Comment by bambax
1 month ago
If they said "To uphold our commitment to privacy while delivering these experiences, we have implemented a combination of technologies to help ensure these server lookups are private" then it would be fine. It would also be a tautology.
When they add that server lookups are also "efficient and scalable", it means that they have had to ponder the privacy aspects with technical concerns regarding efficiency and scalability, and that therefore, privacy is mitigated.
I think a fair reading of this sentence would be: "we provide a version of 'privacy' that we feel is acceptable, within reasonable efficiency and scalability constraints".
They're not going to dedicate a server per customer for example. Would it make sense to do it? No. But it would be honest to say "because of efficiency and scalability limits, the 'privacy' we provide is relative and subject to breaches". (I actually think that's exactly what their wording is trying to say.)
> I actually think that's exactly what their wording is trying to say.
And herein lies the problem, because they are literally saying what they say - private AND efficient AND scalable. You are the one adding hypothetical caveats.
They are talking about offloading functionality that cannot occur on device. The scalability and efficiency is not being used as a reason to take privacy away, it is simply an additional requirement of how they must meet their pledge.
The quote you are referencing is literally about how these features are implemented using homomorphic encryption to perform lookups on anonymously accessed black boxes: https://machinelearning.apple.com/research/homomorphic-encry... . Which part of that is them sacrificing privacy to make it scalable and efficient, and how would using a dedicated server per user increase privacy? Is there some specific privacy issue you can see with their implementation?
To "uphold one's commitment to privacy" the only thing to do is just that: uphold one's commitment to privacy. One doesn't need to make sure the lookups are "efficient" or "scalable" (or "clean" or "polite" or what have you). That is absolutely not needed for privacy.
Why would they need to add these qualifiers if not to explain/justify that privacy isn't the only concern; there are technical matters to consider as well?
Not needed for privacy, but not an obstruction to it either.
They have thoroughly documented the architecture, so if you have a concern about that, then state it.
At the moment you are saying that because it’s efficient and scalable it must be at the cost of privacy - but have stated no reason for that to be true.