Comment by tene80i
1 day ago
I have a naive question, and it's genuine curiosity, not a defence of what's happening here.
This ADP feature has only existed for a couple of years, right? I understand people are mad that it's now gone, but why weren't people mad _before_ it existed? For like, a decade? Why do people treat iCloud as immediately dangerous now, if they didn't before?
Did they think it was fully encrypted when it wasn't? Did people not care about E2E encryption and now they do? Is it that E2E wasn't possible before? If it's such a huge deal to people now, why would they have ever used iCloud or anything like it, and now feel betrayed?
I guess I'm one of the people who was upset that it didn't exist before, and I didn't enable iCloud Backup as a result. I didn't use iCloud Photos. I had everything stored on a NAS (which was in-fact encrypted properly) and used a rube goldberg-esque setup to move data to it periodically. I used iMazing and local encrypted backups on a schedule.
Lots of people called for E2EE on this stuff, but let's be real about one thing: encryption as a feature being more accessible means more people can be exposed to it. Not everyone can afford a rube goldberg machine to backup their data to a NAS and not make it easily lost if that NAS dies or loses power. It takes immense time, skill, and energy to do that.
And my fear isn't the government, either, mind you. I simply don't trust any cloud service provider to not be hacked or compromised (e.g., due to software vulnerability, like log4j) on a relatively long timescale. It's a pain to think about software security in that context.
For me, ADP solves this and enables a lot of people who wouldn't otherwise be protected from cloud-based attacks to be protected. Sure, protection against crazy stuff like government requests is a bonus, but we've seen with Salt Typhoon that any backdoor can be found and exploited. We've seen major exploits in embedded software (log4j) that turn out to break massive providers.
So, there were people upset, their concerns were definitely voiced on independent blogs and random publications, and now, we're back in the limelight because of the removal of the feature for people in the UK.
But, speaking as a user of ADP outside of the UK, I am happy that ADP is standing up for it, and thankful that it exists.
(To be clear: government backdoors, and government requests also scare me, but they aren't a direct threat to myself as much as a vulnerability that enables all user data to be viewed or downloaded by a random third-party).
Many of us were very upset about Apple's slow-rolling this feature. There were many claims that they delayed the rollout due to government pressure [1] (note: that story is by the same reporter who broke today's news a couple of weeks ago.)
Rolling out encryption takes time, so the best I can say is "finally it arrived," and then it was immediately attacked by the U.K. government and has now been disabled over there. I imagine that Apple is also now intimidated to further advertise the feature even here in the U.S. To me this indicates we (technical folks) should be making a much bigger deal about this feature to our non-technical friends.
[1] https://www.reuters.com/article/world/exclusive-apple-droppe...
At one point in time, the entirety of web communication was completely unencrypted.
Why were people not mad then? Do you think people would be angrier now, if HTTPS were suddenly outlawed?
Among other valid answers, removing rights and privileges generally makes people angrier than not having those rights or privileges in the first place.
> Why were people not mad then?
Oh, we were. I am in the crowd who had been asking for generally used encryption since 1995. After all, we were already using SSH for our shell connections.
The first introduction to SSL outside of internet banking and Amazon was for many online services to use encryption only for their login (and user preferences) page. The session token was then happily sent in the clear for all subsequent page loads.
It took a while for always-on encryption to take hold, and many of the online services complained that enabling SSL for all their page loads was too expensive. Both computationally and in required hardware resources. When I wrote for an ICT magazine, I once did some easy benchmarking around the impact of public key size for connection handshakes. Back then a single 1024-bit RSA key encryption operation took 2ms. Doubling it to 2048 bits bumped that up to 8ms. (GMP operations have O(n^2) complexity in terms of keysize.)
"We" is an special group. I am technical but never thought much about it back then. There is a boiling frog. The 90s internet was used for searching and silly emails. Now it has you life in the cloud. But that didn't happen in a day.
Counterpoint: when web communication was unencrypted it was before we did our banking, tax filing, sent medical records, and sent all other kinds of sensitive information over the internet. The risks today are not remotely the same as they once were.
always used my own encryption and cyphered any sensitive data/communications, but the problem is that most people won't and you're often compromised by them
simple solutions like Whatsapp, Signal and ADP brought this to the masses - which some governments have issues about - and this makes a massive difference to everybody including those who wouldn't be caught dead using an iphone anyway
if we could go back to the early 1990s when only professionals, Uni students, techies and enthusiasts used the internet I'd go in a heartbeat but that's not the world we're living in
You've always been able to perform encrypted backups to your own local PC or Mac out of the box, so people who do care about privacy have always had that option.
One thing I've found concerning is that Apple had encrypted cloud backups ready to roll out years ago, but delayed releasing the feature when the US government objected.
> After years of delay under government pressure, Apple said Wednesday that it will offer fully encrypted backups of photos, chat histories and most other sensitive user data in its cloud storage system worldwide, putting them out of reach of most hackers, spies and law enforcement.
https://www.washingtonpost.com/technology/2022/12/07/icloud-...
