
Corpus of network communications automatically sent to Apple by Yosemite - haywardsmyfault
https://github.com/fix-macosx/yosemite-phone-home
======
song
I'm very glad for that thread. I didn't know that I also needed to uncheck
"Include Spotlight Suggestions" in Safari additionally to Preferences.

I do not understand why there's such a backlash against anyone that points out
that:

1\. It's not intuitive to have to both disable "Include Spotlight Suggestions"
in Safari and in Preferences.

2\. People like my father who are privacy conscious but are average computer
users would not think to look for this in Spotlight and Search and instead
would look in the privacy tab instead

3\. Apple released and advertises cool privacy features like MAC address
randomization that actually do not work. It only works with Location Services
and 3G disabled according to the reports which is never going to happen. This
makes me feel that the new focus on privacy from Apple is more for PR purpose
than something they really care for.

That said, I like Apple products, I've been using macs since 2004 and I would
have a hard time going back to using Linux (still have nightmares about all
the work needed to support my laptop correctly) but that doesn't mean I'm
giving them a pass on those privacy issues.

I know a lot of people here feel that all of this is much ado about nothing
but really, it's clearly not obvious and if I hadn't read yesterday's thread I
wouldn't have been aware that Safari sends my search to Apple even if selected
Duck Duck Go and disabled Spotlight Suggestions in preferences.

~~~
deadweight4
The text when you open spotlight explains that it's looking on the internet.
The first icon is safari. Every search you do, including siri, kortana, and ok
google sends information to the respective company. Apparently bendgate didn't
satisfy the fans, so they had to come up with a tortured reason to be all
upset. I really tire of this horse shit, and would expect better.

~~~
song
I disabled spotlight suggestions in the preferences but didn't in Safari
(since it never came into my mind that I'd need to disable it there too).

When I searched on safari, I didn't see spotlight suggestions but I can
confirm that it phoned home.

I don't get why people get so defensive when it's just a simple fact. Even
someone technically minded like me who actually disabled Spotlight suggestions
in Preferences because I didn't want to send information to Apple, ended up
sending information when searching on Safari. This is an issue.

~~~
arrrg
Why would you expect Safari to not communicate with the web? I'm mystified by
this attitude.

~~~
song
I expect Safari to communicate with the web, I just don't expect it to send my
search data to apple's server when I selected Duck Duck Go as a search engine
and when I disabled Spotlight suggestion in the preferences. Having to disable
"Spotlight suggestion" a second time in Safari's preferences is the issue and
is what I blame Apple.

~~~
arrrg
That makes no sense to me to be honest. I really don’t understand this
attitude, even on a basic level.

~~~
scintill76
Would you be bothered if full video of your browser window was constantly
streamed to Apple by default, with no ability to erase footage? If not, I
don't know what to say. But if so, being told "It's just communicating with
the web, what'd you expect from a browser?" wouldn't help, would it?

Obviously this is the extreme, and I'm not likening sending search queries to
fulltime video surveillance, but the point is people have different thresholds
of what they will tolerate. Apparently most HN users' tolerance is high, or at
least they are willing to defend Apple on this for whatever reasons. Some of
ours is low, so that's why we are complaining.

~~~
scintill76
These threads are amazing. I thought this was a reasonable explanation of my
problem with this, and an attempt to show why people disagree, and how we can
empathize better. But I get downmodded with no response. Is my opinion really
so stupid that it doesn't deserve a response or to be read by anyone else? Is
the idea that these things should be opt-in (or much more transparent), to
protect privacy, so foreign, that I'm assumed to be trolling or merely anti-
Apple if I espouse it? I expected at least "That's your ideological position
on opt-in vs. opt-out, on which we simply disagree."

Maybe people got the message, irreconcilably disagree, and are sick of reading
it again. I don't know why you'd still be in the thread, then.

~~~
song
All of my comments in this thread started with negative points from down votes
then stabilised. It seems that whenever there's a controversial topic, there
are a few people who down vote every comment that goes against their
viewpoint.

~~~
scintill76
I've had the impression that people who have the ability to down vote are
reasonable and well-respected in the community, so it kind of surprises me
that these things happen. Maybe down voting just seems lofty to me because I'm
not karmic enough to have it.

It's also funny that I talked about being downvoted, and am now a little above
0 afterward, oops. I figured the thread was dying down and I'd respond before
it was abandoned completely.

~~~
song
Getting enough karma to downvote doesn't really mean that much, it just means
you've been here long enough and maybe submitted a few articles that got on
the front page (it's much easier to get karma by submitting articles).

