by sneak 1310 days ago
Turning off Safari Suggestions is one of the first and most important privacy tweaks on a new iPhone. Otherwise every keystroke you type in the address bar gets sent to Apple in realtime.

> most important

Really? No - there is no privacy threat surface with suggestions, unless you assume that Apple and everyone who works there is lying about it?

ref: "any information sent to Apple does not identify you, and is associated with a 15-minute random, rotating device-generated identifier"

[0] https://www.apple.com/legal/privacy/data/en/siri-suggestions...

Apple also said:

“We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order.”

Either Snowden is lying, or Apple is.

There are lots of potential explanations here. It’s possible and even likely that in an org as large as Apple, the people writing press copy simply are not exposed to all of the details of all of the moving parts that enable realtime surveillance of their userbase. They can also use a different definition of “direct access” (while providing realtime unsupervised access via API, but not via physical (“direct”) entry to a datacenter building).

Apple also claims (in HT202303) that iMessage is end to end encrypted, when for the vast majority of the userbase of iMessage, Apple has copies (readable to Apple) of the endpoint private keys and can, if they wish, decrypt and read and store anyone’s iMessages in realtime as if they were not encrypted at all. It’s still “end to end encrypted” if there is a key escrow backdoor in the system that defeats the end to end encryption. It’s like putting a $5 gym lock on a cardboard box. It’s not lying to say that you locked it up.

You can make factually accurate statements about certain specific things that paint a picture or strongly imply a state of affairs that is diametrically opposed to the truth. Apple is, as far as I can tell, the best in the world at this type of misdirection. It even fools professional journalists.

For example: if they log the client IP of all requests to the API, the statement you quoted holds true - and yet it is still trivial to make a single query to a) relate all of your API requests together, and b) relate them to your identity via Apple’s many other APIs. The “rotating” implies that it is unlinked, but does not guarantee that it is unlinkable (e.g. from having client IP and timestamp columns in the data).

Apple is skilled at lying by saying only very specific, true things, as confusing as that may sound.

It is also a mistake to assume there is no importance because there is no threat model. Even if the data is never linked to you, it is a privacy violation for the keystrokes to leave your device if you don’t want them to. For a contrived example, you don’t need a threat model or ID linkage to not want your neck-down nudes leaked. A non-identifiable privacy violation is still a privacy violation.
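The unlinked-versus-unlinkable distinction in the comment above, as an added example that is not part of the thread: a privacy-review check that tests whether rotating identifiers in a request log can be chained back together. The log schema (timestamp, client IP, rotating identifier), the sample rows and the `max_gap` threshold are assumptions constructed for illustration, not Apple's actual logging.

```python
from collections import defaultdict

# Constructed sample rows (unix_time, client_ip, rotating_id); not real data.
ROWS = [
    (0,    "198.51.100.7", "id-a"),
    (600,  "198.51.100.7", "id-a"),
    (905,  "198.51.100.7", "id-b"),   # identifier rotated, IP unchanged
    (1700, "198.51.100.7", "id-b"),
    (1810, "198.51.100.7", "id-c"),
    (100,  "203.0.113.9",  "id-x"),
    (950,  "203.0.113.9",  "id-y"),   # same IP, but a long silent gap
]

def link_rotating_ids(rows, max_gap=600):
    """Return the groups of rotating IDs that the log makes linkable.

    Two IDs are chained when they share a client_ip and the later one first
    appears within max_gap seconds of the earlier one's last request.
    IDs logged without a client_ip (None) can never be chained.
    """
    spans = {}  # rotating_id -> [client_ip, first_seen, last_seen]
    for ts, ip, rid in rows:
        s = spans.setdefault(rid, [ip, ts, ts])
        s[1], s[2] = min(s[1], ts), max(s[2], ts)

    per_ip, chains = defaultdict(list), []
    for rid, (ip, first, last) in spans.items():
        if ip is None:
            chains.append([rid])            # nothing to join on
        else:
            per_ip[ip].append((first, last, rid))

    for ids in per_ip.values():
        ids.sort()
        chain, prev_last = [], None
        for first, last, rid in ids:
            if chain and first - prev_last > max_gap:
                chains.append(chain)        # gap too long: start a new chain
                chain = []
            chain.append(rid)
            prev_last = last
        chains.append(chain)
    return sorted(chains)

def strip_ip(rows):
    """Mitigation under review: the same log with the client IP never stored."""
    return [(ts, None, rid) for ts, _, rid in rows]

if __name__ == "__main__":
    print(link_rotating_ids(ROWS))
    print(link_rotating_ids(strip_ip(ROWS)))
```

Any chain longer than one identifier means the rotation did not make the stored records unlinkable for that log schema.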

> "is associated with a 15-minute random, rotating device-generated identifier"

Can someone clarify why that's done or how it could even be useful? It just seems (to me, naïvely) like if you're going to rotate the identifier every fifteen minutes, why even bother?

> Apple and everyone who works there is lying about it?

Perhaps we should ask people that bought iTruth for $299. But seriously, you are way too trusting of corporations and their public statements.