So the UK government isn't the only government that has objected to users having real privacy protections.
Yes, I was mad before it existed and didn't use icloud backups. With the E2E and ADP I turned it on. If it gets nuked in the US I'll go back to encrypted local backups only.
A few factors
- e2e encryption is not ubiquitous yet, but awareness is ascending.
- distrust for government also is on the uptrend.
- more organized dissent to preserve privacy.
No people didn't assume data was encrypted.
Yes E2E has been possible for many decades, but businesses don't have privacy as a priority, sometimes even counter incentives to protect it. Personal data sells well.
Things have changed because more people are getting to understand why it matters, forcing the hand of companies having to choice but at least feign to secure privacy.
People learn stuff over time. If you are not living like RMS you probably are allowing something to spy on you. If that spying gets removed you become aware. You don't want it back.
It is like anything that gets better. Fight for the better. It is like aviation safety: who cares about a few crashes this year when people didn't complain in the 70s.
An E2E encrypted thing that later gets a special backdoor added is obviously much worse than a not E2E encrypted thing.
It's like when google suddenly decided that their on-device-only 2FA app Google Authenticator should get an opt-out unencrypted cloud backup.
It means people who don't pay a lot of attention can suddenly have much less protection than they were originally sold on.
Think most people had no idea how it worked, it was magic to them.
iCloud hacks (like in 2014) have raised awareness for the need for E2EE.
I was mad for years that ADP didn't exist / was being witheld due to Apple+FBI negotiations for years.
I 100% treated iCloud as dangerous until they released it, and I cheered in the streets when they finally did.
I think it is more about going backwards. It is often difficult to remove laws than to add them. This is a similar situation.
In this situation, I agree that it is bad day for personal privacy/security
iCloud and iPhones have traditionally resisted US governmental overreach, only giving data to iCloud in cases of actual criminal prosecution against specific individuals. As well, iPhone backups in iCloud is relatively new, as are many other arbitrary storage features — it used to just be your songs and your photos! Now it’s data from all of your apps and a full phone backup. Hence the resistance: the stories of police being unable to recover data from a locked iPhone may now be over
Apple has been advertising security and privacy as a top feature for years now. It would make sense for people to get upset if those features were removed.
I think it makes sense for the services we rely on to get more secure as the world gets more dangerous. It's an arms race. You don't want to go back.
Apple and the FBI were squabbling over this for a few years, and then Apple decided to end the conversation one day and implement ADP
Hacker News is a small subsection of the internet. I think the majority of people, probably 90% or more, simply do not care that much.
iCloud did a lot less, in the past. Disabling it now gives you access to more data than it did a few years ago. And I also suspect it has far more users today than it did a few years ago.
i mainly use apple devices, but never put anything on icloud before adp came out.
People were mad. Remember the Snowden leaks and PRISM program from NSA? [1]
In fact, Apple began to adopt “privacy” first marketing due to this fallout. Apple even doubled down on this by not assisting FBI with unlocking a terrorist suspects Apple device in 2016. [2]
It was around that time I actually had _some_ respect for Apple. I was even a “Apple fanboy” for some time. But that respect and fanboi-ism was lost between 2019 and now.
Between the deterioration of the Apple ecosystem (shitty macOS updates), pushing scanning of photos and uploading to central server (CSAM scanning scandal?), the god awful “Apple wall”, very poor interoperability, and very anti-repair stance of devices.
[1] https://www.theguardian.com/world/2013/jun/06/us-tech-giants...
[2] https://money.cnn.com/2016/03/28/news/companies/fbi-apple-ip...
The situation was not something existed since the beginning of time, it evolved gradually. Long ago not that much and not that many critically private data was circulating the net, it increased and got essential living online by time, in some instances forced in an increasing portion of situations. Worry then had no grounds yet. As exposure of the population grew, so did the benefit for adverse elements breaking online data stores, growing in numbers fast, not all made properly in the headless chase of success. Damage and hence awareness grew gradually.
But basically yes, people are stupid and gave no shit but believed all f nonsense, the marketing frauds made them eating up their crap happy if it had pretty words and pictures, promising something halfway to Paradise. Like the Cloud mirage. Those of careful personality were cautious since the first time Apple and alike pushed on people giving up control over their own data for tiny comfort (or no comfort eventually due to all hostile patterns in the full picture) not putting all and every precious or slightly valuable stuff to some unknown server on the internet protected only by hundreds of years old method: password (so not protected at all essentially). Memories, contacts, schedules, communications, documents, clone of their devices in full, putting all into 'cloud' (much before secure online storage became a thing)? Many times to the very same one? Who are that much idiots, really?!
The problem here is not with iCloud but with the U.K. government. People like to tell themselves the government isn’t actually trampling their rights but events like this make it impossible to ignore.