[bigyabai]

I mean, Apple's PCC audits require them to individually vet each auditor before they're allowed to see the PCC nodes.

If Apple extended that philosophy to other vendors then yeah, it would be deliberately unfair and anticompetitive.

[MBCook]

It sounds like they are whitelisting the hashes of all the Google software and OSes and stuff to ensure nothing is changed out from under them without them knowing.

Even if you could make all the other possible vendors run private cloud compute style stuff that would be a lot to manage.

And I can’t imagine the EU would like, and as a user I would certainly hate, the “OK you can use Grok but you lose all privacy too bad“ dialogue box they could make.

[bigyabai]

I don't even think it offers a meaningful degree of security. It's a form of theater, you have to be hand-selected to perform the audit that Apple promised.

Most sysadmins know that hash matching only mitigates a small subset of rare upstream attacks. Apple could still be MITMing the whole thing (SSL added and removed here :)) and no auditor would get the chance to check. The offered audit is so weak that I would not trust any FAANG business to administrate it.

Apple is once again demanding arbitrary centralization to give them an undeserved veto power. None of this is for security.

[theshrike79]

If they're not "hand-selected", what would be the way to select the auditors?

Just have an open house for anyone interested to come poke the hardware and software?

[bigyabai]

Have a set of clearly-defined requirements that doesn't randomly reject valid candidates? Nobody wants another opaque system like the App Store review process.

By the sound of it, Apple's offered audit doesn't include insight into the most dangerous parts of a system like this. This could easily lead to a situation where real security experts are denied access to promote influencer-adjacent Yes Men who rubberstamp the hashes matching without any question.

Hence my concern for "SSL added and removed here" - none of Google's famously backdoored infrastructure will be audited. For privacy purposes, Apple's promise is woefully incomplete.

[theshrike79]

That's a very bad faith reading on what Apple said.

How I understood it that they want _actual_ security researchers, not some random dude who once installed Kali Linux and ran nmap.

It's state of the art private compute according to actual experts and everyone will be wasting their time if the "researchers" need to be coached through the process and explained the basics of the system's operation.

[MBCook]

At this point the EU doesn’t trust Apple’s fair rules. Which is very much earned.

So if they did that here, I doubt the EU would accept it. And even if they did as soon as a competitor of any side/credibility cried foul I’m sure the EU would make life very hard for Apple to prove they’re not being unfair in even the tiniest way.