> shameful that a device that is marketed as the gold standard in privacy
It's being marketed this way, that's it. It doesn't mean Apple cares about privacy, and they prove every once in a while that they don't respect anyone's privacy at all. They spy on their users as much as anyone else (and overall, they have access to much more information than everybody else except Google).
All they want to do is prevent third-party tracking on their devices, so they have a monopoly on their users' data.
But they do collect those data and they share them with third party “partners”. Don't trust me; just look at their privacy policy. It's explicitly written there: https://www.apple.com/legal/privacy/en-ww/
Please familiarise yourself with Apple's history in consumer privacy and what they've done so far, including inadvertently forcing others to follow (looking at you Google).
Apple is now making IDFA disabled by default and requiring users to enable it if they want to.
> Apple went even further than what Mozilla supporters had asked for when it announced that it will give consumers the option to opt-out of tracking in each app, essentially turning off IDFA and giving millions of consumers more privacy online.
Apple is still going ahead with this regardless. My understanding is the rollout was delayed because of ongoing financial hardship on everyone in the world because of COVID (and to give more time to advertisers, developers and others to prepare).
Mozilla is also asking everyone to publicly support Apple's decision because it's good for consumers, which in result would also force others to also adopt it (Android), but also because on the other end of this decision are advertisers, game developers and Facebook that are publicly telling everyone it's a bad thing since it'll hit their wallets.
Making noise about issues helps get them fixed at several levels. If people are aware, they can factor it into their purchase decisions, they can get some support for some regulations, good publicity is an incentive for some companies to behave, etc. Mozilla is just encouraging people to support this type of initiative; it does not mean that Apple is bad just because they do something that their users like.
They only share data with partners at the direction of users and only to provide specific services, and use for marketing is banned. That privacy policy?
As that article, and others on this, have pointed out, there are a whole host of reasons why encrypting iCloud data is problematic that have nothing to do with law enforcement. As you have read the article, obviously you must know this very well. In many other areas, they absolutely do encrypt. The fact is encryption sometimes carries downsides, such as an increased risk of users permanently losing access to their data.
Web services companies face a ton of problems operating in China that are really specific to the kinds of services they offer. Apple simply doesn't offer those kinds of services.
> They spy on their users as much as anyone else (and overall, they have access to much more information than everybody else except Google).
This is easily disproven by making a GDPR access request to see what various companies have retained on you, or if you’re extra paranoid inspecting what the device is sending back over the network.
Well, less than a month ago all Mac apps worldwide refused to open because the listening service at Apple failed to respond, so you don't even have to look at the network to know that Apple is spying…
Apple has access to all apps you open, your position, the content of your iCloud, etc. etc.
Short answer: apps are signed with a developer's certificate they get from Apple; the OCSP check for certificate validation went down. To put this in context, whenever you connect to a secure website, OCSP is used to make sure the certificate is still valid (unless OCSP stapling is used, but that's another issue). BTW, OCSP checks are unencrypted, but Apple says it will change to an encrypted protocol.
And it wasn't all apps—unsigned apps are allowed to run, so by definition, there's no way for Apple to "know" about them. Many people didn't know it was happening because they weren't affected.
It's funny, because Apple's privacy policy explicitly covers this data collection, yet you still believe it doesn't exist.
> Usage Data. Data about your activity on and use of our offerings, such as app launches within our services, including browsing history; search history; product interaction; crash data, performance and other diagnostic data; and other usage data
> To put this in context, whenever you connect to a secure website, OCSP is used to make sure the certificate is still valid
This is not how any browser implements it today. Browsers either do not check (Chrome, Safari) or check but fail open (Firefox, Edge). I'm not aware of any browser that fails closed in its default configuration. More: https://www.ssl.com/article/how-do-browsers-handle-revoked-s...
Mozilla and Chrome have schemes to send a subset of revocations from the browser vendor to the user: Mozilla's is named OneCRL and Chrome's is CRLSets.
For most websites, if your end entity leaf certificate is revoked for some mundane reason, Chrome likely simply won't know or care and it'll still work, because you aren't covered by CRLSets, as the data would be too huge.
The long term fix, which site owners can implement, is OCSP Must Staple. What happens there is, when you request a certificate you insist on this "extension" and the extension tells client software "This certificate is only valid if accompanied by an up-to-date OCSP response". Then you set your server software to fetch OCSP responses for its own certificate and serve those to visitors.
This means excellent privacy (PornHub's certificate issuer still knows that PornHub is PornHub, not an invasion of privacy, and PornHub still knows that PornHub visitors visited PornHub, but the issuer doesn't learn who the visitors are) while being revocable (if the issuer provides REVOKED OCSP answers then you can't show that revoked certificate to a client once the last not-REVOKED OCSP answer expires).
Unfortunately, and this is a huge shame most especially for Apache, there are a lot of HTTPS servers that got OCSP Stapling badly wrong, meaning you need newer versions of software or have to install complicated workarounds because the early implementations were so stupid.
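The two comments above (the one on browsers not checking or failing open, and the one on OCSP Must-Staple making a fresh stapled response mandatory) describe client-side decision logic. The following is an added example, not code from anyone in this thread or from any browser: a small Python model of that decision. It includes a minimal, purpose-built DER reader that recognises the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) listing `status_request`, which is what "Must-Staple" is on the wire, and a `decide` function that applies either a never-check policy or a check-but-fail-open policy unless the certificate carries Must-Staple, in which case it fails closed. The policy names `no_check` and `soft_fail` are hypothetical labels, the `live` parameter stands in for a network OCSP query so the code runs offline, and the OCSP responses in `demo()` are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Content octets of OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature, RFC 7633).
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")
STATUS_REQUEST = 5  # TLS extension number of status_request (RFC 6066)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def tls_feature_value(extension_der: bytes) -> Optional[bytes]:
    """extnValue of one DER Extension if it is the TLS Feature extension, else None."""
    tag, body, _ = _read_tlv(extension_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    if oid != TLS_FEATURE_OID:
        return None
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN is present; skip it
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return value

def requires_stapling(extension_der: bytes) -> bool:
    """True if the extension is a TLS Feature extension listing status_request (Must-Staple)."""
    value = tls_feature_value(extension_der)
    if value is None:
        return False
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("TLS Feature value must be SEQUENCE OF INTEGER")
    pos, found = 0, False
    while pos < len(body):
        tag, num, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("TLS Feature entries must be INTEGERs")
        found |= int.from_bytes(num, "big", signed=True) == STATUS_REQUEST
    return found

@dataclass
class OCSPResponse:
    cert_status: str  # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: datetime

def is_fresh(resp: OCSPResponse, now: datetime, skew: timedelta = timedelta(minutes=5)) -> bool:
    """Usable only inside the thisUpdate..nextUpdate window (small clock-skew allowance)."""
    return resp.this_update - skew <= now <= resp.next_update + skew

def decide(must_staple: bool, stapled: Optional[OCSPResponse], now: datetime,
           live: Optional[OCSPResponse], policy: str) -> Tuple[bool, str]:
    """Return (accept, reason). "no_check" never consults OCSP; "soft_fail" queries the
    responder but accepts when unreachable. `live` stands in for that query (None = unreachable)."""
    if must_staple:  # the certificate itself makes a fresh "good" staple mandatory
        if stapled is None:
            return False, "must-staple certificate presented without a stapled OCSP response"
        if not is_fresh(stapled, now):
            return False, "stapled OCSP response is outside its validity window"
        if stapled.cert_status != "good":
            return False, f"stapled OCSP response reports {stapled.cert_status}"
        return True, "fresh stapled response reports good"
    if stapled is not None and is_fresh(stapled, now):
        if stapled.cert_status == "revoked":
            return False, "stapled OCSP response reports revoked"
        if stapled.cert_status == "good":
            return True, "fresh stapled response reports good"
        # "unknown": responder has no record; fall through to the client's own policy
    if policy == "no_check":
        return True, "no revocation check performed"
    if policy != "soft_fail":
        raise ValueError(f"unknown policy {policy!r}")
    if live is None:
        return True, "responder unreachable; failing open"
    if live.cert_status == "revoked":
        return False, "live OCSP response reports revoked"
    return True, "live OCSP response accepted"

def demo() -> dict:
    """Decisions over constructed sample responses (made up for this example, not captured)."""
    now = datetime(2020, 12, 1, tzinfo=timezone.utc)
    good = OCSPResponse("good", now - timedelta(days=1), now + timedelta(days=3))
    stale = OCSPResponse("good", now - timedelta(days=10), now - timedelta(days=3))
    revoked = OCSPResponse("revoked", now - timedelta(days=1), now + timedelta(days=3))
    return {
        "must_staple_no_staple": decide(True, None, now, good, "soft_fail"),
        "must_staple_stale": decide(True, stale, now, good, "soft_fail"),
        "must_staple_good": decide(True, good, now, None, "no_check"),
        "plain_no_check_even_if_revoked": decide(False, None, now, revoked, "no_check"),
        "plain_soft_fail_unreachable": decide(False, None, now, None, "soft_fail"),
        "plain_soft_fail_revoked": decide(False, None, now, revoked, "soft_fail"),
        "plain_stapled_revoked": decide(False, revoked, now, None, "no_check"),
    }
```

The `plain_no_check_even_if_revoked` and `plain_soft_fail_unreachable` scenarios are the two behaviours the thread attributes to current browsers: a revoked leaf is still accepted either because nothing is checked at all or because the responder could not be reached. Only the Must-Staple branch turns a missing or stale response into a rejection, which is why the extension, not client policy, is what makes revocation enforceable for a given site. The DER reader handles a single `Extension` structure, with or without the `critical` flag; in a real client the same check would be run over every extension in the parsed leaf certificate.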
> Incidentally did you know that web browsers tell certificate authorities about every website you visit that uses TLS with support for OCSP stapling.
OCSP stapling is exactly what enables the browser to verify the revocation status without contacting the cert authority. Also, not all browsers check OCSP.
Facebook collected data for ages using their SDK and lists of e-mail addresses/phone numbers submitted to them by advertisers but only started exposing them in their "download my data" tool (their GDPR SAR process basically) relatively recently.
GDPR access requests don't always tell the truth, often due to malice but in some cases incompetence too (there were a couple of times where my GDPR complaints have actually revealed to the company that their third-party SDKs leaked more data than they originally thought).
You can't say things like that, can you imagine how Apple device owners (of which there are plenty here) would feel about their purchases? I've seen the argument of 'using Apple if you are privacy conscious and the rest is subpar' here a thousand times as a main justification for the higher price.