> On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.
> It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet.
> Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation...
> Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.
> This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city.
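The quoted post turns on one detail: the check fails instantly when the machine is offline but stalls when the server is merely slow. As an added example (not code from the post or from Apple), here is a small Python simulation of that soft-fail behaviour; the server, ports and the `CHECK` message are constructed stand-ins, and the point is that a bounded timeout is what caps the stall.

```python
"""Simulated soft-fail launch check (constructed example, not Apple's code).

A check that fails open on any network error passes instantly when the
server is unreachable (connect is refused) but hangs on an overloaded
server that accepts connections and never answers; the timeout bounds it.
"""
import socket
import threading
import time


def slow_server():
    """Constructed stand-in for an overloaded server: accepts TCP
    connections but never replies. Returns the listening socket."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep accepted connections open so they never close

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by the caller
                return
            held.append(conn)

    threading.Thread(target=run, daemon=True).start()
    return srv


def closed_port():
    """A local port with nothing listening: connect() is refused at once,
    the equivalent of the 'offline' fail-fast path."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def check_launch(port, timeout):
    """Soft-fail policy: allow the launch unless the server says REVOKED.
    Returns (allowed, seconds_spent) so the cost of the check is visible."""
    start = time.monotonic()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            c.settimeout(timeout)  # also bound the wait for the reply
            c.sendall(b"CHECK placeholder-developer-id\n")
            allowed = c.recv(64).strip() != b"REVOKED"
    except OSError:  # refused, reset, or timed out: fail open
        allowed = True
    return allowed, time.monotonic() - start


if __name__ == "__main__":
    print("offline:", check_launch(closed_port(), timeout=2.0))
    srv = slow_server()
    print("slow server:", check_launch(srv.getsockname()[1], timeout=0.5))
    srv.close()
```

Both calls return `allowed=True`, but the second one only after the full timeout, which is the delay users saw when the real server was overloaded.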
"We do not use data from these checks to learn what individual users are launching or running on their devices.
Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.
These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
In addition, over the next year we will introduce several changes to our security checks:
A new encrypted protocol for Developer ID certificate revocation checks
Strong protections against server failure
A new preference for users to opt out of these security protections"
I'm with Stallman on this one. Without access to the source code of their entire server stack, there really is no way to be sure of what they are or are not doing.
Even with it there is no way to be sure of what they are or are not doing. Trust in an external endpoint is not improved by some theoretical source code dump on GitHub.
This post is factually incorrect: it does not send a hash of the application (instead an identifier that can be shared across apps), and the server doesn't save any logs.
But a content-hash would have given them a release ID (i.e. which specific version of the app bundle you're running.)
A series of {release hash, launch timestamp} events could be used to build a much more precise profile of your computing habits than just {app ID, launch timestamp} events would.
Also, you're ignoring the power-law: while yes, the majority of software exists in a long-tail of ISVs, most of the apps that people use are made by big corps that make a lot of apps each. 80% of the apps on any computer (Windows or macOS) are Microsoft or Apple or Adobe apps. When you're using any of those, all Apple gets is {Apple, timestamp} or {Google, timestamp} or {Adobe, timestamp}. That's... not very useful for profiling. Especially the first two. Safari and iTunes are both just "Apple" through this system. Are you working? Relaxing? Who knows?
Those are fair points. The original report was much more serious before Apple changed policies to make the reports encrypted in transit and stopped logging IPs.
Apple telling you they don't log IPs means nothing. Facebook did this and nobody batted an eye. [1]
It's also incredibly unlikely. I'm just trying to picture what this server that does no kind of user identification at all looks like. What value would it possibly offer? Just to count how many times an application is opened? How can any kind of analytic application function without some kind of user profiling mechanism and a place to store that data for analysis?
It’s not an analytic application, its purpose is to benefit users not Apple, and Apple doesn’t actually have any profit incentive to collect user data from this service.
Facebook operates a free service that they use to collect data about you to sell for advertising purposes. Apple sells expensive personal electronics directly to consumers, and has made it a part of their core brand to be privacy-conscious. They’re certainly not perfect, and they’ve clearly made missteps along the way, but they’ve done more than virtually any other public company to further their customers’ privacy and demonstrably collect as little data as possible. When they have made mistakes, they’ve carefully explained what circumstances led to it and have generally gone above and beyond in ensuring that kind of mistake can’t happen again.
Your perspective is little different than the indefensible “both sides” mentality many people have toward politics. Apple is not Facebook, and there is a massive difference to anyone actually paying attention.
I too, used to think incentives were good enough to generally guard against bad behavior like this. The problem is that incentives can change quickly and unless data is explicitly (and with some guarantee) removed, there's always the chance for it to be accidentally exposed, nefariously exported, or repurposed as incentives change. The only safe amount of data to send out by default is what's essential to accomplish what you are trying to do.
Relying on Apple to do the right thing when they're sent a bunch of data which has some use to them, and to their users, if they keep it and run statistical analysis against it, is like relying on that handshake agreement to store some of your belongings in your kindly old neighbor's shed. Sure, you trust him, but he's not going to be around forever, and who's to say what will happen to it if someone takes over his property after he's gone. And if that kind neighbor had a habit of cleaning up the stuff your kids left in your yard for you by putting the items in that shed of his... well, it's nice that he allows your kids to get their stuff from there whenever they want, but still, that's just asking for problems down the line.
> Relying on Apple to do the right thing when they're sent a bunch of data which has some use to them, and to their users, if they keep it and run statistical analysis against it, is like relying on that handshake agreement to store some of your belongings in your kindly old neighbor's shed.
No, it's relying on this being disaligned with their profit incentives. They've made a selling point of their products being privacy-focused, and actions that go against that directly impact the profitability of these products.
There have been several cases where data was mistakenly collected. Nobody's perfect! And in every one of those cases, they've gone above and beyond in explaining what went wrong and how they'll prevent those situations from occurring in the future. In several cases, they've even published white papers pushing forward the current state of the art on preserving privacy while collecting the minimal data necessary for services to function.
Apple is not Google and Facebook. The latter two have direct profit incentive to maximize data collection and analysis of you, personally. Apple wants to sell you consumer devices, and—outside of specific counterexamples like Siri—collecting your data rarely aligns with those profit incentives.
There is some phoning home from applications, though. On top of the occasional Gatekeeper SNAFU. I like to rely on Little Snitch, and feel nervous when using a computer without it.
Google, Adobe, and Microsoft tend to be quite bad. The other ones tend to be reasonable and just check for updates every now and then. It has flagged a couple of daemons, mostly related to iCloud, but nothing very suspicious after a quick investigation.
Hash checks for malware are not the same as spyware. If anything, it's the opposite.
One could argue that these hashes should be downloaded and then checked against a local database, and I can't really argue against that; it sounds like a standard anti-virus MO and I would prefer that.
You can block those connections if they bother you.
Is this ripe for being manipulated by an infected system though? By keeping it central to the home office, they have control over the single location rather than trying to ensure every single system stays current.
They can be blocked, but not in a simple way for most users. If it were a preference synced with iCloud, or at the very least in System Preferences, I’d be okay with it, but I shouldn’t have to fight with my OS. Plus I had to unblock ocsp.apple.com at one point because it was causing an issue with something else.
https://sneak.berlin/20201112/your-computer-isnt-yours/