THIS WEEK'S SPONSOR:

Re:Schedule

A calendar that will change the way you work.

Posts tagged with "Privacy"

Apple Reveals Major Update to Its Privacy Webpage

Privacy and everything it entails is not easy to explain. Under the hood, it’s driven by complex mathematics and code. However, in practice, app privacy starts with how apps are designed. Some are designed to collect information about you, and others aren’t. With Apple’s update to its privacy page today, the company has created a site that explains how privacy drives the design of its apps in clear, concise language. However, for anyone who wants to understand the nitty-gritty details, Apple has also published white papers and linked to other materials that provide a closer look at the issues that the main page addresses.

Apple’s Privacy webpage starts with a declaration of the company’s position on privacy:

Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.

What follows is an app-by-app explanation of how each is designed to give users control over what they share and limit what Apple collects. Safari, Maps, Photos, Messages, Siri, News, Wallet, Health, Sign On with Apple, and the App Store are all covered with playful animations and a short explanation of what they do to protect your privacy.

Additional information about each app, their underlying technologies, plus iCloud, CarPlay, Home, education and children’s privacy, and other features follow under the Features tab. Included among the more detailed materials are white papers that go even deeper on Safari, Location Services, differential privacy, iOS security, and Face ID security. There is also a tech brief on Photos and links to additional materials about Ask Siri, Siri Suggestions, Apple Pay, ResearchKit and CareKit, Apple News, Apple Music, the Apple TV app, Apple Arcade, iCloud, Screen Time, Family Sharing, security in education, Apple’s student privacy pledge, and your data and privacy page. That’s a lot of information, but it’s presented in a thoughtful, compelling way that lets you go deeper if you want without being confusing or difficult to navigate.

The final new tab is called Control. Some of these tips and guides were available before, but the page has been updated with new practical suggestions on how you can make your Apple devices more secure. The page covers passcodes, Touch ID and Face ID, two-factor authentication, Find My, the alerts that explain the information third-party apps request, using your data and privacy page, advertising, analytics, and more. It’s an excellent place for users looking for ways to take command of the security of their devices.

I know that a lot of MacStories readers care strongly about their privacy and the security of their devices, and many are aware of at least some of what’s covered on Apple’s privacy page. However, it’s still worth a visit because privacy and security are part of so much of what Apple does now, that I expect there are at least a few tidbits on this new page that will be new to everyone. It’s also a great page to share with family members and friends who may not be as aware of the privacy issues related to their devices.

Apple Announces Changes to Siri Grading Program

Earlier this month, Apple suspended its Siri grading program, in which third-party contractors listened to small snippets of audio to evaluate Siri’s effectiveness. Today in a press release, Apple explained its Siri grading program and changes the company is making:

We know that customers have been concerned by recent reports of people listening to audio Siri recordings as part of our Siri quality evaluation process — which we call grading. We heard their concerns, immediately suspended human grading of Siri requests and began a thorough review of our practices and policies. We’ve decided to make some changes to Siri as a result.

Apologizing for not living up to the privacy standards customers expect from it, Apple outlined three changes that will be implemented this fall when operating system updates are released:

First, by default, we will no longer retain audio recordings of Siri interactions. We will continue to use computer-generated transcripts to help Siri improve.

Second, users will be able to opt in to help Siri improve by learning from the audio samples of their requests. We hope that many people will choose to help Siri get better, knowing that Apple respects their data and has strong privacy controls in place. Those who choose to participate will be able to opt out at any time.

Third, when customers opt in, only Apple employees will be allowed to listen to audio samples of the Siri interactions. Our team will work to delete any recording which is determined to be an inadvertent trigger of Siri.

This is a sensible plan. It’s clear, concise, and has the benefit if being verifiable once implemented. It’s unfortunate that Siri recordings were being handled this way in the first place, but I appreciate the plain-English response and unambiguous plan for the future.

Sign In with Apple: Goodbye Account Management

I love trying new apps and services. It may be part of my job at MacStories, but even if it weren’t, I would still constantly be on the lookout for interesting, creative products that can benefit either my work or leisure. In recent years it seems like there’s always a fresh stream of apps and services to check out. Often when I try something new, however, I’m immediately confronted with the obstacle of a login screen. At which point there’s a choice to make: do I go through the hassle of creating an account for this service, or – if the option is available – do I simply authenticate via a third party like Google or Facebook? Sadly, neither option is ideal.

