Sophos Cloud Optix
Apple has just brought a whole new dimension to the issue of opt in versus opt out.
These days, a lot of the internet is “opt out”, meaning that when companies such as software vendors, web sites and social network services introduce a fantastic new feature (one that’s to their advantage for you to use), they turn it on by default.
After all, the feature is so good that you’ll be at a disadvantage if you miss out, so you’ll be delighted – grateful, even – to have it activated automatically, for free, right now.
If you aren’t one of the happy majority, that’s no problem: just opt out at your leisure.
Typically, that means clicking through one or more levels of menus, dialogs and options until you find the place to turn the feature off (or, in some back-to-front cases, find where to turn on a feature to inhibit it).
Here at Naked Security, we generally prefer “opt in,” where nothing happens until you decide it should.
Being allowed to opt in has many advantages: it removes surprise; it isn’t presumptuous; it encourages involved and informed choice; and it just seems like the right and respectful thing to do.
After all, if my fantastic new features are, indeed, fantastic, then you’ll willingly rush to the tick-box that turns them on.
And if there’s one technology company that can attract a willing rush of early adopters to tick its product boxes, it’s Apple.
So with Apple having announced the iPhone 6/6+, the Apple Watch, and its tap-to-pay service Apple Pay during its Apple Live 2014 event, the smart money is on lots of people opting in, with their own after-tax income, as each of these products becomes available.
→ I’m reserving judgement on the Apple Watch, or WATCH as the logo puts it. Retro is cool, and sometimes even surprisingly practical – like buying a bicycle made out of high-tensile steel instead of carbon fibre – but anything that resembles an early 1970s digital watch is, in my book, merely chunkily clunky. But I digress.
Of course, Apple also announced on Apple Day that it was releasing U2’s latest album on iTunes.
For free.
Strictly speaking, you can’t actually buy the album yet: it’s on iTunes only.
That nevertheless makes it the biggest album release in history, apparently.
In fact, it may well be the biggest selling album already, by some measures of “selling,” because it seems its availability on iTunes is not opt-in.
Apple has already published it to everyone who uses iTunes: it’s not so much “free” as “compulsory.”
To be fair, the actual music files for the songs aren’t fetched to your device, unless you have the non-default Automatic Downloads option turned on.
But you automatically own the album, although the songs may show up with cloud icons to denote that you haven’t actually listened to them yet.
In other words, the album is on your device, even if the songs are there in name only.
So you don’t so much choose it as have it chosen for you.
I can’t put my finger on it, but from a security and privacy point of view, that just doesn’t seem quite right, especially for an album called Songs of Innocence.
Somehow, it doesn’t feel like a very innocent way of selling the biggest album release in history.
And it’s a funny sort of “free”, where instead of being free to choose, you’re not free not to choose, something that the mathematician in me finds unsatisfactorily non-equivalent.
What do you think?
Not sure you are fully correct. I have iTunes on a home computer and one at work; I don’t use their cloud service, so maybe you need to be on the mother cloud but I don’t see the new U2 on either of these computers.
The screenshots used in the article support what others here are saying: the album somehow magically got “purchased” and appeared all by itself, under “U”.
Actually you do have it and you DO have an iCloud account and the only option not to have it is to “hide it in the iCloud”. I was quite upset about it myself as I pointed out in Mr Ducklin’s article last week “Apple Pay – just how safe is it going to be?”.
Completely agree. Outside of IOS updates, Apple shouldn’t be in the business of pushing extraneous apps and/or music to your device. Also, what if the end user incurs additional carrier fees due to this push? Not everyone has an unlimited data plan. And I doubt that Apple has insight into someone’s Verizon data usage to check if they are still under their data usage GB limit. Will Apple reimburse people that get charged extra data fees due to this push? Doubtful.
I also completely agree that from a security and privacy standpoint, pushing music to your device without your agreement or knowledge is suspicious at best. At a bare minimum, it should be an opt-in option to allow Apple to push music to your device. Even for critical IOS updates, Apple will ask you “do you wish to install this update now?” So by that standard, the U2 album is more important than a critical update: it’s a *mandatory* update.
