Sunday, October 19, 2014

Spotlight Suggestions and Privacy

fix macosx (via Landon Fuller):

If you’ve upgraded to Mac OS X Yosemite (10.10) and you’re using the default settings, each time you start typing in Spotlight (to open an application or search for a file on your computer), your local search terms and location are sent to Apple and third parties (including Microsoft).

Mac OS X has always respected user privacy by default, and Mac OS X Yosemite should too. Since it doesn’t, you can use the code to the left to disable the parts of Mac OS X which are invasive to your privacy.

I think previous versions of Mac OS X did have Safari send partial searches to Google by default. However, Spotlight searches have not previously left your Mac.

Update (2014-10-19): To be clear, you don’t need this script to improve your privacy. The Spotlight Suggestions and Bing Web Searches boxes are readily uncheckable in System Preferences. Rather:

There’s no single “local search only” toggle, and you have to cross-reference the documentation provided in System Preferences against the list of “Search Results” to figure out which of the options actually sends your queries to Apple.

I wanted something simple, that I knew worked, and I could just tell family to run themselves, so I put this together. It’s a convenient way to apply the settings, a jumping-off point for a more involved effort to resolve some of the other remaining privacy issues on Yosemite, and a handy way to get the privacy message across.

Since Apple hasn’t provided a single switch, it makes sense to have a single script that can be kept up-to-date.

Update (2014-10-19): There is also another checkbox called “Include Spotlight Suggestions” in Safari’s preferences.

Update (2014-10-20): Ashkan Soltani and Craig Timberg:

Apple officials said Monday that the data collection is intended only to improve the quality of searches conducted through Spotlight, a standard feature on both Mac computers and Apple’s mobile devices, such as the iPhone and iPad. The user identification number rotates after 15 minutes to a new identifier, they said, and the location and search query information is not used to create profiles of users or to deliver targeted advertising.

[…]

Testing by The Washington Post found that the locations revealed in Spotlight searches can be strikingly precise, placing a user within a particular building in Washington, D.C., even though the disclosure box on Spotlight refers to collecting “your approximate location.”

Update (2014-10-21): John Gruber:

The only thing Apple could do differently is make this another one of the you-have-to-explicitly-opt-in stages when you first upgrade to Yosemite or create an account on a new Mac.

Update (2014-10-22): Rich Mogull:

To manage your session, Apple uses a one-time session ID that lasts for 15 minutes. Neither the session ID nor the search query use your IP address or any other device identifier. Session IDs also aren’t coordinated or correlated, so there is no way for Apple to track historical usage by chaining session IDs together. In short, your query exists within a 15-minute bubble that isn’t tied to you directly. This is different, for example, than Siri, which uses a more persistent device identifier since it requires more context over time (due in large part to the overhead of voice recognition).

Apple:

Information on the three most recently used apps on the device is included as additional search context. To protect the privacy of users, only apps that are in an Apple-maintained whitelist of popular apps and have been accessed within the last three hours are included.

Search feedback sent to Apple provides Apple with: i) timings between user actions such as key-presses and result selections; ii) Spotlight Suggestions result selected, if any; and iii) type of local result selected (e.g., “Bookmark” or “Contact”). Just as with search context, the search feedback is not tied to any individual person or device.

Apple retains Spotlight Suggestions logs with queries, context, and feedback for up to 18 months. Reduced logs including only query, country, language, date (to the hour), and device-type are retained up to two years. IP addresses are not retained with query logs.

In some cases, Spotlight Suggestions may forward queries for common words and phrases to a qualified partner in order to receive and display the partner’s search results. These queries are not stored by the qualified partner and partners do not receive search feedback. Partners also do not receive user IP addresses. Communication with the partner is encrypted via HTTPS.

Update (2014-11-21): Mac OS X 10.10.1 (via Ashkan Soltani):

The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user’s approximate location before a user entered a query. This issue was addressed by removing this information from the initial connection and only sending the user’s approximate location as part of queries.

5 Comments RSS · Twitter


Ric Ford's comment on the Security thread at MacInTouch seems worthy of note to me:

After reading these tips, I found some of the information and settings that default to violating privacy, but it took me some time to actually understand where and what the settings are. You have to look at the individual checkbox items in the main System Preferences > Spotlight > Search Results list of items, identify the specific new items that compromise privacy (which involves scrolling to the bottom of the list, among other things), and uncheck those problematic items. (It's not clear if the setting applies to other user accounts on the computer or not.) Some sample questionable items, enabled by default, include "Bing Web Searches", "Other" (whatever that means), and "Spotlight Suggestions." In addition to all that are other new settings in System Preferences > Security & Privacy > Privacy, which include Location Services, Diagnostics & Usage and more. -Ric Ford

The issue for me is all about the default to send all that info, along with location and tracking ID, without any warning to the user. Plus, making it a challenge to reverse all the defaults.

(And beyond third parties and potential Apple security breaches, of course Apple does run iAd these days.,,)


Moving beyond the 'just go find and reverse all the defaults' issue, here's an interesting ongoing assemblage of stuff Yosemite phones home, even with all privacy options enabled...

(Not 100% certain, but I think this is Landon's work as well.)


Purported screenshot from the Hacker News thread showing Spotlight phoning home even with the phone home options disabled...

And Landon just tweeted:

Even with Little Snitch, it has become almost impossible to pick out "traffic I meant to send" from the noise.

Still very early in the game, and maybe this really is only a matter of 'highly confusing scattered privacy settings that shouldn't be set as default without much clearer user notice', but it's becoming hard not to seriously wonder if something much uglier is going on.



[…] also: Spotlight Suggestions and Privacy and SpamSieve’s documentation on Web […]

Leave a Comment