Apple Hypocrisy and Cynicism on Privacy and Everything Else

The recent mess that arrived with the macOS Big Sur upgrade had a lot of people shaking their fists at Apple, and not just for the now standard device bricking and server crashes. The latest version of macOS says a lot about Apple, but it should already have been obvious that at best they are an incredibly cynical organisation. This is not an exhaustive account, but it says a lot about Apple hypocrisy and cynicism on privacy and everything else.

To start, Apple claims that Privacy is a fundamental human right with a couple of large caveats. First, Apple are the arbiters of that privacy, and second they are immune to their own principles and rules. There is also something deeply troubling about a corporation that trades on the idea of human rights for gadget users of the global north while actively lobbying against legislation that would hold companies to account for using Uighur forced labour. And, it is worth noting Apple were caught doing this after they produced their much touted Human Rights Policy. This is not simply cognitive dissonance, it is plainly cynical behaviour. But we should not be surprised, Apple continues to defend their supply chain, but the ideological drive of über production in itself is killing people. Apple has long been accused of worker violations in Chinese factories, but foreign workers don’t seem to matter to the optics the way greenwashing does.

It should be clear Apple are not the benevolent force so many people seem to think they are. But here’s the really concerning thing for me, Apple is such a religious phenomenon that much of its fanbase is so genuinely fanatical that it is impossible to get through the fog. Cue articles defending the benevolent trillionaires, or look at the divide and conquer public relations that praise Apple’s limited concept of sustainability — claiming carbon neutral targets while at the same time building more obsolescence into products, and denying users the right to repair or parts to be recycled. Or for that matter, witness the mental gymnastics performed on Daring Fireball to justify Apple’s systematic pattern of global tax evasion.

If Apple think differently, they think differently to you. Even the privacy pledges don’t hold up. Under the surface, Apple has seized on a competitive advantage that is about monopolising control of its own user base, offering privacy to users in some parts of the world as a marketable feature, while being complicit in widespread surveillance in other parts of the world, and actively participating in Chinese State censorship. Even their method for diverting trackers is about control, as they don’t exactly stop you from being tracked, instead they act as a gatekeeper for tracking — check the campaign by My Privacy is None of Your Business.

This brings me to the recent updates in Apple operating systems, in particular macOS Big Sur. If you weren’t already aware, there has been a lot of consternation about Apple bypassing VPNs. This might be a little misleading, as any decent VPN will still protect you, however Apple has gone to ridiculous lengths to hide their own processes and to ensure firewall apps that control the flow of connections cannot stop system processes from calling home. I think the Register put this best in their headline: Apple’s privacy pledges: We sent dev checks over plain HTTP, logged IP addresses. We bypass firewall apps

There is more to this, of course. Apple will continue to push its status as champions of privacy as long as it provides a competitive advantage, but nobody should be fooled into thinking this is anything more than a marriage of convenience. Between the introduction of macOS Big Sur and their own in-house silicon, Apple is moving towards unprecedented control over its computing platforms. There has been so much hyperbole from the fanbase about the performance of M1 chips, but that is really a byproduct of what is ultimately a land grab. Apple’s motivation for this is control, not security, and certainly not privacy. They have steadily been eating into the landscape that made OS X such a richly extensible platform in the past few years, in the previous release of macOS they blocked access to Spotlight indexes for popular third party search and contact, and they are so well known for pinching apps they like for new system features there is a word for it, sherlocking.

Apple like to tout their innovation chops. But innovation is also gated by Apple as they slowly destroy all independence on the platform by requiring anything that runs on macOS to be approved and notarised by them. This is no doubt another step towards App Store only apps on the Mac, it will happen eventually.

This might seem like a grab bag of gripes, but the wide range of issues mentioned speak to the general cynicism that so many in the bizarro world of the Apple fanbase seem unaware of. Apple’s massive user base could do so much more to hold them to account, instead we have the aberrant contemporary phenomenon of tech company fandom. Large tech companies like Apple are essentially utilities companies these days, think of that when you next see Tim Cook signing his autograph to an unboxed iPhone. We are all in this one way or another, but we would do well to engage in a bit of consciousness raising.

And, while we are on security, Apple’s focus on security starts to look pretty hollow in the face of the recent zero day exploits

Digital Privacy at the Border with 1Password and DEVONthink

For whatever reason, people think of my country as progressive. A recent change to customs law might go some way to challenging that. Customs agents in New Zealand now have the power to demand security information including passwords, PIN numbers or biometric access to digital devices. They call it a ‘digital strip search’. If New Zealand has long been thought of as pioneering, I’m embarrassed to list this among our firsts. Assurances from customs that the threshold for search is high make no difference, the fact remains, the law exists. 1  What follows are some suggestions for apps and services that can help protect your digital privacy at the border.

First, note this is not legal advice, neither am I qualified to offer any. I am also basing this upon New Zealand customs law, which only covers the search of physical devices, and does not compel anybody to provide access to cloud services. 2 To state the obvious, you would do well to know the laws that govern your border crossings, no matter where you travel. For the U.S., you could do worse than familiarise yourself with the recommendations from civil liberties group, the Electronic Frontier Foundation.

Digital Strip Search, an Apt Phrase

Most academics have cause to travel often, and many carry sensitive information with them of one kind or another. My own work might be considered seditious in some parts of the world, 3 and I know plenty of academics and even grad students working under embargo, simply because that is how universities operate. To say nothing of our actual ‘private’ lives; iPhones with photos of family, personal messages, journal entries, medical information and so on. The phrase ‘digital strip search’ is apt, being submitted to such an invasion of privacy would make anyone feel naked. If you would rather not put yourself through such an ordeal, 4 there are steps you can take to protect yourself.

Apps and Services to Manage Digital Privacy

This assumes you are traveling with iOS devices and not a Mac. That is not to say this cannot be done with a Mac, just that the entire process is more involved for Mac users. The principles still apply. If you’re travelling with a laptop, you could do worse than follow the advice of Bruce Schneier. Either way, it is getting to the point where traveling with as little tech as possible is the right way to go, even if it is impractical. And what gear you do travel with should be kept as clean as possible. Time willing, I may come back to the idea of travelling with a Mac.

1Password

 

1Password’s Cloud Vaults provide security and convenience for border crossing

I cannot bang the 1Password drum loud enough. In my experience it is the best password manager available. It actually includes a feature called Travel Mode, designed for this situation. There is a school of thought, however, to suggest it is a nice idea that is a bit misguided in practice. Whether or not you decide to use it, it is a nice option to have.  Although it’s not obvious that travel vaults are missing, that the feature exists is not a secret, so I do understand the argument.

At the same time, if you have a subscription to 1Password, the cloud vaults provide a better option by making it possible to remove the app entirely and download everything at the other end. This way you are not setting a flag that advertises you are ‘hiding’ something.  It does mean holding on to an extra piece of information, as you will need the encryption key, as well as your password to set it all up again. See below for places you might put that.

Secure Private Data with DEVONthink’s Strong Encryption

I have written about using DEVONthink for this purpose. DEVONthink goes beyond being outstanding software for managing data by including strong AES 256 bit encryption. Again, you hold the keys, which means anything you put inside a DEVONthink database can be locked behind first class encryption. DEVONthink can store practically any kind of data or document, making it ideal for this scenario. Syncing is easy to set up with your choice of providers, including iCloud Drive.

DEVONthink’s iOS app can help maintain privacy with its strong encryption and flexible syncing

Among DEVONthink’s strengths is its ability to compartmentalise data in different ways. Whether you do that by group, or you set up a separate database for the documents, it can give you granular control over what you sync and when. It will even let you use multiple cloud services simultaneously as it syncs each database separately.

You can work out for yourself how best to set this up, but my preference would be to set up a special database and download it to my device when I need it. That way I can be deliberate about what data I need, and organise it accordingly. I can also avoid using excess data.

Boxcryptor and Sync.com

If you have no use for DEVONthink, you might consider using encrypted cloud storage. If you’re serious about privacy, using Dropbox or iCloud is not enough. In the past I have happily endorsed Sync.com for approximating the convenience of Dropbox while offering much better security with end-to-end encryption. I still hold that service in high regard, especially now the app has better integration with the iOS Files app. They offer 5Gb of storage for free, which should be plenty for this scenario.

If you prefer the flexibility of sticking with your existing cloud storage service, then take a look at Boxcryptor. It is free to use if you only need to secure one service, but you will need a paid account to encrypt file names so bear that in mind when naming your files.

A Method for Digital Privacy at the Border

Once you have handed over your passcode, or consented to unlock your device with TouchID or FaceID, anything on it is fair game. Many apps provide an extra security layer, but the passcode is all that is needed to change either the finger, or face to get beyond most of them. The safest approach is to have nothing on your device. Set up these apps before you leave, and remove everything from your device. Myself, I would even set up a different iCloud account altogether.

Before you leave

Back everything up, obviously. Now do it again. Don’t rely on iCloud backup alone. Ideally you will have at least a secondary location. I use iMazing for this, and all my backups are included in my Time Machine Off-site clone, and my Backblaze continuous cloud backup. Incidentally, if you use Backblaze you have another means for client-side encrypted storage. You can retrieve anything you need to on demand from your Backblaze locker. The way I figure, that even leaves me room to make the kind of screw ups that come with having attention madness.

If you’re an iOS only user, I would seriously consider investing in some external storage to add a secondary backup. The Sandisk iXpand Drives tend to be the best, not only for the drive quality but they include software to handle the backup.

Once you are backed up, set up a new iCloud account. Note, your devices can be logged into more than one account for different services. For example, you can log into the App Store with one iCloud account, and use a different one for Photos, iCloud Drive and so on.

When you Arrive

This should be obvious. Either download the necessary apps to your alternate iCloud account, or log back into your ordinary account and do the same. This is time consuming and annoying — and it will cost you data — but consider the alternatives. In this part of the world, it now means a choice between being digitally naked or a NZ$5000 on the spot fine for refusing access. Considering how you will maintain your digital privacy at the border is no longer optional.

Photo by Matt Artz on Unsplash

  1. New Zealand customs have form that should make anyone wary
  2. Anyone with eyes can see how stupid this makes the law, so stupid it hurts.
  3. Posting this probably doesn’t aid my cause
  4. And you don’t have a spare $5000 to throw at the problem

How To Change Your Facebook Settings To Opt Out of Platform API Sharing | EFF

With the Facebook scandal casting a shadow on anything even remotely tech related, we’re not short on opinion. What’s surprised me most about the whole situation, is that anyone should be surprised at all. What’s more, I can’t see how the proposed changes will do much. The most expedient thing right now would seem to be sharing information like this from the Electronic Frontier Foundation. Locking your profile down, insofar as it can be locked down. While you definitely should — lock it down — sadly the horse has bolted, and with your data.

Over the weekend, it became clear that Cambridge Analytica, a data analytics company, got access to more than 50 million Facebook users’ data in 2014. The data was overwhelmingly collected, shared, and stored without user consent. The scale of this violation of user privacy reflects how Facebook’s terms of service and API were structured at the time. Make no mistake: this was not a data breach. This was exactly how Facebook’s infrastructure was designed to work.

My point exactly, this is how it was designed to work. Nobody should be the least bit surprised at this situation. If you’re similarly cynical about the efficacy of the plan to address the situation, and at the same time caught in a bind like most people on the question of whether to keep using the service, the minimum requirement is another look over those settings.

You shouldn’t have to do this. You shouldn’t have to wade through complicated privacy settings in order to ensure that the companies with which you’ve entrusted your personal information are making reasonable, legal efforts to protect it. But Facebook has allowed third parties to violate user privacy on an unprecedented scale, and, while legislators and regulators scramble to understand the implications and put limits in place, users are left with the responsibility to make sure their profiles are properly configured.

Not only should you not have to do it, but you shouldn’t expect that settings will routinely change to such a degree that maintaining the level of privacy you desire requires you to check over it every time Facebook rearranges the furniture.

 

Alphabet’s ‘Outline’ Homebrew VPN Software Offers Open-Source, Easy Set-Up Privacy You Control

Alphabet’s ‘Outline’ looks an interesting project. I want to revisit some of the security/privacy recommendations on this site, my own perspective on private VPN companies has shifted since I last wrote about one in particular. I would agree this is not a ‘privacy panacea’, but have every intention of seeing if I can break it.

Jigsaw, the Alphabet-owned Google sibling that serves as a human rights-focused tech incubator, will now offer VPN software that you can easily set up on your own server—or at least, one you set up yourself, and control in the cloud. And unlike older homebrew VPN code, Jigsaw says it’s focused on making the setup and hosting of that server simple enough that even small, less savvy organizations or even individual users can do it in minutes

The Laptop Locator You Probably Didn’t Know About Could Save You | Backblaze

The Laptop Locator You Probably Didn’t Know About Could Save You – Something I haven’t spent enough time on here is the other kind of security, backups. If you’ve never needed anything from a backup you might not fully grok their value, let alone the peace of mind. It only takes one failure. Given the realtime backup capabilities of Backblaze, anything else is a bonus. But as far as bonus features go, you would be hard pressed to find a better one than the Backblaze Locate my Computer feature. This post from their blog highlights a few of the success stories. Where Find my Mac failed, Backblaze was still able to help. 1

While we kept hearing praise and thanks from our customers who were able to recover their data and find their computers, a little while passed before we would hear a story that was as incredible as the ones above. In July of 2016, we received an email from Una who told us one of the most amazing stories of perseverance that we’d ever heard. With the help of Backblaze and a sympathetic constable in Australia, Una tracked her stolen computer’s journey across 6 countries. She got her computer back and we wrote up the whole story: How Una Found Her Stolen Laptop.

Backblaze offers a 15-day free trial, then unlimited backup storage for US$5 per month.

  1. The location map is also encrypted with your private key, so there are no privacy issues either.

A Case Study in Phishing | MacSparky

A Case Study in Phishing | MacSparky — While this is a great example of how sophisticated phishing scams can look on the surface, just beneath the veneer are all the crude signs that scream scam. Perhaps the crudest is how greedy these scammers are, you might think they’d look up the subscription prices before trying to ape them.

The first tool you need in fighting Spam is common sense. YouTube Red does not cost $149.99/month, and a simple search will tell you that. If there is any question, also take a closer look at the details. The sender lists their name as “App Store” but disclosing the actual email address; it’s “noreply11@fillappealform.com”. Does that really sound like an address Apple would send you to confirm a subscription? Also, it lists “Payment Method” as “By Card”, not the usual xxxx-xxxx-1234 you usually see. It also creates this sense of urgency, explaining I’m on a free trial but I will be charged $150 in just two days if I don’t act. While I can see how this email may fool some people, on the barest scrutiny, it starts looking shady.
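The red flags listed in that excerpt can be turned into simple checks. The following is an added example, not code from MacSparky or from this site: the sample message is constructed from the details quoted above, and the brand allow-list, the reference price table and the finding names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message described above (not the real email).
SAMPLE = """\
From: "App Store" <noreply11@fillappealform.com>
To: reader@example.com
Subject: Subscription Confirmation
Content-Type: text/plain; charset=utf-8

You are on a free trial of YouTube Red.
Price: $149.99/month
Payment Method: By Card
Your trial ends in 2 days and you will be charged unless you cancel.
"""

# Assumption: brands a display name may claim, and the domains they really send from.
BRAND_DOMAINS = {"app store": {"apple.com"}, "apple": {"apple.com"}}
# Assumption: reference monthly prices (USD) used to sanity-check quoted amounts.
LIST_PRICES = {"youtube red": 9.99}


def registrable(domain):
    """Last two labels only; production code should use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw):
    """Return the names of the red flags found, in the order they are checked."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    text = body_text(msg)
    findings = []

    # 1. Display name claims a brand, but the address is on an unrelated domain.
    expected = BRAND_DOMAINS.get(name.strip().lower())
    if expected and registrable(addr.rpartition("@")[2]) not in expected:
        findings.append("display-name-mismatch")

    # 2. Quoted monthly price is far above the known list price for the product.
    for product, list_price in LIST_PRICES.items():
        if product in text.lower():
            amounts = re.findall(r"\$(\d+(?:\.\d{2})?)\s*/\s*month", text)
            if any(float(a) > 2 * list_price for a in amounts):
                findings.append("price-anomaly")

    # 3. Receipt names a payment method without the usual masked card digits.
    method = re.search(r"Payment Method:\s*(.+)", text)
    if method and not re.search(r"\d{4}$", method.group(1).strip()):
        findings.append("no-masked-card")

    # 4. Pressure to act: a charge is threatened within a stated number of days/hours.
    deadline = re.search(r"\b(?:in|within)\s+\d+\s+(?:day|hour)s?\b", text, re.I)
    if deadline and re.search(r"\bcharged\b", text, re.I):
        findings.append("urgency")

    return findings


if __name__ == "__main__":
    print(check_message(SAMPLE))
```

None of these checks is conclusive on its own; they are the same "barest scrutiny" applied mechanically, and a message that trips several of them deserves a closer look.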

Do Not, I Repeat, Do Not Download Onavo, Facebook’s Vampiric VPN Service

Old news, yes I know. However if anything bears repeating, this is over qualified. If clarification is needed, the Onavo VPN does not enable any kind of new practice from Facebook. No, it simply makes it dramatically more efficient for Facebook to do what they always do, track everything. What’s particularly nauseating in this instance, is how they’re taking advantage of general misunderstanding around security and privacy. To my mind, this meets the modern definition of a lie. Onavo is spyware.

If you’re someone who can’t live without Facebook or simply can’t find the courage to delete it, the Onavo appears under the “Explore” list just above the “Settings” menu. I’d recommend you never click it. Facebook is already vacuuming up enough of your data without you giving them permission to monitor every website you visit.

Show and Tell – Wednesday, 10 Jan 2018

Anyone wondering when more content might be added to this site, fear not. Like any sane person with a family, I took a little time away from the desk over the past few weeks. Having returned to task this week I have been feverishly working in the background, putting more permanent fixes in place for some of the things I mentioned last month. Dealing with amateur mistakes I made when both setting up this site initially, and migrating it to WordPress. 1 Even if there is still work to be done, by now the site should be much faster for most users, and in subtle ways it should look nicer. If you are having any trouble viewing the site, please drop me a line here

Now that I am able to get back to the writing, I have a lot to share. In the meantime, here is some of the Show and Tell backlog I have been sitting on.

We Know Where You Live

Amazon wants a key to your house. I did it. I regretted it. | The Washington Post — Never has that subtitle been more apt. Another in case you missed it link, but not for the reason you might think. Sometimes I despair. You’d think this was a critical look at the idea of totalising one’s life with a tech shopping company. Alas, it appears more of a thinly disguised lament that using one place to shop doesn’t allow you to get the best prices. If this is your only concern here, I fear you are lost.

Cryptojacking WordPress | WIRED — Ordinarily I’m opposed to neologisms, but sometimes somebody nails it. To be fair, I’m much more opposed to Cryptojackers.

Meltdown and Spectre: What Apple Users Need to Know  — By now this is everywhere, and the patches are arriving. This whole issue is remarkable for how long these vulnerabilities have existed. Whenever you hear that crazy relative of yours telling people not to upgrade their OS, remind them of these vulnerabilities.

What Spectre and Meltdown Mean For WebKit | WebKit — More technical insight into how this all works.

Worst Passwords of 2017: From ‘123456’ to ‘starwars’ | the Independent  — This also did the rounds, but it bears sharing again. I realise how unlikely it is that anyone reading this would engage in such practices, but we all know somebody who needs a little help with this stuff.

Haven: Keep Watch  — This is interesting. I’d like to think we could see it on Apple devices, but that seems incredibly unlikely. In fact, it’s the first development in some time that has me casting an envious eye at the ugly green robot.

Snowden-Backed App ‘Haven’ Turns Your Phone Into a Home Security System | WIRED  — See above

Group Madness

Elon Musk Shows Off the Tesla Roadster He’s Prepping for Space  — I’m a space fan, but sorry this is fucking stupid. If you look closely you will notice a disturbing ideology that says we need to send junk to Mars, because we have too much junk down here. If we want to become a multi-planetary civilisation, it can’t be so we don’t have to sort our shit out on this planet.
To be clear, I want to see people on Mars, I was once a single digit child who wanted a laser sword. But I don’t want us to go there just so we have two planets to fuck up.

Oh, and by the way, Musk wants to Nuke the joint too, I guess he really is serious about getting it ready for humans. The funniest response to this I have seen was this: “Shouldn’t we try to blow up the moon first?”

First Digital Pill Approved to Worries About Biomedical ‘Big Brother’ | New York Times  — It says a lot about this historical moment that such a monumental breakthrough should be legitimately accompanied with this kind of suspicion.

The Attention Economy is the Addiction Economy | Medium — That more people involved in tech are starting to wake up to this is encouraging. If it’s a bit much to suggest articles like this never go far enough, we have to start the conversation one way or another.

Clean Energy Is a Bright Spot Amid a Dark Tech Cloud | WIRED – An actual example of Blockchain being applied to something other than destructive speculation.

Now Look Here

Panic Blog | the Future of Transmit iOS — This has been about the wires the past week or so. In case you missed it, Panic will stop updating Transmit for iOS. The app will keep working for some time, but it won’t be getting any further love unless something changes. This is a shame, but it’s sad to say that by the sounds of things, it won’t affect many people. One imagines — at least one hopes — that the iOS Files app will gradually develop to take over the crucial functionality that pro users might miss. On top of which apps like Workflow and Pythonista can step in.

Remote Control a Mac From an iPhone via Workflow | Six Colors  — This is probably the year we will learn the fate of Workflow. Here’s hoping this kind of inventiveness adds to the case for its continued development and success, in whatever form that may be.

Marxico | Markdown Editor for Evernote — Having written up a guide for how to leave the green elephant behind, I thought I might engage some irony. This is pretty neat actually, if you’re an Evernote user who wants to use Markdown this is an option. As a bonus, some time ago I wrote up instructions for turning web apps into native apps. 2

And Now For Something Completely Different

The Last Jedi Trailer Song in GarageBand iOS | YouTube — I’ve been threatening to write about iOS music apps for some time. The things you can now do on the iPad, even with GarageBand, are incredible.

How BeatMaker Caught the iOS Music Trend Before It Even Started | CDM Create Digital Music — BeatMaker 3 is one of my favourite iOS apps full stop, let alone music apps. Whether you’re into music making on iOS or interested in development, this is an interesting insight into the history of development on the platform.

New App Descript Lets You Edit Audio Like a Word Document – Gearnews.com  – If anyone can explain to me how this works?

The Smallest PaaS Implementation You’ve Ever Seen | Dokku  — This is awesome

Star Wars Episode IV.1.d: The Pentesters Strike Back | CyberPoint International on Vimeo  — Something that brings together two very specific geek spheres. You know who you are.


  1. And all the other amateur mistakes in between. 
  2. So to speak, if you were to split hairs they’re not actually native.

Ad targeters are pulling data from your browser’s password manager | The Verge

This from The Verge. Not for nothing, I urge the use of a password manager, but I have never been an advocate of the built-in version from your browser. Even if this method is new, unfortunately browsers are generally under siege,

The researchers examined two different scripts — AdThink and OnAudience — both of which are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising.
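For anyone auditing the third-party scripts on their own pages, the behaviour described in that excerpt leaves a recognisable trace: a form with credential fields that no visitor can see. The following is an added example, not code from The Verge or the researchers. It scans a serialized DOM snapshot for such forms; the snapshot markup, the form ids and the hiding heuristics are assumptions, and it only sees inline styles and the `hidden` attribute, so stylesheet-driven hiding would need computed styles from a real browser.

```python
import re
from html.parser import HTMLParser

# Constructed DOM snapshot: one visible login form and two invisible ones.
SNAPSHOT = """
<body>
<form id="login" action="/session">
  <input type="email" name="user"><input type="password" name="pw">
</form>
<form id="f2" style="display:none">
  <input type="email" name="email"><input type="password" name="password">
</form>
<div style="position:absolute; left:-9999px">
  <form id="f3"><input type="text" autocomplete="username"></form>
</div>
</body>
"""

VOID = {"input", "br", "img", "hr", "meta", "link", "area", "base",
        "col", "embed", "source", "track", "wbr"}

# Inline-style patterns that make an element invisible to the visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)


def is_credential(attrs):
    """True for inputs a password manager is likely to autofill."""
    kind = attrs.get("type", "text").lower()
    if kind == "hidden":          # type=hidden inputs are not autofilled
        return False
    if kind in ("password", "email"):
        return True
    hint = (attrs.get("autocomplete", "") + " " + attrs.get("name", "")).lower()
    return bool(re.search(r"user|email|login|pass", hint))


class HiddenLoginFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, effectively hidden?) for each open element
        self.form = None    # label of the form currently being parsed
        self.flagged = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        inherited = self.stack[-1][1] if self.stack else False
        hidden = (inherited or "hidden" in a
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        if tag == "form":
            self.form = a.get("id") or a.get("action") or "<anonymous>"
        elif tag == "input" and self.form and hidden and is_credential(a):
            if self.form not in self.flagged:
                self.flagged.append(self.form)
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
        if tag == "form":
            self.form = None


def find_hidden_login_forms(html):
    """Return labels of forms whose credential inputs are not visible."""
    finder = HiddenLoginFinder()
    finder.feed(html)
    finder.close()
    return finder.flagged


if __name__ == "__main__":
    print(find_hidden_login_forms(SNAPSHOT))
```

Because the forms are injected at runtime, the snapshot has to be taken after the page's scripts have run, for example from the browser's developer tools.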

Apple Blows Security | The Mac Observer

I get this is old news, this is more appreciation for the Mac Observer’s rounded coverage. Not much I can add. The security lapses over the past few weeks have been appalling. The Mac Observer is unusual, with so much commentary on Apple offered by fans with an almost religious devotion to the company 1, these guys are a welcome breath of fresh air at times.

This post covers the past few weeks of security blunders at Apple. Mistakes that are all the more serious for how readily we are fleeced by absurd margins to use Apple hardware. I love the tech. The business, not so much. This categorisation seems pretty accurate,

In what could only be described as the worst security blunder in the history of commercial computing, Apple released macOS High Sierra on September 25, 2017. Unknown to users, included in that operating system was that no password was required to gain super user root access. This might be likened to leaving your front door open with a sign that says “Please, please rob me.”

One can only hope they sort out their QA problems.

  1. It can border on disturbing