Sure, and every time you eat at a restaurant they could poison you.
This is mainly a concern if you are a high value target likely to be the first person poisoned. For most of us, that’s not true, and a formerly good actor turning evil would be noticed long before it came our turn.
So there’s the idealist “I can’t be sure my favorite restaurant won’t poison me today, so I’m never eating there again”, and the pragmatic “the benefits I get outweigh the slim chance that today is the day they decide to attack boring people like me” outlook.
I’ll never fault someone for being the idealist; the concerns are unfalsifiable. But to me it looks like a rough way to live. Maybe just because I really am that boring so it’s hard to relate to having any super secret stuff that would put me among the first to be attacked.
Your analogy doesn't really work because a food poisoning attack is hard to scale (across restaurants, locations) without being detected, whereas one backdoor can compromise everyone all at once if they all have the same software.
If Apple adds a backdoor to their E2EE (by sending their servers the key) via a software update, and they don't do anything with the secrets exposed, they can compromise a large proportion of users over just a few weeks and there is a big chance you'll be among the "first", because the "first" is now a large set.
The better analogy might be, "when the morality police call the restaurant, they divulge which table you sit at every day during lunch". And it's also not clear that it would be noticed: national security letters, gag orders, parallel construction, etc.
It's just another principal-agent problem, and I agree that a fully self-sovereign life, with no dependence on trust or agents, is an unrealizable ideal; and, that a decent solution (while not perfect) is reputation stake and aligned incentives, check and check in Apple's case. I too think Cook is sincere, and I trust them as far as I can throw their products, which is to say, a little. (The Apple Tax is so they don't have to rely on a sketchy big-data business model.)
That said, computing and InfoSec have some unique contours, in a way that trusting a mechanic or a lawyer does not. Those can have catastrophic failure modes as well (crashing from a shoddy repair, getting sued based on bad legal advice), but they aren't systemic to society, and have lower switching costs.
And I ultimately think it's a false choice. When it comes to meatspace security, it's possible to have trusted and accountable public institutions, and allow citizens to have some means for self-sovereignty (2A, locked doors). It would be foolish to rely only on one or the other, either as a society or an individual.
So I'm deeply grateful for the Stallman types, pushing forward the capacity for self-sovereignty. Even if it doesn't currently meet my needs from a risk/benefit tradeoff, I still benefit from the ecosystem, and its BATNA, and I look forward to the day I sever my dependence on Apple's ecosystem, whether or not they betray my trust.
> a fully self-sovereign life, with no dependence on trust or agents, is an unrealizable ideal
I agree with this part, but relying on Apple is quite far from self-sovereignty compared to many other practical alternatives: not relying on external clouds, GrapheneOS, Linux. By relying on Apple, you not only pay a tax to essentially bribe them to not attack you (perhaps a viable strategy, not too different from taxes to governments), but more importantly you give up the ability to resist without serious compromises (can't have E2EE backups on your own cloud if they said so). This is akin to trying to pay taxes to the government to get better police coverage, and they decide to ban locks, security cameras, and leaving the walled garden.
The problem with the current computing security paradigm is that it puts too much trust in entities that do not deserve it, because the entities are simply too powerful and do not suffer consequences when they break that trust.
Fair points, I can't say I disagree, and I'm aware of the trade-offs I'm making. (I was actually tempted to use the word "bribe" when describing the Apple Tax!)
There are a couple meaningful points of divergence in the ecosystem: Mac vs iOS (the former has some self-sovereignty, even if there are risks of backdoors/etc); and, cloud vs not (I mostly avoid cloud usage, iCloud or otherwise, and when I do use it, I treat all content as public).
I agree about the trust problem. Varoufakis might make some valid points re: "Technofeudalism", but then Bruce Schneier was making a similar analogy over a decade ago. I've heard cogent arguments that early feudalism evolved from rational self-interest, that serfs were willing to trade some degree of autonomy for safety, and it does feel that many "normie" users (especially with iOS) are making a similar rational trade, even if it sets up an asymmetric power dynamic, and risk (inevitability?) of future betrayal.
I'm curious if you have any examples in mind for Apple, re: "do not suffer consequences when they break that trust". IMO, they've done okay at putting actions and costly signaling behind their privacy rhetoric, and I think they'd take some kind of market hit if they were to blatantly break that trust. But I'm curious if you think there are past instances in which that already happened, which maybe I've forgotten or am neglecting, or if it's a threat model of the future.
Their image scanning proposal? The recent UK E2EE backup thing?
For the first, although they eventually backtracked, proposing it alone should be ruinous if they are actually a privacy-oriented company.
Although the second situation is forced by a government, it is still a self-inflicted problem where iCloud is the only way you can back up your stuff. Not being able to have encrypted backups is a serious QoL issue.
> I mostly avoid cloud usage, iCloud or otherwise, and when I do use it, I treat all content as public
This is also my attitude toward "the cloud" in general.
Someone with everything to lose if they break it. Most large companies do not. Perhaps smaller companies whose main selling point is privacy? Proton? Signal? I don't use either but they seem relatively plausible.