[re]

The author of the blog post makes a wild leap (from "A daemon connected to Apple's servers when I used QuickLook on a file" [paraphrased] to "Apple Has Begun Scanning Your Local Image Files Without Consent [...] Stock macOS now invades your privacy via the Internet when browing local files [...] macOS now contains network-based spyware"), with the strong implication that information about those files is being sent to Apple while stopping just short of actually claiming that.

I've seen these kind of accusations of spying be made a lot based on misinterpretation of very scant evidence, and without something more concrete I think that's almost certainly what's happening here. A far more likely explanation IMO is that the daemon is doing something like checking for regional availability of the Live Text feature (still somewhat problematic but definitely nowhere near the same ballpark), as partially suggested by this commenter: https://infosec.exchange/@yProd/109698545121198396

[metadat]

Regardless, it shouldn't be pinging the Internet whenever the user previews an image file. No good can come of such behavior.

[infotogivenm]

Agree with gp that this is a astonishingly huge logical leap by the author. I would guess the author left the default “report metrics to apple” on, and apple is noting that “a user leveraged the photo preview feature for the first time in X days.” I do wish these metrics were optin but I somewhat get the decision from a PM standpoint, and to their credit Apple presents this choice to the user during the setup process in a really hard-to-miss way.

Incredibly lazy blog post IMO, if you’re going to write an article and video on an infosec site, take the time to MITM the connection so you can avoid purely tinfoil speculative reporting. Apple likely does not make this easy but it is possible to do anything when SIP is disabled.

[sneak]

Analytics are off, as is iCloud, the App Store, Siri Suggestions, and every other Apple service there is a knob exposed for.

Live Text is on, because the machine was recently updated to Ventura and it defaults to on and it never asked if I wanted it. (It's a brand new preference setting.)

If you're going to call someone lazy, look first into what it takes to MITM a TLS connection from an Apple system service to Apple. It seems you are unaware. It's not trivial these days.

[infotogivenm]

Maybe media codec checks then, or a bug that ignores the metrics setting. We can go all day at this until someone finishes the research.

> It seems you are unaware. It's not trivial these days.

I know very well what it takes, thats why I said Apple does not likely make this easy. The last time I tried was a few releases ago: disable SIP, write a frida hook to disable pinning, maybe a couple hours the first time you do it. If I were in a pinch I might not even bother with that and instead just pop mediaservicesd into IDA or Hopper and attach to the process as it hangs in littlesnitch. However I did not write a tinfoil essay on a strange observed behavior without actually investigating it, so I will not be doing any of those for you.

[nhchris]

If as you say Apple is deliberately making it so difficult to inspect what their OS is doing, maybe we should assume the worst, until proven otherwise.

[re]

The blog post reports it happening once, not every time. I'd agree that it would feel significantly worse/more suspicious if Apple's servers were contacted every time I previewed/opened a file.

[sneak]

There is no legitimate reason why quicklook should be hitting an API when I preview a bitmap in the Finder.

Analytics and Siri Suggestions are off. I don't use iCloud.

Text recognition models would likely be served from an Apple CDN, not api.smoot.apple.com.

I don't know what it's sending (an API hostname suggests some dynamic server code, not just a file download), but it should not be sending anything at all. I don't want it to, and I never consented to such transmission.

I didn't make the claim that file information is being sent because I didn't want to publish anything but facts. I have not done any RE on the binary itself as yet.

[re]

I'm responding to you in good faith in the hope that you will take this with an open mind, but now that I see the previous thread, I'm worried that you might not. I'm not sure if you saw this comment but I thought it was particularly constructive and deserves consideration: https://news.ycombinator.com/item?id=34403107

> I didn't make the claim that file information is being sent because I didn't want to publish anything but facts.

When you say "Apple Has Begun Scanning Your Local Image Files Without Consent" what 95% of people will hear is exactly the claim that scanned data is being sent to Apple. I don't think you can in good conscience say that you're only publishing facts if you are aware of the rate of misinterpretation and don't attempt to clarify.

Ironically you're doing exactly what you're accusing Apple of: saying technically truthful things that say one thing that cause people to believe a different thing (which is, as far as we know, not factual).

[sneak]

I was wondering how long it would take someone to notice.

It's deliberate.