Creating a new account for every service you try is a major pain. It’s made easier with the aid of iCloud Keychain and 1Password, but while those tools eliminate lots of friction, they can be a little clunky, and in the end you’re still trusting your data to the (usually unknown) privacy policies of the service you sign up for.

Third-party login buttons solve the convenience problem, mostly. They may require entering your credentials for that third-party service, but at least you don’t have to create and remember new credentials for multiple services. The data privacy issue can be a question mark with these buttons though; when you authenticate through, let’s say Facebook, do you really know exactly what data you’re sharing with the new service? Or how the service will use that data? As consumers continue losing trust in Facebook itself to secure their data, why would they trust a service that taps into their Facebook data?

Sign In with Apple is a modern alternative to the current mess of login methods, offering Apple users a solution that addresses the current options’ shortfalls. It makes account creation and sign-in trivially simple – even more so than buttons from Google or Facebook – while also keeping your data in the hands of a company with a decent privacy track record.

When apps update to adopt Sign In with Apple, I suspect many users’ initial thoughts will be some variation of what immediately popped into my mind after trying it for the first time: “Where has this been all my life?”

Read more

Apple Suspends Program In Which Contractors Listened to Recorded Siri Snippets

Last week, The Guardian reported on Apple’s Siri grading program in which contractors listen to snippets of audio to evaluate the effectiveness of Siri’s response to its trigger phrase. That article quoted extensively from an anonymous contractor who said they and other contractors regularly heard private user information as part of the program.

In response, Apple has announced that it is suspending the Siri grading program worldwide. While suspended, Apple says it will re-evaluate the program and issue a software update that will let users choose whether to allow their audio to be used as part of the program.

In a statement to Matthew Panzarino, the editor-in-chief of TechCrunch, Apple said:

“We are committed to delivering a great Siri experience while protecting user privacy,” Apple said in a statement to TechCrunch. “While we conduct a thorough review, we are suspending Siri grading globally. Additionally, as part of a future software update, users will have the ability to choose to participate in grading.”

In an earlier response to The Guardian, Apple had said that less than 1% of daily Siri requests are sent to humans as part of the grading program. However, that’s not very comforting to users who are left wondering whether snippets of their daily life are part of the audio shared with contractors. Consequently, I’m glad to see that Apple is re-examining its Siri quality-control efforts and has promised to give users a choice of whether they participate.

Apple Disables Walkie-Talkie App Due to Security Vulnerability

Matthew Panzarino, writing for TechCrunch:

Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.

Apple shared an official statement with TechCrunch:

We were just made aware of a vulnerability related to the Walkie-Talkie app on the Apple Watch and have disabled the function as we quickly fix the issue. We apologize to our customers for the inconvenience and will restore the functionality as soon as possible. Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously. We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.

Panzarino rightfully points out the parallels of this issue with the highly-publicized FaceTime bug from earlier this year. The one key difference: whereas with the FaceTime bug, when it was reported by a user, Apple didn’t respond or take action until the problem received widespread media attention; with this Walkie-Talkie bug, Apple followed up on a customer’s report and addressed the issue seemingly before anyone else knew about it. Hopefully this is the sign of improved processes inside the company for handling serious bugs and vulnerabilities.

Permalink

All the Little Details of How ‘Sign In with Apple’ Works

Sarah Perez of TechCrunch has assembled an excellent, in-depth walkthrough answering key questions about how Apple’s upcoming authentication service, Sign In with Apple, will work:

From a security perspective, Apple offers a better option for both users and developers alike compared with other social login systems which, in the past, have been afflicted by massive security and privacy breaches.

Apple’s system also ships with features that benefit iOS app developers — like built-in two-factor authentication support, anti-fraud detection and the ability to offer a one-touch, frictionless means of entry into their app, among other things.
[…]
Despite the advantages to the system, the news left many wondering how the new Sign In with Apple button would work, in practice, at a more detailed level. We’ve tried to answer some of the more burning and common questions.

Perez addresses questions regarding what information a developer receives when a user chooses Sign In with Apple, whether it’s possible to use the authentication service on Android devices, when an app will and won’t be required to use Sign In with Apple, and more.

Despite some controversy regarding how strongly Apple is pushing this new secure login option, if it works as advertised, Sign In with Apple could be one of the upcoming OS features that has the biggest societal impact in the long run.

