I doubt that Zuckerberg is able to fix the issues as he is at the root of it. Looks to me like the situation at Uber but with FB there may still be something to be saved if they are moving fast.
The author seems to be conflating what’s stored on the device with what’s being “collected”. There’s a difference; with Facebook everything ends up on their servers, while with Apple much less does. If these companies were to be hacked tomorrow, with Apple the only information that would be made available is stuff that’s been sent, such as iCloud data. Things that stay local, such as call history, would remain secure.
None of this is end to end encrypted. They only encrypt Keychain and payment data end-to-end. iMessage encryption is moot when it later gets uploaded to iCloud from your device.
Also, rel to broader disc, Apple and MS make gobs of $ from hardware and software. FB has no such revenue streams.
Can you elaborate on why "iMessage encryption is moot when it later gets uploaded to iCloud from your device."? What do you mean by Keychain data being encrypted end to end? When does keychain data leave the local host?
Also might you have any citations or resources you could share on these Apple practices? Thanks.
Sure, a lot of this is encrypted, but Apple explicitly warns you on a support page that they WILL give iCloud data to authorities if a warrant is sent.
> iCloud content may include email, stored photos, documents, contacts, calendars, bookmarks, Safari browsing history and iOS device backups. iOS device backups may include photos and videos in the Camera Roll, device settings, app data, iMessage, SMS, and MMS messages and voicemail. All iCloud content data stored by Apple is encrypted at the location of the server. When third-party vendors are used to store data, Apple never gives them the keys. Apple retains the encryption keys in its U.S. data centres. iCloud content, as it exists in the subscriber’s account, may be provided in response to a search warrant issued upon a showing of probable cause.
(Section G in https://www.apple.com/legal/privacy/law-enforcement-guidelin... )
So why do you think there's a difference?
The problem with Facebook is not, and has never been, that they will give the data they have to the government as part of a properly-conducted investigation into allegations of criminal misconduct. It's that they themselves will use it, and will sell it to a wide variety of other corporate entities who will use it, for a wide variety of other corporate purposes.
Including, as recently demonstrated, attempting to sway elections.
https://support.apple.com/en-us/HT202303 would probably be the right support page, however, Apple mentions what is done – and not what is NOT done, in particular end-to-end-encryption of iCloud backups.
I still agree that Apple plays in a different league than Facebook with regard to privacy. At the same time, there is still a lot to do for Apple, especially regarding data security. Just a current example:
I think it's unarguably true that having our data online and backed up is a risk that needs to be weighed up against the very real advantages we get. That applies to both Apple and Facebook. However only one of those companies has explicitly built a business model around selling that data. Let’s not set up any false moral equivalencies.
By itself having data we have chosen to entrust to them isn’t a problem. It’s what they choose to do with it that matters, alongside the gathering of information we have chosen not to entrust to them regardless of our choice.
Speaking of which, can we stop equivocating between "selling that data" and "selling ads which are targeted partially based on that data," as you did in your post?
Good to see this _starting_ to become part of the discussion; that most users are not educated and motivated enough to take privacy seriously. I'd like to see regulation that makes "here - agree to this 200 page TOS" unacceptable as a form of gaining user approval, especially - as in the case of Facebook - you're agreeing not only to sharing your own data but also data on friends who aren't even using Facebook.
Your wish is my command!
https://www.eugdpr.org/the-regulation.html (see Consent)
Their web servers need decrypted data in order to handle these office documents, so client side encryption is not an option.
Server side encryption, where the server knows the keys, serves very little purpose because the threats it protects against are extremely unlikely. What it’s protecting against, armed robbery of the datacenter?
Perhaps it's all just security theatre as you suggest, but I am not the one running these data centers, so if all these companies say there is a threat, then my instinct is to believe them.
I don’t think there are such attack vectors. The reasons MS is doing that with the data of their business customers are legal, not technical.
They keep medical data, legal data, government data for many jurisdictions around the world. Before doing that, they had to comply with FIPS 140-2, HIPAA, and a whole bunch of others: https://products.office.com/en-us/business/office-365-trust-...
> if all these companies say there is a threat
I can’t remember them saying there is a threat, or mentioning what it is. I only heard them saying marketing BS about how safe my data will be on their servers.
I doubt that any of them will ever publish their most detailed threat models.
If I had to guess, I would say the most likely threat is nosy or corrupt staff.
Protecting a key server is easier than protecting tens of thousands of servers and physical disks.
Legal requirements are not necessarily baseless either. They are in place to protect someone against something.
The data I have on these cloud services is extremely sensitive. All my identity documents, proof of address, examples of my signature, financial data, health data, etc. If someone were to get hold of these documents, they could steal all my money, my identity and make life hell for me.
Was/is all that data collection necessary?
Did they (or Microsoft) make decisions about data collection based on perceived competition from Facebook or Google?
Considering e.g. how ads were integrated into MS software products (e.g. the "free" versions of Office software that appeared a number of years ago) I think the answer is yes, at least for MS.
