Apple’s most recent update, Big Sur, makes a feature that logs device activity for offline (and online) applications practically impossible for privacy solutions to bypass.

The monitoring is yet another example of Apple’s privacy-compromising design choices, despite the company’s efforts to present itself as a privacy ally.

VPNs and other firewalls cannot circumvent the feature. Security researchers suggest that users who care about their digital privacy explore other, open-source alternatives.

On Nov. 12, Mac users complained their computers were acting sluggish. This sluggishness coincided with the release of Big Sur, the latest Mac update from Apple.

After the update was released, a technical error disrupted the servers Apple uses for OCSP requests, the packets of data that verify a computer’s SSL certificate when it accesses online applications.

As some users looked closer, it became very clear why the devices failed when the OCSP servers were failing: Every time a user opens an application (even an offline one), that action is being tagged and traced by Apple’s OCSP servers. Apple devices were shutting down because these OCSP requests weren’t reaching Apple servers.

This feature was introduced in Apple’s Catalina update, but certain tools (like Little Snitch) could be used to bypass it. Now, with Big Sur, there’s no practical way for average Mac users to thwart the feature.

Apple has touted itself as pushing privacy as the core of its mission, perhaps most publicly by rebuffing law enforcement demands to unlock one of the San Bernardino, Calif., shooter’s iPhones after the December 2015 attack.

But these new revelations demonstrate some of the inherent flaws in centralized data collection – you have to trust Apple not to share this information (or trust them to not be coerced into revealing it to a government agency).

In this case, though, Apple’s siloing of data through Big Sur may not even be the primary issue, because these OCSP requests are transmitted unencrypted, meaning the contents can be read by any surveilling party that intercepts them.

Paul told CoinDesk in an email he doesn’t think “Apple has ill intent here,” but that its goal is to monitor malware and other illicit software on its devices.

The problem, though, is these OCSP requests are unencrypted and so “vulnerable to passive monitoring.” This leaves the data open to collection and parsing at the hands of “large-scale passive monitoring organizations” such as the U.S.

“This is, of course, terrible practice, and despite being the industry standard, Apple should know better, as they are cryptography experts (who run their own certificate authority and regularly use relatively advanced cryptographic tools like client certificates and cert pinning),” Paul wrote over email.

Telemetry is a diagnostic process by which servers track how a device is used. Paul said the problem with Apple’s system here is that because this data is not encrypted, third parties can read it. Any entity tapping into these lines of communication can see what applications someone is using and when they use them.

“The real privacy risk here is not that Apple might be collecting this data. They’re likely not, as I believe that this is an attempt by Apple to prevent malware from being able to execute on their platform. The problem is that it serves as *inadvertent* telemetry to anyone who’s listening on the wire, which, in the United States, is every major ISP and the national military,” he continued.

These kinds of concerns have led to arguments against centralized servers for contact tracing in the European Union. They’ve also encouraged recent pushes for mixnets, which mix network traffic specifically to avoid passive metadata observation.

Apple’s devices have always been a walled garden of sorts. Applications and software from unverified publishers, for instance, must be manually approved by users. The ostensible aim of such controls is to protect the user, but as Cory Doctorow recently emphasized to CoinDesk over email, these controls can override agency in certain scenarios (for example, when Apple removed thousands of apps from its Chinese app store).
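The OCSP requests discussed above are DER-encoded as specified in RFC 6960, and the part an on-path observer can read from the plaintext HTTP body is the CertID: a hash of the issuer’s name, a hash of the issuer’s key and the serial number of the certificate being checked. The following is an added example, not code from the article or from Apple: it builds a minimal request from constructed sample values and parses it back to show exactly which fields leak; the function names and the sample issuer strings are assumptions made for illustration.

```python
"""Minimal RFC 6960 OCSP request encoder/decoder (DER, no extensions)."""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1, 1.3.14.3.2.26

def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with a definite short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(value: int) -> bytes:
    """DER INTEGER; the extra byte keeps it non-negative when the high bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name: bytes, issuer_key: bytes, serial: int) -> bytes:
    """OCSPRequest { tbsRequest { requestList { Request { CertID } } } }."""
    cert_id = der(0x30, der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))
                  + der(0x04, hashlib.sha1(issuer_name).digest())
                  + der(0x04, hashlib.sha1(issuer_key).digest())
                  + der_int(serial))
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))

def tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low bits give the byte count of the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body: bytes) -> list:
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def parse_ocsp_request(data: bytes) -> dict:
    """CertID fields readable by anyone who sees the plaintext HTTP body.
    Assumes the minimal form: no version, requestorName or extensions."""
    cert_id = tlv(data, 0)[1]
    for _ in range(4):  # descend tbsRequest, requestList, Request, CertID
        cert_id = children(cert_id)[0][1]
    alg, name_hash, key_hash, serial = children(cert_id)
    return {"hash_oid": children(alg[1])[0][1].hex(),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big")}
```

Calling `parse_ocsp_request(build_ocsp_request(b"CN=Example Issuer CA", b"example-issuer-key", 0x1A2B3C))` returns the two issuer hashes and the serial, which is what a passive observer can correlate to the certificate (in the Big Sur case, reportedly the app’s Developer ID signing certificate) rather than to an application name directly.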