
What makes you think that internal access control at Apple is any better than Google's, Microsoft's or OpenAI's? Google employees have long reported that you can't access user data with standard credentials, for example.

Also, what makes you think that Apple's investments in chip design and OS are superior to Google's? Google is known for OpenTitan and other in-house silicon projects. It's also been working in secure enclave tech (https://news.ycombinator.com/item?id=20265625), which has been open-source for years.

You're making unverifiable claims about Apple's actual implementation of the technical systems and policies it is marketing. Apple also sells ads (App Store, but other surfaces as well) and you don't have evidence that your AI data is not being used to target you. Conversely, not all user data is used by Google for ad targeting.



It’s not about technology. It’s about their business.

Apple generally engineers their business so that there isn’t an incentive to violate those access controls or principles. That’s not where the money is for them.

Behavior is always shaped by rewards and punishments. Positive reinforcement is always stronger.


One hundred percent this.

All these conversations always end up boiling down to someone thinking they’re being clever for pointing out you have to trust a company at the end of the day when it comes to security and privacy.

Yes. Valid. So if you have to trust someone, doesn’t it make sense for it to be someone who has built protecting privacy into their core value proposition, versus a company that has baked violating your privacy into their value prop?


It's not about being clever, it's about being perceptive. Apple's cloud commitment has a history of being sketchy, whether it's their government alliance in China, the FIVE-EYES/PRISM membership in America, or their obsession with creating "private" experiences that rely on the benefit of the doubt.

Apple doesn't care about you, the individual. Your value as a singular customer is worthless. They do care about the whole; a whole that governments can threaten to exclude them from if they don't cooperate with domestic surveillance demands. How far off do you really think American iCloud is from China? If Apple is willing to backdoor one server, what's stopping them from backdooring them all? If they're willing to lie about notification security, what's stopping them from lying about server integrity too?

And worst off, Apple markets security. That's it; you can't go verify their veracity outside the dinky little whitepapers they publish. You can't know for sure if they have privacy violation baked-in to their system because you can't actually verify anything. You simply have to guess, and the best guess you can make gets based off whatever Apple markets as "true" to you. In reality, we can do better with security and should probably expect more from one of the largest consumer technology brands in the world. Simply assuming that they aren't violating user privacy is an absurd thing to gamble your security on.


If you are the target of a nation state level actor, you are already fucked. Most of us just don’t want our behavior sold to our insurance companies or whatever. Apple doesn’t do that because it would kill their brand for very little return.


This is the part that’s always so humorous to me about the super tinfoil hat security crowd. They think they’re in the plot of Mr Robot or something. When for the most part, no one actually cares about them at all.

My dad fits into this category. So worried about being “tracked by the government.” He’s not a dissident. He’s not a journalist. Not a freedom fighter. Just deeply inconveniencing his kids with some of his tech choices.

But if these people were the targets of APTs, all the massive technology lifestyle changes they’ve made to supposedly protect themselves wouldn’t really matter.


I really also don’t bother about security, but I hate that any argument against people caring about privacy is along the lines of "I have nothing to hide". Especially on the note of Apple, I remember when a dad was flagged as a pedophile because Apple found photos of his kid in his iCloud and their algorithm decided to get him raided. It’s about control, when you hand your data over to 3rd parties of any kind you are giving up control and one day that will bite you in the ass in some way. I am willing to take that risk, you too, but I still think not wanting that is totally valid. A type of angst which I find much more stupid is people being scared of AI taking over the world HAL x Terminator style…


So this whole thing is about you being angry that your dad doesn't use iMessage?

Sounds like your dad is the cool dude, and you're the tech-obsessed weirdo. Do you visit him often?


Nah he uses iMessage. He’s not that obstinate.

He’s otherwise a good dude. Just makes some tech choices here and there as if he’s a former CIA agent on the run that sort of just make you chuckle and shake your head.


That's the convenient line of blind apathy they rely on, to sell iPhones. If people cared, they would object to owning an iPhone just from the material and labor cost of it... but they don't. It's a running joke that nobody cares what next year's iPhone looks like as long as the trade-in value is good. Apple couldn't kill their brand if they tried, past this point. People don't pay attention anyways.

Which is why it's good for us to demand more from capable companies. Apple looks good when they're scared, and the market wins when they're forced to compete in novel and interesting ways. Success breeds complacency, the rest is distant history.


> And worst off, Apple markets security. That's it; you can't go verify their veracity outside the dinky little whitepapers they publish. You can't know for sure if they have privacy violation baked-in to their system because you can't actually verify anything.

