
Why Apple and Microsoft Are Healthier Than Facebook - JumpCrisscross
https://www.bloomberg.com/view/articles/2018-03-30/apple-and-microsoft-are-healthier-than-facebook
======
heisenbit
Leadership starts with the top and the values of the company. There is a huge
gap between the CEOs of Microsoft and Apple and Zuckerberg who has never
understood the value of respecting boundaries. That culture likely permeates
the whole company seen in their handling of partners, API permissions, privacy
settings etc..

I doubt that Zuckerberg is able to fix the issues as he is at the root of it.
Looks to me like the situation at Uber but with FB there may still something
to be saved if they are moving fast.

~~~
tootie
I don't think Zuckerberg is as actively scummy as Kalanick was. Fixing this
requires being very actively ethical and I think he's just falling short. I
don't think Zuck is incapable he just needed this kick in the pants to do
something.

------
saagarjha
> In reality, Apple collects more information about its customers than
> Facebook because it offers more products and services

The author seems to be conflating what’s stored on the device with what’s
being “collected”. There’s a difference; with Facebook everything ends up on
their servers, while with Apple much less does. If these companies were to be
hacked tomorrow, with Apple the only information that would be made available
is stuff that’s been sent, such as iCloud data. Things that stay local, such
as call history, would remain secure.

~~~
izacus
Can you explain a bit more? Apple iCloud services collect and upload a huge
amount of data to Apple servers. Emails, calendars, tasks, your private
messages (iMessage), phone diagnostic data, GPS location data (cell tower /
wifi location helper service), SMS, MMS messages, application data and more.

Sure a lot of this is encrypted, but Apple explicitly warns you on support
page that they WILL give iCloud data to authorities if warrant is sent.

Quote:

> iCloud content may include email, stored photos, documents, contacts,
> calendars, bookmarks, Safari browsing history and iOS device backups. iOS
> device backups may include photos and videos in the Camera Roll, device
> settings, app data, iMessage, SMS, and MMS messages and voicemail. All
> iCloud content data stored by Apple is encrypted at the location of the
> server. When third-party vendors are used to store data, Apple never gives
> them the keys. Apple retains the encryption keys in its U.S. data centres.
> iCloud content, as it exists in the subscriber’s account, may be provided in
> response to a search warrant issued upon a showing of probable cause.

(Section G in [https://www.apple.com/legal/privacy/law-enforcement-
guidelin...](https://www.apple.com/legal/privacy/law-enforcement-guidelines-
us.pdf) )

So why do you think there's a difference?

~~~
saagarjha
iOS device backups sort of poke a hole in my comment, since they by definition
store essentially everything on your device that I said Apple keeps local.
I’ll fall back on a weaker argument, that Facebook collects similar
information as well, especially if you’ve ever used an Android device.

~~~
izacus
Yeah, the fact that Facebook app is preloaded (with granted permissions!) on
many Android phones is a huge issue.

------
cmarschner
Microsoft has processes in place to minimize business risk due to privacy and
security problems (both usually go hand in hand). All engineers must go
through regular training, and features must go through security and privacy
reviews. In these reviews, systems and their threat boundaries are described
as well as the data that flows over system boundaries or that are stored. PII
(personally identifiable information) gets anonymized unless absolutely
necessary (e.g. for a profile page). The mantra is that the engineers should
trust the system to put their own data in. Then there is also GDPR which
requires adding abilities to delete personal data on request, even if it is
distributed into different systems. It‘s even tougher when it‘s about customer
data (eg Office 365). That‘s an absolute black box, so to do ML on this data
you might put training into a firewalled cloud and you might get a metric
back, but there is no way of looking at any concrete data. So, MS treats the
prospect of privacy breaches as an existential risk and acts accordingly. It
has been this way for at least 10 years.

~~~
fauigerzigerk
If it's so existentially important to them, why is OneDrive data in personal
(paid) Office 365 accounts not encrypted at rest?

~~~
Const-me
Why would you want them to?

Their web servers needs decrypted data in order to handle these office
documents, so client side encryption is not an option.

Server side encryption, where the server knows the keys, serves very little
purpose because the threats it protects against are extremely unlikely. What
it’s protecting against, armed robbery of the datacenter?

~~~
fauigerzigerk
I want to be protected against the exact same attack vectors that Microsoft's
business customers are protected against and the same attack vectors that all
customers of Google, Apple or Dropbox are protected against.

Perhaps it's all just security theatre as you suggest, but I am not the one
running these data centers, so if all these companies say there is a threat,
then my instinct is to believe them.

~~~
Const-me
> I want to be protected against the exact same attack vectors that
> Microsoft's business customers are protected against

I don’t think there’re such attack vectors. The reasons MS doing that with the
data of their business customers are legal, not technical.