Permalink

Privacy No Longer a Marketing Angle for Apple, It’s a Service

Darrell Etherington, writing for TechCrunch:

Apple’s truly transforming into a privacy-as-a-service company, which shows in the way that it’s implementing both the new single sign-on account service, as well as its camera and location services updates in iOS 13. The SSO play is especially clever, because it includes a mechanism that will allow developers to still have the relevant info they need to maintain a direct relationship with their users – provided users willingly sign-up to have that relationship, but opting in to either or both name and email sharing.

For years, a major point of debate in tech circles has been the friction between privacy and convenience, particularly as relates to web services offered by companies like Apple and Google. Apple’s privacy-sensitive approach has, in some people’s view, hamstrung it from offering the same level of convenience in its services that’s found in competing services from Google, Amazon, and others who rely on sending your data to the cloud for analyzing.

This year at WWDC, Apple’s new privacy-focused initiatives seem to be striking more of a balance between convenience and security. The company’s new Sign in with Apple feature is a great example: it provides developers a way to contact their users directly, while still protecting those users’ actual email addresses so they can’t be sold to third parties. In my view that’s a brilliant win-win, and the type of innovation I hope we see more of in future products.

You can also follow all of our WWDC coverage through our WWDC 2019 hub, or subscribe to the dedicated WWDC 2019 RSS feed.

Permalink

Apple Illustrates iPhone Privacy with Real-World Analogs

Finding a way to convey the benefits of privacy isn’t easy, which is why I like Apple’s ‘Privacy on iPhone – Private Side’ video so much.

The video, which runs under a minute, opens with images of several ‘No Trespassing,’ ‘Keep Out,’ ‘Beware of Dog,’ and other signs. In a series of quick cuts, the video shows two people who pause an intense conversation when interrupted by a waiter as well as people locking file cabinets, closing blinds, locking doors, shredding documents, and more. Near the end, a woman rolls up the window of a car when she sees someone nearby watching her put on makeup.

As Apple’s description of the YouTube video says:

Your privacy matters. From encrypting your iMessage conversations, or not keeping a history of your routes in Maps, to limiting tracking across sites with Safari. iPhone is designed to protect your information.

Every clip of the video, which adds a bit of levity to an otherwise serious topic, reinforces the closing message that ‘If privacy matters in your life, it should matter to the phone your life is on.’

The video is an effective rebuttal of the ‘I have nothing to hide’ argument against privacy. Even the mundane aspects of day-to-day life aren’t something that you necessarily want to broadcast to the world, which this video is very effective in conveying.

Permalink

Facebook Receives Retribution from Apple for Violation of Enterprise Program Guidelines

Facebook is in the news again, and unsurprisingly it’s not the good kind of publicity.

Yesterday Josh Constine of TechCrunch exposed a “Facebook Research” VPN that Facebook has been using to harvest extensive phone data from users age 13 to 35 in exchange for payment from the company of up to $20/month. The practice was made possible by Facebook’s enterprise developer certificate from Apple, but after the story came to light, Apple swiftly responded by revoking that certificate from Facebook and publicly condemning the company’s misuse of Apple’s Enterprise Developer Program. That action caused the immediate end of the Facebook Research initiative on Apple platforms, but it also has reportedly brought widespread consequences throughout the entirety of Facebook’s company operations. Tom Warren and Jacob Kastrenakes, reporting for The Verge:

Apple has shut down Facebook’s ability to distribute internal iOS apps, from early releases of the Facebook app to basic tools like a lunch menu. A person familiar with the situation tells The Verge that early versions of Facebook, Instagram, Messenger, and other pre-release “dogfood” (beta) apps have stopped working, as have other employee apps, like one for transportation. Facebook is treating this as a critical problem internally, we’re told, as the affected apps simply don’t launch on employees’ phones anymore.
[…]
Revoking a certificate not only stops apps from being distributed on iOS, but it also stops apps from working. And because internal apps by the same organization or developer may be connected to a single certificate, it can lead to immense headaches like the one Facebook now finds itself in where a multitude of internal apps have been shut down.

This is more than a slap on the wrist, but it seems like a fitting response to Facebook’s blatant abuse of the Apple enterprise agreement. My main hope is that it causes Facebook to think twice before implementing any similarly shady initiatives in the future.

Permalink