------
madeofpalk
That Mail one is probably the least alarming, and I would assume that Outlook
does the same thing. When you first set up a mail account, it sends your email
domain to [https://mac-services.apple.com/iconfig/dconf](https://mac-
services.apple.com/iconfig/dconf) and, provided Apple has a match for it, it
will return auto-configure POP/IMAP/SMTP settings.

If you enter your email as @apple.com, it returns back:

    
    
        <domain> 
          <name>apple.com</name> 
          <service> 
            <hostname>mail.apple.com</hostname> 
            <port>993</port> 
            <protocol>IMAP</protocol> 
            <ssl /> 
            <requires>MACOSX</requires> 
            <authentication>PLAIN</authentication> 
          </service> 
          <...>
        </domain>

~~~
JetSpiegel
Thunderbird has a similar service, but you can click on Manual Config and
input that by hand.

~~~
valleyer
Option-click the "Create" button in the setup wizard in Mail.app for the same
thing

------
tkubacki
Funny - just compare how Ubuntu was bashed for Amazon lens in Unity and how
differently Apple is treated for the same (or even worse) things here on HN

~~~
the_mitsuhiko
My mac has not yet shown me advertisements for when I was looking for my
files.

~~~
esolyt
They weren't advertisements. They were product search results.

And the concern wasn't about the fact that it shows products, but about the
fact that data was being sent to Amazon (unencrypted as well, I believe).

~~~
spacefight
" They weren't advertisements. They were product search results."

That line is blurred these days.

~~~
beagle3
But it wasn't in the shopping lens.

It was a bad idea. But let's not throw random general statements in a concrete
discussion.

Did you ever get a result from the shopping lens which could be mistaken for
an advertisement rather than a product result you can buy on Amazon?

~~~
spacefight
It's a product you can buy on Amazon trough an affiliate link. If't that's not
advertisement...

~~~
beagle3
No, it's not [0]. You searched for something, and the default installation
searches for it among your menus and in Amazon.

Copyright infringement is not theft.

Amazon lens is not advertisement.

[0] [http://www.merriam-
webster.com/dictionary/advertisement](http://www.merriam-
webster.com/dictionary/advertisement)

------
simme_
Original discussion can be found here:
[https://news.ycombinator.com/item?id=8479958](https://news.ycombinator.com/item?id=8479958)

~~~
pilsetnieks
This one might be more relevant: "Disable sharing of Spotlight searches with
Apple"
[https://news.ycombinator.com/item?id=8473580](https://news.ycombinator.com/item?id=8473580)

Hint: you have to uncheck two checkboxes that OS X explicitly tells you about
in the very same Spotlight preferences, plus another one in Location
preferences.

~~~
facepalm
The spotlight preferences are not explicit. I would never have opened them
without reading this news item first.

However, I can understand the philosophy of searching the wen and the desktop
in parallel.

Ubuntu does the same (they search Amazon, not sure if also the web in
general), and they also got a lot of flak for it.

~~~
pilsetnieks
What I meant with explicit was that they are explicitly described in the text
that is shown on clicking the button called "About Spotlight Suggestions and
Privacy."

If one would never even open Spotlight preferences, then yeah, it is not
possible to see, enable or disable those preferences. But then one should also
not complain that it is impossible to enable or disable these preferences. By
that logic, every application that does anything with any privacy implications
should have it's primary interface littered with preference toggles to make it
completely obvious how it's functionality can be altered.

~~~
izacus
I think a basic warning, information or other type of system making a user
aware, that all their searches are being shared with 3rd parties is not an
unreasonable demand.

Having people go to two preferences dialogs just to find out that contents of
search box are being sent to USA datacenters is a dangerous dark pattern.

~~~
batmanthehorse
It gives a basic warning to make the user aware. Any time they use Spotlight
until they disable the related features.
[http://core0.staticworld.net/images/article/2014/10/spotligh...](http://core0.staticworld.net/images/article/2014/10/spotlight_fullscreen_new-100525222-large.png)

------
eknkc
Am I missing something here? The web search / autocomplete functionality
contacts some servers.. You can disable them. Mail client tries to fetch known
IMAP / SMTP info for a given domain to ease setup.

Are there some weird data being sent? Honestly, I might have missed some
concerning communication but as far as I can tell, this is just for the sake
of added functionality and can be disabled.

Expecting OS level stuff to work without network data at year 2014 seems
somewhat bizarre. This is like complaining that apt-get leaks info to home,
telling about the packages you install.

