Sunday, October 26, 2014

Yosemite Uploads Unsaved Documents and Recent Addresses to iCloud

Jeffrey Paul (via Rui Carmo):

Presumably to support Continuity, current document state is no longer only saved locally - those in-progress (not yet explicitly “saved”) documents live in iCloud Drive, so that they can be opened on other devices without ever having to hit “save”. This is useful, however, all of my previous open files have now been synchronized to Apple servers.

[…]

Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers - across all applications, Apple and otherwise.

I don’t think it’s at all obvious that the system would copy the Saved Application State folder to iCloud. Many of the applications don’t even have iOS counterparts. I have not tested this, but I’m guessing you could prevent this by unchecking “Allow Handoff between this Mac and your iCloud devices” in the General tab of System Preferences.

Also:

Check out ~/Library/Containers/com.apple.corerecents.recentsd/Data/Library/SyncedPreferences/recentsd-com.apple.mail.recents.plist. It would appear that iCloud is synchronizing all of the email addresses of people you correspond with, even for non-iCloud accounts, to their recent addresses service. This means that names and email addresses that are not in iCloud contacts, not synchronized to your device, and only available in an IMAP-accessed inbox are now being sent to Apple, silently.

I’m not sure how to turn that off.

Update (2014-10-26): Landon Fuller has a traffic log.

Thinking about this some more, I’m not sure that Paul is correct about the unsaved data being uploaded because of the new Continuity/Handoff feature in Yosemite. I think this is part of the older Documents in the Cloud feature, as mentioned by Dmitry in the comments. It looks like Handoff, as expected, uses a more direct method of transferring the files.

If that’s the case, the preference mentioned above is the wrong one. To turn off auto-uploading of unsaved data, you would need to uncheck the particular application in the iCloud Drive section of the iCloud tab of System Preferences. This would prevent you from using that application’s container (rather than the global iCloud Drive) with iCloud. In other words, I don’t think there’s a way to explicitly upload saved documents without having the system implicitly upload unsaved documents. Pre-Yosemite, there is no application-level control, so you would need to turn off Documents & Data entirely.

Regarding the e-mail address list, I found a disclosure on Mail’s help page:

If you use iCloud Contacts, your Previous Recipients list is available on your other Mac computers (with OS X v10.8 or later) and iOS devices (with iOS 6 or later) that have iCloud Contacts turned on.

So there does not seem to be a way to opt out of storing all your addresses unless you also opt out of syncing your address book with iCloud.
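To see which addresses the recents file named above holds on your own Mac, this added example (not code from the original post or from Apple) walks the plist and lists every e-mail address it finds. The post does not describe the file's internal layout, so the walker assumes nothing about key names; the function names and the sample data are constructed for illustration.

```python
import plistlib
import re
from pathlib import Path

# Path quoted in the post; it only exists on a Mac signed in to iCloud.
RECENTS_PLIST = (Path.home() / "Library/Containers/com.apple.corerecents.recentsd"
                 "/Data/Library/SyncedPreferences"
                 "/recentsd-com.apple.mail.recents.plist")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def iter_strings(node):
    """Yield every text fragment in a parsed plist, whatever its layout."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, bytes):
        # <data> values may wrap another plist or plain text; try both.
        try:
            yield from iter_strings(plistlib.loads(node))
        except Exception:
            yield node.decode("utf-8", errors="ignore")
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(key)
            yield from iter_strings(value)
    elif isinstance(node, (list, tuple)):
        for item in node:
            yield from iter_strings(item)
    # Numbers, dates and booleans carry no addresses and are skipped.


def extract_addresses(plist_bytes):
    """Return the sorted, de-duplicated e-mail addresses found in a plist."""
    root = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    found = set()
    for text in iter_strings(root):
        found.update(match.lower() for match in EMAIL_RE.findall(text))
    return sorted(found)


def constructed_sample():
    """Constructed stand-in; it does not reproduce the real file's schema."""
    inner = plistlib.dumps({"address": "Carol <carol@example.org>"},
                           fmt=plistlib.FMT_BINARY)
    doc = {
        "values": {
            "entry-1": {"value": {"display": "Alice", "addr": "alice@example.com"}},
            "entry-2": {"value": ["bob@example.net", "ALICE@example.com"]},
            "entry-3": {"value": inner},  # nested plist stored as <data>
            "count": 3,
        }
    }
    return plistlib.dumps(doc)


if __name__ == "__main__":
    # Use the real file when present, otherwise fall back to the sample.
    if RECENTS_PLIST.exists():
        data = RECENTS_PLIST.read_bytes()
    else:
        data = constructed_sample()
    for address in extract_addresses(data):
        print(address)
```

Comparing the output with your iCloud contacts shows which correspondents appear in the synced file without being in your address book.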

Update (2014-10-28): It looks like there is a way to save certain documents to iCloud without having new documents automatically auto-saved there. As Philippe notes in the comments, you can use the Lion-era NSDocumentSaveNewDocumentsToCloud hidden preference, which changes the default location for new documents:

defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

In conclusion, I don’t think there’s anything new here with Yosemite. Apple seems to be providing the options that they should, although I would argue that the default behavior should be not to upload user data without asking. I think the main problem is that the OS doesn’t explain what it’s doing and, as a result, few people seem to understand how the iCloud features work and interact. The vast majority of users don’t know that when you click the box to enable iCloud—which you pretty much have to do these days—this is one of the results.

Update (2014-11-06): Some readers coming from Macworld asked for a summary, i.e. which settings give which results. My advice:

  1. If you want every document to be saved (and auto-saved) to iCloud, use the default settings.
  2. If you never want any documents saved to iCloud, turn off iCloud Drive in System Preferences.
  3. If you want to use iCloud Drive, but only for those documents that you specifically choose to save there, enter this command in Terminal:
    defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

36 Comments


It's depressingly comic how far Apple can go to such lengths in engineering privacy in their products only to ruin everything with iCloud. iCloud seems to be managed by the same people who thought it'd be a great idea to upload a U2 album to everyone's iTunes library.


Wow. Just, wow.

So, along with what else we already know, Yosemite essentially comes with a built-in keylogger.


Bryan Pietrzak

I'm not sure what the problem is. Just the other day Gruber was mentioning on twitter that he was surprised that keyboard bindings or something from the keyboard pref pane wasn't synced across his macs.

On the one hand people want the magic of continuity and handoff, but then on the other hand you get complaints like this posting? I'm not sure what to say. You want your cake but you don't want to buy any of the ingredients required to build the cake? Do you want this stuff to work magically? Why wouldn't someone want email addresses they've used on their mac to appear on their own macs and iOS devices? Isn't that exactly what we constantly ask of our devices? I expect the next post to be "stupid apple doesn't know I've emailed my friend on my laptop when I use my phone".

And just look at the linked page....

"Notice that all of my locally-stored, “unsaved” documents open in my text editor have now been uploaded in full to a partner in NSA’s PRISM program."

Give me a break


Apple's KB (not sure if this applies to handoff the same way) http://support.apple.com/kb/TS4372


"I'm not sure what the problem is."

Yosemite essentially has a keylogger built-in by default. No simple, clear disclosure of this is made to the end-user. And opting-out of all elements of the keylogger requires awareness and knowledge beyond 98% of end-users.

Enabling this and the Spotlight features by default without user intervention and without simple, clear disclosure is a huge part of "the problem".

"On the one hand people want the magic of continuity and handoff, but then on the other hand you get complaints like this posting?"

Not quite sure how uploading all unsaved documents, including 3rd party docs that don't take advantage of continuity and handoff, or any part of iCloud for that matter, are part of "the magic of continuity and handoff". That's a huge part of "the problem" too.

Also, if this isn't a big deal, not sure why Apple wouldn't clearly spell out the implications of how this "magic" works to its end-users, so they could make an informed decision for themselves on whether or not to take part in the "magic" as a rational trade-off in exchange for surrendering their privacy of everything they do on their Mac. Instead, we only learn this, after the fact, by intrepid folks inspecting their internet traffic and playing detective. That's a huge part of "the problem" too.

"And just look at the linked page.... "Notice that all of my locally-stored, “unsaved” documents open in my text editor have now been uploaded in full to a partner in NSA’s PRISM program." Give me a break"

Have you bothered to follow along with the reporting of the Snowden docs? Especially the PRISM ones?

Either the NSA has partnered with Apple to have access to iCloud, or the NSA is lying in its own internal docs that most certainly weren't for public consumption. If you think the latter, give me a break.


Bryan Pietrzak

The hyperbole makes it really hard to take anything you say seriously.


@Bryan I’ve updated the post. I’m no longer sure how much of this is related to Handoff/Continuity and how much to the older Documents in the Cloud feature. The original post from Jeffrey Paul made it sound like it was because of Handoff. I found that troubling because (a) Apple had discussed that feature as relating to devices in physical proximity, so I would have assumed that they would exchange information via Bluetooth or the local Wi-Fi network rather than iCloud, and (b) I know that many of the applications that use “Saved Application State” do not have iOS counterparts, so I would not expect them to participate in Handoff at all.

I now believe that this is an older feature, not related to Handoff. And I suspect that it’s not linked to the “Saved Application State” folder at all. I think it may be just the regular iCloud documents feature that’s only enabled for apps that are written to use iCloud. This bothers me less.

However, my confusion does underscore that even more technical Mac users don’t fully understand how all of these pieces fit together. Apple certainly does not disclose it in an obvious way. So there is no opportunity for the customer to make an informed decision. Tim Cook says, “We believe in telling you up front exactly what’s going to happen to your personal information and asking for your permission before you share it with us.” I don’t think that’s what happened here.


"The hyperbole makes it really hard to take anything you say seriously."

Genuinely not aware of any hyperbole I employed.

Yosemite, out-of-the-box, transmits to Apple anything the user types in any document window whose application uses autosave, along with anything the user types in the Spotlight and the Safari search box. (Not to mention non-text for graphics and other such applications. Not to mention anything else that has yet to be tracked down.)

Of course that's essentially a built-in keylogger, I genuinely don't understand what semantics you're employing to find that to be hyperbole, let alone wrong on the facts.

And Apple holds the encryption keys to all of these transmitted keystrokes and other data, not the user.

The PRISM docs show that the government has access to this data with Apple's co-operation. The rules of NSL's and other related gag orders legally prevent Apple from including that detail in their published privacy policy, or in any other public communications. And even if you, for some odd reason, dispute the NSA's internal docs and the subsequent clarifying and supporting Barton Gellman reporting, it doesn't change anything above this paragraph.

Feel free not to take any of this seriously, due to semantic or other reasons, but the facts do seem sound from what we know at this point.


"I think it may be just the regular iCloud documents feature that’s only enabled for apps that are written to use iCloud."

(my bolding)

Curious what makes you think this. If true, it indeed would be somewhat less troubling, though still wouldn't make Yosemite default privacy much less of a cl*sterf*ck.


@Chucky I changed my mind based on reading the discussion of Handoff in Apple’s iOS security guide and also remembering how TextEdit worked with iCloud documents before Yosemite.


@Michael I do tend to trust your judgment. I wonder how Jeffrey Paul came to this conclusion, and whether or not he can support it:

Update, 26 October 2014: This happens for all applications (think iA Writer, Pixelmator, et c) that had saved application state.

As best as I can understand, (and I may well be wrong), this has nothing whatsoever to do with whether or not Handoff or Documents in the Cloud is responsible for transmission, and is merely about whether or not the entire Saved Application State folder is being transmitted in Yosemite by default...


@Chucky I have a large number of apps with “Saved Application State” that do not support iCloud (many are not even from the Mac App Store). I do not see their state anywhere in iCloud, though perhaps I just don’t know where to look. Jeffrey Paul does not say where he found the information. The apps that he mentioned do specifically support iCloud.


Thanks, Michael. Up to Jeffrey Paul, or someone else, to prove the assertion that the cl*sterf*ck extends beyond apps that support iCloud.


I think (!) that you can prevent the “Saved Application State” from being uploaded by the following defaults command (force the destination of ‘save’ to be local rather than iCloud by default):

defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

I have this set since OS X 10.7 (?). In a brief test: created a new Pages document on my Mac but didn’t save it. Then I went to iCloud.com; the document was nowhere to be seen. As soon as I saved the document to iCloud Drive (from Pages on my Mac), it popped up on iCloud.com (and No Idea™ if having the pref set to true - the default - uploads the unsaved document).

The above command moves the iCloud Drive entry in the save dialog to the bottom of the list. Afaict, there is no visible entry anywhere for this.

Apple could probably be a bit more clear about this, particularly in the set-up process (perhaps it is mentioned during the process, but I missed it).

PS I don’t remember where I got that one from, possibly MacOSXHints.


@Philippe Thanks. Indeed, I had blogged about that setting here. It makes sense that it would affect the location for unsaved documents as well as the default save location.


@Chucky The Hacker News commenters seem to agree that this is the old iCloud documents feature.


"The Hacker News commenters seem to agree that this is the old iCloud documents feature."

So the keylogging of unsaved doc windows dates back to 10.7? Or are you just talking about the method used by the 'feature' in 10.10 only? I assume the latter, but am unclear.

If the unsaved doc window behavior really does date back to 10.7, it's both funny and amazing how the Spotlight and Safari search box cl*sterf*ck finally got the infosec community interested enough in this stuff to bring this behavior to light, years after the fact.

-----

"I think (!) that you can prevent the “Saved Application State” from being uploaded..."

Big props to Philippe! Assuming it works, that would allow a user to disable the unsaved doc aspect of the keylogger without fully disabling iCloud, thus being able to use iCloud only for desired documents that the user doesn't mind being insecure to prying eyes.

(I'd suggest Michael update this post, if he feels relatively confident in the solution.)

With that one tackled, it now seems as if a highly informed user can turn off pretty much all the aspects of Yosemite's keylogger functions. (Or, at least the ones so far discovered.) Still a cl*sterf*ck for the 98+% of users who are not highly informed, and/or those who just use the shipped defaults, of course.

I've been highly critical of many of Apple's actions over the past 4 years or so, but I've got to say that the Yosemite keylogger, in league with the shipped defaults and lack of clear disclosure, appalls me significantly more than any of their other appalling actions.


@Chucky My guess is that the method used by 10.10 is the same. So, yes, I think the real story here is that much of the Mac tech community has been in the dark about this since 2011 or so.


[…] TO ADD (10/28): This is a more nuanced discussion of this issue. At this point, it seems clear that there is a lot less […]


"So, yes, I think the real story here is that much of the Mac tech community has been in the dark about this since 2011 or so."

holy jeebus.

A week ago, I speculated that perhaps something much uglier might be going on, but even I didn't expect this.

I wonder if there is a good writer / reputable reporter whose beat falls in the overlap of the Venn diagram of infosec and OS X specialists, cuz there's a helluva story here. In the meantime, all we have is this.


Via the above trackback, Bruce Schneier massively undersells the story.

It really will take someone who is an expert in both infosec and OS X in order to clearly explicate the implications. And that hasn't happened yet.


Bryan Pietrzak

Hyperbole Alert!

I really don't see a single problem here. But I also don't buy your wish of Apple's involvement with "Prism"

You're looking for a boogeyman, so you're going to find one. It's that simple.

This is good enough for me:
https://www.apple.com/apples-commitment-to-customer-privacy/

Likewise I don't buy into your "keylogger" fantasy. Maybe Bruce undersells the story because there isn't in?


John Montgomery

I'm not sure what the uproar is about regarding the Spotlight searchbox. It seems to me that the functionality is explained quite clearly by Apple, or at least in a plain-English way for users. Not the hyperbole that the use of "cl*sterf*ck" implies.


I'm sorry, but this is all completely false.

First, NOTHING gets saved to iCloud without your permission. If you enable iCloud Drive and do not also enable 'Ask to keep changes when closing documents (System Preferences - General),' you are telling your computer to save unsaved documents to the Cloud by default. You can relocate them at ANY time by simply saving your documents elsewhere. You can't fault Apple for trying to make Cloud storage easy.

iCloud does NOT transfer files from local folders on your computer to iCloud Drive automatically. Only files that have been explicitly saved to iCloud Drive will be there. What you're likely seeing are the folders for the other apps on your computer that are now compatible with iCloud Drive (TextEdit, Automator, Script Editor, etc.)

Making the jump from this to Apple installing key loggers on the world's computers is ridiculous. Key loggers are designed to allow perpetrators to spy unknowingly on victims to obtain privileged information. First, Apple isn't looking at the information because they're not in the information business, so why would they? Second, iCloud Data is encrypted and only available to those with proper login credentials. Third, Key Loggers work no matter what application the user is in, whereas the situation at hand is referring to unsaved documents from iCloud Drive compatible apps. Fourth, iCloud is not being forced on consumers, you have a choice not to use it if you don't like it or trust it for whatever reason, even if you still want to use Apple products. It is simply a convenient asset management solution for people with multiple Apple devices. Fifth, Apple has publicly stated NUMEROUS times its commitment to customer privacy and the safeguarding of customer data, and look at their track record. Only the most targeted attacks on celebrity individuals with the weakest of credentials have been successful. The EFF recently rated Apple top honors in its dedication to privacy. If you're REALLY worried about your privacy and data...

Don't use any Google product or service.
Don't use Facebook or Twitter.
Don't use any search engine except (maybe) DuckDuckGo.
Don't shop at Target or Home Depot.
Don't buy insurance on the internet.
Don't give your email address to any merchant.
Don't share your passwords with anybody.
Don't order anything from catalogs.
Don't use magnetic strip credit cards.
Don't access the internet without a VPN.
Don't use the same password for every account you own.
Don't use an easy-to-guess password.
Don't click on links in emails.
Don't use Wi-fi. Ever.

... I could go on, but you (hopefully) get the idea. These are all valid security and privacy DON'Ts that have loads of evidence and case-studies backing their reason for existence. iCloud is a shining beacon of hope compared to the rest of the world on these matters.

I hope this helps clear things up.


@Sean If you want to use iCloud drive at all, and you want to use the standard auto-save feature so that you don’t accidentally lose any work, documents—which you have not explicitly saved—will be uploaded to Apple’s servers as soon as you start typing. The only way out of that is using the hidden NSDocumentSaveNewDocumentsToCloud preference. Yes, Apple is trying to make cloud storage easy. But the fact that some people are upset about the uploads happening proves that they didn’t knowingly give permission.


"I also don't buy your wish of Apple's involvement with "Prism"

Ignorance is Strength!

And you are very strong, Bryan.

(Fascinatingly, Steve-o always refused to become an NSA collaborator, despite the endless government carrots and sticks attempting to force compliance. Apple had to wait until he died to become an NSA collaborator, which they did with unseemly alacrity once his corpse was cold. And FWIW, my actual "wish" is that Apple had continued Steve-o's stance.)

"Likewise I don't buy into your "keylogger" fantasy."

If you don't alter a wide variety of system defaults, the following occurs. Every keystroke you type in every document window (with the exception of apps with zero iCloud integration) gets transmitted to Apple servers. Every keystroke you type in the Spotlight and Safari search boxes gets transmitted to Apple servers. No one with a reputation and knowledge is disputing this. And we'll see if there are further examples yet to be unearthed.

And yes, despite your impressive strength, the NSA has access to these servers and your every keystroke, without the necessity of a warrant, through Apple's well-documented involvement with "Prism". Also, it is well-documented that Apple's privacy policy and public communications are legally prevented from disclosing this, even if Apple wanted to, which I strongly suspect they don't.

In conclusion, if you want to remain so very, very strong, Bryan, I highly suggest you continue to avoid reading the voluminous newspaper reporting on infosec issues in the post-Snowden era. "Scare quotes" around proven issues will only work to maintain your impressive strength if also you make sure to maintain your impressive ignorance.

But I have every confidence you will indeed remain a pillar of strength.


@Michael

"documents—which you have not explicitly saved—will be uploaded to Apple’s servers as soon as you start typing"

Under shipped defaults, even if you have explicitly saved a document, merely starting to type in that document will make it 'dirty', and will thus transmit it to Apple servers, no? Or am I misunderstanding the mechanism here?


@Chucky iCloud Drive is technically not enabled by default because the OS doesn’t know your Apple ID and password. It is possible to avoid entering them, although the OS really encourages you to do so, and lots of stuff will not work until you do. Once you sign in, (e.g. to sync your contacts) I think iCloud Drive does get enabled unless you uncheck it.

My understanding is that if you’ve explicitly saved a document locally, the auto-saving also remains local. If you explicitly save it to iCloud, everything you type gets auto-saved to iCloud.


"My understanding is that if you’ve explicitly saved a document locally, the auto-saving also remains local. If you explicitly save it to iCloud, everything you type gets auto-saved to iCloud."

I learn something new every day!

The keylogger is less omnipresent than I thought.

"iCloud Drive is technically not enabled by default because the OS doesn’t know your Apple ID and password. It is possible to avoid entering them, although the OS really encourages you to do so, and lots of stuff will not work until you do."

Noted. Though your caveats, as you seem quite aware, make it relatively meaningless in practice for someone who isn't inclined to mess with shipped defaults in the first place.


Bryan Pietrzak

http://tidbits.com/article/15182

And can something be a keylogger when it's a feature you turn on and want?

Something tells me that Chucky doesn't really know what a keylogger is.


[…] Reason for this: Yosemite Uploads Unsaved Documents and Recent Addresses to iCloud […]


[…] Tsai, a long-time Mac developer, looked into it, and it’s not new to Yosemite; Tsai offers advice on disabling this feature. (Paul’s […]




The Macworld write-up strikes a decent balance on the issue.


[…] the first criticisms of Apple’s conduct, which were rather harsh, softened in the following hours when the […]


[…] could be a serious problem, but it’s better than nothing. In my case, it showed a bunch of unsaved documents that I had […]
