Apple and Privacy

Today 9to5 Mac ran an article about how Apple’s privacy focus comes with a cost of slower app development and fewer features. That makes sense to me. It is harder to develop with privacy limitations and smaller data sets.

This is an old debate. I used to write about this years ago when Apple refused to process user data with cloud servers. For example, Google Photos, as I understand it, does all of its magic on their servers, which requires them to see your photos. Apple Photos does its magic on your device so Apple doesn’t need to see your photos.

There is always some cost to this. The extent of that cost is dependent on how advanced the underlying technologies get. Using the above example with Apple Photos, now that Apple has rocketship-style Apple silicon with dedicated artificial intelligence components, my iPhone is more than good enough to do that photo processing locally without requiring me to share my photos with Apple. That’s a win.

At the leading edge, however, Apple will always be a little constrained as it makes privacy a priority. That used to bother me. Now it doesn’t. Constraints often make things better. Apple will figure this out in a way that does serve consumers and protect our privacy. The other guys aren’t bothering. This is one more reason why I’m using Apple gear.

The Age of Mass Surveillance

There is a story making the rounds today about a secret CIA program for which very few details exist except for the disclosure that it involves a mass surveillance program on American soil that included at least some data collection of U.S. citizens. It looks like the Wall Street Journal broke the article but Fortune has a good summary.

What we do on the Internet has been commoditized for years. If you’ve been paying attention, you shouldn’t be surprised. If advertisers are figuring out when you’re pregnant, don’t you think the government is also taking notes?

At this point, governments (and companies looking to monetize you) are punching holes in the Internet much faster than the folks trying to protect your privacy can patch them. When I was a lawyer, and a client would ask me how to make sure sensitive data was safe “in the cloud”, my stock answer was, “Don’t put it there.” Reading the story about the CIA’s data collection plan is not shocking. It would be surprising if they weren’t doing it. (I expect numerous foreign governments are doing the same things, if not worse.)

Just think about email, for instance. You send an email, and it goes through the Internet pipes to get to your recipient. It has to. No pipes, no email. Clever governments and hackers can snoop in those pipes and capture copies of unencrypted email as it is in transit—we just kind of live with that. If we rewound the clock several decades and discovered that the government was intercepting and making copies of all the mail that arrived in our physical mailboxes, there would have been riots in the streets. Now we just sort of shrug.

All we can do now is try to make smart choices.

  • Try to deal with companies that have transparent ownership and express an interest in privacy through their actions.
  • Don’t rely on companies that you suspect will one day need to monetize your data to stay afloat.
  • If you want to be even more paranoid, don’t trust small start-ups. You never know who will end up buying them and inheriting your data.
  • Wherever possible, use end-to-end encryption.
  • Seriously, consider why you’re sending data somewhere else.

All that said, I’m not sure how you escape it in the modern world. We live in an age of mass surveillance, whether you realize it or not.

Bokeh – a Private Social Network Attempt



We discuss user data and privacy a lot around here. Here is a Kickstarter project that will actually respect user privacy. Instead of collecting and mining your user data to sell you creepily specific targeted ads, Tim Smith is building Bokeh to be a private, secure, and user-funded social network. For instance, when you post your photos, you get to choose who sees them. Bokeh won’t show who follows you or who you follow. You don’t have to worry about friends of friends seeing your photos. If one of these “friends” has requested to follow you three times and you said no, Bokeh will prompt you to block them.

It’s intended to be a user funded project. No creepy ad-crawling. I sincerely hope this works.

Privacy Versus Cloud Services, Continued

For years now, folks interested in technology have considered the tradeoffs between cloud services and privacy. Tim Cook’s recent comments at the Berkshire Hathaway shareholder conference have me thinking about it again. Tim was clear on Apple’s position:

> But we don’t want to use you as our product. And we just have a fundamental issue with doing that. And we’ve always thought that the building of a detailed profile about your life could result in tragic things.

The contrast Apple is trying to draw is with other Silicon Valley giants whose business model is grounded on user data (and advertising)—namely Facebook and Google. 

The question gets interesting when you realize there are tradeoffs. Privacy protects users, but access to mountains of user data helps make better, faster, more responsive cloud services, which also benefits users.

If Apple intends to protect user data, are they going to fall behind on the better/faster end of the equation? Probably. But how much?

Those who follow Apple closely have known about their position on user privacy for years. But lately, Apple is more vocal about their preference to protect user privacy. Nearly every time someone puts a microphone in front of Tim Cook, he raises this point. 

When these lines were first drawn years ago, there was a lot more digital ink being spilled on the wisdom of Apple’s position. You don’t hear as much about it lately.

So how is Apple doing? From my experience, Apple still is lagging, but not as much as I worried it might. 