~~~
userbinator
_Expecting OS level stuff to work without network data at year 2014 seems
somewhat bizarre. This is like complaining that apt-get leaks info to home,
telling about the packages you install._

No, the difference is that people do have a general idea about whether things
should be done locally or sent out into the Internet, and searching files
stored locally does not belong in the latter category.

~~~
matthewmacleod
Spotlight is no longer a tool for searching local files, and is now a search
tool which combines local and remote data.

You can disable this feature.

~~~
vertex-four
Which is an issue as this is not clearly stated, and it appears at first
glance to be exactly like the desktop search tools we've been using for the
past couple of decades.

UX design is partially about making pitfalls like this clear to users (and,
where possible, getting rid of pitfalls altogether).

~~~
batmanthehorse
It is actually very clearly stated when you first use it (and every time
thereafter, until you disable it):

[http://core0.staticworld.net/images/article/2014/10/spotligh...](http://core0.staticworld.net/images/article/2014/10/spotlight_fullscreen_new-100525222-large.png)

------
esolyt
I recently replaced Spotlight with Alfred and realized how much I was missing
out. It's surprisingly faster and cleaner. I would really suggest it to anyone
who haven't tried it yet.

~~~
nodata
Have you compared Alfred with Spotlight in Yosemite?

~~~
Tyrannosaurs
I recently replaced Alfred with Spotlight when I upgraded to Yosemite.

Alfred feels like it was very much an "inspiration" for the new Spotlight but
as is often the way with little helper type apps, if it's good enough, sooner
or later it will get rolled into the OS.

The business model Joel Spolsky referred to as grabbing nickels from the path
of an on-coming steamroller.

------
davidw
It searches the web as well as your local drives, so sending those searches
out is exactly what I'd expect. Now, I can also see the case for not making
'do a web search too' the default, but if you can't have that and not share
your searches with Apple.

~~~
ctz
> you can't have that and not share your searches with Apple

Why on earth not? Why can't the search box just talk to DDG?

~~~
davidw
Isn't what people are getting hot and bothered about is that " _local_ "
searches are sending data out on the internet, rather than where they happen
to be sending it?

~~~
gutnor
Yes, people that knows the difference between local searches and online
searches are probably upset about it.

As a HN user, I'm in that category of people. However, I was surprised, when
using my phone that I expected Spotlight to search both locally and online.
The difference is that I never use spotlight on my mobile, I just don't have
that much stuff to look locally, so I had fresh user expectation: "cool I can
make search anywhere", so when spotlight did not do it was a bit of a let down
and since then I have never used Spotlight on IOS again, I just open the
browser.

Not saying that Apple is right or anything, but the reasoning may simply be
"if I have a global search button not looking online by default, will regular
user not think of that as a bug"

------
adsr
Can't this just be turned off with the Spotlight setting in system preferences
though? For browsers it seems to be the same for all that uses the unified
search field, it was last time a checked Chrome with tcpdump. I personally
preferred to have the URL field separate from the search field for that
reason.

~~~
masklinn
> Can't this just be turned off with the Spotlight setting in system
> preferences though?

Yes. Although note that it will not disable Safari's "spotlight suggestions"
which have to be disabled separately via Safari's own preferences.

------
f3llowtraveler
I am extremely disturbed by this report.

I have been a faithful Apple user for years, but this single report causes me
to seriously consider switching to Linux for good.

~~~
coldtea
You mean to get something like Ubuntu that does the same thing?

Let's set this straight: anything that gives you suggestions (for search,
products, dictionary definitions, songs, etc) from the internet, is by
definition sending your query to some internet server.

Next drama: Google searches send my search queries to Google.

~~~
inclemnet
> You mean to get something like Ubuntu that does the same thing?

He obviously means something not like Ubuntu (or at least Unity in particular)
that does not do the same thing. There are many many distros meeting this
requirement, it's disingenuous to try and imply everyone is doing it.

~~~
coldtea
> _He obviously means something not like Ubuntu (or at least Unity in
> particular) that does not do the same thing._

You'd be surprised:

[http://arstechnica.com/business/2012/09/ubuntu-bakes-
amazon-...](http://arstechnica.com/business/2012/09/ubuntu-bakes-amazon-
search-results-into-os-to-raise-cash/)

------
dustinfarris
Is the data sent to Apple personally identifiable? How long is it retained? If
the NSA (inevitably) decides to crash the party, what is the nature of the
information that they walk away with?

These are all questions that should have readily available answers.

------
jason_slack
Has anyone found a way in 10.10 to completely disable spotlight and
notification center? I know I can disable in system preferences but what about
getting rid of the icons and completely stopping the services all together?

