
Forget iPhone X–Apple's Best Product Is Its Privacy Stance - colinprince
http://time.com/4998189/iphone-x-privacy-apple/
======
exitreturn123
I work closely with Apple so need to post anonymously.

I believed everything in this until something that happened in late July this
past summer.

In China, their fastest-growing market, China demanded all secure messaging
and VPN apps be removed from the App Store and Apple complied.[1]

So privacy matters, unless it's in your fastest-growing market.

I intend to discuss with Tim next time I see him.

1: [https://techcrunch.com/2017/07/29/apple-removes-vpn-apps-from-the-app-store-in-china/](https://techcrunch.com/2017/07/29/apple-removes-vpn-apps-from-the-app-store-in-china/)

~~~
artimaeis
I see what you're getting at but that decision has little/nothing to do with
Apple's stance on privacy.

* iMessage still uses end-to-end encryption for messages in China.

* iPhones sold in China still utilize Secure Enclave for privacy/encryption.

* Aggregate data still uses differential privacy in China.

The government made a request of them which did not compromise their users'
security, and they obliged.

Compare that to when the US government requested backdoor access past Secure
Enclave and they absolutely denied that request.

I agree that it's unfortunate for Chinese users that their government is
placing additional limits on the available software in that ecosystem (as well
as other ecosystems, I'm sure). But so long as the government is not asking
Apple to compromise its users' privacy I don't see any strong relation to
corroborate the idea: "privacy matters, unless it's in your fastest-growing
market".

~~~
ewzimm
This also shows that if we care about the preservation of privacy, we can't
depend on technology to solve the problem on its own. No matter how
well-engineered software might be, it's ultimately subordinate to national and
international law. A company can refuse to cooperate up to a point, but a
government can always force it to either comply or cease doing business.

The Verge's recent technology survey showed that at least its audience
believes that Google and Amazon are better protectors of personal privacy than
Apple, so their strong stance on encryption and privacy is not yet completely
effective in differentiating them from competitors. Hopefully articles like
this will enhance the perceived value of privacy, because we need both private
and public entities to agree on privacy for it to be effective.

~~~
AndrewKemendo
_No matter how well-engineered software might be, it's ultimately subordinate
to national and international law._

For now. I argue that there will be a technology corporation more powerful
than the reach of any nation-state within 50 years.

~~~
ewzimm
I agree with you. I'd even bet that in 10-20 years, the primary purpose of
nation-states will be technology management, if that isn't already the case.
Administration by software seems inevitable, with the main problem being
ensuring that the software is acting in our interests. We'll likely encode
policies into something like Ethereum contracts once we have more reliable
infrastructure.

~~~
jernfrost
Ethereum does not have that broad of an application. You are engaging in
rather wishful thinking. Nation states exist because people have different
traditions, values, language, history, economic and political systems.

~~~
ewzimm
Yes, there are important differences, and I don’t think Ethereum will fill the
various needs, which is why I said “something like Ethereum.” With all the
differences in nation-states, we have come to a kind of equilibrium today
where each one has a convertible fiat currency through historical convergence.
Each one has a similar hierarchical government claiming authority through
popular mandate. That’s an amazing consistency considering the different
origins.

I’m not wishing for any particular outcome, but considering past convergences
and future potential, I’m simply saying it’s likely that some kind of smart
contracts operating on distributed computing platforms will eventually become
standard processes for law enforcement once computation is more ubiquitous.

------
sgift
Reading about all of this is so surreal for me as a German. I read about these
"great" policies and all I can think is ... "so, they do the minimum required"
.. what's there to praise? Then I remember how US (companies) tend to think
about privacy and get very sad. Stronger penalties for anyone breaking
relevant privacy rules cannot come fast enough.

~~~
MBCook
In everything that keeps happening in the US with regard to leaks and
advertisers watching you and Facebook profiling you... I’m not sure it’s
fixable.

Until a large chunk of congress, and probably the R chunk due to their privacy
law stance, gets a TON of embarrassing stuff leaked to the public or better
yet ‘shared’ when they weren’t expecting it... I don’t think anything will
change. We won’t get real laws to protect people.

And a decent sized part of me says not even incidents like that would do it.
It would just be blame-the-victim and you-accepted-that-policy and the laws
wouldn’t really change.

~~~
colinprince
I fear that R chunk will only pass legislation to exempt themselves.

Mass surveillance is too enticing to give up so easily.

------
frankmcsherry
> Wired recently deployed a team of experts to deconstruct Apple’s code and
> found its differential privacy practices to be lacking, a characterization
> that the company strongly disputes.

If by "deployed" they mean "interviewed about their work". I don't understand
Time crediting Wired with the research[0], which does a disservice to their
actual sources of funding.

