← Back to context

Comment by jchw

1 month ago

> If the data is encrypted, does the concern still apply?

Yes! For so many reasons!

If an adversary is able to intercept encrypted communications, they can store it in hopes of decrypting it in the future in the event that a feasible attack against the cryptosystem emerges. I don't know how likely this is to happen against homomorphic encryption schemes, but the answer is not zero.

I'm not suggesting everyone should spend time worrying about cryptosystems being cracked all day long, and I'm not saying Apple's encryption scheme here will prove insecure. Even if this particular scheme is cracked, it's very possible it won't reveal much of great interest anyways, and again, that is simply not the point.

The point is that the correct way to guarantee that your data is private is to simply never transmit it or any metadata related to it over a network in any form. This definitely limits what you can do, but it's a completely achievable goal: before smartphones, and on early smartphones, this was the default behavior of taking pictures with any digital camera, and it's pretty upsetting that it's becoming incredibly hard to the point of being nearly impractical to get modern devices to behave this way and not just fling data around all over the place willy-nilly.

And I know people would like Apple to get credit for at least attempting to make their features plausibly-private, but I feel like it's just the wrong thing right now. What we need today is software that gives agency back to the user, and the first part of that is not sending data off to the network without some form of user intent, without dark patterns to coerce said intent. At best, I can say that I hope Apple's approach to cloud services becomes the new baseline for cloud services, but in my opinion, it's not the future of privacy. The future of privacy is turning the fucking radio off. Why the fuck should we all buy mobile devices with $1000 worth of cutting edge hardware just to offload all of the hard compute problems to a cloud server?

I'd also like to ask a different question: if there's no reason to ever worry about this feature, then why is there even an option to turn it off in the first place?

I worry that what Apple is really doing with pushing out all these fancy features, including their maligned CSAM scanning initiative, is trying to get ahead of regulations and position themselves as the baseline standard. In that future, there's a possibility that options to turn off features like these will disappear.

5 comments

jchw

Reply
scratchyone  1 month ago

> I'd also like to ask a different question: if there's no reason to ever worry about this feature, then why is there even an option to turn it off in the first place?

I mean for one, because of people like you that are concerned about it. Apple wants you to have the choice if you are against this feature. It's silly to try to use that as some sort of proof that the feature isn't safe.

My iPhone has a button to disable the flash in the camera app. Does that imply that somehow using the camera flash is dangerous and Apple is trying to hide the truth from us all? Obviously not, it simply means that sometimes you may not want to use the flash.

They likely chose to make it opt-out because their research shows that this is truly completely private, including being secure against future post-quantum attacks.

> If an adversary is able to intercept encrypted communications, they can store it in hopes of decrypting it in the future in the event that a feasible attack against the cryptosystem emerges. I don't know how likely this is to happen against homomorphic encryption schemes, but the answer is not zero.

Also, if you're going to wildly speculate like this it is at least (IMO) worth reading the research press release since it does answer many of the questions you've posed here[0].

> it's pretty upsetting that it's becoming incredibly hard to the point of being nearly impractical to get modern devices to behave this way and not just fling data around all over the place willy-nilly.

And honestly, is turning off a single option in settings truly impractical? Yes, it's opt-out, but that's because their research shows that this is a safe feature. Not every feature needs to be disabled by default. If most users will want something turned on, it should probably be on by default unless there's a very strong reason not to. Otherwise, every single iPhone update would come with a 30 question quiz where you have to pick and choose which new features you want. Is that a reasonable standard for the majority of non tech-savvy iPhone users?

Additionally, the entire purpose of a phone is to send data places. It has Wi-Fi, Bluetooth, and Cellular for a reason. It's a bit absurd to suggest that phones should never send any data anywhere. It's simply a question of what data should and should not be sent.

[0] https://machinelearning.apple.com/research/homomorphic-encry...

  • jchw  1 month ago

    > I mean for one, because of people like you that are concerned about it. Apple wants you to have the choice if you are against this feature. It's silly to try to use that as some sort of proof that the feature isn't safe.

    If they know some people will be against the feature, why not ask instead of enabling it for them?

    > My iPhone has a button to disable the flash in the camera app. Does that imply that somehow using the camera flash is dangerous and Apple is trying to hide the truth from us all? Obviously not, it simply means that sometimes you may not want to use the flash.

