Date: 2011-10-13

Privacy advocates and privacy-caring IT specialists have repeatedly asked Apple to offer such an option, but so far Apple has decided that regular people would turn such an option on, forget their password, then ask Apple for help and would be unhappy with their brand experience if Apple could not help them out.
If Apple would implement such an option where Apple could not access your data, shenanigans like the ones outlined in the article could not happen. It would also allow people who feel the state will misuse their info to use iCloud for the first time.
There could be something good that comes out of this. This bad news could pressure Apple into finally offering an optional iCloud service where only you can see your data.
Answers to likely responses: "just use a different cloud service": on iOS, for cloud backups, there are no alternatives: it's iCloud or nothing.
Were I an iCloud user, I would pay big $$$ for such a feature. But... they do have a point, and anyone who's helped their friends and relatives with IT issues can confirm that.
I think it's a pretty common state of affairs when dealing with complaints about Apple's choices. It's not that they're (necessarily) malicious, or that they don't care about security etc. It's prioritising the user experience of an average user over the concerns of a relative minority.
I, personally, hope they never stop thinking about their products in that light.
It's probably a marketing or support database that contains basic data. Annoying but not a serious breach.
It seems like a reasonable choice to me, if you don't want to store in iCloud you can keep it locally with a different encryption model.
Lots of stuff can't be just backed up to a different cloud provider/done locally.
Moreover, in the case of Apple this could actually be productive. They have been pushing the privacy angle. Let's not forget that this is the company that pushed out end-to-end encrypted chats to tens (hundreds?) of millions of users before WhatsApp did it.
If Apple offered this option, this would be a boon to tens of millions of people, which is far more productive than a few experts moving to relatively obscure alternatives.
Maybe I'm misunderstanding the threat here, but it seems to me that this is not going to be fixed by simply encrypting iCloud. Sure, that would be part of a comprehensive response, but the main problem seems to be that these people had access to internal Apple databases. To my mind, "internal" means everything from retail POS data to iTunes.
I guess I'm trying to understand why encrypting iCloud would prevent a ring of internal Apple employees from gathering a person's information and selling it?
And, to be frank, it's concerning because it's not just Apple. What stops a group of internal employees of any company from gathering a person's information and selling it?
What are needed are strong guarantees about data security internal to these companies. My background is in health care technology, so the analogy I would make is HIPAA. But we need HIPAA for everything instead of just for healthcare information. Right now if employees of enterprises outside healthcare access a person's information and they don't sell it, they're just checking on a friend, there is no liability for that. Under HIPAA you're fired at a minimum. That's what we need.
That makes me unhappy with the brand experience.
From your link:
To upload photos in the background:
iOS apps cannot perform background tasks for more than 3 to 10 minutes. Using geofences to add locations will trigger and resume upload tasks in the background for another 3 to 10 minutes whenever you leave or reenter the defined areas. Tap > Geofence > Create to add geofences.
Have never used iCloud for the reasons you mention, and haven't missed it.
> users’ names, phone numbers, Apple IDs, and other data
Names, phone numbers, and Apple IDs just require access to directory services, doesn't need to touch iCloud at all. It doesn't say what "other data" is, but presumably that's not iCloud either, because if it was iCloud data that would be a much bigger headline and wouldn't have been omitted from the article.
On mobile, the only realistic alternative is Android, which is a privacy and security nightmare.
On general purpose computers, Linux is better from the perspective of privacy. But for large parts of the general population, Windows is the only realistic alternative. And we know how important privacy is to Microsoft these days :(.
If you're willing to pay the premium, they sell the Pixel and Pixel XL with CopperheadOS loaded.
You use your iPhone but disable iCloud.
If photos are important to you, use a dedicated camera and upload to your home NAS.
Only if your only source of information about Android is WWDC keynotes.
But did Phil Schiller tell you about the Korean "malware" that was very quietly purged from App Store last week?
Don't be silly. Google's own dashboard shows that the vast majority of devices are running old versions of Android with known security vulnerabilities:
Besides that, most likely >99% of the users are using a device with Google Play Services and other Google applications. It is no secret that Google mines pretty much all data available for advertising purposes (as outlined in their privacy policy).
Moreover, most Android devices use no or weak device encryption. The Google App Store has a rich history of applications slurping all kinds of data (though things will probably get better with fine-grained permissions).
And then we haven't even talked about Asian and American vendors that 'accidentally' install third party spyware:
Both platforms can always do better of course, and should learn from each other. But to pretend device security hasn't been a genuine focus for Apple is blinkered.
I am not sure what you mean.
This comes up every time security is discussed. But it is not as black and white as you think:
1. Security patches are separate from OS upgrades [1]. Many vendors incorporate security patches without upgrading the OS.
2. Many core Android components are upgraded via the store.
3. Google scans and removes bad apps from your device no matter the Android version [3]
--
How many iOS?
He told me that he texts a friend who calls and pretends to be the customer in question, and texts him all the verification questions he has to ask as part of SOP.
Many AppleCare employees work from home, so I can see it is difficult to track and stop this sort of thing.
Generally, when I need to get the attention of big tech corporations I talk to a friend who works there. Unfortunately, I don't really know anyone who works at Apple.
