[jtbayly]

modeless linked to this article earlier today:

https://james.darpinian.com/blog/apple-imessage-encryption/

My current understanding of the facts:

1. Google defaults to encrypted backups of messages, as well as e2e encryption of messages.

2. Apple defaults only to e2ee of messages, leaving a massive backdoor.

3. Closing that backdoor is possible for the consumer, by enabling ADP (advanced data protection) on your device. However, this makes no difference, since 99.9% of the people you communicate will not close the backdoor. Thus, the only way to live is to assume that all the messages you send via iMessage will always be accessible to Apple, no matter what you do.

It's not like overall I think Google is better for privacy than Apple, but this choice by Apple is really at odds with their supposed emphasis on privacy.

[indemnity]

Enabling ADP breaks all kinds of things in Apple’s ecosystem subtly with incredibly arcane errors.

I was unable to use Apple Fitness+ on my TV due to it telling me my Watch couldn’t pair with the TV.

The problem went away when turning off ADP.

To turn off ADP required opening a support case with Apple which took three weeks to resolve, before this an attempt to turn off would just fail with no detailed error.

Other things like iCloud on the web were disabled with ADP on.

I just wanted encrypted backups, that was it.

[Angostura]

That chimes roughly with my experience, but to be fair ADP is designed not just for encrypted backups, but to harden the ecosystem for people who may be under the greatest threat. Worth noting that it has been outlawed in the UK and cannot be enabled, which makes me think it's pretty decent

[traceroute66]

> Worth noting that it has been outlawed in the UK and cannot be enabled

For the record, there is an ongoing court battle between Apple and UK government about getting it overturned.

Which also says many positive things for Apple that they are willing to put their money where their mouth is and put up a fight.

[jmaker]

And that’s a significant PR and marketing posture for Apple.

[mvandermeulen]

You wouldn’t happen to work in North Norfolk would you?

[int_19h]

FWIW I've been running ADP for over a year now, and so far I haven't noticed any problems.

iCloud on the web not being available is kind of expected; how would it work with E2EE?

[blueone]

Huh, that’s crazy because ADP doesn’t break anything for me. Then again, I’m not trying to connect an Apple Watch to a tv. What a simple life I live.

[miki123211]

Apple's other emphasis is customer experience, and there are more "I forgot my code, help me recover my stuff" people than you can imagine.

It would be bad PR for Apple if everybody constantly kept losing their messages because they had no way to get back into their account.

[jtbayly]

You think there are fewer people who forget using Google devices? I don’t it. The article talks about how Google prevents that from happening.

[lxgr]

That’s all fine, but then show the sender whether their connection is actually end to end encrypted, or whether all their messages end up in Apple’s effective control.

One might consider differently colored chat message bubbles… :)

[dd8601fn]

ADP isn’t the default, and almost nobody who isn’t a journalist/activist/potential target turns it on, because of the serious (potentially destructive) consequences.

How does Google manage this, such every normie on earth isn’t freaking out?

[buckle8017]

Nobody expects their text messages to be backed up.

They get deleted and people shrug.

[weikju]

Or IOW, Googles solution affects only messages. Apple’s solution affects your whole digital life so the consequences are a lot more dire.

[trympet]

> Apple’s solution affects your whole digital life

I don’t know if that’s generally true. I could lose my apple account and not really give a a damn. Not that I see how such a thing would happen, save for apple burning down all their datacenters. I’m running ADP

[deafpolygon]

Google’s solution also ensures that they know all the metadata of your messages, except the content of the message itself.

[jmaker]

Apple too collects unencrypted metadata but now promises to reduce its scope.

[weikju]

How convenient...... indeed

[saagarjha]

I keep my messages and would like them to not go away.

[trympet]

Why?

[saagarjha]

I reference them every so often

[trympet]

> because of the serious (potentially destructive) consequences

Huh? What are you talking about? I don’t see anything destructive about it.

[LoganDark]

People don't always have enough Apple devices to justify confidence that they couldn't lose them all at the same time, which with ADP is a permanent death sentence if you don't have your recovery key.

(Apple says you can also use a device passcode; I'm not sure if this works if the device is lost. Maybe it does?)

[trympet]

I have 2 or 3 yubikeys associated with my account. I think apple does a decent job at communicating the importance of having recovery keys to the point where they deter those who can’t be bothered.

Yubikeys are great

[LoganDark]

I'm always put off by the incredibly low limits on yubikeys. What's the point of having a security key if you can only have 25 accounts in its lifetime? What are you supposed to do, buy tons of keys and then figure out a system to remember which key each account is? Like fucking hell just let me use passkeys in iCloud Keychain. My bank's mobile app specifically supports only security keys and explicitly not passkeys for literally no reason because passkeys are practically just as secure as any security key. It's actually harder to specifically exclude passkeys and allow only security keys than it is to just use passkeys which automatically include security keys.