One way to evaluate this is Photo search in Apple Photos versus Google Photos. Google pioneered the ability to search for contents of photos with words. They have a massive database of photos to work with, and their algorithms can easily find a “dog” in the “snow” from your library of 42,000 photos. Apple added this feature a few years ago, but the difference is that Apple built its models on purchased photo libraries, not looking at all of its users’ photos. Moreover, Apple does the machine learning for these searches not on their cloud servers but instead on your devices. You too can now find a “dog” in the “snow” with Apple Photos. I am pretty confident the search terms don’t update as quickly in Apple Photos as they do in Google Photos, but that is the cost of that privacy thing.

Photos is just one measure, and I am sure if I thought about it long enough, I could find other examples that are both better and worse in comparison. For me, at least, when comparing privacy versus cloud services, I would rather err on the side of privacy. So long as the Apple cloud services are viable, I’m okay if they aren’t the best if in exchange I’m getting a higher degree of privacy. 

At first, I tried to quantify it. How close does Apple have to be to Google for me to be happy? 50%? 75%? For me, it is more a question of whether the cloud service is: 1) something I’d use often; and 2) functional. In my case, functionality, even if slower and not quite as good, is good enough. I think Apple gets off easy with my calculus, but everybody gets to set their own threshold, and everyone isn’t as paranoid as I am when it comes to privacy.

One thing everyone can agree on is that this story isn’t over yet.

Three Things You Can Do Today to Increase Your Facebook Privacy

For years I was one of those curmudgeons that refused to use Facebook in any capacity. I’ve been turned around on that a little bit because of the success of the Mac Power Users and Free Agents Facebook groups at creating a safe, fun place to talk about shared interests. They are both special communities. Nevertheless, Facebook can be a dangerous place if you care anything about your privacy.

There are a lot of questions about Facebook lately and I’ve been receiving a lot of email from listeners on the subject. I should preface this post by saying I am hardly a Facebook power user. I log in to participate in the above two groups, but that’s about it.

Nevertheless, even this limited exposure could get me in trouble because Facebook likes to collect data. Between the news of the last few weeks plus the recent discovery that they can also collect your call and text history, I decided it was time to spend a little bit of time tuning up my own Facebook settings and thought I should share with you. So here are a few things you can do today.

1. Delete All Facebook Applications from your Phone (and iPad).



A lot of the trouble arising from Facebook starts with their mobile applications. The trouble is that your phone has a lot of information about you and Facebook is insatiably hungry for information about you. Moreover, over the years we’ve had plenty of evidence that Facebook hasn’t been a real team player on the iPhone and they’ve done all sorts of dirty tricks to make sure their app is always front and center. This is both creepy, and it kills your battery faster.

I understand for a lot of people this is asking a lot. Their phone is their primary window into Facebook, and if that is really what you want, I don’t begrudge you. However, if you can live without Facebook on your phone, I think you’re better off. I just use Facebook in the browser on my Mac (or the browser on my iPad), and it’s just fine.

2. Audit your Privacy Settings

One thing Facebook has improved over the years is exposing its privacy settings. Years ago it felt like playing a videogame to find your way to the proper screens. Now it’s all combined in your settings screen under the privacy tab. Go through it and make changes to suit your level of comfort. I would recommend erring on the side of caution. You can always go back and make the settings more open if you’re finding that the more conservative settings are getting in the way.



3. Audit your Application Installations

A big part of the recent problems is that the Facebook API is so liberal that apps you authorize are taking a lot more information than you may think. I have not authorized any apps to access my Facebook data and, given the limited way in which I use the service, I expect I never will.

You may have some apps that you want to use with Facebook and that is fine but make sure it is your conscious decision to opt in. Take a close look at the apps tab in your Facebook settings and make sure you feel comfortable with every app you’ve authorized to access your data.



Note there is also a setting on this screen, Apps Others Use, to edit the amount of information other people’s applications can use when accessing your Facebook data. I recommend tapping the edit button and making appropriate changes. I leave very little data exposed this way.



The Slippery Slope of Internet Privacy

The U.S. Senate has now voted to remove prior regulations prohibiting Internet Service Providers (ISPs)–the folks you pay for your home Internet pipe–from selling your browsing and Internet data to others for fun and profit. This is pretty terrible news if you care at all about your Internet privacy. For a long time now ISPs have been storing and saving your Internet history data. They know where you go and how long you spend there. This new regulation, assuming it also passes the House and gets signed into law (it will), lets them sell your data.

I hate this.

One of the big arguments in favor of this change by ISPs is that because Google and Facebook are making money from our data, they should get in on the action too. That argument, however, fails. Google and Facebook are services that consumers can use or avoid. Consumers can, in effect, opt out of the madness. That isn’t true with your home Internet connection. Every website you visit and every web service you use are now information available on the open market.

You may be thinking that you don’t do anything particularly nefarious so it doesn’t matter. I think that is short-sighted. Somebody with a few bucks should not be able to find that I spend time at certain banking websites or researching certain medical issues or even websites about one political belief over another. Future employers, or insurers, or anybody else with a checkbook should not be able to snoop through my browsing records.