Assuming this story is true, I would personally like to catch the person responsible.
What is happening?
fb is another good example.
So you know, even though China is a dictatorship it sometimes still does good things, like catch common criminals.
Obviously this is bad overall, but at least now I can point to a specific example of this happening.
Google Engineer Allegedly Fired For Accessing Private User Information To Stalk Teens
One perspective is that every company gets to screw this up once and then has to get serious about privacy.
But it's possible this is happening all the time, victims don't know their SaaS vendor was complicit in releasing their information. If the companies ever catch the perps, they're quietly fired in exchange for a non-disclosure agreement that serves the interests of all parties (except the consumer).
So it's not just email addresses / metadata from iCloud. This implies that 1) at least some iCloud data is stored unencrypted at rest, and 2) employees can query this data using internal tools.
This seems pretty bad.
From Darthy's comment 30 minutes ago
https://news.ycombinator.com/item?id=14513803
Having someone purposefully steal your data from the inside doesn't mean you don't care about privacy.
They likely won't reveal anything but I'm curious how they could get the info out of Apple systems. Most companies of Apple's size lock down workstations to the point of slowing down workers' efficiency to keep customer data safe. Especially with their overseas operations.
I work at a fairly security conscious company, and the only data I can't access is that encrypted at the consumer's end.
True, Apple cares much more than average. It shows that our current tech world has such a poor emphasis on privacy that even the companies that care most still screw up big.
They've touted before that they are the company to use if you want your data to remain private and secure, but continue to act in direct violation of that. This seems highly problematic to me, and, IMO, they should be raked over the coals for this.
If people believe they still can be hacked or tracked while using Apple equipment, fewer people might be tempted to use it.
Not telling the sale of data didn't ever happen. I think if it's true, Apple should one-up their security even more.
I strongly believe that this is an excuse Chinese authorities had been looking for that they will use to pressure Apple in China and at the same time create the illusion to the general public to not trust Apple.
I find it especially suspicious that the Chinese media put so much emphasis on the privacy concern of this event and in modern Chinese culture, privacy is much less regarded as compared to western countries.
Anyone remember the propaganda while Google was being driven out of China? Straight up false info about Google was broadcast on CCTV-1, the prime time national channel. A lot of my friends in China became very patriotic and viewed Google as some sort of evil corporation trying to undermine Chinese culture.
So were UK authorities, US authorities, and lots of other authorities; there is no need to single out China in this case.
> I strongly believe that this is an excuse Chinese authorities had been looking for that they will use to pressure Apple in China and at the same time create the illusion to the general public to not trust Apple.
Yes, it could be the excuse for Chinese authorities, but this case could have happened anywhere else in the world given the way Apple stores information, and similar incidents have happened before for other companies as mentioned in other comments. So I don't see strong evidence that this particular incident is related to some ulterior motive of the Chinese government.
> I find it especially suspicious that the Chinese media put so much emphasis on the privacy concern of this event and in modern Chinese culture, privacy is much less regarded as compared to western countries.
The entire incident is about privacy issues, what else do you expect the media to talk about? New iPhone colors?
> Anyone remember the propaganda while Google was being driven out of China? Straight up false info about Google was broadcast on CCTV-1, the prime time national channel. A lot of my friends in China became very patriotic and viewed Google as some sort of evil corporation trying to undermine Chinese culture.
As far as I remember, Google did not want to comply with Chinese regulations on censorship, so it was not allowed to operate in China, simple as that. I don't think people had that bad of an impression about Google, more like they felt bad losing a good search engine or simply just don't really care.
Uh, would they be given unrestricted access to user data? Or does every Apple employee have access to this data and are left to exercise restraint?
And what about Apple's claim that data is encrypted at rest?
Sorry, but having worked for 3 large companies (not Apple, or Google, or any in the same field), the auditing is purely just for show. They claim it publicly, but very little is actually done to ensure the safety of that data. When I started as an entry-level tech at 2 of them, I was given direct access after just a couple of days.
I'm sure there are plenty that do treat their customer data securely, but in my limited experience, that's not many of them.
1. collecting data on users for months and years after purchase, 2. storing it electronically on remote computers, 3. some connected to the internet. yes, this surely points to a company that is concerned about user privacy.
if something goes wrong can you sue apple?
we should expect every hardware vendor from laptop mfrs to the rpi foundation to be silently collecting data from their customers long after the merchandise is purchased. they need to do this, because...
wtf?
1. collecting data on consumers and 2. storing it online.
#1 is incompatible with a pro-consumer stance on user privacy.
#2 is a guarantee that others besides the company are going to get that data, whether the consumer is told about the breach or not.
You have to trust the company, the employees, its security, the government... Better to think of everything you upload as already posted in pastebin. It's relatively accurate.
It does kind of sound like victim blaming, but if you store a bunch of cash under your mattress, don't be surprised if someone tries to take it.
Likewise, if you store a bunch of customer data, someone will try to come and take it. If you make it accessible to anyone other than the customer, you can't act surprised if someone takes it.
Since that is impossible, all companies and all systems are negligent.
A term that applies to everyone means nothing.
Nevertheless you can say it and make businesses you don't like sound bad.
Your point is very valid, but the crime being committed against their customers is also very valid.
