← Back to context

Comment by brundolf

4 years ago

> Because your temporary IP address is part of the hash request, and that's usually enough to identify which major organisation's network you are on, not counting any geolocation.

Okay. You realize that you literally have to turn off the network connection completely to prevent dozens of companies from getting this information every waking moment? Windows and even Ubuntu constantly send back basic telemetry, not to mention the many more less-trustworthy apps that are refreshing in the background, the websites you interact with (even with ads/tracking blocked, the site itself still knows your IP address and time of access!), and so on.

Maybe it's not the exact point I was making originally, but my point now is that this is a ridiculous thing to focus on in the grand scheme of privacy concerns. It might be the single least-privacy-significant network request that any of your devices ever makes. Personally, if that's the only cost, I'll take the tradeoff for the security benefits. But even if I didn't feel that way, it's not what I would be spending my energy worrying about.

> You realize that you literally have to turn off the network connection completely to prevent dozens of companies from getting this information every waking moment

I do. (A look at my comment history would show I know quite a bit about networking.)

Again, the question being addressed, or actually the assertion being challenged, was: "hashes of the binaries I run don't exactly reveal any sensitive personal information about me"

I replied to show that those hashes do reveal that information.

But I threw in that how the hashes are sent (revealing the IP constantly) also reveals sensitive and personal information.

You might think that's inevitable, maybe so trivial it doesn't merit a mention. But in fact it isn't. It's purely a consequence of a technical decision. There are many ways Apple could perform the hash check without revealing your ephemeral IP to Apple.

Still, you asked what I thought was "how does sending your hash to Apple reveal where you go?".

Since you asked, I answered.

But perhaps I misunderstood your question, and you were asking how does Apple having the hash reveal where you are, not the act of sending it to them.

Fair enough.