by summerlight 2347 days ago
Wow. I understand ITP's high-level design, but didn't know its implementation is so naive. Maintaining a global database with a few rules which can be easily reverse engineered and giving access to it to any document? How did it go through the internal review process? Does Apple have any privacy/security review process for its major products?

I understand that privacy engineering is very hard and sometimes can get not very obvious with implicit statistical dependency chains, but this kind of direct problem could (or should?) be caught in an early stage of design. Anyway, ITP is all about privacy and deserves attention from dedicated privacy engineers.

1 comment

Things started getting explicitly dangerous a couple of years ago: internally we always did no wrong, externally, everyone was praising us for being the one company focused on privacy... when pretty much everyone who cared to think about it knew why we didn't encrypt iCloud backups, and knew we were collecting App Store searches, News articles viewed, and location for ad targeting (this is easily found in public documentation). I left shortly after I realized how little my colleagues knew, cared, and were willing to think about it – a manager on Safari refused to believe that data was being collected, refused to read our documentation on it, and told those concerned that we needed to read up on differential privacy. (Note: that didn't apply at all in the conversation; they were reaching for buzzwords they remembered.)