
iCloud Uploads Local Data Outside of iCloud Drive - sneak
https://datavibe.net/~sneak/20141023/wtf-icloud/
======
kps
Last I looked, iCloud was not HIPAA¹-compliant. Health-care workers who
previously could have iCloud enabled, as long as they did not use it for
HIPAA-covered documents, may be in for a big and expensive surprise.

¹
[http://www.hhs.gov/ocr/privacy/hipaa/understanding/](http://www.hhs.gov/ocr/privacy/hipaa/understanding/)

~~~
epistasis
Clouds are almost universally antithetical to HIPAA; it's extremely rare to
find a SaaS provider that will sign a HIPAA BAA.

And anyone working with data under HIPAA had better know this already!

~~~
patio11
Right, which is why I don't have any HIPAA-covered data in Dropbox, but my
risk assessment does not include "I have Dropbox installed on my machine,
ergo, I need to be careful to _never access HIPAA-covered info from my
machine_ ", which is apparently the level of care I now need for Yosemite. (An
upgrade which just got delayed indefinitely, for the obvious reason.)

~~~
epistasis
You're a braver person than I then. I wouldn't download HIPAA data to a
machine with Dropbox on it, any more than I would be downloading protected
research data to such a machine. But then, I'm not a doctor so I don't deal
with one-off patient info, so it's easy for me to maintain separation.

Though if this is actually a thing that many people want to do, perhaps the
new Blackberry OS actually does something that people need...

~~~
dfc
What does the new BB do?

------
quesera
Interesting, but:

There are two kinds of users in this scenario. Those who don't care (99%) and
those who do.

If you count yourself among the latter group, as I do, then it's always solid
advice to choose actions which clarify your intentions.

In this case:

    
    
      - don't use iCloud
      - don't use iCloud sync for the app you use for private data
      - do explicitly choose to save the file locally
      - don't enable new features like Continuity that clearly change the file
        persistence and availability model without considering your old patterns
    

The author is rightly sore that his bits got pushed to Apple due to his
oversight. He's wrong to place the blame fully on Apple, but it's hard to be
fair when you're angry. And I'm glad he wrote it up because it should
encourage people to think carefully about where and to whom they trust their
data. Though most people I know sync their private data to Dropbox, ffs,
so...thinking != _thinking_, I guess.

My secure notes strategy is vim with encrypted files on an encrypted
partition. It could still leak, and I'd be angry, but there are at least three
vendors involved that would have to alter their products' behaviours before I
was hugely surprised. TextEdit on HFS+ on OS X with iCloud enabled is just one
vendor, who can't always cater to my 1% of 1% expectations.

~~~
amirmc
> "There are two kinds of users in this scenario. Those who don't care (99%)
> and those who do." ... "The author is rightly sore that his bits got pushed
> to Apple _due to his oversight_ " (emphasis mine)

This attitude is completely unhelpful. It throws those who are otherwise
ignorant under the bus simply because they don't (can't?) understand how
modern tech works. Is that really fair? Must we really divide the world up
this way? Most of the public hasn't caught up to how modern systems work and
what the trade-offs really are, and they certainly won't if this is the
approach we choose to take.

It's almost reminiscent of the Morlocks and Eloi from H.G. Wells' The Time Machine.

~~~
nobbyclark
Sadly this type of response seems to be common amongst those that do get it.
"Whatever. Most people don't care anyway."

If you look at the reaction of those 99% to Apple planting a U2 album on their
phone, you see an angry response when people are made aware...

~~~
api
If only users actually changed their buying behavior on the basis of security
or privacy. Until that happens "users don't care about security or privacy"
will continue to be the default since economically speaking it is absolutely
true.

What users care about as revealed by buying behavior is: user experience, user
experience, user experience, user experience, cost, user experience, and user
experience.

~~~
nobbyclark
Has there been a model of consumer behavior related to personal computing
where security played a major part? Yes - anti-virus software on Windows.

That's not an entirely healthy example but it does show it is possible to make
consumers take topics like security and privacy seriously.

The issue right now is there aren't enough voices telling them how serious
these topics are.

~~~
api
The celebrity nude hack is a good case in point. "The cloud means some
knucklehead from 4chan might steal all your data because they don't like your
blog posts" has a certain ring to it.

It also might be helpful to drop "privacy." It's security. These are
vulnerabilities. Apple could have encrypted this stuff with keys the customer
controls, but that takes more engineering to make it friendly and usable. They
won't until people care.

------
jen_h
I'm pretty sure that this has been happening at least as early as Mountain
Lion. I felt really violated when I discovered it - I use TextEdit as a
scratchpad, so it's always full of random notes (and a temporary copy-paste
spot for private keys, double-plus-ungood!). Not to mention financial data
into Numbers - those were being synced automatically, too.

Another gotcha I noticed around the same time - Notes from iPhone are
automatically stored to the primary email account. So I had my private
scratchpad phone notes stored on my corp account's Notes folder with no easy
and obvious way to re-associate them to the correct account.

It's easy to disable, but as the writer notes, that's not the point - if you
don't know it's happening, there's not much you can do, just feel your stomach
drop, disable it, then get to work figuring out how much damage was caused
(i.e., get to swapping keys, ugh...).

------
sehugg
[http://support.apple.com/kb/TS4372](http://support.apple.com/kb/TS4372)

~~~
sneak
Good find. The fact that this is a KB article seems to confirm what a huge
violation of customer trust this is - they know this violates the principle of
least surprise.

~~~
X-Istence
Except that this does not violate the principle of least surprise at all.

I expect that files I edit are saved at some point, somewhere, iCloud makes
perfect sense in that it allows me to pick up where I left off on any device.
Not only that, but Mavericks had the same behaviour for unsaved files as far
as I remember.

------
cjensen
Guy is confused. New documents which are not explicitly saved to the local
filesystem were already stored to iCloud on Mavericks.

------
parasubvert
Given this feature has been around for well over a year with e.g. TextEdit, I'm
amazed at the reaction.

This is exactly the behavior I want and expect from Apple as a user, it would
surprise me if they DIDN'T do this.

~~~
flatdeviant
> I'm amazed at the reaction

And I'm baffled by yours, and others' in the thread. With the PRISM/Snowden
revelations, Apple still refusing to encrypt their data center links, not
using perfect forward secrecy, etc, the cloud simply doesn't seem like a good
default.

They could make this opt-in, as it's supposedly linked to Continuity, but it's
very clearly unintuitive, as evidenced by others in this thread
([https://news.ycombinator.com/item?id=8511115](https://news.ycombinator.com/item?id=8511115)
for one). If even HN people (probably at least the 95th percentile in tech
literacy compared to the general pop) didn't know this, then what about your
typical PEBKAC user?

And, sorry to be incendiary, but I'm sure the NSA isn't displeased by Apple's
UX choice here.

~~~
dfc
I love it when people get all "incendiary" about a privacy issue in the post-
Snowden world. I really do not understand what your privacy world view was in
2009. Did you think governments did not have intelligence agencies? Did you
think every government employee was an angel? Did you think F500 companies
regarded personal privacy as sacrosanct?

~~~
amirmc
Back then a reasonable person might have had faith in the rule of law, and in
the oversight system and that _targeted_ surveillance was the norm. It turns
out there are secret courts, with secret interpretations of laws and
indiscriminate mass data-collection. The tin-foil-hat brigade turned out to be
right.

------
joelberman
For Continuity to work, it should be obvious that what you are working on must
be stored somewhere other than the machine you have turned off. The obvious
place is on iCloud. Just do not enable Continuity if you do not want to enjoy
its features.

~~~
josho
Since the Continuity feature requires Bluetooth 4, I figured the magic was
done over Bluetooth and wifi.

I personally don't mind using iCloud, but I understand the author's
reservations. But I feel the root problem is the NSA, not Apple. It's too bad
that America has lost control of its government and is unable to fix this.

~~~
parasubvert
The sadder truth is that the root problem is not the NSA, it's the majority of
Americans who don't understand the implications of their passivity. America by
and large wants the NSA to spy on them. Given the number of protests swarming
Washington about almost every issue under the sun, there has been a dearth
about the NSA. America doesn't understand the problem and thus doesn't want to
fix it.

------
sneak
It's worse:

It would appear that iCloud is synchronizing all of the email addresses of
people you correspond with, even for non-iCloud accounts, to their recent
addresses service. This means that names and email addresses that are not in
iCloud contacts, not synchronized to your device, and only available in an
IMAP-accessed inbox are now being sent to Apple, silently.

~~~
sneak
This fact — that your phone is silently syncing third-party email account
inbox metadata (sender address lists) to a major US cloud provider — is being
downvoted.

Welcome to HN, where blaming the user isn't just our profession, it's our
hobby!

------
SCAQTony
This may sound naive but it is just bizarre that if you own a computer it is
just not really "YOUR" computer anymore. It's like you are "leasing it" but
you pay the hardware company with your data.

~~~
sneak
Does that mean I get the four grand for this maxxed out 15" rMBP back?

------
whizzkid
Like Adobe streaming their Photoshop software from their servers, Like Google
is trying to push Chrome OS so that you DO NOT need hard drives.

Big boys in market, sooner or later, will move all software and hardware power
to their side leaving you with a screen, mouse and keyboard to interact with
everything.

As soon as companies do not have control over whatever you are doing, they are
losing benefit on it.

Get ready for this big move already; every big company will try to do this, in
my opinion, which is sad.

~~~
hnarn
As long as there are computer parts and open source software, you can still
opt out if you want to.

~~~
justcommenting
don't forget the importance of open hardware, e.g. bunnie's novena project

------
brohoolio
Whoa. I'm going to have to flag our security folks about this.

------
rdl
Uh, wtf.

I guess if you don't opt in to iCloud Drive you're safe?

------
IDrive
Hi, I'm Thomas from IDrive Online Backup. If you're concerned about the
privacy of your data while using OS X Yosemite, you might want to consider
IDrive as a cloud backup service. We offer 256-bit AES encryption with a
private key option so the key to your data is not stored anywhere but locally
on your computer. Hope that helps!

------
abalone
Number one, if you are using Apple products in a high-security environment
(e.g. HIPAA compliance) you should enable 2-factor authentication.[1] This
will provide good security for data stored in the cloud.

Number two, there is an easy way to prevent data from ever even touching the
cloud. Just immediately save the new document to a local non-iCloud folder
before you populate it.

In terms of whether defaulting unsaved docs to iCloud is a good/bad design
decision:

Defaulting unsaved documents to the cloud means if someone steals your account
login _and_ you don't have 2-factor auth enabled, they can access your unsaved
docs.

Defaulting unsaved documents to local storage means continuity doesn't work
and kills a lot of value of iCloud.

I think it's a good decision.

[1] [http://support.apple.com/kb/ht5570](http://support.apple.com/kb/ht5570)

~~~
sneak
Continuity is only designed to work within a few meter range for handoff (and
indeed requires bluetooth), which could easily be achieved over local
bluetooth-bootstrapped p2p wifi.

Red herring.

~~~
abalone
Continuity data sync happens via iCloud. From the developer docs: "Handoff
passes only enough information between the devices to describe the activity
itself, while larger-scale data synchronization is handled through iCloud."

Can't say for sure whether a p2p wifi connection would really be a good
substitute but I'm skeptical and I bet Apple's thought it through. I know
AirDrop works that way but it seems to take a few seconds to set up the
connection. Handoff is super fast, in my experience. So since AirDrop is
designed to connect with unknown devices that p2p setup performance hit makes
sense, but since Handoff is for trusted devices, going through iCloud might be
faster.

[https://developer.apple.com/library/ios/documentation/UserEx...](https://developer.apple.com/library/ios/documentation/UserExperience/Conceptual/Handoff/HandoffFundamentals/HandoffFundamentals.html#//apple_ref/doc/uid/TP40014338)

~~~
sneak
Yes, I am aware that that is how they chose to implement it.

It was not necessary to do it that way and the exact same user experience
could be achieved without the data leaving the room. Continuity only needs to
work within bluetooth (and therefore wifi) range.

If Continuity didn't require bluetooth (e.g. for picking up a document on your
mac that was started on your phone left in the car in the parking garage) then
this design decision could be defended, at least a little bit - but it doesn't
work that way.

~~~
abalone
> the exact same user experience could be achieved without the data leaving
> the room

But you ignored what I noted about the performance of setting up p2p wifi vs.
iCloud. Given that Apple does implement p2p wifi for AirDrop, it lends support
to the theory that they had good reason to pass on it for Continuity.

------
scottmf
TextEdit used to auto save things to iCloud on Mavericks for me. No one made a
big deal out of that.

------
Someone
_"those in-progress (not yet explicitly "saved") documents live in iCloud
Drive"_

So, what is it? On the drive or outside of it?

Does it matter? I googled a bit, but couldn't determine whether Apple can
decrypt that data. It is encrypted both in transit and in the cloud, but do
they hold the keys?

I know I have to trust them to do what they say they do, anyways, but if they
do not have the keys, they cannot change their mind (say in response to a
visit from the NSA)

~~~
flatdeviant
> I know I have to trust them to do what they say they do, anyways, but if
> they do not have the keys, they cannot change their mind (say in response to
> a visit from the NSA)

Apple absolutely holds the keys to everything stored on iCloud. See their iOS
security whitepaper [1], in the iCloud section:

> iCloud

> iCloud stores music, photos, apps, calendars, documents, and more, and
> automatically pushes them to all of a user’s devices. iCloud can also be
> used by third-party apps to store and sync documents as well as key values
> for app data as defined by the developer. An iCloud account is configured
> via the Settings app by the user. iCloud features, including Photo Stream,
> Documents & Data, and Backup, can be disabled by IT administrators via a
> configuration profile.

> The service is agnostic about what is being stored and handles all files the
> same way. There are two components for each file. The first is the file’s
> metadata, which consists of its name, extension, and filesystem permission
> settings. The second component is the file’s contents, which are treated by
> iCloud simply as a collection of bytes.

> Each file is broken into chunks and encrypted by iCloud using AES-128 and a
> key derived from each chunk’s contents that utilizes SHA-256. The keys, and
> the file’s metadata, are stored by Apple in the user’s iCloud account. The
> encrypted chunks of the file are stored, without any user-identifying
> information, using third-party storage services, such as Amazon S3 and
> Windows Azure.

[1]:
[https://www.apple.com/ipad/business/docs/iOS_Security_Feb14....](https://www.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf)

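The whitepaper passage quoted above describes content-derived (convergent) chunk keys that Apple keeps in the user's account, with the ciphertext in third-party object storage. As an added illustration, not Apple's code and not from the original thread, here is a small Go model of that scheme. The 32-byte chunk size, AES-GCM as the mode and the nonce derivation are assumptions made for the example; the whitepaper only states AES-128 and SHA-256. It shows the two consequences the thread is arguing about: whoever holds the account-side keys can decrypt every blob without the user's device, and identical plaintext always produces identical ciphertext, so a guessed plaintext can be confirmed against a stored blob and duplicates across users are visible to the provider.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// chunkSize is an assumption for this example; the whitepaper does not give
// Apple's real chunk size.
const chunkSize = 32

// ChunkSecret is what the whitepaper says is stored in the user's iCloud
// account: the per-chunk key (and, in this model, the nonce that goes with it).
type ChunkSecret struct {
	Key   [16]byte // AES-128 key = SHA-256(plaintext chunk)[:16]
	Nonce [12]byte // GCM nonce  = SHA-256(plaintext chunk)[16:28] (assumption)
}

// deriveSecret derives key and nonce from the chunk's own bytes, so identical
// plaintext always yields an identical key, nonce and ciphertext.
func deriveSecret(chunk []byte) ChunkSecret {
	h := sha256.Sum256(chunk)
	var s ChunkSecret
	copy(s.Key[:], h[:16])
	copy(s.Nonce[:], h[16:28])
	return s
}

func newGCM(key [16]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptChunk returns the secret (destined for the account store) and the
// ciphertext (destined for blob storage, carrying no user-identifying data).
func encryptChunk(chunk []byte) (ChunkSecret, []byte, error) {
	s := deriveSecret(chunk)
	gcm, err := newGCM(s.Key)
	if err != nil {
		return ChunkSecret{}, nil, err
	}
	return s, gcm.Seal(nil, s.Nonce[:], chunk, nil), nil
}

// decryptChunk is all the holder of the account-side secret needs.
func decryptChunk(s ChunkSecret, ct []byte) ([]byte, error) {
	gcm, err := newGCM(s.Key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce[:], ct, nil)
}

func splitChunks(data []byte) [][]byte {
	var out [][]byte
	for len(data) > 0 {
		n := chunkSize
		if len(data) < n {
			n = len(data)
		}
		out = append(out, data[:n])
		data = data[n:]
	}
	return out
}

// Upload models the split the whitepaper describes: secrets go to the account
// (held by the provider), ciphertexts go to object storage (S3/Azure).
func Upload(file []byte) (account []ChunkSecret, blobs [][]byte, err error) {
	for _, c := range splitChunks(file) {
		s, ct, err := encryptChunk(c)
		if err != nil {
			return nil, nil, err
		}
		account = append(account, s)
		blobs = append(blobs, ct)
	}
	return account, blobs, nil
}

// ProviderReads shows the consequence: whoever holds the account's chunk
// secrets (the provider, or anyone who compels or compromises it) recovers
// the file with no input from the user's device.
func ProviderReads(account []ChunkSecret, blobs [][]byte) ([]byte, error) {
	var buf bytes.Buffer
	for i, ct := range blobs {
		pt, err := decryptChunk(account[i], ct)
		if err != nil {
			return nil, err
		}
		buf.Write(pt)
	}
	return buf.Bytes(), nil
}

// ConfirmsGuess shows the other property of content-derived keys: anyone who
// can see a stored blob and can guess its plaintext confirms the guess with
// no key material at all, because equal content encrypts to equal bytes.
func ConfirmsGuess(blob []byte, guess []byte) bool {
	_, ct, err := encryptChunk(guess)
	return err == nil && bytes.Equal(ct, blob)
}

func main() {
	// Constructed sample "unsaved TextEdit note" for the demonstration.
	note := []byte("scratchpad: prod db password = hunter2, rotate on Monday")
	account, blobs, err := Upload(note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d chunk secrets in account store, %d blobs in object storage\n",
		len(account), len(blobs))
	recovered, _ := ProviderReads(account, blobs)
	fmt.Printf("provider-side decrypt matches: %v\n", bytes.Equal(recovered, note))
	fmt.Printf("blob 0 confirms guessed first chunk: %v\n",
		ConfirmsGuess(blobs[0], note[:chunkSize]))
}
```

The point of the model is the trust boundary, not the cipher: AES-GCM here is sound, but the account store that holds every ChunkSecret sits entirely on the provider's side, which is what "Apple holds the keys" means in practice. Contrast iCloud Keychain in the same document, where the sync keys are derived on the device and never reach Apple.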
~~~
Someone
Thanks. I scanned that, but mixed up the discussion of iCloud and iCloud
KeyChain, of which Apple claims:

_"iCloud Keychain allows users to securely sync their passwords between iOS
devices and Mac computers without exposing that information to Apple."_

So, I guess somebody should write a 'notepad' for iOS and Mac OS X that stores
its data as secure notes in the KeyChain (assuming that secure notes get
synced, too)

------
gchokov
Could this all be related to Continuity features? Not all apps support
Continuity APIs but I suspect we'll be seeing more and more Apple stuff
working across devices, and one way for this to work is by using iCloud. iCloud
Drive is just an iCloud service.

~~~
aisenik
No, not directly. If you're logged into iCloud, Documents and Data sync is
enabled, the app uses iCloud documents, and you don't save the file locally,
the file is saved in iCloud. As far as I recall this is how iCloud has always
worked.

------
arrrg
If you enable documents in the cloud (now iCloud Drive, I think) document
based apps will pick that location as the default location to save to.
Autosave has long been a feature, so that happens, too.

It all makes perfect sense and is perfectly logical. How is it even possible
to be surprised by this?! I’m mystified. It’s also _not_ data outside iCloud.
It is very much _inside_ iCloud. Obviously. Newly created documents have to be
saved somewhere, and if iCloud is your default location that’s exactly where.
Where else?!

~~~
abalone
No.. it happens if you enable iCloud _at all_ , not just iCloud Drive. There
is no "enable documents in the cloud" setting.

According to Apple's KB, just signing into iCloud makes iCloud the default
location for all unsaved docs (for iCloud-enabled apps).[1] So even if you've
just turned on iCloud for photo streams or syncing contacts or whatever,
iCloud becomes the default location for all unsaved docs.

[1] [http://support.apple.com/kb/TS4372](http://support.apple.com/kb/TS4372)

------
acd
I do not see any proof in the form of IP addresses of the location where these
documents are uploaded, nor of that being part of PRISM.

What IP addresses?

~~~
kuschku
They are uploaded to iCloud, which belongs to Apple. Apple, as a US
corporation, has to comply with US laws and has to support ongoing US
criminal investigations, including secret agencies.

------
_mikz
It is most probably because of the new Handoff feature, no? Application state
is shared between computers.

------
ge0rg
The link is 404 now, anyone got a mirror?

~~~
maxden
Basically he says that files that were open but not explicitly saved by the
user were temporarily saved locally in ~/Library/Saved Application State/, but
since updating to Yosemite these are now all saved/uploaded to iCloud. So all
the temporary notes he opened in TextEdit have been uploaded.

------
xenadu02
Apple is not a "PRISM" partner; I thought we all agreed that this was when the
NSA discovered goto fail and/or some jailbreak exploits.

~~~
sneak
The Washington Post documents claim otherwise:

[http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/images/prism-slide-5.jpg](http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/images/prism-slide-5.jpg)

~~~
Anechoic
That link doesn't contradict xenadu02's claim. Do you have a link that better
spells out that Apple is a willing partner in PRISM?

~~~
sneak
I doubt any of the companies are willing partners in PRISM - it's terribly bad
for business, as Americans are only 4% of humans and being forced on threat of
personal imprisonment to spy for the American government is not a really wise
customer acquisition strategy.

It is really quite likely that the access to Apple and Google and other large
providers' systems is done at an operations level, without knowledge of their
management and providing for complete plausible deniability. How many network
admins and ops people at Apple have physical access to the machines where keys
are generated, stored, and used?

[https://en.wikipedia.org/wiki/Tailored_Access_Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations)

The #1 realtime end-to-end encrypted messaging service on the planet (where
the software development and cyphertext transmission are both physically
present inside the legal jurisdiction of the US) would be your first choice,
no?

~~~
Anechoic
_I doubt any of the companies are willing partners in PRISM_

AFAICT that was xenadu02's point: that data from Apple et al. is being
collected by PRISM, but Apple is not a "partner" in the sense that "partner"
implies cooperation. If intelligence agencies have to steer clear of
management, that's not a partnership, that's espionage.

------
dserodio
I had already regretted upgrading to Yosemite (this thing is _ugly_ ), but
this is the last drop: I'm going back to Mavericks.

------
keithmancuso
If you're so concerned with privacy, why are you writing passwords in plain text
documents?

~~~
mikeash
A plain text file stored on an encrypted disk image is a pretty decent way to
save passwords, as long as you can trust your text editor not to upload your
data behind your back (which has _generally_ been a reasonable assumption in
the past).

------
DRAGONERO
Just FYI, are you aware that when you create an email the draft is also stored
on the server unless you explicitly choose not to?

All of these things are just normal. It's not like an evil mastermind decided
that there was the need to access your unsaved documents.

I mean, you can still get angry about it but it seems pointless since you
(probably) already use all of the google services that are available.

Also, a "security researcher" should know better :)

------
mcintyre1994
"Apple has taken local files on my computer not stored in iCloud and silently
and without my permission uploaded them to their servers - across all
applications, Apple and otherwise."

Presumably they actually did have permission through some ToS you have to
agree to if you want to use OSX - which begs the question of what insane
amount of permission they actually have here. Seems that it probably boils
down to that they can make an argument for literally anything on the mac being
useful for continuity, so they can probably upload anything they like by
default using that claim?

------
aisenik
How many hyperbolic, bad faith posts about Yosemite are going to be made and
voted to the top at HN? (This is the third I've seen this week, and they all
make extremely negative insinuations based on incorrect assumptions and the
shallowest possible examination of the functionality being excoriated.)

It appears that the only new functionality in this case is increased
visibility via iCloud Drive. Presumably these documents were always saved on
iCloud, which has been default behavior when you don't save to the local file
system for a while.

As usual, there's an unfounded insinuation that this is intentionally
nefarious activity on Apple's part. Documents and Data sync is easily disabled
-- what did anyone think it was doing previously?

~~~
sneak
It's both intentional, and nefarious - separately.

"Intentionally nefarious" implies bad faith - I think it's just wickedly
reckless and violates the huge amount of trust that end users place in their
OS vendor.

The synchronization of the email recents list across iCloud via recentsd is
the big problem. If I add a third-party email account that I access via IMAP,
it is not the job of my phone or workstation to send the metadata (sender
list) to my OS vendor's servers, even if it does enable the feature of easy
address autocomplete on my other devices.