They keep medical data, legal data, government data for many jurisdictions
around the world. Before doing that, they had to comply with FIPS 140-2,
HIPAA, and a whole bunch of others: [https://products.office.com/en-
us/business/office-365-trust-...](https://products.office.com/en-
us/business/office-365-trust-center-compliance-certifications)

> if all these companies say there is a threat

I can’t remember them saying there is a threat, or mentioning what it is. I
only heard them saying marketing BS about how safe my data will be on their
servers.

~~~
fauigerzigerk
_> I can’t remember them saying there is a threat_

I doubt that any of them will ever publish their most detailed threat models.

If I had to guess, I would say the most likely threat is nosy or corrupt
staff.

Protecting a key server is easier than protecting tens of thousands of servers
and physical disks.

Legal requirements are not necessarily baseless either. They are in place to
protect someone against something.

The data I have on these cloud services is extremely sensitive. All my
identity documents, proof of address, examples of my signature, financial
data, health data, etc. If someone were to get hold of these documents, they
could steal all my money, my identity and make life hell for me.

------
harryf
> Most people won't fiddle with the controls because they may not even realize
> what all the fuss is about.

Good to see this _starting_ to become part of the discussion; that most users
are not educated and motivated enough to take privacy seriously. I'd like to
see regulation that makes "here - agree to this 200 page TOS" unacceptable as
form of gaining user approval, especially - as in the case of Facebook -
you're agreeing not only to sharing your own data but also data on friends who
aren't even using Facebook.

~~~
IshKebab
> I'd like to see regulation that makes "here - agree to this 200 page TOS"
> unacceptable as form of gaining user approval

Your wish is my command!

[https://www.eugdpr.org/the-regulation.html](https://www.eugdpr.org/the-
regulation.html) (see Consent)

~~~
harryf
That's a great start! Haven't yet looked seriously at the details of GDPR -
good to see it going that way.

------
blackflame7000
Idk about Microsoft, of all the personal assistants, Cortana is batshit
insane. Furthermore their Quantum team is the only one yet to produce a Qbit
while IBM is using 50. The last decade of Microsoft acting like the college
one and done has depleted its ability to innovate. Nevertheless, at least they
still rely on tangible assets to turn a profit.

~~~
ahelwer
Regarding Qbits, the number doesn't mean much. Error rate is far more
important. Microsoft hasn't yet created a real-world topological qbit, but
they have much-improved noise properties in theory.

~~~
JumpCrisscross
Tree span is better.

------
gaius
The article conflates the encrypted binary blobs which are your iCloud
backups, with the kind of structured data Facebook gathers. They are not
remotely comparable.

~~~
opencl
Encryption is meaningless from a privacy perspective when they also store the
keys on their servers.

------
feelin_googley
"In reality, Apple collects _more_ information about its customers than
Facebook because it offers more products and services."

Was/is all that data collection necessary?

Did they (or Microsoft) make decisions about data collection based on
perceived competition from Facebook or Google.

Considering e.g. how ads were integrated into MS software products (e.g. the
"free" versions of Office software that appeared a number of years ago) I
think the answer is yes, at least for MS.

I believe all these companies (AAPL, MS, FB, GOOG, AMZN, a few others) react
to each other and often adjust their short-term and long-term goals
accordingly, even when they might be thought _not_ to be competing.

~~~
kerng
They show ads, but not based on your detailed personal profile, or content of
your mail and things like that. Microsoft is a software company, not an ad
company. I remember Microsoft making a big deal out of that at one point,
saying that Google "reads" your email and stuff. That was really quite long
ago, now things are even more personalized for Google and FB, whereas Apple
and Microsoft has never been so deeply involved in the personalized ads
business. There core business models are different.

~~~
polskibus
I'm pretty sure that changed with Windows 10 and telemetry you can't switch
off completely.

------
mel919
> Microsoft, with its cloud, software licensing and subscription businesses,
> is even less likely to go rogue in data collection because it no longer has
> a mobile platform to speak of.

But they have a desktop platform and they used it to go rogue with data
collection, all the way. Just because they've failed on mobile doesn't
automatically make them a privacy-oriented company.

~~~
mistrial9
Microsoft is a company that in their very long history, has repeatedly pushed
legal boundaries at the expense of their business partners, their individual
customers, and the software ecosystem. But the company has(had?) a very
different mode of operation than Facebook or Apple. Neither of the two lines
above sound like M$ft here.

------
hanspeter
> "The truth is, we could make a ton of money if we monetized our customer —
> if our customer was our product," Cook said on Wednesday. "We've elected not
> to do that."

You elected to pocket up to 30 % of all app revenue generated from your users
and their data ($11.5 billion in 2017). How is that not monetizing your users?

~~~
pwinnski
It's monetizing developers, not users. They collect nothing whatsoever from
free apps.

~~~
hanspeter
You could also say: Facebook is monetizing advertisers, not users. And: They
collect nothing whatsoever from free social media marketing.

The point is that Apple has users and user data, and companies come to Apple
to make money on their users while paying Apple to get access.

~~~
pwinnski
But that's backward, again. Apple is monetizing developers because the money
comes from the users. Users pay to have access to the developers.

Facebook is monetizing users because the money comes from the advertisers.
Advertisers pay to have access to the users.

------
donbronson
Apple could have a similar situation. Via the iOS SDK, developers can ask for
access for a phone’s address book. These contact connections could be
harvested by bad developers. They could also be sold by those developers. This
is merely one example. All companies with data and APIs are vectors of attack.

~~~
panic
The difference is that the data is on your phone, not Apple's servers (unless
you back up with iCloud, but even then I believe it's encrypted). You can
decide which apps to run on your device; you have no control over what
Facebook does on its servers.

~~~
donbronson
Definitely a difference but there is a similarity in vectors of attack: The
contact address book can be taken off the phone using the Apple SDK. Then,
that data can be anywhere the developer wants to store it.

~~~
valuearb
It can only be taken off the phone if the user explicitly gives you access to
it. And it’s just contact info, not an “attack vector”.

Are you really arguing developers shouldn’t be allowed to write address book
utilities on iOS?

