I'm a big fan of the feature, was quite thrilled to see it, but aren't they the provider of the redirect? So there is privacy to anyone but Apple: they'll know (if they wish to) that you signed up on Some Site with a burner email in a way they might not have if you used a regular burner email service.
Personally, I'm fine with Apple having that kind of info as I generally trust them and also that my main concern is the same with your frustration of my email ending up in yet another leak seemingly frequently.
> Personally, I'm fine with Apple having that kind of info as I generally trust them
...up until Apple decides to change their leadership, or their business model, or the mobile market implodes and they start looking for new revenue streams, or their relationship with the US government changes, or ...
I get that as a practical matter we are forced to trust somebody somewhere eventually, but at best we should be saying that "Apple doesn't seem motivated to abuse this information for now."
This is a common perspective, and it is generally correct and worth considering.
However, for a company like Apple to change its stance would take a long time. Culture is sticky and, furthermore, they simply don't have the mass data collection and processing pipelines necessary for such an about face. There would be a fairly long period (my guess is years) during which consumers would be able to change providers.
My comment was the work Apple would need to do before collecting that data. Anyways, GDPR gives you the right to deletion at any time. Apple has publicly committed to offering GDPR rights to everyone.
Which is why Apple protects your data in a way they can't access it - in the event that they change into Google and Facebook in future they have no access to the current information.
I don't think it's valid to say Apple can't access your data. Maybe I'm understanding it wrong, but wouldn't that mean all your data would have to be encrypted with a private key that only you have? All I use to access my Apple data is a password, which I can reset at any time.
Correct, all your data on Apple's services are encrypted such that Apple can't access them. The final fallback for account recovery is the "iCloud key vault" which is covered in documentation they published. Those are essentially HSMs gated by your account password and passcode, and a counter that triggers recovery key erasure.
I think the primary security white paper describes exactly how it works, but essentially there's a set of shared symmetric keys that are encrypted to public keys for each of your devices. Outside of the key vault path, the way a new device gets access to those keys is one of your other 2FA devices encrypts a decryption key to the new device when you approve it.
The basic result is that there is no point in which the key material is transmitted unencrypted off a device.
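The device-approval flow described in the comment above, as an added example that is not part of the thread and is not Apple's implementation. It is a simplified model that assumes RSA-OAEP key wrapping and AES-256-GCM for data; every function and device name is hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Each device generates its own key pair; the private key stays on the device.
function newDevice(name) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { name, publicKey, privateKey, sharedKey: null };
}
// Wrap the shared symmetric key to one device's public key (RSA-OAEP).
function wrapKey(sharedKey, devicePublicKey) {
  return nodeCrypto.publicEncrypt({ key: devicePublicKey, oaepHash: 'sha256' }, sharedKey);
}
// Only the device holding the matching private key can unwrap it.
function unwrapKey(wrapped, device) {
  return nodeCrypto.privateDecrypt({ key: device.privateKey, oaepHash: 'sha256' }, wrapped);
}
// An already-trusted device approves a newcomer by wrapping its copy of the
// shared key to the newcomer's public key. The relay only sees the wrapped blob.
function approveDevice(trusted, newcomerPublicKey) {
  if (!trusted.sharedKey) throw new Error('approving device holds no shared key');
  return wrapKey(trusted.sharedKey, newcomerPublicKey);
}
// User data is encrypted under the shared key, never under a server-held key.
function encryptRecord(sharedKey, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', sharedKey, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function decryptRecord(sharedKey, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', sharedKey, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}
// Constructed scenario: phone is trusted, laptop is approved, outsider is not.
function demo() {
  const phone = newDevice('phone');
  phone.sharedKey = nodeCrypto.randomBytes(32);
  const laptop = newDevice('laptop');
  const outsider = newDevice('outsider');
  const record = encryptRecord(phone.sharedKey, 'constructed sample record');
  const wrapped = approveDevice(phone, laptop.publicKey); // what transits the server
  laptop.sharedKey = unwrapKey(wrapped, laptop);
  let outsiderFailed = false;
  try { unwrapKey(wrapped, outsider); } catch (e) { outsiderFailed = true; }
  return { recovered: decryptRecord(laptop.sharedKey, record), outsiderFailed,
           relayContainsKey: wrapped.includes(phone.sharedKey) };
}
```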
Yeah, I do agree here - as much as I love to believe that this is a core belief of all the employees at Apple - and in my experience this is a true statement - we have to remember that Apple is a company, and there is undeniably a huge marketing ability in privacy given that their business model doesn't depend on selling information.
But there's also a huge security benefit to Apple not tracking this information: A hacker/angry-former-employee/creepy-current-employee can't access it either (e.g. like the various stories we hear about FB, Uber, etc. admins and employees spying on people).
To be perfectly cynical, I'm willing to temporarily give the benefit of the doubt to the company that's not currently selling my personal information to marketers, over the companies that are doing so flagrantly.
Exactly. With Apple it's "what if" their customers suddenly become advertisers, whereas with Google and FB their customers already are advertisers.
Apple is in a unique position where they can sell hardware at profit making prices to a huge customer base. Even if we are at peak iPhone, current Apple users are not going anywhere (I tried to switch my wife to an Android phone once and it was a disaster hah). Privacy moves like Apple ID will only solidify the current user base. Best in class products like AirPods and the Apple Watch also lock users in - in a good way though.
I've noticed that since this announcement it is also pulling some stout Android users I know who have become disillusioned with how Google is slowly locking Android down. The constant bad press Google has received combined with the Apple privacy drum beat is starting to pay dividends for Apple.
While that's all true, again as a practical matter, a massive multi-decade-old denizen like Apple in some ways has more cultural and institutional inertia than even the US government. Especially now. Life is short; Apple's "for now" has been 43 years running.
The company has been around for over 40 years. Have they done anything to suggest that they’ll just randomly go rogue? Their brand is built on some amount of user trust, if they start violating that, there’d be significant market risk which makes no sense for them to do. They can and are already winning when it comes to privacy, violating that would be incredibly stupid from a business perspective. Privacy is one of their competitive advantages.
I feel more importantly they go to great lengths to create a brand image (because after all, everything else aside, they are a for profit company) and I imagine that reneging on the privacy angle would be considered to be damaging to the brand.
I feel of all the major tech companies, Apple is way more invested in retaining their brand image.
Not knocking the system, quite thrilled by it personally: the other option is Google or Facebook at this point and if I got off OAuth and email with Google (leaning towards buying a personal domain and going with proton mail or similar, may wait until this built in burner option is available), I could probably rid myself of them (Facebook is more of a mental break I’d need to make, honestly). I’d love this.
I’ve personally tried personal burner email addresses for forums sign ups but the thing I found is that it is a maintenance (if that’s the correct word) nightmare. If you go with the ones that last for a brief period of time, you better guard the credentials because there’s no clicking forget password.
I’m hopeful of the feature, but even if it proves to not be that great, I’d still rather they be my identity provider over Facebook or Google so it’ll still feel like a net win.
Conceivably they could theoretically even spy on your emails with the companies you've signed up with, including Apple's competitors. It could even lead to potential legal issues for Apple. At least plain email is considered distributed and does not rely on gatekeepers.
As opposed to Google and Facebook that convinced users to install apps that went around the App Store so they could record everything that you do with your phone or Facebook buying Onavo (a VPN provider) with the express purpose of spying on you?
Apple could in the future become evil after 40+ years. The other two companies are actively evil.
IIRC they actually paid those users. And I don't think any company should be trusted. Apple was part of PRISM and is known to strong-arm their users to stay locked in their ecosystem. This sign in is a good step for security, but I don't think there can be such a thing as corporate-owned privacy.
Do jack booted thugs come to my door to force me not to buy an Android device?
Do you really think most users were aware that they were giving up their privacy? Even if you assume they do, Google broke a contract with Apple by using a developer certification.
Your arguments are extreme. Apple does lock in users and developers more than anyone else by enforcing rules and taking away/not implementing features; that's trivial for anyone who has an iOS device to see. Agreed though, Facebook and Google also lock in users by providing enough free services to users that they don't want to leave. That's a different level of coercion though.
Apple is the one that handed over iCloud keys to the Chinese government. Next to Apple, those two are lightweights at being evil.
Google was upfront about what their app did and paid their users for that data. It's just like a Nielsen box. I had installed it on an unused tablet myself, tapping the notification to check in weekly, and collecting enough Amazon credit to pay for Prime. https://www.google.com/landing/panelresearch/
> we can record all of your internet activities including messages, banking information
What the app was capable of collecting is different from what the app actually collected, which was clearly specified when signing up. The app is still available in the Play Store, and people still use it because nobody was surprised by what it collects. https://play.google.com/store/apps/details?id=com.google.and...
> Were they upfront with Apple about their use of the enterprise certificate?
Who cares? There's nothing evil about circumventing some arbitrary Apple policy to give users an app that they want.
> Yes Apple stored data on Chinese servers, but your private keys never leave your device.
Not your private keys but Apple's private keys, which gives the Chinese government unfettered access to everything Chinese users store in iCloud https://techcrunch.com/2018/07/17/apples-icloud-user-data-in.... Worse, the change was applied retroactively to data the users had stored in iCloud prior to the change. No other US tech company comes close in evilness.
> What the app was capable of collecting is different from what the app actually collected,
Yes they pinky promised not to collect all of your data. So will you email me your social security number if I promise not to use it?
> Who cares? There's nothing evil about circumventing some arbitrary Apple policy to give users an app that they want.
Yes there is nothing wrong with breaching a contract....
> Not your private keys but Apple's private keys, which gives the Chinese government unfettered access to everything Chinese users store in iCloud https://techcrunch.com/2018/07/17/apples-icloud-user-data-in.... Worse, the change was applied retroactively to data the users had stored in iCloud prior to the change. No other US tech company comes close in evilness.
That’s not how public/private key pairs work and the article said no such thing.
So you’re absolutely sure that every single person who downloaded the app was aware of what it was able to collect and that everyone who downloads it was legally of age able to consent to data gathering?
> Yes they pinky promised not to collect all of your data. So will you email me your social security number if I promise not to use it?
That's dense. If you use Apple email, they also collect your social security number if someone sends it to you, and they (and the Chinese government for Chinese users) have the ability to reset your password and gain access to any service you sign up for, despite pinky promises otherwise, and Apple's software has permission to read absolutely everything you do on your phone. In just the same way, what they have the ability to do exceeds what they tell their customers they do. What the app actually collected was specified, and there remains no evidence that they did anything more than they told the panelists.
> Yes there is nothing wrong with breaching a contract....
There is certainly nothing evil about giving users what they want in spite of the whims of a capricious (and actually evil) middleman.
> That’s not how public/private key pairs work and the article said no such thing.
Apple encrypted users' iCloud emails and iCloud data in a way that Apple still has access to for search. It is Apple's keys that matter in this case, not the user's keys for communicating with Apple.
The article said exactly such a thing:
"Before a switch announced in January, all encryption keys for Chinese users were stored in the U.S., which meant authorities needed to go through the U.S. legal system to request access to information. Now the situation is based on Chinese courts and a gatekeeper that’s owned by the government [emphasis added]."
> There is certainly nothing evil about giving users what they want in spite of the whims of a capricious (and actually evil) middleman.
So users want to install software that can intercept all of their communications? I’ve never heard someone say, “I would give up all of my privacy and install a network sniffer/key logger on my device if someone paid me.”
> Apple encrypted user's iCloud emails and iCloud data in a way that Apple still has access to for search. It is Apple's keys that matter in this case, not the user's keys for communicating with Apple.
That’s also not how email works. Email is not a secure communications and is never encrypted. Besides that, you don’t need to use an Apple provided email account.
> The article said exactly such thing: "Before a switch announced in January, all encryption keys for Chinese users were stored in the U.S., which meant authorities needed to go through the U.S. legal system to request access to information. Now the situation is based on Chinese courts and a gatekeeper that’s owned by the government [emphasis added]."
That’s not how public/private key encryption works - despite what you read from TechCrunch. The whole purpose of a public private key pair is that you (or your device) creates the key pair, you send the public key out for anyone to use. They then use the public key to encrypt a message and you keep your private key. Anyone can encrypt a message and only you can decrypt a message with your private key. Am I really explaining how public/private key encryption works on Hacker News?
> So users want to install software that can intercept all of their communications? I’ve never heard someone say, “I would give up all of my privacy and install a network sniffer/key logger on my device if someone paid me.”
I just told you that I did exactly that. If you read the reviews of the app on the Google Play Store, you will find many other users confirming that they knowingly and happily made the same deal. The Nielsen box itself contains a microphone that can hear everything in the room, and people happily sign up for the payment.
> That’s also not how email works. [Blah blah blah.]
You missed the point. The point was that Apple has the exact same access as Google from the operating system. There is a difference between what the operating system allows an app to do and what it actually does, which you have repeatedly conflated.
> That’s not how public/private key encryption works.
Now you've confused end to end encryption with public key encryption. It's a bit ridiculous that I have to explain the difference to you, but here it goes. iMessages is end to end encrypted. iCloud services like mail, drive, and docs are not. By handing over the iCloud keys to China, Apple has given the Chinese government unfettered access to this information and, by extension, all services which can be accessed using those credentials.
Now that you understand the problem, do you understand how that is evil?
In some cases, your iCloud data may be stored using third-party partners’ servers—such as Amazon Web Services or Google Cloud Platform—but these partners don’t have the keys to decrypt your data stored on their servers.
If Apple is in fact lying, I’m sure a lot of government agencies would be glad to know.