[https://arxiv.org/abs/1709.02753](https://arxiv.org/abs/1709.02753)

------
lefstathiou
I’m a big fan of this - want to point out that the motivation behind this is
as much economic as it is philosophical. Apple’s stance on privacy is 100% in
their economic interest because it negatively impacts Google, Facebook and
Amazon’s data-driven business models without Apple looking like a bad actor in
the ecosystem. These companies are its biggest threats in software and it puts
moats around Apple’s hardware business.

------
TazeTSchnitzel
From what I've heard from a friend who works for Apple, it's more than skin-
deep, they have a strict internal culture of user privacy. It's difficult to
get permission to report any kind of user data or to bypass the sandbox, for
example.

~~~
damnyou
This is true of all large corps. Accessing user data without a really good
reason will get you walked out the door instantly.

~~~
TazeTSchnitzel
I don't mean accessing data on their servers, but rather analytics and the
like. They don't get shader content in their crash reports because it might
have been generated from user data somehow.

------
thisisit
This might as well be titled - Forget iPhone X-Apple's Best Product is that
they are not out to sell you anything else - ads (Google) or other products
(Amazon). If a stance on something is due to not having a particular type of
business, is it really worth the praise?

~~~
fredleblanc
But it's chicken and egg, right? They don't have that particular business
because they made the choice of privacy long ago? Even if they're not in the
ads business because of a series of lucky decisions that just happened to
steer them this way, there's nothing wrong with touting a selling point.

~~~
adamlett
No. Apple has had the same business model always, which is to sell you
hardware differentiated by software at a premium. Apple doesn't have an
advertising-based business model[1] because such a model is fundamentally
incompatible with their existing business model. The reason is that for an
advertising based model to be truly successful, you have to reach as many
consumers as possible, which ultimately means that your product must be free
to use for consumers.

Apple's stance on privacy is making a virtue out of necessity.

[1] Yes, yes, I know: iAd. But how well did that work?

~~~
013a
I think it's more complicated than that.

There are reports that Apple has an internal committee, including a high level
executive, dubbed their "privacy czars" which are required to unanimously sign
off on any instance of user data collection, and this committee has actively
limited products like Siri over concerns [1].

There's also the San Bernardino customer letter, which has become a defining
point in their privacy history [2]. They didn't have to publish that letter;
they could have fought it privately or not fought it.

There's really no fundamental reason why iAd couldn't have become a more
powerful revenue generating part of their platform. They sell enough iPhones
to reach a broad market. But, per [1], reports say that the team ran into
internal privacy concerns which constantly forced limiting its capabilities.

Apple is fundamentally different, in ways that can't solely be explained by
their product history and revenue sources. Companies like HP and Samsung make
consumer hardware, but also generate revenue by selling their customers' data
to third parties. It's clear to me that Apple does consider Privacy a
revenue-generating product that they sell.

Of course, you can argue that maybe they wouldn't take that stance if they
weren't so successful in hardware; that Privacy is a privilege afforded to
them because of their success, and less successful companies need that
advertising revenue. But now we're arguing hypotheticals, and I'm not going to
partake in that.

[1] [https://www.reuters.com/article/us-apple-encryption-privacy-insight/apple-privacy-czars-grapple-with-internal-conflicts-over-user-data-idUSKCN0WN0BO](https://www.reuters.com/article/us-apple-encryption-privacy-insight/apple-privacy-czars-grapple-with-internal-conflicts-over-user-data-idUSKCN0WN0BO)

[2] [https://www.apple.com/customer-letter/](https://www.apple.com/customer-letter/)

~~~
damnyou
Do you really think other companies don't have internal privacy reviews?

~~~
mikestew
My experience leads me to believe that many other companies have privacy
reviews only to the level required to keep them out of legal trouble. It is an
inconvenience, not a feature.

------
singularity2001
Would this be a fair assessment?

Facebook, Microsoft and Google collect all your private information and share
it with themselves, the government and some with the advertisement industry.

Apple collects some of your private information and is forced to share it with
themselves, Nuance and the government (subvertly see Snowden and interpolate).

Amazon is in a special position.

~~~
criddell
> some with the advertisement industry

I'm always interested when people say this. Say I want to buy some person's
data. Is there a way I can do that with Facebook, Microsoft, or Google?

~~~
MBCook
No, because it’s far too valuable to them. If they sold it it wouldn’t be
valuable for long.

They do it ‘the other way’. You say “I want to buy some eyeballs like X” and
they sell you access to the eyeballs.

But they don’t give you the person’s information.

~~~
criddell
That's what I thought. So my private information isn't really shared with
anybody, is it? I mean I guess if I were to place an ad targeted to black men
that speak French and you answered it, I would learn that about you.

~~~
MBCook
It’s shared with anyone _inside facebook_ who wants to use it for something.
I’ve never gotten the impression there are strong internal privacy controls.

External companies? Perhaps if they partner with Facebook but not normal ad
buyers.

