Comment by gigel82

1 month ago

That's not the point of the outrage though (at least not for me). They enabled by default a feature that analyzes my pictures (which I never upload to iCloud) and sends information about them to their (and others') servers. That is a gross violation of privacy.

To be clear, I don't care about any encryption scheme they may be using, the gist is that they feel entitled to reach into their users' most private data (the photos they explicitly said they don't want to upload to iCloud) and "analyze" them.

This is the same as that time Microsoft enabled OneDrive "by mistake" and started slurping people's private documents and photos saved in default locations (arguably worse since no one takes pictures with their PC's webcams).

If you really didn't want your photos to be analyzed, would you be using an iPhone? Or any modern smartphone? Google Photos doesn't have nearly the privacy focus and no HE whatsoever but I rarely see that mentioned here. It almost seems like Apple gets held to a higher standard just because they have privacy preserving initiatives. Do you use a keyboard on your iPhone? You may not have heard but Apple is tracking which emojis you type most often [0] and they get sent to Apple servers.

[0] https://www.apple.com/privacy/docs/Differential_Privacy_Over...

  • > Google photos doesn't have nearly the privacy focus and no HE whatsoever but I rarely see that mentioned here. It almost seems like Apple gets held to a higher standard just because they have privacy preserving initiatives.

    What is so surprising about this? If you make big claims about anything, you are held to your own standards.

  • > It almost seems like Apple gets held to a higher standard just because they have privacy preserving initiatives

    It doesn't seem this way at all. It is rare to see someone talking about current behavior, they are always talking about the slippery slope - such as landmark detection obviously being the first step in detecting propaganda on a political dissident's phone.

    This isn't driven by trying to hold them to a higher standard; it is an emotional desire of wanting to see them caught in a lie.

  • Like parent mentioned - I don't upload photos to Google photos, assume parent doesn't upload photos to iCloud.

    Should photo info be sent to Apple/Google in this case?

If the data is encrypted, does the concern still apply?

You bring up the example of Onedrive, but there is no use of e2e encryption or HE techniques there.

  • > does the concern still apply?

    Yes it does and the blogpost specifically explains why.

    In short, both iOS and macOS are full of bugs, often with the potential of exposing sensitive information.

    Also, it’s on by default - nobody in their sane mind would have bits of their photos uploaded somewhere, regardless of “we promise we won’t look”.

    Finally, Photos in iOS 18 is such a bad experience that it seems the breach of privacy was fundamentally unjustified as no meaningful improvement was introduced at all.

  • Yes, of course, the concern is the data being exfiltrated to begin with. Like someone else in this thread mentioned, if they upload a single pixel from my image without my consent, that is too much data being uploaded without my consent.

  • > If the data is encrypted, does the concern still apply?

    Yes! For so many reasons!

    If an adversary is able to intercept encrypted communications, they can store it in hopes of decrypting it in the future in the event that a feasible attack against the cryptosystem emerges. I don't know how likely this is to happen against homomorphic encryption schemes, but the answer is not zero.

    I'm not suggesting everyone should spend time worrying about cryptosystems being cracked all day long, and I'm not saying Apple's encryption scheme here will prove insecure. Even if this particular scheme is cracked, it's very possible it won't reveal much of great interest anyways, and again, that is simply not the point.

    The point is that the correct way to guarantee that your data is private is to simply never transmit it or any metadata related to it over a network in any form. This definitely limits what you can do, but it's a completely achievable goal: before smartphones, and on early smartphones, this was the default behavior of taking pictures with any digital camera, and it's pretty upsetting that it's becoming incredibly hard to the point of being nearly impractical to get modern devices to behave this way and not just fling data around all over the place willy-nilly.

    And I know people would like Apple to get credit for at least attempting to make their features plausibly-private, but I feel like it's just the wrong thing right now. What we need today is software that gives agency back to the user, and the first part of that is not sending data off to the network without some form of user intent, without dark patterns to coerce said intent. At best, I can say that I hope Apple's approach to cloud services becomes the new baseline for cloud services, but in my opinion, it's not the future of privacy. The future of privacy is turning the fucking radio off. Why the fuck should we all buy mobile devices with $1000 worth of cutting edge hardware just to offload all of the hard compute problems to a cloud server?

    I'd also like to ask a different question: if there's no reason to ever worry about this feature, then why is there even an option to turn it off in the first place?

    I worry that what Apple is really doing with pushing out all these fancy features, including their maligned CSAM scanning initiative, is trying to get ahead of regulations and position themselves as the baseline standard. In that future, there's a possibility that options to turn off features like these will disappear.
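For readers unfamiliar with what "HE" buys you in the exchange above (the "does the concern still apply if it's encrypted?" question and the reply about intercepted ciphertexts), here is a toy worked example. It is added here for illustration and is not code from Apple, from the blog post, or from any commenter, and it is not the lattice-based scheme Apple describes: it is textbook Paillier, an additively homomorphic scheme that is short enough to read. All parameters are constructed: the two 7-digit primes `P` and `Q` (hopelessly small for real use), the "feature vector", the server's weights, and every function name. The point it demonstrates: the server, holding only the public key, computes a weighted sum over ciphertexts and never sees a plaintext value, yet it still observes that ciphertexts arrived, how many, how large, and from where. The encryption hides the numbers, not the fact of the transmission.

```python
"""Toy additively homomorphic encryption (textbook Paillier) illustrating
"the server computes on data it cannot read".

Added example for this thread, not code from Apple or from any commenter.
The primes, the feature vector and the weights are all constructed; a real
deployment uses ~1024-bit primes or a lattice-based scheme.
"""
from math import gcd
import secrets

# Constructed toy primes (7 digits). Far too small for real use.
P = 1_000_003
Q = 1_000_033


def keygen(p=P, q=Q):
    """Paillier key pair: public (n, g), private (lambda, mu)."""
    n = p * q
    n2 = n * n
    g = n + 1
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    # L(x) = (x - 1) / n ; mu = L(g^lambda mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Randomised encryption: the same m gives a different ciphertext each time."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover m as a signed integer (residues above n/2 are read as negatives)."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    m = ((pow(c, lam, n2) - 1) // n) * mu % n
    return m - n if m > n // 2 else m


def add(pub, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 == Enc(m1 + m2): addition without the key."""
    return c1 * c2 % (pub[0] ** 2)


def scale(pub, c, k):
    """Enc(m)^k mod n^2 == Enc(k * m): multiply by a plaintext constant."""
    n = pub[0]
    return pow(c, k % n, n * n)


def server_weighted_sum(pub, enc_features, weights):
    """Server side: holds only the public key, the ciphertexts and its own
    weights. Returns Enc(sum(w_i * x_i)) and never sees any x_i."""
    acc = encrypt(pub, 0)
    for c, w in zip(enc_features, weights):
        acc = add(pub, acc, scale(pub, c, w))
    return acc


def private_similarity(client_features, server_weights):
    """Client side: encrypt, hand ciphertexts to the server, decrypt the answer."""
    pub, priv = keygen()
    enc = [encrypt(pub, x) for x in client_features]
    # What the server still observes: that a request happened, len(enc)
    # ciphertexts, their size, the timing and the network address.
    # Encryption hides the values only.
    result_ct = server_weighted_sum(pub, enc, server_weights)
    return decrypt(pub, priv, result_ct)


if __name__ == "__main__":
    features = [3, -2, 5]   # constructed "image descriptor"
    weights = [4, 1, 2]     # constructed server-side reference
    print(private_similarity(features, weights))   # 20 == 3*4 + (-2)*1 + 5*2
```

Two things to notice when running it: `encrypt(pub, 5)` twice gives two different ciphertexts, so the server cannot even tell repeated values apart; and nothing in `server_weighted_sum` touches `priv`, which is the whole guarantee. What the scheme does not change is that a network request carrying ciphertexts still leaves the device, which is the part of the thread that encryption cannot answer.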

    • > I'd also like to ask a different question: if there's no reason to ever worry about this feature, then why is there even an option to turn it off in the first place?

      I mean for one, because of people like you that are concerned about it. Apple wants you to have the choice if you are against this feature. It's silly to try to use that as some sort of proof that the feature isn't safe.

      My iPhone has a button to disable the flash in the camera app. Does that imply that somehow using the camera flash is dangerous and Apple is trying to hide the truth from us all? Obviously not, it simply means that sometimes you may not want to use the flash.

      They likely chose to make it opt-out because their research shows that this is truly completely private, including being secure against future post-quantum attacks.

      > If an adversary is able to intercept encrypted communications, they can store it in hopes of decrypting it in the future in the event that a feasible attack against the cryptosystem emerges. I don't know how likely this is to happen against homomorphic encryption schemes, but the answer is not zero.

      Also, if you're going to wildly speculate like this it is at least (IMO) worth reading the research press release since it does answer many of the questions you've posed here[0].

      > it's pretty upsetting that it's becoming incredibly hard to the point of being nearly impractical to get modern devices to behave this way and not just fling data around all over the place willy-nilly.

      And honestly, is turning off a single option in settings truly impractical? Yes, it's opt-out, but that's because their research shows that this is a safe feature. Not every feature needs to be disabled by default. If most users will want something turned on, it should probably be on by default unless there's a very strong reason not to. Otherwise, every single iPhone update would come with a 30 question quiz where you have to pick and choose which new features you want. Is that a reasonable standard for the majority of non tech-savvy iPhone users?

      Additionally, the entire purpose of a phone is to send data places. It has Wi-Fi, Bluetooth, and Cellular for a reason. It's a bit absurd to suggest that phones should never send any data anywhere. It's simply a question of what data should and should not be sent.

      [0] https://machinelearning.apple.com/research/homomorphic-encry...

    • > And I know people would like Apple to get credit for at least attempting to make their features plausibly-private, but I feel like it's just the wrong thing right now.

      Appeal to bandwagon; opinion discarded