings (with the only risk being that you lose all your data if you need Apple Support to give you access to your iCloud again after losing all backup codes and encryption keys).
As for your actual argument, there are always tradeoffs when we implement "good" but not "perfect" encryption solutions. Here, your trust is indeed in Apple to not perform an evil maid attack, but for many of us, we trust that Apple doing this to a regular person (or journalist, or government official) would be absolutely devastating to their entire brand. Even if most people wouldn't care if Apple cooperated with the CIA to perform a coup in $x country via sending out targeted malware to the leader's phone, they still stand to lose hundreds of billions of, if not a trillion, dollars over the following decade in lost iOS product sales, due to them purposefully hacking their own product to steal user data.
In an ideal world, E2EE would be in high demand and used anytime sensitive info is exchanged between parties, but the reality is that most people don't know about it or the protections it provides. If FB and Apple can educate people about E2EE, even as a PR tactic, it helps grow that awareness.
Shouldn't people demand more and more privacy protections? It's not like these changes solve the problem. Since Apple is managing so much data, they must keep it secure and give users the ability to maintain privacy and confidentiality, even with respect to Apple itself. I think the goal post has stayed pretty constant, Apple just keeps moving in a zig-zag pattern that occasionally involves backward steps.
> Shouldn't people demand more and more privacy protections?
Yes!
> It's not like these changes solve the problem.
Perhaps because it is impossible to 100% solve the problem?
A lot of people, me included, are just tired of the endless litany of "50% secure is not secure! 75% secure is not secure! 90% secure is not secure! 99% secure is not secure! 99.9% secure is not secure! 99.999% secure is not secure!"
There is no 100%. Hearing the same level of outrage over a 0.001% gap that we heard over a 50% gap is just fatiguing.
Especially in this audience, everyone knows there is no such thing as verifiable perfect security. Asymptotic progress towards that is interesting; decrying the latest improvement as no better than no security at all just feels... IDK, lazy.
In my experience having released an E2EE contact info sharing app, most people don't think about privacy protection and they won't tolerate much inconvenience to add them. So the more a large company supports efforts to mainstream E2EE, the better it is for everyone.
HN is increasingly not the best source for technical discussion due to the bias you're noting here. It's unfortunate given the general level of discussion that's historically been happening here.
I find Matthew Green's take more useful than just about anything in this thread - someone who's very critical of Apple but able to articulate why this is overall net good:
But in some cases, that's the point. A well written press release will often gloss over potentially relevant/important details that a neutral source will not.
The difference is that the HN comment thread will rarely have insights that a reporter can often provide after following up with their inside contacts.
Edit: on reflection, I don’t agree with this and wrote this too hastily. I’d still prefer 3rd party by default and believe it’s often a better basis for a discussion.
Reporters rarely add much unless they've got several days to do an analysis piece, which there are very few of. And is never the case for breaking news.
HN threads regularly supply oodles of context and counterpoints you don't find in any articles anywhere. Which is one of the big reasons we come here, right?
I probably wrote that too hastily, and will give you that many threads are indeed deeply insightful by themselves.
I still believe that a 3rd party source that at least has a chance of being more objective than a company issued press release is the ideal basis on which to form a discussion.
This was the point of their plan to introduce CSAM detection on-device. Unfortunately the reaction to that was histrionic and couldn't see the writing on the wall.
Governments will eventually pass legislation targeting E2E and CSAM was the one issue where Apple's method would have defanged support for that kind of law. But one good thing about making those plans public is that any proposed legislation will likely land on Apple's method as being a good compromise. Better for Apple to wait until they're forced by governments to do it.
It's a good thing that the "histrionic" privacy advocates successfully pressured Apple to back down from introducing a vulnerability in the product before releasing this feature.
Yep. Their CSAM implementation guaranteed that E2EE for photos was coming. I thought the death of that CSAM approach meant they just wouldn't ship E2EE photos. I guess you're right, they know governments will mandate it and they at least have an approach that's compatible with E2EE.
But that doesn't match OP's description very well. It was a grand jury subpoena and only for metadata.
"As the Justice Department investigated who was behind leaks of classified information early in the Trump administration, it took a highly unusual step: Prosecutors subpoenaed Apple for data from the accounts of at least two Democrats on the House Intelligence Committee, aides and family members. One was a minor."
"Apple turned over only metadata and account information, not photos, emails or other content, according to the person familiar with the inquiry."
I'm not sure what you mean by conversations, if you mean the content of messages then no that is not metadata, if you mean who talked to whom, then yes that is metadata.
Apple has introduced three new security features to better protect users' data in the cloud. The new services will provide the company's highest-ever levels of data security for the iCloud. The services, called iMessage Contact Key Verification, Security Keys for Apple ID and Advanced Data Protection for iCloud, will be available for users to choose from. Apple is committed to providing users with the best data security in the world, said Craig Federighi, the company's senior VP of software engineering.
iCloud was convenient and I was even paying for it, but when the "we will scan your photos and snitch on you" debacle happened I started backing up my photos at home and removed all my spreadsheets from iCloud (who knows what crappy software can interpret as CSAM).
This will go a long way toward restoring my trust in Apple. Yet, I can't help but notice that the "we will scan your photos and snitch on you" workflow they published then is still compatible with enhanced iCloud security. Hell, they can always send a command to the Photos app on your phone to upload all your photos straight to the FBI's servers. So in this case technology is like 50% of the trust, the other 50% is sheer commitment to customers and that was tainted by that episode.
Sorry mate but you have no idea how anything works. Literally every photo hosting service on the internet will scan your photos against an abuse list and work with LE - otherwise they get to become the “cp-friendly” hoster.
When apple released client-side scanning (which only ever applies to photos uploaded to iCloud Photos) the only thing that changed was now the scanning takes place on your device where you have transparency and ability to see what hashes are checked. The folks paying attention knew what this was - Apple redesigning a workflow to make LE cool with e2e encrypted photos. You read some false outrage articles and are now somehow still upset at a company doing work that is currently in your best interest. Baffling.
I'm baffled how people can be so okay with letting their whole device be scanned always. I don't want it to be scanned no matter what the intention is, it's not the phone's or Apple's business. Device ownership and deciding for my own what the device is doing with MY data is my liberty. If you want your device to always scan your data, maybe that's cool with you. But not cool with me.
I've read all the technical documentation too. However who says that the mechanism is implemented like intended forever? Maybe Apple or (local) law will change and voila: Your device scan report is reported to Apple and authorities because it is anyway already in place on your device.
>Sorry mate but you have no idea how anything works.
>The folks paying attention knew what this was - Apple redesigning a workflow to make LE cool with e2e encrypted photos.
They have just canceled this spyware wholesale,[0] invalidating your entire point. Interesting how Apple fans can come up with a thousand ways to justify being spied on and then call anyone who points it out clueless.
> In a second victory for privacy advocates, Apple said it was dropping a plan to scan user photos for child sex abuse images. The company had paused that plan shortly after its announcement last year, as security experts argued that it would intrude on user’s device privacy and be subject to abuse.
This all just seems like pandering while they continue to accept billions from Google in exchange for their user's privacy. If they really wanted to protect users' data that would be a simple starting point.
Does it protect you from Google's tracking? No. And it isn't about me, I don't have Apple or Safari. It's about the fact that privacy shouldn't be "opt in." Claiming that Safari has good privacy protections while it by default does the opposite because you can opt in to a less invasive version which many don't even know about is, in my opinion, disingenuous.
If Apple would just go ahead and say "we've extracted tens of billions of dollars from you indirectly by letting google do the dirty work, but here's some encryption that doesn't make up for what we've done and continue doing" that would be more accurate.
“Dates and times when a file or object was modified are used to sort a user’s information, and checksums of file and photo data are used to help Apple de-duplicate and optimize the user’s iCloud and device storage—all without having access to the files and photos themselves.”
So Apple only encrypts the files but not the metadata? If that's true the encryption is basically worthless because Apple is still able to "see" what files you upload and scan them for CSAM, copyright infringement or videos of 1989 Tiananmen Square.
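The concern raised above is that a checksum computed over the plaintext file lets the storage provider match uploads against a list of known files even though it never sees the content. The following is an added example, not code from the thread or from Apple, that contrasts a plain content hash with a per-account keyed tag (HMAC under a secret the account holds) as a deduplication identifier. The `Server`, `KNOWN_FILE_HASHES` list and the sample file contents are constructed for the demonstration; the point it shows is that a keyed tag still deduplicates repeated uploads within one account while giving the server nothing it can compare across accounts or against an external list.

```python
import hashlib
import hmac
import os


def plain_checksum(data: bytes) -> str:
    """Provider-visible SHA-256 of the plaintext: identical for every
    account that uploads the same bytes."""
    return hashlib.sha256(data).hexdigest()


def keyed_dedup_tag(account_key: bytes, data: bytes) -> str:
    """Dedup identifier bound to one account's secret (HMAC-SHA256).
    The same bytes produce different tags under different keys."""
    return hmac.new(account_key, data, "sha256").hexdigest()


class Server:
    """Constructed stand-in for a storage backend that only ever sees
    a tag and an opaque (already encrypted) blob."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}

    def upload(self, tag: str, ciphertext: bytes) -> bool:
        """Store the blob; return True when the tag was already present,
        i.e. the upload was deduplicated instead of stored again."""
        if tag in self.blobs:
            return True
        self.blobs[tag] = ciphertext
        return False

    def match_known(self, known_hashes: set[str]) -> list[str]:
        """What a provider (or anyone who compels it) can learn by
        comparing stored tags against an externally supplied hash list."""
        return sorted(t for t in self.blobs if t in known_hashes)


# Constructed sample data: two accounts hold their own secrets and both
# upload the same file. The "encrypted" blob is a placeholder; the
# example is about the tag, not the cipher.
SAMPLE_FILE = b"constructed sample document contents"
ACCOUNT_A_KEY = os.urandom(32)
ACCOUNT_B_KEY = os.urandom(32)
# A hash list supplied from outside the provider; contains the sample file.
KNOWN_FILE_HASHES = {plain_checksum(SAMPLE_FILE)}


def run_plain_checksum_scenario() -> tuple[bool, list[str]]:
    """Both accounts tag with a plain checksum.
    Returns (second upload deduplicated?, tags matching the known list)."""
    server = Server()
    server.upload(plain_checksum(SAMPLE_FILE), b"<ciphertext-A>")
    deduped = server.upload(plain_checksum(SAMPLE_FILE), b"<ciphertext-B>")
    return deduped, server.match_known(KNOWN_FILE_HASHES)


def run_keyed_tag_scenario() -> tuple[bool, bool, list[str]]:
    """Each account tags under its own key.
    Returns (cross-account dedup?, same-account dedup?, known-list matches)."""
    server = Server()
    server.upload(keyed_dedup_tag(ACCOUNT_A_KEY, SAMPLE_FILE), b"<ciphertext-A>")
    cross_account = server.upload(keyed_dedup_tag(ACCOUNT_B_KEY, SAMPLE_FILE), b"<ciphertext-B>")
    same_account = server.upload(keyed_dedup_tag(ACCOUNT_A_KEY, SAMPLE_FILE), b"<ciphertext-A2>")
    return cross_account, same_account, server.match_known(KNOWN_FILE_HASHES)


if __name__ == "__main__":
    print("plain checksum:", run_plain_checksum_scenario())
    print("keyed tag:     ", run_keyed_tag_scenario())
```

The trade-off is the one the quoted passage hints at: a plain checksum gives the provider global deduplication across all users, a keyed tag only within one account, so storage savings shrink in exchange for the server learning nothing about which users hold which files.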
>Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications.
Generally the biggest threat that end to end encryption (E2EE) addresses is the people that actually run the servers "inserting their own device to eavesdrop". So Apple in this instance. We would normally have to assume that Apple would do this on a request from state level entities as part of the threat model.
Apple has to provide some sort of E2EE identity verification if they want to claim that they are providing E2EE messaging. I note that they have been making such a claim for some time now. After this, all that will remain is the issue of control of the software. We will still have to trust Apple to not subvert the clients in some way. So nothing has substantially changed yet.
From the little we know about the usability of this new feature I note that the warning about new/changed devices is in small grey text. So very easy to overlook. Hopefully Apple will provide enough context to allow the user to do something meaningful in response to such a warning.
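The comment above describes the threat contact key verification is meant to catch: the party operating the key directory (or someone who has compromised it) adds a device key to a contact's account and thereby reads messages encrypted to that contact. The following is an added example, not code from the thread or from Apple, that models the mechanism in miniature: a client pins the fingerprints of a contact's device keys after comparing a short verification code out of band, and afterwards flags any key the directory returns that was never verified. The `KeyDirectory`, `Client`, the fingerprint and code formats, and the randomly generated stand-in public keys are all constructed for the demonstration; real implementations sign directory entries and use a log rather than a plain dictionary.

```python
import hashlib
import os
from dataclasses import dataclass


def fingerprint(pubkey: bytes) -> str:
    """Short hex fingerprint of one device public key (constructed format)."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def verification_code(pubkeys: list[bytes]) -> str:
    """Code a user reads aloud or compares in person: a digest over the
    sorted fingerprints of all of their devices, so it changes whenever a
    device is added or replaced."""
    joined = "|".join(sorted(fingerprint(k) for k in pubkeys)).encode()
    return hashlib.sha256(joined).hexdigest()[:12]


class KeyDirectory:
    """Constructed stand-in for the provider-operated key server.
    Anyone who controls it can append a key to any account."""

    def __init__(self) -> None:
        self._devices: dict[str, list[bytes]] = {}

    def register(self, account: str, pubkey: bytes) -> None:
        self._devices.setdefault(account, []).append(pubkey)

    def lookup(self, account: str) -> list[bytes]:
        return list(self._devices.get(account, []))


@dataclass
class VerifiedContact:
    account: str
    pinned: set[str]  # fingerprints confirmed out of band


class Client:
    """A messaging client that pins contact keys and alerts on changes."""

    def __init__(self, directory: KeyDirectory) -> None:
        self.directory = directory
        self.contacts: dict[str, VerifiedContact] = {}

    def verify_out_of_band(self, account: str, code_from_contact: str) -> bool:
        """Compare the code the contact shows on their own device with the
        code derived from what the directory tells us. On a match, pin the
        current key set; on a mismatch, pin nothing and report failure."""
        keys = self.directory.lookup(account)
        if verification_code(keys) != code_from_contact:
            return False
        self.contacts[account] = VerifiedContact(account, {fingerprint(k) for k in keys})
        return True

    def check_contact(self, account: str) -> list[str]:
        """Return fingerprints the directory now lists for this contact that
        were not part of the verified set. An empty list means no alert."""
        contact = self.contacts.get(account)
        if contact is None:
            return []  # nothing pinned, so nothing to compare against
        current = {fingerprint(k) for k in self.directory.lookup(account)}
        return sorted(current - contact.pinned)


def run_scenario() -> tuple[bool, list[str], list[str]]:
    """Alice has two devices; Bob verifies her code in person. Later the
    directory gains a third key for Alice that she never enrolled.
    Returns (verification succeeded, alerts before, alerts after)."""
    directory = KeyDirectory()
    alice_phone, alice_laptop = os.urandom(32), os.urandom(32)  # constructed keys
    directory.register("alice", alice_phone)
    directory.register("alice", alice_laptop)

    bob = Client(directory)
    # Alice's own device computes the code from the keys it knows about.
    code_on_alice_screen = verification_code([alice_phone, alice_laptop])
    ok = bob.verify_out_of_band("alice", code_on_alice_screen)
    alerts_before = bob.check_contact("alice")

    # A key appears in the directory that Alice never enrolled.
    unknown_device = os.urandom(32)  # constructed
    directory.register("alice", unknown_device)
    alerts_after = bob.check_contact("alice")
    return ok, alerts_before, alerts_after


if __name__ == "__main__":
    print(run_scenario())
```

The example also shows why the warning text matters: `check_contact` can only surface a fingerprint, and it is the person reading the alert who has to decide whether Alice really added a device or whether the directory is misbehaving.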