In an open letter Apple CEO Tim Cook publicly pledged that our privacy is important to Apple. At the same time the company published details on how it currently tries to protect our privacy. Initially I thought this was a very significant first step. Now I am not so sure…

Why could this be significant?

Let me explain why I initially thought this was a significant step too.

The pledge of the CEO of Apple, Tim Cook, reads as follows.

Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.

If a CEO of a company publicly says something like this, then this is a commitment. A commitment to protecting our privacy. A commitment you can call upon, or sue the company for, when it is broken. If Apple wilfully breaks this promise to us, consumers, they pay a very hefty price for this. Both in terms of legal damages (think class action suits) as well as PR damage and brand devaluation because of bad publicity. Also, they will be held accountable by their shareholders.

Secondly, the real threat to our privacy is the business model that sees users of a service as the product they sell to their real customers: the advertising agencies, the profilers, etc. that pay them for the personal data they extract from us. Apple makes clear they are pursuing a different business model. Which makes their claim to protect our privacy much more credible than any technical counter measure could: as Apple controls the whole platform (and especially the endpoints), they can easily subvert any technical countermeasure anybody would design. Whether Apple truly lives by its proclaimed business model can be easily checked by scrutinising all their financial reports: these should not contain earnings derived from the sale of personal data.

Thirdly, I think Apple is one of the few companies that are in the position to really make a significant impact. They have a large installed base of mobile devices. They know how to make systems easy to use. And judging by how they secured some (but certainly not all, see below!) of their applications, they know how to do this without compromising usability. In other words, they know how to make systems both usable and secure. They put the user at the centre. And especially for privacy, this is an important design principle.

What made me become sceptical?

But now I am quite a bit more sceptical. Not for the reason why others are, by the way (that is a topic for a separate blog post…), but in fact for the following reasons.

It started when I discovered that iOS 8 contains a new app, Health, that tracks your activities by default. Which activities it tracks depends on the specific device you have. On my iPhone 5s, it tracks both distance walked and number of steps taken. On other devices it also tracks the number of stairs climbed. What is worse, you cannot switch this off. This kind of default, inescapable logging leaves a very personal track on your device. (For all we know they may similarly log your location for a prolonged period of time. They did three years ago…) Such logs are very valuable for certain people, like law enforcement, health authorities, insurance companies (show me the dashboard of your health app, and we will immediately give you a personal quote on your health insurance!).

Combined with the fact that Apple allows all kinds of privacy invasive apps to be distributed to your phones (the case of Facebook Messenger is a nice case in point), this made me realise that Apple creates a platform that allows others to track and profile you. In fact, in order to sell ‘great products’, they need great apps that everybody wants to use, and that are not too expensive to buy. Nobody would buy an iPhone if every app cost 5 dollars… So in order for their business model to succeed (sell as many ‘great devices’ as possible), they have made a ubiquitous surveillance platform that allows app developers to distribute their apps for free, by treating us as their product. Apple may claim that it itself is not in the profiling business, but it is for sure aiding and abetting others to track and profile us like crazy.

When viewed in that light, Tim Cook’s pledge suddenly sounds quite hollow. In fact, it is a smokescreen that sounds remarkably similar to the age-old excuse of weapon manufacturers claiming that “Guns don’t kill people. People kill people”. Remember: unless tightly controlled, smartphones (the iPhone is most certainly not alone in this) are weapons of mass privacy destruction.

The situation is not limited to iPhones and iPads. Desktop and laptops running OS X Yosemite have their own set of privacy issues. It turns out that Apple’s default settings in OS X Yosemite leave quite a bit to be desired.

For example, the search queries you enter in Safari are forwarded to Apple as you type. This happens even if you configure Safari to use a privacy friendly search engine like DuckDuckGo, and even if you have disabled this (similar) behaviour for Spotlight.

Additionally, Apple stores unsaved documents in your iCloud account by default. Apple does this for all your documents, even those that you store on your local disk only and never intended to sync with the cloud. So if you have some local documents that contain very private notes, like sensitive passwords, or private thoughts: as soon as you start editing them they are synced with iCloud. Because iCloud is not a secure cloud storage system, Apple can in principle access this data, for example when requested to do so by law enforcement. As Apple is a US company, any data from a European citizen is fair game… In other words: if you use the latest Apple OS you just have to assume all your accounts are compromised!

What does Apple need to do to convince me?

All these issues notwithstanding, Apple is in the unique position to change all this. So what does Apple have to do to convince me?

First and foremost, make iCloud a truly secure cloud storage system. Encrypt data on the local device (under a key that never leaves the device) before sending it to iCloud. This does mean that if you lose your device, you also lose access to all your data in the cloud. Think of different, secure ways to create a backup of this key. Allow users to choose which option suits their security and usage needs best. See here for some more details.

Design user friendly yet secure ways to grant others access to documents that you intend to share. Apple has given this some thought in the context of iMessage (allowing you to access your messages from several devices), but this mechanism still relies on centrally hosted infrastructure (the PKI) that needs to be trusted by all users.

The measures described above prevent access to the contents of the document, but do not protect the metadata (like file names, who you shared a file with, or when you accessed or modified the file). Such metadata is highly sensitive too. As a second step, redesign iCloud to also protect this metadata. With these measures in place, iCloud is a secure extension of your device. (And it would be the only mass deployed secure cloud system in the world; I think this would be a unique selling point for Apple devices: finally store and share your data effortlessly and securely.)
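To make the two proposals above concrete, here is an added example (my own illustration, not Apple's code and not a description of how iCloud actually works) of what "encrypt on the device under a key that never leaves it" looks like in practice, extended to the file name so that at least that piece of metadata is hidden from the server as well. The choices of AES-256-GCM, a per-purpose label as associated data, and a randomly generated offline recovery key as the backup mechanism are assumptions of this example; the document and key values are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Blob is all the cloud ever stores for one document: the encrypted file
// name and the encrypted content, each under its own random nonce.
// No key, and no plaintext name, ever travels with it.
type Blob struct {
	NameNonce, NameCT       []byte
	ContentNonce, ContentCT []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key, so AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext under key with a fresh random
// nonce; aad is a label binding the ciphertext to its purpose (name/content).
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// NewKey generates a random 256-bit key: the device key (never uploaded)
// or the recovery key the user keeps offline.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// EncryptDocument runs on the device before upload; the server learns
// neither the file name nor the content.
func EncryptDocument(deviceKey []byte, name string, content []byte) (*Blob, error) {
	nn, nct, err := seal(deviceKey, []byte(name), []byte("name"))
	if err != nil {
		return nil, err
	}
	cn, cct, err := seal(deviceKey, content, []byte("content"))
	if err != nil {
		return nil, err
	}
	return &Blob{NameNonce: nn, NameCT: nct, ContentNonce: cn, ContentCT: cct}, nil
}

// DecryptDocument runs on a device holding the device key; a wrong key or a
// tampered blob fails authentication instead of yielding garbage.
func DecryptDocument(deviceKey []byte, b *Blob) (string, []byte, error) {
	name, err := unseal(deviceKey, b.NameNonce, b.NameCT, []byte("name"))
	if err != nil {
		return "", nil, err
	}
	content, err := unseal(deviceKey, b.ContentNonce, b.ContentCT, []byte("content"))
	if err != nil {
		return "", nil, err
	}
	return string(name), content, nil
}

// WrapDeviceKey is one possible key backup (an assumption of this example):
// the device key is encrypted under an offline recovery key, and only the
// wrapped copy is uploaded. UnwrapDeviceKey restores it on a new device.
func WrapDeviceKey(deviceKey, recoveryKey []byte) (nonce, wrapped []byte, err error) {
	return seal(recoveryKey, deviceKey, []byte("device-key"))
}
func UnwrapDeviceKey(recoveryKey, nonce, wrapped []byte) ([]byte, error) {
	return unseal(recoveryKey, nonce, wrapped, []byte("device-key"))
}

// ContainsPlaintext is the server's-eye check: does anything stored in the
// cloud contain the given bytes? With client-side encryption it must be false.
func ContainsPlaintext(b *Blob, s []byte) bool {
	return bytes.Contains(b.NameCT, s) || bytes.Contains(b.ContentCT, s)
}

func main() {
	deviceKey, _ := NewKey()
	recoveryKey, _ := NewKey()
	// Constructed sample: a local note that was never meant for the cloud.
	blob, _ := EncryptDocument(deviceKey, "private-notes.txt", []byte("bank PIN 4711"))
	fmt.Println("server sees PIN:", ContainsPlaintext(blob, []byte("4711")))
	n, w, _ := WrapDeviceKey(deviceKey, recoveryKey)
	restored, _ := UnwrapDeviceKey(recoveryKey, n, w)
	name, content, err := DecryptDocument(restored, blob)
	fmt.Println(name, string(content), err)
}
```

Two caveats a reviewer would raise: GCM ciphertext is exactly plaintext length plus a 16-byte tag, so the server still learns the length of each file name and document; and nothing here hides who a blob was shared with, or when it was uploaded or fetched. That remaining metadata is precisely the second step the paragraph above asks for.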

Second, Apple should much more tightly control which apps it allows in its App Store. It should no longer help companies like Facebook to access hidden features to allow them to track their users even better. In fact, these features should not be accessible at all! It should have very strict rules for apps on how they treat the personal data of their users, and strictly enforce these rules. These rules should be public, like the privacy policy for the Apple products themselves. Then they become a similar privacy commitment that extends beyond the devices to all the apps they run. Make the rules as easy to understand as possible. With such a uniform set of rules for all apps an iPhone (or iPad) can run, it is very clear how apps infringe our privacy, if at all.

Third, stop logging all kinds of events by default. Stop logging the steps we make, the distance we walk, the places we visit, etc. The default should be off. And the devices should still offer valuable services if people leave this default off. Health may be an app that many people like and find useful. Me, it just gives me the creeps…

Conclusion

Apple has made a commitment to protect our privacy. So far this pledge is quite hollow, and borders on being misleading. However, if Apple gets its act together it is certainly in the position to make a difference (especially because they have put user experience central to their design). Maybe by voicing our concerns, like this post does, we will convince Apple to take the necessary steps.

Apple, will you be the cynical arms trader, or the doctor (truly bound by your Hippocratic oath)?