Everyone who follows me knows I value #privacy. Everyone who follows me also knows that means I tend to appreciate Apple’s efforts in the matter more than anyone else’s.
After all, Tim Cook’s Apple has often promoted privacy as a major selling point in recent years. It’s even part of one of the intro screens of iOS and iPadOS.
Compared to other operating system providers, both mobile and desktop focused, I tend to consider Apple’s approach the least evil.
After Apple released its newest desktop operating system, Big Sur, the first operating system optimized for its new Apple silicon and opening up the iOS App Store to desktop devices, it seems times have changed.
It turns out that in the current version of macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it.
The data reportedly sent is sufficient for users to be profiled.
Date, Time, Computer, ISP, City, State, Application Hash
But that isn’t all.
In Big Sur, Apple has changed how the operating system’s processes can send data and created a new API for the processes. This means that tools like the excellent Little Snitch (a must-have and one of the first apps to install on macOS for everyone who takes data protection and privacy seriously) cannot access the specific communications anymore and cannot block the data from being sent.
Because those specific operating system processes use their own system-level communications API, they also bypass VPNs.
This, obviously, poses problems on multiple levels. One of them is Apple’s partnership with the NSA.
Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.
I have been told that some people on Reddit state this implementation was made to improve Big Sur’s security and allows Apple to act on malware and check for software signature signing. While on a technical level this may sound valid, it just isn’t good enough without stringent data usage and retention policies backing the user’s right to privacy. It also is worth highlighting that according to sneak this data is being sent unencrypted.
Sneak also mentions that when using iCloud Backup, iMessages are stored unencrypted in the backup. While we don’t want to take away from the gravity of this privacy breach, we do consider sneak’s post a “blind item” since no screenshots of data being sent are provided. Neither are any of the culpable APIs or processes actually named. But if true, some fixes are required. Serious fixes.
At the same time, it also poses questions about the security of people who rely on their VPN for protection, such as human rights fighters and investigative journalists in oppressive nations.
When personal security is sidelined in the name of technical security, and personal freedom is restricted as a result, serious questions need to be asked.
With one change Apple may have damaged its carefully curated privacy image irreversibly, unless action is taken and these processes are changed. Especially because Big Sur is the only operating system which runs on Apple’s newly introduced devices with the new ARM CPUs.
Head over to sneak’s blog for more information: Your Computer Isn’t Yours.
Update: Things got worse.
(1) Albeit without screenshots of the actual data being sent