~~~
praneshp
> I’ve never gotten the impression there are strong internal privacy controls

At least my friends that work there claim otherwise, but obviously they are
biased. But so are you, I suspect.

~~~
MBCook
Yep, I’m very distrustful of FB.

But that’s good to hear. That’s what I would hope.

------
jclay
Apple's position on privacy also led me to switch to iCloud recently. I
migrated my mail and drive to iCloud (from GMail, Google Drive) for this very
reason and while there isn't always a 1-1 feature parity, I prefer to know
that my data won't be used to analyze and categorize me for the purpose of
advertising.

~~~
duality
What makes you claim (implicitly) that Google, Dropbox, etc. are selling data
from your email or storage accounts?

~~~
jclay
I suppose I should clarify that I'm referring to the data being used to
classify me into various (increasingly specific) categories and that resulting
output being sold to the highest bidder in the form of a targeted
advertisement. Dropbox I'm less familiar with, so I can't speak to their
model.

------
andreareina
The iPhone is unbelievably fragile, _before_ you look at the high price. Apple
bends over backwards to deny the existence of design flaws, to the point of
blaming users for doing it wrong. Despite this I am seriously considering an
iPhone, their stance on privacy is the _only_ reason.

~~~
CaptSpify
The only real reason I haven't switched is because they won't give me control
of _my_ phone. At least with Android I can root it, install custom roms, and
mess with pretty much any non-google software that I have on there.

Android is _far_ from perfect, and I still hate it, but at least I can still
control most of it.

~~~
nyolfen
> At least with Android I can root it,

and not just you :P

------
away2017throw
It helps when you don't have an ads business branch.

~~~
Mindwipe
Apple did until last year though.

~~~
pwinnski
...which failed due to their strict privacy rules making the ads less
effective than advertisers wanted.

------
dingaling
Apple itself may well have a pro-privacy stance regarding the data associated
with their products & services, but if I can't even install a firewall on one
of their phones then that doesn't protect my privacy much against malicious or
deceptive third-parties.

I don't much like Android as a system but at least I can strip it of Google
services and install a firewall and feel reasonably private. It's not an ideal
option but it works.

~~~
BillinghamJ
It does have a firewall. The configuration is static: no incoming connections.

You might be thinking about not being able to have an antivirus? In which
case, that is certainly a feature - not a bug. Allowing the privileges
required to enable an AV to operate on iOS would severely degrade the security
of your device. The losses would massively outweigh any potential benefits of
having an AV.

~~~
Yetanfou
Blocking incoming connections on a mobile device is less important than
blocking outgoing connections given the threat model of a multitude of mobile
devices running basically black-box applications which have access to a range
of sensors. The main threat here is applications gathering data - of any sort,
from positional to audiovisual to network traffic to (financial) transactional
- and sending it off to their masters. The threat is, so to say, inside the
walls already, not outside. The task is to make sure it does not communicate
to the outside world.

iOS does not allow fine-grained control over outgoing network access. The
assumption is that the user trusts the application to not do anything
untoward, after all it was vetted by Apple before it appeared in the store.
There are ways to get this type of control on iOS but since the first step you
need to take is to 'jailbreak' the device this is not a real solution.

Android does allow this type of control through a multitude of firewall (i.e.
Linux _iptables_) configuration applications. Android devices running version
3.x or earlier need to be 'rooted' to gain access to the firewall
configuration, later versions (from 4.0) don't require rooting. The 'no-root'
firewall works by routing all traffic through an on-device VPN (which can be
instantiated without root access as of Android 4.0). This does mean the
firewall application gets access to all network traffic, making that type of
application a good target for those who wish to subvert Android network
security.

------
karpodiem
fun little incident this morning - with my wifi off, I logged into iCloud.com
to change my primary AppleID e-mail address from an .edu to icloud.com address
([https://www.macrumors.com/2017/10/31/apple-id-third-party-email-address-update/](https://www.macrumors.com/2017/10/31/apple-id-third-party-email-address-update/)).

Interesting location identification for the request origination -
[https://www.dropbox.com/s/v9rtg1igl73gf67/where.png?dl=0](https://www.dropbox.com/s/v9rtg1igl73gf67/where.png?dl=0)

Now, I've seen 2FA requests a couple hundred miles off, but this is _way_ off.
I'm in the suburbs of metropolitan Detroit.

For a lark, I googled 'NSA Texas' -
[https://goo.gl/maps/rb1AhG3EiE62](https://goo.gl/maps/rb1AhG3EiE62)

Hello NSA! You might want to review the process on that one.

~~~
matthewmacleod
Or in actuality, it’s just sloppy IP geolocation.

~~~
astral303
Indeed, Occam's razor says poor IP geolocation. What are the chances that you
are being monitored by NSA from Texas, or that the geolocation database is
stale or wrong?

~~~
frickinLasers
Out of curiosity, what are the chances this geolocation error also exists 170
miles away? I had the exact same thing happen a few weeks ago, from just east
of Chicago.

