Comment by supriyo-biswas
1 month ago
If the data is encrypted, does the concern still apply?
You bring up the example of Onedrive, but there is no use of e2e encryption or HE techniques there.
1 month ago
If the data is encrypted, does the concern still apply?
You bring up the example of Onedrive, but there is no use of e2e encryption or HE techniques there.
> does the concern still apply?
Yes it does and the blogpost specifically explains why.
In short, both iOS and macOS are full of bugs, often with the potential of exposing sensitive information.
Also, it’s on by default - nobody in their sane mind would have bits of their photos uploaded somewhere, regardless of “we promise we won’t look”.
Finally, Photos in iOS 18 is such a bad experience that it seems the breach of privacy was fundamentally unjustified as no meaningful improvement was introduced at all.
>regardless of “we promise we won’t look”.
AIUI, even if Apple's servers tried to look, they cannot, because of the encryption.
Encryption does not automatically mean secure. Encryptions can and will be broken. Any flaw in their implementation (which nobody can verify) would render encryption useless…
5 replies →
Yes, of course, the concern is the data being exfiltrated to begin with. Like someone else in this thread mentioned, if they upload a single pixel from my image without my consent, that is too much data being uploaded without my consent.
If they sent a completely randomly generated integer from your phone without consent, would that be okay with you? Genuine question.
I'm not who you asked, but no, I wouldn't be.
I'd want an explanation of why they want to send this data. They need to seek informed consent, and the default needs to be no data collection. Opt-in, not opt-out.
If I do opt-in, I can withdraw that consent at any time.
I can also expect them to delete any collected data within a reasonable (to me) time frame, tell me what they do with it, who they share it with, supply me with any personally identifying data they have colllected, and allow me to correct it if it's wrong. And if they use the data to make important decisions automatically, e.g. bank loan yes/no, I have the right to make them use human reasoning to reconsider.
There is no reason to let businesses non-consensually collect any data from you, even if that's their entire business model. Don't let their self-serving lies about "you can trust us" or "it's normal and inevitable" swindle you out of your privacy.
Incidentally,"a completely randomly generated integer" could describe Apple's Advertising Identifier, which allows third parties to track the bejesus out of you.
> If they sent [...] without consent, would that be okay with you?
No. That would never be acceptable to me.
> If the data is encrypted, does the concern still apply?
Yes! For so many reasons!
If an adversary is able to intercept encrypted communications, they can store it in hopes of decrypting it in the future in the event that a feasible attack against the cryptosystem emerges. I don't know how likely this is to happen against homomorphic encryption schemes, but the answer is not zero.
I'm not suggesting everyone should spend time worrying about cryptosystems being cracked all day long, and I'm not saying Apple's encryption scheme here will prove insecure. Even if this particular scheme is cracked, it's very possible it won't reveal much of great interest anyways, and again, that is simply not the point.
The point is that the correct way to guarantee that your data is private is to simply never transmit it or any metadata related to it over a network in any form. This definitely limits what you can do, but it's a completely achievable goal: before smartphones, and on early smartphones, this was the default behavior of taking pictures with any digital camera, and it's pretty upsetting that it's becoming incredibly hard to the point of being nearly impractical to get modern devices to behave this way and not just fling data around all over the place willy-nilly.
And I know people would like Apple to get credit for at least attempting to make their features plausibly-private, but I feel like it's just the wrong thing right now. What we need today is software that gives agency back to the user, and the first part of that is not sending data off to the network without some form of user intent, without dark patterns to coerce said intent. At best, I can say that I hope Apple's approach to cloud services becomes the new baseline for cloud services, but in my opinion, it's not the future of privacy. The future of privacy is turning the fucking radio off. Why the fuck should we all buy mobile devices with $1000 worth of cutting edge hardware just to offload all of the hard compute problems to a cloud server?
I'd also like to ask a different question: if there's no reason to ever worry about this feature, then why is there even an option to turn it off in the first place?
I worry that what Apple is really doing with pushing out all these fancy features, including their maligned CSAM scanning initiative, is trying to get ahead of regulations and position themselves as the baseline standard. In that future, there's a possibility that options to turn off features like these will disappear.
> I'd also like to ask a different question: if there's no reason to ever worry about this feature, then why is there even an option to turn it off in the first place?
I mean for one, because of people like you that are concerned about it. Apple wants you to have the choice if you are against this feature. It's silly to try to use that as some sort of proof that the feature isn't safe.