This seems to me the kind of thing that you’d want to protect no matter where you stand on the political spectrum. Even though the vote on this is down party lines, I have multiple conservative friends that are up in arms over it.

So what can you do?

1. Complain

I’d encourage you to complain to your congressperson. The House of Representatives hasn’t voted yet and 5calls.org is a great place to start.

2. Get a VPN

Virtual Private Network services allow you to get on the Internet without the ISP seeing where you are actually going. The VPN company will know but, assuming you use a reputable one, they won’t sell your data. I’ve been using VPNs for years. They’re particularly helpful if you spend a lot of time on the road using WiFi that you don’t control. Recently I purchased a one-year subscription from Cloak and right now I’m feeling pretty good about that. I could turn that on at home any time (or selectively) to hold on to my privacy.

3. Go Elsewhere for your Internet Pipe

For a lot of communities, the options are very limited but if you have other options for your Internet service, investigate them. Maybe some of them will make your privacy their selling point.

Before you email me to say I’m being alarmist or to remind me that most of our Internet privacy was already fictional, I understand what you are saying. Nevertheless, I can’t help but feel in the slippery slope of Internet privacy, we’re about to take a pretty long slide.

Jonathan Zdziarski at Apple

Jonathan Zdziarski is a well respected security and privacy expert. Now he works for Apple. Jonathan’s explanation of why he took the gig pushes all my buttons.

> This decision marks the conclusion of what I feel has been a matter of conscience for me over time. Privacy is sacred; our digital lives can reveal so much about us – our interests, our deepest thoughts, and even who we love. I am thrilled to be working with such an exceptional group of people who share a passion to protect that.
> — Jonathan Zdziarski

I think Apple is serious when they talk about protecting user privacy and hiring people like Jonathan. I don’t know if this priority gives Apple much market advantage in the world today where most consumers are pretty cavalier about their privacy but it sure makes me happy to be using Apple products.

Yahoo.Gov

It is becoming increasingly clear that last year, the government ordered Yahoo to search its entire user email database and Yahoo’s response was, “no problem”. According to the New York Times, Yahoo was forbidden from disclosing the order and the collection is no longer taking place, but if they’re forbidden from disclosing, how would we really know that? Moreover, if that particular collection has stopped, who is to say that there aren’t other searches ongoing that still have not been disclosed? Is the government co-opting other technology companies to do their snooping for them? Yahoo has responded that Reuters’ original reporting of this was “misleading”, but again how would we really know? All of this is done under the veil of secrecy.

Every time the issue of privacy comes up, I feel like a bit of a dinosaur. I think privacy is a fundamental right and one upon which the United States was founded. It is baffling to me that these big companies, with presumably teams of lawyers, can just roll over so easily when the government asked them to search their entire email database.

If you could pretend for a moment that the Internet and email didn’t exist and discovered that the US Postal Service was opening and scanning every piece of mail that went through on the lookout for some particular piece of correspondence involving a terrorist or a foreign government, you would probably be outraged. I would be. The difference between that hypothetical world and the one we live in is that the Internet and email do exist and it is technically possible to pull something off like a search of all of Yahoo’s email for all of its users. Put simply, they are doing this because they can. Moreover, the government has shown very little restraint in asking for that type of information. This request may have been for an entirely legitimate reason. However, once you open up that door, it is going to be very difficult to close it.

At a minimum, I believe there should have been public disclosure and the courts should have had an opportunity to weigh in before the government was given such sweeping power. I can’t help but feel that Yahoo let the government off way too easy here and if I were a Yahoo email subscriber (I am not) I would be looking for new options … today.

> Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
> — Benjamin Franklin

Apple Aces Its EFF Report Card


The Electronic Frontier Foundation rates tech companies annually on how they handle their customers’ data. The 2015 report is out and, not surprisingly, Apple did well. The EFF explained:

> This is Apple’s fifth year in the report, and it has adopted every best practice we’ve identified as part of this report. We commend Apple for its strong stance regarding user rights, transparency, and privacy.
> — The Electronic Frontier Foundation

This emerging theme from Apple about protecting user data is only going to get bigger. Apple doesn’t make its money serving ads and it has no economic interest in collecting user data. Moreover, I spoke with several Apple engineers last week at WWDC and, universally, they were all personally offended by the idea of government and other third parties getting access to user data. This is more than a marketing thing. Apple, as a whole, appears disgusted with the way our personal data privacy rights are getting trampled. I think we are going to see Apple turning up the dial on this issue in hopes of getting the word out to consumers. To me this is a big deal. The question in my mind, however, is whether I’m an oddball or this will resonate with the public at large.

The NSA Reads BlackBerry BES Encryption Too

So now we hear that they’ve also hacked the BlackBerry BES encryption. I’ve noticed, in myself at least, that the more of these revelations that become public, the less I am surprised each time. I can’t help but wonder whether we have already lost the fight for any hope of actual online privacy.