
What Apple’s Tim Cook Overlooked in His Defense of Privacy - plg
http://www.nytimes.com/2015/06/11/technology/what-apples-tim-cook-overlooked-in-his-defense-of-privacy.html?_r=0
======
k-mcgrady
Some really dumb points in that article. Of course Apple has to provide access
to a search engine in Safari - and pretty much all search engines run from
ads. It neglects to mention that they recently added the option of DuckDuckGo.
And of course Apple collects information on you to help improve its products -
nearly every company in existence does this.

The difference in the two approaches (Apple/Google) is HOW it uses the data
and the amount of data it collects/has access to.

>> "Mr. Cook also failed to fairly explore the substantial benefits that free,
ad-supported services have brought to consumers worldwide."

Of course he didn't explore it - he'd be an idiot to explain to everyone the
benefits of the very thing he was trying to say wasn't good.

>> "If Apple really didn’t think that its customers should trade their data
for free services, you’d guess that it would build its own ad-free web search
engine for its devices."

No you wouldn't. A search engine is difficult to build, expensive to build,
and hard to do right. Instead they offer users Google as default (which the
majority of people would want) and a more private alternative in DDG.

I could continue going through the article explaining how it is utter rubbish
but it should be pretty obvious.

~~~
roslainoPumbera
>> "No you wouldn't. A search engine is difficult to build, expensive to
build, and hard to do right. Instead they offer users Google as default (which
the majority of people would want) and a more private alternative in DDG."

Um, Apple replaced Google Maps with their own Map service which is hard to
build, expensive to build and they still haven't gotten it right. Despite
that, I want Apple to do the same for search so I can remove Google from my
iPhone.

>> "I could continue going through the article explaining how it is utter
rubbish but it should be pretty obvious."

This is why Apple fanboys have such a bad reputation on the web and spoil
perceptions for those of us who own Apple products without subscribing to the
fanaticism. Stop the snark. Respond to the actual argument.

~~~
MCRed
You seem to be implying that because Google Maps exists, Apple is only allowed
to provide Google Maps integration.

Apple hasn't "replaced" Google maps, except in its own apps. Google Maps still
is on the iPhone.

Plus, remember the conflict over Google Maps was because Google wanted too
much personal information about the users and Apple wasn't comfortable with
that. Apple spent a lot of effort to replace something for the purpose of
protecting users' privacy. I'm not aware of Google ever going through such
extensive efforts (despite the cheap website propagandizing the contrary we
saw the day of the WWDC keynote.)

>> "This is why Apple fanboys have such a bad reputation on the web and spoil
perceptions for those of us who own Apple products without subscribing to the
fanaticism"

I'm tired of this smear from people who hate Apple. For the record, you can
stop pretending to own Apple products. You're not going to convince us you're
somehow objective with this lie. When you smear people defending Apple as
"fanatics" then you miss the point that Apple is constantly being attacked.

It is the existence of Apple that you cannot tolerate causing you and your
kind to constantly attack Apple, and this has been going on for 40 years.

Mac users just want to be left alone, instead of constantly having to defend
against dishonest hit pieces like this article in the NYT.

~~~
guyzero
"the conflict over Google Maps was because Google wanted too much personal
information about the users and Apple wasn't comfortable with that. "

Please tell us more of your insider information about the negotiations between
Google and Apple regarding maps apps for iOS.

~~~
MCRed
This isn't insider information, it was widely published at the time in
mainstream media.

~~~
guyzero
And the people the info came from were certainly not biased or trying to use
the press to influence the negotiations.

------
mgreg
This article is both simplistic and disingenuous for two primary reasons:

1. Equates all advertising with invasive data collection.
2. Suggests that improving individuals' control over their data is worse than not improving it, or worse, is hypocritical.

For point one, Mr. Cook did not vilify ads nor ad-supported services. He spoke
against invasive data collection. Now what qualifies as invasive is certainly
open for reasonable people to debate, but his point is that he feels the
industry has gone way too far. I read a physical newspaper this morning with
ads in it. A good portion of that paper's income is from ads and the rest
through subscription. They did zero data collection on me. I say this only to
demonstrate that you can have an ad-supported business without being evil. The
NYTimes author seems to ignore this.

For point two, isn't it better that Apple is improving privacy protections
rather than just throwing up its hands and instead joining Google in
attempting to learn everything about us and then sell access to that data to
advertisers who have their own best interests in mind rather than ours? Why is
building a more private maps application but still enabling Google searches
better than not providing a map application?

In short I think it is very possible to run an ethical ad based business.
Unfortunately in Silicon Valley we've adopted a default business model of
grabbing as much personal information and selling it to the highest bidder
rather than offering a great service with non-invasive ads or subscriptions.
If Slack can do it why can't others?

------
leoc
If you want to find fault with Apple on privacy and security, one place to
start would be its apparent lack of leadership on the increasing threat from
malicious USB (and no doubt Thunderbolt) devices. Likely no-one is
better-placed than Apple to do something about this: it has the money and the
market-share, a large engineering staff, a consumer-friendly reputation to
defend and enhance, the UI expertise to come up with security provisions that
users will actually understand and tolerate, and a history of clout and
leadership in local-bus standards. But instead it seems to still have its head
firmly stuck in the sand. Would it hurt so much to just throw a USB C condom
into the box of the new MacBook, as an easy starting measure?

~~~
rolandr
I'm not sure why Apple should be singled out for addressing this. Plus, you're
talking about a security issue that requires physical access to a machine -
something a bit different from the issues of privacy, malware, NSA snooping,
etc. It would seem more sensible to focus on those working up the USB
specification (Intel, HP, NEC, etc.) to deliver a standard and hardware
implementations less prone to attacks. Plus, pretty much _every_ USB stack has
these issues - wasn't it Linux where we started seeing proofs of concept?

Actually, Apple has shown foresight in its hardware selection, as they have
consistently selected Intel processors with Vt-d/IOMMU support (to this day,
it remains difficult to find IOMMU-enabled notebook computers). This has
allowed OSX to isolate Thunderbolt and neuter attacks:
[http://ilostmynotes.blogspot.com/2014/11/thunderbolt-dma-attacks-on-os-x.html](http://ilostmynotes.blogspot.com/2014/11/thunderbolt-dma-attacks-on-os-x.html)

Possibly a similar thing might be done for USB controllers as well...

~~~
justabystander
> I'm not sure why Apple should be singled out for addressing this.

You're correct in that it's not an Apple-only security issue. I'm not sure if
the person you're replying to meant to imply that. However, Apple has never
been particularly concerned with pointing out security vulnerabilities. Up
until three years ago they were claiming that OSX didn't get viruses and that
you could be safe by doing nothing.
([http://www.theatlantic.com/technology/archive/2012/06/its-official-apple-computers-are-no-longer-virus-free/258902/](http://www.theatlantic.com/technology/archive/2012/06/its-official-apple-computers-are-no-longer-virus-free/258902/))
_That's_ why Apple gets a lot of flak from security-oriented folk. They
mislead tons of people into thinking that "Macs don't get viruses". And I
still hear self-proclaimed geniuses who tell me this, and why it's the reason
they'll only use Apple products.

Considering Apple changed their slogan to "built to be safe" after being
heavily compromised and criticized by the media, they do deserve a push to
take care of hardware security issues by default. After all, security is built
in, right? Shouldn't they make some proactive security efforts after
advertising to their users repeatedly with the premise that their users
_shouldn't care_ about security?

> Actually, Apple has shown foresight in its hardware selection

That link you share came around four years after OSX (and Windows) had the
login screen compromised with Firewire hacking devices
([http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation](http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation)).
Of which Apple was the primary vendor involved in pushing the standard. Not
only that, it's talking about more modern devices being secure from an exploit
that was used to compromise early Thunderbolt-enabled computers roughly
two-and-a-half years prior
([http://www.breaknenter.org/2012/02/adventures-with-daisy-in-thunderbolt-dma-land-hacking-macs-through-the-thunderbolt-interface/](http://www.breaknenter.org/2012/02/adventures-with-daisy-in-thunderbolt-dma-land-hacking-macs-through-the-thunderbolt-interface/)
and
[http://www.breaknenter.org/projects/inception/](http://www.breaknenter.org/projects/inception/)).
The fact that Apple started utilizing IOMMU to counter DMA attacks and moved
away from Firewire isn't _foresight_ - it's _reactive_. Admitted, a good
reaction. That's how a lot of security procedures end up. But let's not
pretend that they're ahead of the game on security when they aren't.

> Possibly a similar thing might be done for USB controllers as well

It's been done for USB, Firewire, Thunderbolt, any hotpluggable PCI/PCI-e
expansion port/socket (because you can plug the above in unless it's disabled
in the OS). Pretty much anything with DMA in it is an issue.

> Plus, you're talking about a security issue that requires physical access to
> a machine

You're assuming direct malicious intent. Which might be the case for jealous
spouses and high-value targets. But a far more likely consumer scenario is
handing your USB stick to a friend with a compromised computer to share a
file. After he plugs it in, his malware-infested computer overwrites the USB
device's firmware as a new attack vector. When you get it back and use it
again, your computer becomes infected.

It's not common now, but it's not really that far fetched.

~~~
leoc
> You're assuming direct malicious intent. Which might be the case for jealous
> spouses and high-value targets. But a far more likely consumer scenario is
> handing your USB stick to a friend with a compromised computer to share a
> file. After he plugs it in, his malware-infested computer overwrites the USB
> device's firmware as a new attack vector. When you get it back and use it
> again, your computer becomes infected.

> It's not common now, but it's not really that far fetched.

And as the average USB device becomes "smarter" (or more like an embedded PC,
in any case...) in the future I would assume it will become easier to infect
without hardware access. (I am not an expert.) Or think of the many thousands
of lab and internet-cafe PCs which are already out there and being used as
public or semi-public charging points: those can already certainly be
compromised without any hardware access. Even attacks using hardware access to
a USB device don't have to be ignorably small-scale. A single compromised
public USB charging point could hit hundreds of people: one could consider ATM
skimming as an advance warning of what is feasible.

And more generally, access to the hardware on the far side of the USB
connection is _not_ (in the general case) the same as access to the hardware
on the near side. If in practice one is always as good as the other, well
that's exactly the bloody problem! And it's a problem with the USB protocol
etc., not the inherently-mostly-insoluble problem of direct access to the
internals of the user's local machine.

------
donohoe

      And that’s not all. When I go to Apple’s App Store, 
      I’m presented with a bevy of free apps that are 
      supported either in whole or in part by ads.
    

There are a lot of weird conclusions that this article tries to make. This is
the one that strikes me as the dumbest.

It's like bemoaning Microsoft (or any OS maker) that allows people to create
apps - apps that may or may not use advertising.

~~~
bobajeff
Aren't those pretty much the apps that Apple promotes? I remember an article a
while back that went over how the App Store was geared towards really cheap
apps and that was in Apple's best interest because they need many apps to sell
hardware.

~~~
Karunamon
Is there really a difference to the end user if your store has 10M apps vs. 9M
apps? I think we've hit the point of diminishing returns on the quantity front
years ago.

------
LesZedCB
The point that I find hard to dismiss when talking about the differences in
Apple's privacy policies versus Facebook, Twitter, Google, et al., is that
there is, in fact, a significant difference between the privacy of an email,
text message, or phone call, and the privacy of a post on Facebook, or a
tweet. With a phone call, people require warrants, which require judges, in
order to listen in to a phone call, and similarly with a text message (I
assume, I don't know the law about SMS vs phone calls). However, it's
understood when using services like Facebook or Twitter that unless otherwise
and explicitly stated, your posts/tweets are public, searchable by the public,
and kept on servers that are well beyond your control.

Because of this fundamental difference in security, I think it is fair to say
that Apple can make a real and authentic claim to caring about users' privacy.
I believe under no circumstances should my phone calls or emails be
accessible, searchable, or indexed anywhere other than by myself and the
people they are distributed to. SMSs ought to be encrypted and be able to be
decrypted by myself or the recipient only. These modes of communication are
fundamentally different, and Apple has the ability to implement these
precautions, and I believe they are truly trying to do so. I don't see how
it's even a fair comparison to say Apple is hypocritical compared to the
social media giants and Google. They offer fundamentally different services,
and should be expected to respect privacy on fundamentally different
standards. I don't advocate lower bars, I want high bars for everybody. That
is why I applaud Tim Cook for making it a point for Apple to adhere to a high
standard of privacy protection. I genuinely hope that what he says reflects
the true implementation of that policy.

------
josho
The article's only value in my opinion is to make us realize that yes, today,
Apple guards our privacy. However, what stops them from changing policy
tomorrow?

Perhaps we need privacy principles enshrined in our laws, not a benevolent
player in the market.

~~~
quonn
> what stops them from changing policy tomorrow?

> [...]

> not a benevolent player in the market.

The reason they have this policy today is not because they want to be a
benevolent player in the market, but because it has a negligible impact on
their business model and it can't be adopted by the competition (Google). I
would also argue that that's what prevents them from changing it in the
future. It makes perfect sense from a business perspective.

~~~
snom337
I don't think we should say that it's either or. I think it's far more likely
given their past history, that privacy is both something they care about and
something that makes good business sense to them. Recall the pretty stern
answer Tim Cook gave when questioned about their environmental programs:
[http://www.macobserver.com/tmo/article/tim-cook-soundly-rejects-politics-of-the-ncppr-suggests-group-sell-apples-s](http://www.macobserver.com/tmo/article/tim-cook-soundly-rejects-politics-of-the-ncppr-suggests-group-sell-apples-s)

------
nickpsecurity
People aren't going to like me for saying it but this article is right more
than it's wrong. I was a provider of paid, private alternatives to ad-driven
services. There were tons of us in late 90's and many in early 2000's. Almost
all that didn't switch to ads went bankrupt. Customers seemed to universally
want more content/service/everything... for free (or near-free)... while being
OK with being spied on & sold out. They also got what they asked for: more
articles, games, search, socializing, videos, and so on than have existed in
all of history. Huge benefits willingly obtained by giving up privacy and
control to anonymous, greedy organizations at a cost they didn't [and mostly
still don't] care to think about.

Apple, on the other hand, was fine with lying to customers about security
("immune to malware!"), building leaky clouds, suing those that put Mac OS on
cheaper hardware, locking in users with software toolchain choices, keeping
low income users out due to high prices, discriminating against competitors in
App Store, and even charging for updates. _On top of that_, despite tens of
billions in profit, they _also_ sold customers out to advertisers. They are
one of the least trustworthy companies in existence for privacy-conscious
individuals.

So, Tim Cook is full of shit. Apple has enough profit to build inherently
private/secure OS's, toolchains, and services. This is obvious given that
small to midsized firms with a tiny fraction of the money have outdone Apple
in many areas of privacy and security by simply putting in effort. Most
likely, Tim Cook is merely doing P.R. work to position Apple's _image_ (not
reality) as more trustworthy compared to ad-driven services. Those services
can't do this because they'd go bankrupt by not invading privacy.

So, let's rehash. Users have more cool and useful stuff than ever before due
to ad-driven model. Users got there by repeatedly choosing to be spied on
instead of paying or investing time in a private alternative. Apple's past and
current track record on privacy/security are terrible. They also do
advertising, although not dependent like competition. Apple's CEO says they
believe in privacy/security despite them hardly practicing it. Conclusion: our
situation stems from users' demand, their massive use of such services
maintains our situation, a niche wants private alternatives, and Apple is doing
PR to make money off those people (while still selling them out).

Capitalism in action! ;)

~~~
zimpenfish
> Apple has enough profit to build inherently private/secure OS's, toolchains,
> and services.

That does rather imply that such a thing is possible and the entire history of
computer science would indicate that it isn't (yet.)

~~~
nickpsecurity
There have been many examples in the past enforcing specific types of properties
or immune to entire classes of attack. A few survived years of NSA pentesting.
I'll give a simple example: Burroughs' 1961 product with a tag on memory
words. One bit said it's a pointer that processor hardware protects against
forgery or improper modification. Arrays were bounds-checked by hardware. One
bit said something is code, execute but don't modify, enforced by processor.
Function call arguments were validated by compiler during installation and
hardware during procedure call. This combination makes almost every code
injection attack I've ever heard of fail while using very little hardware
overhead. One exception to overhead is runtime procedure checks. Leave it out
& you still knocked out almost every way to take over systems with software
vulnerabilities.

There are dozens of designs doing similar things in academic literature, on the
web (see crash-safe.org or Cambridge's CHERI), in government (see Sandia Secure
Processor), and even commercial (see CodeSEAL architecture). Yet, the tiniest
modifications (pointer/array/code protection) would give attackers
considerable headaches. This must be integrated with other security methods,
of course, along with toolchains (esp compilers) modified to use it and any
custom software (esp assembler) modified to use it. Those changes are well
within Apple's budget. They also bought an ARM license and a fab deal, meaning
they can do the hardware mod.

At this point, there's no excuse for our machines to be vulnerable to pointer,
buffer, or memory-based attacks given 1960's technology was immune to these by
design. And we could adopt such methods relatively inexpensively today. And
academic prototypes running FreeBSD and Linux only cost a few mil versus
Apple's tens of billions available. Yes, it has been done, can be done, and is
simply not done as usual.

~~~
zimpenfish
> I'll give a simple example: Burroughs' 1961 product

But the key there is "simple" - I imagine that's a tiny fraction of the size
and complexity of a modern smartphone ecosystem. Scaling it up to a device
that can be manufactured at a profit and will sell hundreds of millions is
surely more involved than "we could adopt such methods relatively inexpensively
today".

~~~
nickpsecurity
That was a mainframe, actually. They're quite complex. The mechanism is
simple. I have designs that apply it to a smartphone by a tiny change to the
processor and its I/O system. Far as the hardware, that's it. For the
software, the C (or Objective-C) compiler just has to use the appropriate tags
or instructions when generating the binary. Any hand-written assembler, a tiny
portion of the program, must do the same. That's it for the pointer & code
protection. On a smartphone, this is the main SOC, drivers, part of the
compiler, and any assembler functions. That's it.

There's no need to speculate, though. Several academic projects involving a
few amateurs with six to seven digit funding have (a) modified processors for
security, (b) modified toolchain to support it, and (c) ported BSD/Linux to
it. Others did it for embedded systems. Their schemes are usually much more
complex (see Cambridge CHERI processor). Unrealistic to think Apple can't do
with 9+ digits less than what academics do with 6-7.
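To make the tagged-memory mechanism nickpsecurity describes concrete (the pointer and code tags plus hardware bounds checks in the earlier comment, and the "tiny change to the processor" argument in this one), here is an added C simulator that is not from the thread and is not Burroughs, CHERI or Apple code; the word layout, tag values, fault codes and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simulated tagged memory: every word carries a tag that the "hardware"
 * checks on each access. Hypothetical code written for this thread, not
 * Burroughs, CHERI or Apple code; the layout below is constructed. */
enum { TAG_DATA = 0, TAG_POINTER = 1, TAG_CODE = 2 };
typedef struct { uint32_t value; uint8_t tag; } word_t;

#define MEM_WORDS 32
static word_t mem[MEM_WORDS];

typedef enum { OK = 0, FAULT_BOUNDS, FAULT_TAG_WRITE,
               FAULT_FORGED_POINTER, FAULT_NOT_CODE } fault_t;

/* Array descriptor: base address plus length, consulted on every index. */
typedef struct { size_t base; size_t len; } array_t;

/* The privileged path (loader / trusted compiler output) alone sets tags. */
static void priv_set(size_t addr, uint32_t value, uint8_t tag) {
    mem[addr].value = value;
    mem[addr].tag = tag;
}

/* Constructed layout: an 8-word data buffer, a pointer word right after it
 * (the classic overflow target), and a code word further up. */
const array_t buf = { 0, 8 };
enum { PTR_ADDR = 8, CODE_ADDR = 16, POINTEE = 20 };

void init_layout(void) {
    for (size_t i = 0; i < MEM_WORDS; i++) priv_set(i, 0, TAG_DATA);
    priv_set(PTR_ADDR, POINTEE, TAG_POINTER);
    priv_set(POINTEE, 0xC0FFEE, TAG_DATA);
    priv_set(CODE_ADDR, 0x90909090u, TAG_CODE); /* one "instruction" */
}

/* Ordinary store: plain data may only land on data-tagged words, so a
 * buffer overrun can neither forge a pointer nor patch code in place. */
fault_t store_data(size_t addr, uint32_t value) {
    if (addr >= MEM_WORDS) return FAULT_BOUNDS;
    if (mem[addr].tag != TAG_DATA) return FAULT_TAG_WRITE;
    mem[addr].value = value;
    return OK;
}

/* Indexed store through a descriptor: bounds are checked before the store. */
fault_t array_store(const array_t *a, size_t idx, uint32_t value) {
    if (idx >= a->len) return FAULT_BOUNDS;
    return store_data(a->base + idx, value);
}

/* Dereference: the word used as a pointer must carry the pointer tag, so an
 * integer smuggled into memory cannot be used as an address. */
fault_t load_via_pointer(size_t ptr_addr, uint32_t *out) {
    if (ptr_addr >= MEM_WORDS) return FAULT_BOUNDS;
    if (mem[ptr_addr].tag != TAG_POINTER) return FAULT_FORGED_POINTER;
    size_t target = mem[ptr_addr].value;
    if (target >= MEM_WORDS) return FAULT_BOUNDS;
    *out = mem[target].value;
    return OK;
}

/* Instruction fetch: only code-tagged words may execute (W^X in hardware). */
fault_t execute(size_t addr, uint32_t *insn) {
    if (addr >= MEM_WORDS) return FAULT_BOUNDS;
    if (mem[addr].tag != TAG_CODE) return FAULT_NOT_CODE;
    *insn = mem[addr].value;
    return OK;
}
```

After init_layout(), an out-of-bounds store into buf, a plain store onto the pointer word, a plain store onto the code word and a fetch from a data word return FAULT_BOUNDS, FAULT_TAG_WRITE, FAULT_TAG_WRITE and FAULT_NOT_CODE respectively, which is what the comment's claim that code-injection attacks fail amounts to in this model.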

------
baldfat
Facebook installed ruins the privacy play.

