13/06/2021, last updated 13/06/2021 Robin Oldham ~4 Minutes
Making a Twitter thread from earlier in the week a little easier to digest. There are some interesting new privacy features from Apple at their World Wide Developers Conference this week:
- Mail Privacy
- Private Relay
- Hide My Email
- On-device Siri
- App Privacy Report
I’ve seen lots written on 1-3, less on the latter, plus the potential hidden amongst the announcements.
First up, the solutions here aren’t new tech: Voice Control has been in iPhone for alarms, music, etc for… 7(?) years now. It went off-device with Siri, and good to have back on-device. (Which, by the way, I also assume is a huge cost saving for Apple in bandwidth and compute.) Proxies and mail relays are the ‘boring’ end of tech for many company IT teams and while they are well established for businesses, they are far less common at scale for consumers. (Shout out Opera!)
The separation is neat to talk about though of course you’re trusting the system operator: they have to be able to identify and route stuff back individually to you. People will cry foul over this. And there will be edge cases, but for the majority, this is a Good Thing.
But, of course, not if you’re in China. Or Belarus. Or Egypt. Or others. Again, some are crying foul that these are — rightly — the places where you may benefit most. It jars against Apple’s stance that privacy is a fundamental human right. Though, given the level of coverage, perhaps driving this discourse is the ‘policy feature’ here?
(Back to the economics, I suspect the CPU and RAM saved from Siri processing will be more than used up in Private Relay!)
App Privacy Reports are a good and logical extension of the nutrition labels introduced recently. Giving users info on when/how freq. an app is using the permissions granted gives greater insight. The report also shows domains that the app has connected to. Obviously, the insight is hoped to drive better, more informed, user decisions.
The domains list is great for the tech-savvy, but contrary to the easy, consumer-friendly nature of the previous features that Apple is famous for. Doubleclick[.]com Your Dad probably thinks this happens when you tap to open an app.
It’ll drive tech press reporting and then mainstream discussion though.
The ad tech / data broking / tracking space is a mess. Especially in the U.S. This is a step towards providing user’s greater visibility. But there are huge steps to be made in making it more accessible here.
Security and privacy need to be easy. And the world is getting more complex. (PS: That’s probably the nub of it, the main challenge for infosec and privacy practitioners: Keep. It. Simple. (Stupid.) We are failing at that at the moment. And it’s causing criminals to be able to shut down national healthcare.)
Now, the ‘hidden’ bit of the privacy equation I wanted to talk about is ‘lawful access’…
Apple and other tech cos are growing up. People do get locked out. You can’t keep them out of their whole life. It’s their wallet, their keys and more! You’ve gotta let ‘em back in. Similarly, people do die. From going through old photo albums to just being able to identify and respond to close accounts, it’s all online now.
Apple is introducing Account Recovery and Digital Legacy to cover off these situations (53:16 on the WWDC stream). While designed for consumers, both of these present interesting vectors for law enforcement too.
For example, Australia’s Assistance and Access Act allows tech firms to be served with ‘technical notices’ to develop new capabilities to access encrypted content.
There would undoubtedly be public outcry and brand fallout if it came to light Apple was secretly developing tools to access user’s content.
Are those consequences diminished if that access was via legitimate features and due process?
Account Recovery presumably resets the user’s password and so would be noticed if triggered to gain access. While it may be ‘too late’ the user would be aware.
Digital Legacy though… Well, that sounds like a wholesale way to copy and decrypt an entire user’s iCloud content.
Now, Apple famously faced off against the FBI and has been zealous in its promotion of privacy. (To great net benefit, I believe.) But it’s also a company and subject to local laws and regulations that increasingly collide with the company’s public ideals and values.
As it goes: only two things are certain in life: death and taxes.
In the last week, Apple announced features for one and will be swept up in the G7 15% min tax for the other.
As well as growing up and accepting the inevitable, perhaps Apple has also realised it needs tools to comply with nations where Private Relay is allowed?