Comment by Aachen

1 month ago

> I don't understand most of the technical details of Apple's blog post.

I did understand the cited bits, and sorry to say but this could have been an optimistic post ("look at this cool new thing!")

I dislike Apple's anti-hacker (in the HN sense of the word) practices as much as the next person and don't own any Apple device for that and other reasons, but saying "it doesn't matter how you solved the privacy problem, I feel it's not private" doesn't make it true. Because most other people don't understand the cited words either, if they read that far down anyway, this seems like unfair criticism.

Homomorphic encryption is something I heard about through a research paper a few years ago.

Back then I understood that an operation like SUM would be able to compute the sum of a list of numbers where each number was encrypted. The way the encryption worked made it possible to add all the values together without decrypting them, and the result ended up being encrypted too in such a way that the owner could decrypt it and have a number with a certain known accuracy.

If Apple is using homomorphic encryption correctly, then there should be no way for them to see the data they get from your phone. The other things they mention in the post are ways to prevent leaking other information through metadata or a side channel.

The fact that this feature was enabled by default isn’t exactly great. Definitely should have been something that the user should have been asked if they wanted to enable after upgrading.

The main criticism is about sending private and sensitive data to Apple without consent and warning.

  • I imagine Apple might argue that no private information is sent thanks to the use of homomorphic encryption. But Apple’s explanation rings hollow without the user having the ability to verify that this system is working as described.

    • It's not just users having the ability to verify it but also the users comprehending it in the first place. Sending something somewhere without the recipient being able to do anything they please with that information is highly unintuitive, and I don't see homomorphic encryption becoming popular anytime soon.

      In a bit of personal news, in a previous job I once worked on doing something similarly private to user's browsing history, that is, the browsing history is sent to the server without the server being able to capture or store it. I was the tech lead for writing a prototype, but the whole idea was then vetoed by a VP.

How can you trust something you don't understand? That must come from "authority" (some person or org that you trust to know about such matters). That authority isn't Apple for many people. While I have cautious trust in Apple's privacy policies, many people don't, and not without reason. Hence, not understanding Apple's technical explanation of an Apple feature you didn't opt in to sharing personal data increases the feeling of privacy violation (which in turn leads to more distrust).

So would it be unfair criticism?

  • > Hence, not understanding Apple's technical explanation of an Apple feature you didn't opt in to sharing personal data

    But this is the fundamental issue. The author has no idea if personal data is being shared, they’ve made an assumption based on their lack of understanding. It’s entirely possible that all this service does (and arguably likely), is provide a private way for your phone to query a large database of landmark fingerprints, then locally try and match those fingerprints to your photos.

    It doesn’t require sending up private data. The phone could perform large geographic queries (the size of countries) for batches of fingerprints to be cached locally for photo matching. The homomorphic encryption just provides an added layer of privacy, allowing the phone to make those queries in a manner that makes it impossible for Apple to know what regions were queried for.

    iOS Photos already uses databases to convert a photo location into an address, so you can do basic location-based searching. That will involve doing lookups in Apple's global address database; do you consider that a violation of people’s privacy?

  • So you understand your own device’s security? You have no more reasons to trust the security of the Apple device in your pocket than you do of an Apple device in a datacenter IMHO.
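Two ideas in this thread can be made concrete with the same toy: the homomorphic-encryption comment above (an operation like SUM over numbers that stay encrypted, decryptable only by the owner) and the reply above it suggesting the phone could query a fingerprint database without Apple learning which region was asked for. The following Python is an added example, not code from any commenter and not a description of Apple's actual system; it uses the Paillier cryptosystem, a standard additively homomorphic scheme, with constructed small primes, a constructed four-row "fingerprint" table, and function names chosen here for illustration. Apple's post is not claimed to use Paillier.

```python
import math
import random

# Constructed toy parameters: two small primes so the demo runs instantly.
# A real Paillier deployment uses primes of at least ~1024 bits each.
P, Q = 10007, 10009

_rng = random.SystemRandom()


def keygen(p=P, q=Q):
    """Return ((n, g), (lam, mu)). Uses the common simplification g = n + 1."""
    n = p * q
    n_sq = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    # L(u) = (u - 1) // n ; mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n_sq) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts
    give different ciphertexts (the server cannot spot repeated values)."""
    n, g = pub
    n_sq = n * n
    while True:
        r = _rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n_sq) * pow(r, n, n_sq)) % n_sq


def decrypt(pub, priv, c):
    """Only the key owner (the phone) can do this step."""
    n, _ = pub
    lam, mu = priv
    n_sq = n * n
    return (((pow(c, lam, n_sq) - 1) // n) * mu) % n


def add_encrypted(pub, ciphertexts):
    """Homomorphic SUM: the product of ciphertexts decrypts to the sum
    of the plaintexts. Only public values are touched here."""
    n_sq = pub[0] ** 2
    acc = 1
    for c in ciphertexts:
        acc = (acc * c) % n_sq
    return acc


def mul_plain(pub, c, k):
    """Homomorphic scalar product: E(m)^k decrypts to k*m."""
    return pow(c, k, pub[0] ** 2)


# --- Private lookup built on the homomorphic sum -----------------------

def make_query(pub, index, size):
    """Client side: encrypt a one-hot selector (1 at `index`, 0 elsewhere).
    Every entry is a fresh ciphertext, so the server sees no structure."""
    return [encrypt(pub, 1 if i == index else 0) for i in range(size)]


def answer_query(pub, query, table):
    """Server side: sum_i E(s_i)^{t_i} = E(sum_i s_i * t_i) = E(t_index).
    The server never decrypts, so it cannot tell which row was read."""
    assert len(query) == len(table)
    return add_encrypted(pub, [mul_plain(pub, c, t) for c, t in zip(query, table)])


def demo_sum():
    pub, priv = keygen()
    values = [17, 23, 4, 56]                        # constructed sample inputs
    total = add_encrypted(pub, [encrypt(pub, v) for v in values])
    return decrypt(pub, priv, total)                # 100


def demo_lookup():
    # Constructed stand-in for a "landmark fingerprint" table: one small
    # integer per region. Real entries would be larger and batched.
    table = [4101, 2077, 9316, 5550]
    pub, priv = keygen()
    query = make_query(pub, 2, len(table))          # client wants row 2
    reply = answer_query(pub, query, table)         # server computes blindly
    return decrypt(pub, priv, reply)                # 9316


if __name__ == "__main__":
    print("encrypted sum ->", demo_sum())
    print("private lookup ->", demo_lookup())
```

The point the lookup half makes is the one the reply above argues: the server does useful work on the query (it touches every row) yet holds nothing it could decrypt, so the client's region never reaches Apple in the clear. What the toy does not address, and what the thread's other commenters care about, is whether a user can verify a deployed system actually behaves this way, or consented to it running at all.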

> sorry to say but this could have been an optimistic post

> don't own any Apple device

So you don't have any skin in the game, but you're criticizing someone who does?

My blog post is written from the perspective of an Apple user whose trust has been violated. It's nice that you think—from a safe distance—the technology is neat, and maybe it is, but that's irrelevant to the main issue, which is the lack of user consent.

  • Hacker News unfortunately does not respond to this logic unless it is a company they are trained to hate. We could run the same story reporting Google and Meta's opt-out abuses, and it would also reach the frontpage with just as many comments. Except those comments would be violent condemnation, not apologetics and hand-wringing over whitepaper quotes.

    It's tragic, because computing is in a professedly imperfect place right now. Digital privacy is under fire, many payments see a 30% digital service surcharge that is wholly arbitrary, and revolutionary cross-platform standards are being supplanted with proprietary and non-portable solutions that do not benefit any user.

    As an American, I am ashamed that our government's dysfunction extends to consumer protection.