Archive for May 7, 2018

Monday, May 7, 2018

Requesting Your Personal Data From Apple

Jefferson Graham (Hacker News):

I use an iPhone, iPad and two Mac computers, and Apple also offers data downloads in the privacy section of its website. It’s hard to find, and once you do make the connection, you can expect a hefty wait to get the results.

[…]

It took eight days for my data to arrive from Apple, from a European office that is handling the privacy requests. After making the request, the iPhone maker first asked for my street address, phone number, the serial number of the iPhone, and other personal information before releasing it. This compares to Google and Facebook’s data dump. They asked no questions, and the results arrived swiftly—Facebook within minutes, and Google within hours.

[…]

On the Safari browser on my Macs, my browsing history goes back to July 2017, but Apple says it doesn’t track that information.

That’s curious because Safari sends your full browsing history to iCloud, and the only way to opt out is to turn off all the Safari-related iCloud features.

Previously: Keeping Your Safari Data Private.

Update (2018-05-08): Tom Hagopian:

Isn’t the reason your Safari browsing history isn’t included because Apple doesn’t track it? Would the data dump also include, e.g., my typing shortcuts, also synced by iCloud? Mail signatures/smart mailboxes?

He may well be right, but I don’t understand the distinction. In reading about GDPR, it seems to matter what data you are storing, much more than what you are doing with it, and clearly Apple is storing a lot in iCloud.

My Data Request:

Hundreds of companies store & process information about you. In many cases, you’re entitled to this data, as well as information on how it’s being used & shared. We read these companies’ privacy policies to figure out how you can get this data about you.

Update (2018-05-16): Zack Whittaker (via Tom Hagopian):

Apple says that any data information it collects on you is yours to have if you want it, but as of yet, it doesn’t turn over your content which is largely stored on your slew of Apple devices. That’s set to change later this year when the tech giant will allow customers to download their data archives, largely to comply with new European data protection and privacy rules.

[…]

iCloudLogs.xlsx keeps a note on every time one of your devices downloads data from iCloud, including your photo library, contacts, and Safari browsing history -- but doesn’t contain the actual data.

Update (2018-06-02): Tim Hardwick:

Apple has launched a new Data & Privacy website that includes an option for Apple users to download all the data associated with their Apple ID account that the company keeps on its servers.

Olivier Roux:

I just downloaded my whole Apple Privacy Data stuff and in there there IS a json file named SafariBrowsingHistory.json so you can download your Safari history, it is included in the «Other data» category (and then in a zip file named «Apple Features Using iCloud») 1/2

Steve Sande:

For users in any other countries, the site currently offers two choices: Correct your data or Delete your account. Apple will make the other data and privacy services available to all customers within a few months, but it is possible to request a copy of your data at the present time.

Update (2018-06-12): See also: Kirk McElhearn.

What Do Security Updates Actually Fix?

Howard Oakley:

Apple claimed that all the 12,621 files installed in that security update were required to fix a memory corruption bug in Crash Reporter, and to address a spoofing issue in the handling of URLs in text messages (which Apple associated with “LinkPresentation”). Those were and remain the only fixes which Apple has listed as being included in that security update. Only last year, a typical security update of that size was accompanied by notes on 50 or more bugs which were fixed.

[…]

Apple is also in the habit of updating its security release notes after the release of that update. In some circumstances, where details of the vulnerability haven’t yet been released, and with contentious issues such as Meltdown and Spectre, this appears reasonable. But in several recent cases, Apple has later added details of fixes which appear simply to have been omitted from the original release notes. Unless you are in the habit of frequently re-reading release notes at Apple’s security updates listings, this means that you are likely to miss such delayed information.

[…]

Sarah did the right thing, and reported the bug to Apple, only to learn that she was not the first to do so. But Apple has still not revealed when the partial fix occurred, nor acknowledged that it delivered a complete fix in 10.13.4.

Previously: High Sierra Stored APFS Volume Passwords in Log Files.

Microsoft App Store Lowers Fees

Microsoft (via Nicole Lee):

Starting later this year, consumer applications (not including games) sold in Microsoft Store will deliver to developers 95% of the revenue earned from the purchase of your application or any in-app products in your application, when a customer uses a deep link to get to and purchase your application. When Microsoft delivers you a customer through any other method, such as in a collection on Microsoft Store or any other owned Microsoft properties, and purchases your application, you will receive 85% of the revenue earned from the purchase of your application or any in-app products in your application.

Previously: That 30% App Store Tax.

Update (2018-05-08): Ryan Jones:

6 months ago, I would have guessed Apple would continually drop the App Store’s 30% fee.

Now? No way- milking “services revenue” is their post iPhone story. See iCloud storage & Apple Music pushiness.

30% is SO high. So high. Anything above 15% feels crazy tbh.

Damien Petrilli:

30% and you have to pay for search ads in hope to be discovered...

Swift LispKit

Swift LispKit:

LispKit is a framework for building Lisp-based extension and scripting languages for macOS applications. LispKit is fully written in the programming language Swift. LispKit implements a core language based on the R7RS (small) Scheme standard. It is extensible, allowing the inclusion of new native libraries written in Swift, of new libraries written in Scheme, as well as custom modifications of the core environment consisting of a compiler, a virtual machine as well as the core libraries.

[…]

From an architectural perspective, LispKit consists of:

  1. a compiler translating LispKit expressions into bytecode, and
  2. a virtual machine for interpreting the generated bytecode. The virtual machine is stack-based, handles tail calls and continuations, and provides a garbage collector.

Details can be found in the LispKit Wiki.

Ray Ozzie’s Encryption Backdoor

Bruce Schneier:

I have no idea why anyone is talking as if this were anything new. Several cryptographers have already explained why this key escrow scheme is no better than any other key escrow scheme. The short answer is (1) we won’t be able to secure that database of backdoor keys, (2) we don’t know how to build the secure coprocessor the scheme requires, and (3) it solves none of the policy problems around the whole system. This is the typical mistake non-cryptographers make when they approach this problem: they think that the hard part is the cryptography to create the backdoor. That’s actually the easy part. The hard part is ensuring that it’s only used by the good guys, and there’s nothing in Ozzie’s proposal that addresses any of that.

Previously: Microsoft Leaks Its Golden Key, Why Are We Fighting the Crypto Wars Again?, FBI Asks Apple for Secure Golden Key.

iCloud Drive Breaks the macOS Command Line

Howard Oakley:

Apple’s current engineering solution breaks consistency of file names and paths. When a file has been evicted from local storage, and only exists in full in iCloud storage, the local stub file uses the previous name prefixed with a stop/period, and gains the extension of .icloud. When that file is downloaded to local storage – something which can be triggered by all sorts of events – the leading stop/period and the extension are stripped.

[…]

Many commands and scripts can safely ignore files which the user has placed in their iCloud Drive. But the moment that a user enables Desktop & Document Folders to be stored in iCloud, with Optimize Mac Storage enabled, file names in ~/Documents are affected, and commands and scripts will fail when run on one of the most important and active directories on most macOS systems.

[…]

Apple’s own most robust tool for locating files, the Finder alias, is broken by iCloud.

[…]

Inevitably, all hard and symbolic links made to evicted files are also broken by their eviction.

Faced with the problems posed by iCloud, a lot of commands, shell scripts and other scripting becomes inordinately complex, and in some cases impossible. Apple needs to continue to evolve the iCloud interface, making it consistent with the fundamental needs of commands and shell scripts. If it doesn’t, but continues to converge with iOS, it will undermine macOS itself.

Update (2018-05-10): See also: MacInTouch.
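
The stub naming described in the quoted post (an evicted file keeps its name but gains a leading period and a `.icloud` extension), handled in a script, as an added example that is not from the original post or from Apple. The function names are hypothetical, and the helpers only inspect names on disk; they do not trigger a download.

```shell
# Added example. Convention assumed from the quoted text: an evicted
# "name.ext" is replaced by a stub ".name.ext.icloud" in the same directory.

# icloud_stub_for PATH: print the stub path PATH would have if evicted.
icloud_stub_for() {
    dir=$(dirname -- "$1")
    base=$(basename -- "$1")
    printf '%s/.%s.icloud\n' "$dir" "$base"
}

# icloud_original_for STUB: print the original path for a stub, or return 1
# if the name does not follow the ".name.icloud" pattern.
icloud_original_for() {
    dir=$(dirname -- "$1")
    base=$(basename -- "$1")
    case $base in
        .?*.icloud) ;;          # leading period, non-empty name, .icloud
        *) return 1 ;;
    esac
    base=${base#.}              # strip the leading period
    base=${base%.icloud}        # strip the extension
    printf '%s/%s\n' "$dir" "$base"
}

# icloud_state PATH: print "local", "evicted" or "missing".
icloud_state() {
    if [ -e "$1" ]; then
        echo local
    elif [ -e "$(icloud_stub_for "$1")" ]; then
        echo evicted
    else
        echo missing
    fi
}

# list_logical DIR: print "name<TAB>state" for every file as the user sees it,
# so a script does not silently skip hidden stubs.
list_logical() {
    for f in "$1"/* "$1"/.*.icloud; do
        [ -e "$f" ] || continue          # unmatched glob stays literal
        if orig=$(icloud_original_for "$f"); then
            printf '%s\tevicted\n' "$(basename -- "$orig")"
        else
            printf '%s\tlocal\n' "$(basename -- "$f")"
        fi
    done
}
```

A script that must read file contents should treat `evicted` as a distinct state from `missing`, since a plain `[ -e "$path" ]` test reports both the same way.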