Apple Flexes Its Privacy Muscles

Originally published at: https://tidbits.com/2019/07/12/apple-flexes-its-privacy-muscles/

At WWDC 2019, Apple made numerous announcements that show both how important the company believes privacy to be and how far it’s willing to go to encourage privacy-protecting technologies in its own products. But these efforts will face challenges from all sides.

1 Like

Great article. I forwarded it to many stressing that Security is not Privacy.
FaceBook might get to having a secure service BUT their business model would put them into Bankruptcy if they provided Privacy

Trust in Apple’s privacy protections are one of the main reasons why we stick with Apple.

All of Apple’s laudable privacy moves live in the huge shadow of the billions that Google pays Apple every year to keep Google as Safari’s default search engine.

You can easily change that though, even to the privacy focused DuckDuckGo. See “Search in Private with DuckDuckGo” (20 August 2014).

Apple’s Intelligent Tracking Prevention is frequently updated to prevent Google, etc., etc., etc. from exceeding very strict limits on tracking. Rich Mogul’s excellent article in this week’s TidBITS has a summary about how ITP strictly limits tracking:

https://tidbits.com/2019/07/12/apple-flexes-its-privacy-muscles/

There’s an analysis here about how Safari’s privacy measures are frequently updated and how they negatively impact advertising. Keep in mind that the the companies include Alphabet/Google, who is spending $12 billion this year to continue to be Safari’s search engine, up from $9 billion in 2018:

https://fortune.com/2018/09/29/google-apple-safari-search-engine/

There is no way Google would be shelling out increasingly big bucks every year to be a search engine for a browser that not only limits the amount of data it collects but also greatly limits the time in which the data is available to advertisers unless it’s a sure thing it would be a highly profitable investment. They are basically just acquiring traffic, not accumulating and storing huge amounts of tracked data from Safari. This greatly limited and constricted data is likely to be worth well in excess of double the amount Google is paying for it. Look at Safari’s share of market that Rich discusses in his article.

Here’s the scoop from WebKit on the latest iteration of ITP. Keep in mind that over the last few years Apple first eliminated third party cookies, then crippled cross site tracking by moving it from a week to a day, which has pretty much made cookie tracking crumble:

https://webkit.org/blog/8828/intelligent-tracking-prevention-2-2/

I have very strong feelings about Apple Security. First I find it too invasive and “Big Brother”. For instance it does not allow me to turn of 2FID once it is turned off. When I am doing account maintenance it is constantly asking me for verification which is annoying and time consuming. As such it continues to enforce 2FID on me whether I want it or not. As a customer I should be allowed to control my own machines.

Personally I regard 2FID as a cost saving method to avoid the costs of beefing up their own security and putting the security responsibilities of the companies on the backs of their customers, thereby blaming the customers for any security breaches that if resulting in customer hardships, they can avoid any responsibility which can lead to lawsuits.

Based on personal experience they also make user security decision for the customer without notifying the user result in frustration and signification loss of time. Recently for some reason, still unknown they blocked me from sharing calendars from user accounts, all contained locally on my own computer for which I am the sole user, system admin, and have the root account activated. They did this without any notice. I spent many hours troubleshooting only finallying giving up and calling support. Neither 1st level or Senior Support had any idea what was going on. Only after escalating it to engineering did an agent report back to me that Apple had decided to put a block on my machine to prevent me from sharing my own calendars. It took over a week from the time I contacted Apple to have it removed. I still don’t know why they did it or how to prevent it in the future.

Finally whenever I sign in to AppleID or iCloud it wants me to verify my identity by sending me an email with a code and a window pops up asking me to enter the code on the same screen from which I was trying to log in. All that does is verify that I can receive mail on the same machine that I use to access the services. There is no attempt to actually confirm that I am actually that person with any personal information. If I am going to attempt to get into iCloud or AppleID with my username and password, then it obvious I will be able to receive email to that same machine via Mail. All I need to do is setup an account in Mail or if the machine is stolen, have the account already there to be able to enter the verification code. Total nonsense and annoying in my opinion as it is doing little to secure my identity.

In my opinion it is past time that Apple took the steps and spent the monies to securing its own systems and stop shifting the responsibility onto the backs of its users along with ceasing to act as “Big Brother” and allow users to determine the security levels on their accounts and machines require for their personal protection.

If you have better ideas I’m all ears and I’m sure Apple would like to hear them, as well.