Oh, boy, but this is deeply false. Apple literally provides security researchers models of their devices to verify their security claims on their most important cash cow, the iPhone.

This is just an incredibly bold and verifiably false claim.

Wow.


Apple has tried suing researchers, before: https://www.theverge.com/2021/8/11/22620014/apple-corellium-...

On top of that, they fail to commit to iOS security on the level of AOSP and don't let researchers create hardened variants or custom patches. With actively-distributed exploits like Pegasus still being used, that's the sort of behavior that turns your userbase into a stationary target. Giving researchers iPhones is insultingly usel

Apple vehemently opposes the concept of anyone securing their iPhone except them. They have a well-documented habit of ignoring vulnerabilities and offering zero compensation for the discovery of zero-days. Apple's ambivalence towards the security research sector is like one of the only things they're known for, among hacker communities. It is "verifiably false" in the sense that Apple spends quite a lot of money marketing the opposite of what they actually do in reality (not that you should be surprised by that).


Can you explain to me how I might use such a device to verify the security properties of iBoot?


You lose all credibility when you start yakking about FIVE EYES, etc. If you're the target of intelligence services, the advice you need is eloquently delivered in the movie "Goodfellas". That is: "Don't talk on the fucking phone."

American companies are subject to US law, full stop. Global technology companies have to balance interests to operate globally. China requires a local partner to operate services in the PRC, thus Apple and Microsoft (and others) operate with a business partner in that market.

From a business perspective, there's little or no incentive for Apple to take measures to collect information on you systematically - they do not monetize it and won't devote resources to its collection. However, not being responsive to government requests, demands, or orders for information will result in punitive action. So they comply.

No company cares about you. They don't love or hate you. There's no moral purity - the competitive platform is owned by a company that owns the advertising market and has a long history of extracting every sinew of data to create profiles that allow for maximally efficient ad delivery. Engaging in whataboutism isn't productive.


That's a false dichotomy. You may have to trust someone but that someone could be something else than an opaque for-profit company.


Give me some examples of benevolent non profits that provide anywhere near the level of consumer services as a company like Apple.


I'll do better, here's a benevolent nonprofit that goes beyond what Apple provides to ensure top-notch consumer service: https://grapheneos.org/


They're not trying to be clever, they're trying to point out the very important philosophy of maximizing self reliance that so many people like you eschew.

How do you distinguish between a company who 'has built protecting privacy into their core value proposition' and one who just says they've done so?

What are you going to do if a major privacy scandal comes out with Apple at the center? If you wouldn't jump ship from Apple after a major privacy scandal then why does your input on this matter at all?

Some people feel that is inevitable so it's best to just rip that bandaid off now.


I'm taking aim at the Google bros who try to raise these arguments to muddy the waters into a sort of false equivalence between Apple and Google.

If you're already using a dumb phone and eschewing modern software services, then I'm not really talking to you. Roll on brother/sister, you are living your ideals.

> How do you distinguish between a company who 'has built protecting privacy into their core value proposition' and one who just says they've done so?

The business incentives. Apple's brand and market valuation to some extent depends on being the secure and privacy oriented company you and your family can trust. While Google's valuation and profit depends almost entirely on exploiting as much of your personal data as they possibly can get away with. The business models speak for themselves.

Does this guarantee privacy and security? Does Apple have a perfect track record here? No of course not, but again if these are my two smartphone choices it seems fairly clear to me.


> but again if these are my two smartphone choices it seems fairly clear to me.

If you really perceive this as a binary choice, I have no idea how you could conclude that iOS is more secure than the Android Open Source Project.

...of course, it's not just a choice between a Google-spyware phone or an Apple-spyware phone. Many people like to reduce it to that so they can rationalize whichever company they pick, but in reality you have many choices including no smartphone at all. On Android's side, the Open Source images have enabled rigorous cross-referencing in OS capability, as well as forks that reduce the already-limited attack surface. Apple has a long track-record of letting zero-days fester in their inbox and failing to communicate promptly to security researchers, even for actively-exploited vulnerabilities.

It's not a "false equivalency" to highlight how Google, Apple and Microsoft all fold over like wet paper when the intelligence agencies come around. It's not a coincidence, either; all of those companies are enrolled in the NSA's domestic warrantless surveillance program.


> but in reality you have many choices including no smartphone at all.

Oh come on man. This is why these conversations often aren’t even worth having.