My iPhone has a button to disable the flash in the camera app. Does that imply that somehow using the camera flash is dangerous and Apple is trying to hide the truth from us all? Obviously not, it simply means that sometimes you may not want to use the flash.
They likely chose to make it opt-out because their research shows that this is truly completely private, including being secure against future post-quantum attacks.
> If an adversary is able to intercept encrypted communications, they can store it in hopes of decrypting it in the future in the event that a feasible attack against the cryptosystem emerges. I don't know how likely this is to happen against homomorphic encryption schemes, but the answer is not zero.
Also, if you're going to wildly speculate like this it is at least (IMO) worth reading the research press release since it does answer many of the questions you've posed here[0].
> it's pretty upsetting that it's becoming incredibly hard to the point of being nearly impractical to get modern devices to behave this way and not just fling data around all over the place willy-nilly.
And honestly, is turning off a single option in settings truly impractical? Yes, it's opt-out, but that's because their research shows that this is a safe feature. Not every feature needs to be disabled by default. If most users will want something turned on, it should probably be on by default unless there's a very strong reason not to. Otherwise, every single iPhone update would come with a 30 question quiz where you have to pick and choose which new features you want. Is that a reasonable standard for the majority of non tech-savvy iPhone users?
Additionally, the entire purpose of a phone is to send data places. It has Wi-Fi, Bluetooth, and Cellular for a reason. It's a bit absurd to suggest that phones should never send any data anywhere. It's simply a question of what data should and should not be sent.
[0] https://machinelearning.apple.com/research/homomorphic-encry...
> I mean for one, because of people like you that are concerned about it. Apple wants you to have the choice if you are against this feature. It's silly to try to use that as some sort of proof that the feature isn't safe.
If they know some people will be against the feature, why not ask instead of enabling it for them?
> My iPhone has a button to disable the flash in the camera app. Does that imply that somehow using the camera flash is dangerous and Apple is trying to hide the truth from us all? Obviously not, it simply means that sometimes you may not want to use the flash.
Do you really not see how this is not a good faith comparison? I'm not going to address this.
> They likely chose to make it opt-out because their research shows that this is truly completely private, including being secure against future post-quantum attacks.
So basically your version of this story is:
- Apple knows some users will not like/trust this feature, so they include an option to turn it off.
- But they don't bother to ask if it should be turned on, because they are sure they know better than you anyway.
I agree. And it's this attitude that needs to die in Silicon Valley and elsewhere.
> Also, if you're going to wildly speculate like this it is at least (IMO) worth reading the research press release since it does answer many of the questions you've posed here[0].
I don't need to, what I said generalizes to all cryptosystems trivially. The only encryption technique that provably can never be cracked is one-time pad, with a key of truly random data, of size equal to or greater than the data being encrypted. No other cryptosystem in any other set of conditions has ever been proven impossible to crack.
Homomorphic encryption is very cool, but you can't just overwhelm the user with cryptosystem design and mathematics and try to shrug away the fact that it is not proven to be unbreakable. The fact that homomorphic encryption is not proven to be unbreakable is absolutely not wild speculation, it is fact.
> And honestly, is turning off a single option in settings truly impractical?
We all just learned about today! We don't even need to speculate about whether it is impractical, we know it can't be done, and that's before we consider that loss of privacy and agency over devices is a death-by-a-thousand-cuts situation.
> Additionally, the entire purpose of a phone is to send data places. It has Wi-Fi, Bluetooth, and Cellular for a reason. It's a bit absurd to suggest that phones should never send any data anywhere. It's simply a question of what data should and should not be sent.
Clearly I don't think the internet is useless and I don't disable networking on all of my devices because I'm talking to you right now. But the difference is, when I reply to you here, I'm never surprised about what is being sent across the network. I'm typing this message into this box, and when I hit reply, it will send that message over the network to a server.
The difference here is agency. Steve Jobs had a quote about computers being "bicycle[s] for the mind". Well, if you just found out today that your device was sending meta information about your private photos over the network, you would be right to feel like it's not you controlling the bike anymore. The answer to this problem is not throwing a bunch of technical information in your face and telling you its safe.
2 replies →
> And I know people would like Apple to get credit for at least attempting to make their features plausibly-private, but I feel like it's just the wrong thing right now.
Appeal to bandwagon; opinion discarded