Then you clearly don’t understand the purpose of 2FID. It has nothing to do with protecting your computer. Only physical protection means, lock screen and use of Find My… are useful for that. When Apple wants to verify that it’s you using an AppleID it allows all trusted platforms to produce a code that can be used for such verification. If you have told Apple that it’s a trusted platform you are attempting iCloud, e-mail, etc. access, then that machine should be able to produce a validation code. If you are using the hotel business center machine, then it’s not trusted and you will need some other device to produce the code.

If your machine is stolen and the thief has your username and password, then you have much bigger problems.

1 Like

Unfortunately their now seems to be 2 Apple’s: The Apple before Steve Job’s passed and the Apple after. As far as the current Apple listening to users, that seems to only happened in a bygone era. Now the only thing Apple seems to pay attention to is stockholders clamoring for more dividends. Unless threatened with a lawsuit, or 10’s of thousands give ‘feedback’ on a topic, most of users input seems to now be consigned to the ‘bit bucket’ as evidenced by mobile products now costing upwards of 4 figures, and a fully equipped new Mac Pro Desktop being essentially a closed system due to unique Apple connectors for RAM, SSD, and GPU’s, and costing as much as a luxury level automobile.

The obvious suggestion would be to have Apple beef up its own systems so and protect its users so that they would not need to use 2FID. But that costs money and takes diligence - something that Apple and many other companies are not willing to invest in. 2FID is a very cost effective substitute.

If Apple already knows that the code is coming from a trusted machine why send the code at all to that machine? It only creates an annoying effort for the user to verify something that Apple already is aware of. If the wish to verify the user why not ask them for a PIN code that should have been memorized or secured in some way by the user that only the user and some data field on a server has access to by the verification process.


jweil

    July 16

I have very strong feelings about Apple Security. First I find it too invasive and “Big Brother”. For instance it does not allow me to turn of 2FID once it is turned off. When I am doing account maintenance it is constantly asking me for verification which is annoying and time consuming. As such it continues to enforce 2FID on me whether I want it or not. As a customer I should be allowed to control my own machines.

2FID is one of the security and privacy protections I greatly appreciate from Apple. If someone gets their hands on any one of our many personal or business Mac or iOS devices, it is extremely unlikely they would be able to gain access into any of our information even if they can guess my password. I’ll bet Jennifer Lawrence and other movie, TV and pop stars who had their accounts compromised via one factor sign and nude photos they assumed would be private were splashed all over the internet were very happy when Apple implemented 2FID.

Security isn’t usually the most convenient option; in fact, I think it’s almost always not. Even though it might be a PITA and take a little more time, IMHO, security is well worth it. Even though I hate the long lines and checks I have to go through at airports, I know how important they are. I live in NYC and still feel the effects of 9/11.

Personally I regard 2FID as a cost saving method to avoid the costs of beefing up their own security and putting the security responsibilities of the companies on the backs of their customers, thereby blaming the customers for any security breaches that if resulting in customer hardships, they can avoid any responsibility which can lead to lawsuits.

2FID was costly to develop and is costly to maintain. Apple would probably have a significantly larger stash of hundreds of billions in cash if never developed it. Apple’s implementation of it has been popular and caused Google to scramble to make an option they advise turning on in Android, even though it could make tracking difficult for them in certain circumstances. IIRC, Microsoft also rushed to develop something that’s not quite like 2FID. It sounded to me that the Google and MS built “light” versions, and Google made it an option to minimize any impact it might have on data collection.

I’m not a lawyer or anything resembling one, as far as I have read or seen, I have not read or heard of lawsuits like what you described against Android or Microsoft, which have not as strict 2FID as Apple’s.

I have no issue with high security, in fact I endorse it. My issue is the way it has been implemented, making life more difficult and frustrating for users. As you indicated by your examples some individuals require high security, but many others do not , do not feel they need it, or just don’t care about their privacy and security. As such the level of security needed should be the choice of the user/customer so long as it does not compromise the security of others who wish to have high security. Companies should not be acting as the police or “big brother’, enforcing protocols on their customers that do not wish to use them. That said there is now technology that makes 2FID archaic. This includes voice printing, retina scans, facial recognition (most computers have cameras and mikes, fingerprints (most computers now have touch capability or it can be added), finger codes from pressing keypads, flash drive keys, etc. May of these are passive that do not require the user interaction, resulting in multiple devices, lost time and frustration.

Al Varnell already posted an excellent and concise explanation.

Apple, who has a history of investing very significant sums to develop state of the art security measures like like Touch and Face ID that its competitors are still scrambling to keep up with. They lead the competition in security and privacy, and could even be working on something other than than 2FID for all we know.