I’m an Apple fan but this was simply a bad business decision – pure and simple.
I agree. Too much of this sort of thing is being forced upon the public. Thank to you for sharing this article to make us aware.
Actually, Apple doesn’t even push iOS updates or security updates to your device without prior consent. The U2 album appears to be the first time Apple has pushed content to customer’s accounts that wasn’t previously requested via policy setting or manual request.
I think the important thing here isn’t whether the album was mandatory or opt-in though; the important thing is that Apple has changed your purchase record manually, both showing it has the capability to modify such values, and that it is willing to do so without user input.
That record shouldn’t have been modified until after an iTunes notification similar to the one you get for iOS updates went out — but I presume their contract with U2 required them to mark the album as “purchased” by all users.
Interestingly, this means that my family has “purchased” the album multiple times, despite the fact that we listen to our music from one iTunes library.
Yes; as someone involved in Apple-related security, this leaves a bad taste in my mouth (despite having “purchased” the album before it was pushed to my account).
I thought you were joking but sure enough, I went to iTunes and lo! I have ‘purchased’ this album. Dear Apple, bugger off! What a cheap, transparent way to give yourselves a number 1 album, not to mention intrusive, presumptuous and arrogant. Why don’t you spend your time improving icloud security instead of this meretricious garbage?
Is there some way to not have this in my itunes? I’m meticulous about my music organization and having an album in the library I don’t want is super annoying.
You can’t remove it from your “purchases” record, but you can just delete it from your library, and when it asks, check the box to delete it from iCloud too, and throw the files in the trash/recycle bin. Then it only shows up in your Purchased list, without cluttering up your actual file listings.
I didnt even get the Album,I GOT a BOOKLETT
Ever heard the old adage “theres no such thing as a free lunch”
Hey, it’s a gift so stop the rediculous fussing. If you don’t want it just don’t download it. OK? My goodness all these desperate, angst-inspiring First World problems.
Today it’s the next U2 album. Tomorrow it’s a piece of propaganda on your Kindle. The next day it’s an app so Big Brother can watch you.
Actually, I see the next step as you getting “free” samples of various digital offerings based on what you like, based on consumption patterns various media group’s algorithms have calculated. Then the conspiracy theorist side of me sees an excellent movie opportunity where someone is framed as a terrorist because of purchases registered against their digital devices that they had never even seen.
Ask the folks at Troy about a free gift…oh I forgot you can’t!
I can’t say I totally agree. But then again, I have a few confessions to make: First, I AM a U2 fan; second, I only own an Ipod touch which I don’t use very often, in the sense that I don’t regularly use the Itunes store in order to download content, apps etc. I do however have an Itunes account. When the news of U2’s album release came about, I enthusiastically opened my Itunes desktop application to get it downloaded. For starters I had to log onto my itunes store account; once logged on, I found no mention of u2’s album release on the “front page” as I had expected; not even a search for “u2” in the Itunes store search field led me to a link where I could download the new album from. I had to access the itunes link in the online article where I first read the “happy news” in order to finally be offered the chance to download the album. When I clicked the “download” button, I was asked to update my billing info because the credit card associated with my itunes store account had recently expired… All that, just to download a free album in my Itunes library…Unlike many – I’m sure – I WISH I had the album “imposed” on me, or as you mentioned in your article ” [already] published [..]to everyone who uses iTunes” . As long as the album was not forcibly downloaded on anyone’s device, I do not consider it a breach of security.
I suspect that if you had waited, you’d have found yourself “imposed upon” in due course…certainly the screenshots in the article itself were taken on an iPhone where the album just simply showed up.
in due course? wasn’t this supposed to be available to everyone at the same time? at least rectify the information in your article about “everyone who uses itunes” ,since – as I have mentioned – if you use the Itunes desktop application, the album is not imposed on you in any way. As for the “security breach threat” I wish that for once security bulletins would condemn apps/toolbars/files signed by the likes of ClientConnect (former Conduit), that really DO impose themselves, even when opting out, while installing some freeware or other…once you compare the two, having the U2 album available for download doesn’t even come close to the notion of breaching security.