I believe all these companies (AAPL, MS, FB, GOOG, AMZN, a few others) react to each other and often adjust their short-term and long-term goals accordingly, even when they might be thought not to be competing.
When Apple's CEO says "we could have monetized our users but we didn't" that should raise a red flag. Why are they even in a position to monetize users? It's hardware. His comments are pure marketing; he's trying to differentiate Apple from these other companies (yet he's admitting Apple could easily do as they do). If Apple was really "doing the right thing" as to privacy, they would not be collecting data by default, they would not have integrated Facebook and other such ad-driven companies into iOS (perhaps they have finally removed them now), they would be training users to think twice before uploading private data into "the cloud". That is, if Apple was really concerned about user privacy.
All collection would be optional and certainly would not be encouraged or enabled by default. The default would be no data collection.
There is a consistent, predictable effort to flag or downvote every comment that expresses any skepticism of Apple. This is really sad. No company is perfect. I am not anti-Apple; I have been using their hardware since the Apple ][. If users want Apple to improve then suppressing all commentary is not going to help. I think constructive criticism could actually improve the situation. Companies are "listening".
The truth is that Apple has been aggressively collecting user data just like these other companies, likely at least in part for "competitive purposes". They have invested heavily in building data centers to hold user data. Today's Apple computers start dialing in to Apple servers the moment the user powers them on. Whether they use the data to serve ads is not the issue. Apple is not training users to be wary of such collection. Quite the opposite.
It just doesn't fit with "Privacy is a fundamental human right." Users who want privacy (all thirteen of them, for now) may not want their data in the possession of third parties, stored in some data center. This is just common sense. Those users are the models to follow if privacy is really, truly important. Why would a company try to frustrate the user who wants to manage their own privacy?
If such users are marginalised (e.g. limited hardware functionality unless one participates in data collection, because Apple is upselling users after purchase on "Apple services"), if Apple subscribes to the belief of other web companies that all users want their data stored with third parties (truly, the third parties are the ones who want it), then this is making privacy much more difficult to achieve.
Apple privacy terms state users are not "required" to submit data, but if they don't some services won't work. It is the same type of "subtle language" as referred to in the recently leaked Facebook memo.
I've got plenty of karma points to sacrifice. It's worth it. Apple can most certainly improve but not without honest feedback.
For the user, there is simply no need for a local program, e.g. a "word processor", to be connecting to the internet at startup. That connection attempt is for the needs of Microsoft, not the user. It sacrifices user privacy for the benefit of Microsoft.
IMO, they would not have made these sort of changes were it not for the success of Google and similar ad-supported web businesses.
As another commenter points out, Windows 10 is apparently full of this type of behavior. Telemetry is data collection.
Let's not forget about Bing. More Google mimicry.
LinkedIn, like Facebook a seemingly benign and useful "service", is one of the most egregious data collectors, and is a major threat to user privacy. They are part of Microsoft. Microsoft wants user data and has paid billions to get it.
And they harvest maximum legal amounts of data in the meantime, so they can execute any future loophole they decide beneficial to profit at that time.
It’s all exploitative authoritarian capitalism.
But they have a desktop platform and they used it to go rogue with data collection, all the way. Just because they've failed on mobile doesn't automatically make them a privacy-oriented company.
You elected to pocket up to 30% of all app revenue generated from your users and their data ($11.5 billion in 2017). How is that not monetizing your users?
The point is that Apple has users and user data, and companies come to Apple to make money on their users while paying Apple to get access.
Facebook is monetizing users because the money comes from the advertisers. Advertisers pay to have access to the users.
Are you really arguing developers shouldn’t be allowed to write address book utilities on iOS?
Each one of those explicitly requests the user's permission. Facebook would track you across the internet just using Share buttons on webpages.
Apple is equipped with far more resources at present to deal with app review than Facebook has. They've traditionally been far more draconian about their own rules than has Facebook. This means something like what you describe is less likely to fall through the cracks or propagate the way abuse did with FB in the pre-2014 days.
You're 100% right that any access is effectively a vector, but that's needless reductivism. In 2018 society seems to accept some level of visibility but not unfettered visibility. This is the balance that social media and data gatekeepers will have to contend with.
That said, it doesn't take much to tip the scales these days. People tend to have a healthier skepticism toward the giants of tech these days, and if you burn a little bad PR it can have some terrible consequences. Which is why Facebook has pulled some plugs in a panic on the developer side of things in response.
As has been mentioned countless times in the wake of this kerfuffle, MySpace was the de facto social media company until one day they weren't. It's eas(ier) to introduce competition to Facebook over, say, Apple or Microsoft.
Finally, Facebook's product is, well, data. One could argue that it's a platform and data, but the former is a loss leader for the latter.
So for a number of reasons I find it unlikely that even were Apple to have a PR misstep like this that they'd face the same existential crisis.
Something beats nothing.