    Do you really not see how this is not a good faith comparison? I'm not going to address this.

    > They likely chose to make it opt-out because their research shows that this is truly completely private, including being secure against future post-quantum attacks.

    So basically your version of this story is:

    - Apple knows some users will not like/trust this feature, so they include an option to turn it off.

    - But they don't bother to ask if it should be turned on, because they are sure they know better than you anyway.

    I agree. And it's this attitude that needs to die in Silicon Valley and elsewhere.

    > Also, if you're going to wildly speculate like this it is at least (IMO) worth reading the research press release since it does answer many of the questions you've posed here[0].

    I don't need to, what I said generalizes to all cryptosystems trivially. The only encryption technique that provably can never be cracked is one-time pad, with a key of truly random data, of size equal to or greater than the data being encrypted. No other cryptosystem in any other set of conditions has ever been proven impossible to crack.

    Homomorphic encryption is very cool, but you can't just overwhelm the user with cryptosystem design and mathematics and try to shrug away the fact that it is not proven to be unbreakable. The fact that homomorphic encryption is not proven to be unbreakable is absolutely not wild speculation, it is fact.

    > And honestly, is turning off a single option in settings truly impractical?

    We all just learned about today! We don't even need to speculate about whether it is impractical, we know it can't be done, and that's before we consider that loss of privacy and agency over devices is a death-by-a-thousand-cuts situation.

    > Additionally, the entire purpose of a phone is to send data places. It has Wi-Fi, Bluetooth, and Cellular for a reason. It's a bit absurd to suggest that phones should never send any data anywhere. It's simply a question of what data should and should not be sent.

    Clearly I don't think the internet is useless and I don't disable networking on all of my devices because I'm talking to you right now. But the difference is, when I reply to you here, I'm never surprised about what is being sent across the network. I'm typing this message into this box, and when I hit reply, it will send that message over the network to a server.

    The difference here is agency. Steve Jobs had a quote about computers being "bicycle[s] for the mind". Well, if you just found out today that your device was sending meta information about your private photos over the network, you would be right to feel like it's not you controlling the bike anymore. The answer to this problem is not throwing a bunch of technical information in your face and telling you its safe.

    • scratchyone  1 month ago

      Honestly I'm a little tired so I'm not gonna completely/perfectly address everything you said here but

      > If they know some people will be against the feature, why not ask instead of enabling it for them?

      Honestly I would just say this is because you can only ask so many things. This is a hard to explain feature, and at some point you have to draw a line on what you should and shouldn't ask for consent on. For many people, the default reaction to a cookie popup is to hit "accept" without reading because they see so many of them. Consent fatigue is a privacy risk too. Curious where you'd choose to draw the line?

      > Do you really not see how this is not a good faith comparison? I'm not going to address this.

      Yes, my point is that your reasoning isn't good faith either. We both know it's silly and a bit conspiratorial to imply that Apple adding a setting for it means they know a feature is secretly bad. If they wanted to hide this from us, neither of us would be talking about it right now because we wouldn't know it existed.

      > We all just learned about today! We don't even need to speculate about whether it is impractical, we know it can't be done, and that's before we consider that loss of privacy and agency over devices is a death-by-a-thousand-cuts situation.

      That's fair, but there's honestly no perfect answer here. Either you appease the HN crowd on every feature but overwhelm most non-technical users with too many popups to the point they start automatically hitting "yes" without reading them, or you make features that you truly consider to be completely private opt-out but upset a small subset of users who have extremely strict privacy goals.

      How do you choose where that dividing line is? Obviously you can't ask consent for every single feature on your phone, so at some point you have to decide where the line between privacy and consent fatigue is. IMO, if a feature is genuinely cryptographically secure and doesn't reveal any private data, it probably should be opt-out to avoid overwhelming the general public.

      Also, how would you phrase the consent popup for this feature? Remember that it has to be accurate, be understandable to the majority of the US population, and correct state the privacy risks and benefits. That's really hard to do correctly, especially given "21 percent of adults in the United States (about 43 million) fall into the illiterate/functionally illiterate category"[0].

      [0] https://www.libraryjournal.com/story/How-Serious-Is-Americas...

      1 reply →

sgammon  1 month ago

> And I know people would like Apple to get credit for at least attempting to make their features plausibly-private, but I feel like it's just the wrong thing right now.

Appeal to bandwagon; opinion discarded