------
abritishguy
I like what I have seen with Apple's (apparent) focus on privacy with regards
to iOS and the later iPhone models but this is pretty worrying - I'm not one
to care about sending my data to some cloud service when it offers some
tangible benefit to me, but some of this data is pretty intrusive and I can't
see what benefit it is adding.

Assuming everything here is accurate then Apple have screwed up and really
ought to rectify this pretty quickly if they want anything they say about
privacy to be taken seriously in the future.

~~~
stephen_g
How else would they provide Apple Maps and web results in Spotlight though?

It actually has an explanation of exactly what it's sending and where in the
Spotlight preference pane (click 'About Spotlight Suggestions and Privacy'),
and exactly how to turn it off (you switch off 'Spotlight Suggestions' and
'Bing Search' in the list of things to search). It's not like this secret...

------
blinkingled
> About this Mac

When the user selects 'About this Mac' from the Apple menu, Yosemite phones
home and s_vi, a unique analytics identifier, is included in the request.
(si_vi is used by Adobe/Omniture's analytics software).

Wow. I am waiting for "Team Apple" to invent a radical defense on this one.
But regardless this is shameful on Apple's part.

~~~
rimantas
Does it by any chance depend on checking "Send usage and diagnostics data to
Apple" checkbox? Is that identifier used for anything else, i.e. can it be
associated with something identifying the user, not just saying that all these
requests came from the same machine?

~~~
blinkingled
If you read the link it says upfront that this happens after disabling all
privacy related options including usage and diagnostics data.

Besides why does Apple need to know the user clicked About This Mac? A crash
log I can understand but this is unprecedented level of tracking on a desktop
OS.

------
higherpurpose
Microsoft has been doing this, too, since Windows 8.1, and it's going to do it
even more aggressively with Windows 10.

I'm not saying it to mean that it's okay - in fact quite the opposite. Both
are doing it wrong, and I hope they stop, or at least give me an _intuitive_
(not hidden within 100 other settings) way to disable it.

~~~
dvhh
citation required

------
JamesBaxter
I wonder if the iPhone does something similar

~~~
madeofpalk
Yup. Fire up Charles SSL proxy and you'll observe very similar behaviour (at
least with Mail and Spotlight/Safari)

------
tsenkov
Disclaimer: I am building the mentioned app.

Pagehop ([https://pagehopapp.com/](https://pagehopapp.com/)), a launcher
targeting only the Web, doesn't send your search queries to any server of
ours, and allows searching in many different sources (Google, Bing,
DuckDuckGo, Wikipedia, StackOverflow, YouTube, even some very specific sources
such as jQuery's API documentation, the Mozilla Developer Network or the NPM
archive). You can add sources (recipes) yourself.

We don't use a central server, instead the app taps into free web services
(where possible) or scrapes the sites (where not).

It basically is a pack of many horizontal and vertical search engines with a
single UI and the ability to use tools for post-processing of web results such
as Regexes and Fuzzy Matching.

Pagehop queries are a simpler version of executing commands in the Terminal
and you can pipe tools, one after another, just the same.

You should check it out (or not) - it has an unlimited, free and fully
functional evaluation period (nothing is locked, just like SublimeText).

------
teamhappy
We've read plenty of interesting explanations in this thread. Anybody care to
explain to me what great feature is hidden behind the "About This Mac" cookie
or where to find the button to disable it?

------
nashequilibrium
mmmmmmm

------
steffenfrost
What are they sending to the NSA?

------
rplnt
If you like the title of this post, you might like this subreddit:
[https://www.reddit.com/r/titlegore](https://www.reddit.com/r/titlegore)

edit: all right, jokes aside, the title is horrible and unparseable for many
reasons:

"Yosemite" without stating it's OS X Yosemite throws you off with the first
word. It "Sends Spotlight" (comma). All right, sends spotlight what? Is sends
a verb, why is it capitalized? Let's move on... "Safari Searches", Safari
searches what? Again with the random capitalization of searches? Or I guess it
was a verb and "Spotlight, Safari" is a list. The fact that both are also
common words doesn't help - it would be more obvious that we are talking about
products/brands if "searches" and "sends" weren't capitalized. Continue... "to
Apple" \- yeah, this makes sense (first time in this sentence). Even "to" is
not capitalized (but it makes you question your decision about
sends/searches). Comma. Third parties. What?!

Seriously, it's awful.

~~~
zimpenfish
Whilst it's not great, it's hardly awful or unparseable. Headlines have been
written in this kind of truncated form for decades; people know how to read
them.