I'm sorry, hopefully you come back to reality soon. I just went 2 weeks without touching a smartphone, I'm certain you can too.


I think you’re the one not living in reality.

But, hey, at least the NSA won’t get ya.


If you can live without a cellphone, you're not living in reality? Interesting argument.

I wonder how all those people did it in the 90s and 00s and before the age of smartphones.


In those dark derelict days, before the brilliant shining light of creation endowed man with the Subway App.


Simple, everyone around them also didn’t have cellphones.

Reality is based in a context.

Or are we going to go to even more “get off my lawn” kind of places and talk about how ancient man survived quite fine without the internet?


You know this is a growing trend with teens, right?

Like to eschew smartphones and just use basic feature phones and to interact in real physical settings and not digital ones.

There's a growing and warranted push back to pervasive and addictive digital technology.


Alright. Take care.


I worked for Google for almost 14 years. Never did they, any other engineer, or even product manager I know of, ever suggest to snoop into cloud customer data, especially those using Shielded VMs and Customer Managed Encryption Keys for attached storage (https://cloud.google.com/kubernetes-engine/docs/how-to/using...). I've never seen even the slightest hint, and the security people at Google are incredibly anal to a T about the design and enforcement of these things.

This stuff is all designed so that even an employee with physical access to the machine would find it very difficult to get data. It's encrypted at rest by customer keys, stored in enclaves in volatile RAM. If you detached the computer or disk, you'd lose access. You'd have to perform an attack by somehow injecting code into the running system. But Shielded VMs/GKE instances make that very hard.

I am not a Google employee anymore but this common tactic of just throwing out "oh, their business model contains ad model ergo, they will sell anything and everything, and violate contracts they sign to steal private data from your private cloud" is a bridge too far.


That's becoming less the case. As Apple's advertising and services revenue grows and hardware sales slow, they have increasing incentive to mine your data the same as any company does. They already use quite a bit of data on the location and content personalization front. I would argue that Apple perhaps cares about protecting your data more from malicious third parties (again like any company should - it's never good for FAANG when data leaks or is abused), but they are better at it (and definitely better at marketing it).


> What makes you think that internal access control at Apple is any better

There are multiple verified stories on the lengths Apple goes internally to keep things secret.

I saw a talk years ago about (I think) booting up some bits of the iCloud infrastructure, which needed two different USB keys with different keys to boot up. Then both keys were destroyed so that nobody knows the encryption keys and can't decrypt the contents.


The stories about Apple keeping things secret usually go about protecting their business secrets from normal people, up to doing probably illegal actions.

Using deniable, one-time keys etc. are... not that unusual. In fact I'd say I'm more worried about the use of random USB keys there instead of a proper KMS system.

(There are similar stories with how doing a cold start can be difficult when you end up with a loop in your access controls, from Google, where a fortunately simulated cold-start showed that they couldn't access necessary KMS physically to bootstrap the system... because access controls depended, after many layers, on the system to be cold-started).


they used smartcards, not usb keys


Which probably were just key transport devices from offline secured KMSes


What's funny is that, in all these orgs, it ends up being the low-tech vulns that compromise you in the end. Physical access, social engineering, etc. However, I'm really impressed by the technical lengths Apple goes to though. The key-burning thing reminds me of ICANN's Root KSK Ceremonies.


Destroyed? Where? In all places where they were stored? Or just in some of them? How can you tell? You still need to trust them they didn't copy them somewhere.


It's impossible to use any technology if you don't trust anyone.

Any piece of technology MAY have a backdoor or secondary function you don't know of and can't find out without breaking said device.


That was the point of my response. Somewhere in the chain one must trust something without any proof.


That's not even getting to the fact that Apple is also running a display ads business: https://searchads.apple.com/


Indeed. Apropos to this: new features[1] to insert ads into videos in native apps.

[1]: https://developer.apple.com/videos/play/wwdc2024/10114/


Such a lazy take. Yes, they show ads based on what you search for in the App Store. They will also show apps based on location if the customer opts in to that feature. No other data is used. No browsing history, no purchase history, nothing like what other companies are collecting.

https://searchads.apple.com/privacy


Glancing at your comment history I can't help but notice that most of your comments are related to defending Apple, even at points where the consensus on HN is that Apple is obviously in the wrong. I applaud you, sir.


Eventually the addressable market for iPhones will saturate, but the growth imperative will remain.

If I were king of Apple and I truly valued user privacy, I would be careful not to tie any revenue streams to products that entail the progressive violation of user privacy.