We do write about toolbars, foistware and other such issues here on Naked Security (and discuss them in the Chet Chat podcast), and I think our position on them is clear.
Some examples over the years:
http://nakedsecurity.sophos.com/2011/12/06/popular-security-tool-nmap-at-the-middle-of-a-security-brouhaha/
http://nakedsecurity.sophos.com/2013/01/23/oracle-please-stop-sneakily-foisting-third-party-toolbars-on-us-with-your-java-updates/
We’ve reminded you how to get the “foistware free” version of Adobe Flash when update time comes:
http://nakedsecurity.sophos.com/2014/05/14/patch-tuesday-wrap-up-may-2014-adobe-and-microsoft-both-patch-multiple-remotable-holes/
And here’s a piece from earlier this year, going into some detail about misleading ads, dodgy downloads and the Conduit toolbar:
http://nakedsecurity.sophos.com/2014/02/05/misleading-advertisements-lead-to-hijacked-browser-settings/
Apple’s pushiness may be pallid in comparison, but then Apple, by market capitalisation, has spent time at the very, very top: the biggest, most valuable company in the whole world.
And there are those who do say, “With power comes responsibility.”
C’mon, Paul, what they did was give you access in the cloud. They didn’t force you to download it or listen to it.
What would you have said if Amazon had offered a free download for a limited time??
So if we sign you up to the Naked Security mailing list without asking, or add ourselves into your RSS feed list unilaterally, that’ll be OK, will it? We’ll only send you summaries of our articles that you can “access in the cloud.” You won’t be forced to read anything 🙂
If we push the installation software for our free Virus Removal Tool onto your Windows desktop because you’re a Naked Security reader (and therefore will obviously appreciate our free gift), will that be OK because it’s not the *actual* software, it’s just an installer?
I get the part about it being a “free offer,” but it sure manages to smell like a compulsory purchase at the same time…
That would obviously be a security breach if you did not give them your email address or permission to use your email address to send unsolicited emails. Apple can access your iTunes account because they own the service. Its all in that EULA nobody reads, so in essence, you do agree to it. If I’m subscribed to a cloud based service and they give me free cloud based content with the option to download it, I am not going to complain, because that would be absurd, if I didn’t want it, I wouldn’t download it.
I sort of agree. But I sort of don’t 🙂 At least, this seems to cross the “we downloaded it for you without asking” line, even if the actual audio bitstream of each song isn’t pushed to your device by default. You as good as bought the album and synched it into your music library…only you didn’t. Apple did. Feels like a step too far. As others have commented here, “What next?”
wait! is it ok for them to leave random messages ,like placing downloads /until user proceeds” Now who is the user? what downloads? and IS it ok to make Random USER NAMES that I NEVER USED ,so as to put both home tele and cell on the dang blasted device?do you think this is apple? and he also had a second apple support guy come onto the situation on screen share and phone call/chat tell me to open terminal and sign into var folder/files’ gave me things to type, WHY Would anyone ask me to do this I am a backwards novice,wouldn’t have a clue?!
I realy need help,and it seems apple is either screwing with me’ or I am really in deep with a bad situation? or a NOT SO funny Joker’
The first time I saw the album in my iTunes Library, I went in full panic mode. The day or two before I added a couple of tracks and notice that in album view (with the CD covers) was perfect even so the last row was perfectly fill with no empty spaces. Therefore when I open my iTunes library I imminently noticed that things were off (easy when you now have a row with just one album). I was able to quickly find the U2 album. This is where I started panicking. Since I never got into U2, I knew it wasn’t something I purchased. Immediately started checking my purchase history, thinking my account was hacked. Since Apple didn’t listed the album, I spent a minute or two more poking around and found out what Apple did. This saved me from an embarrassing e-mail to Apple, changing passwords, and whatever else would have ran through my mind at the time. What would have been better of Apple would have been a popup altering users to the “gift” so they do not panic they been hacked. It probably would save them from answering a large volume of e-mails on this same issue. On a side note, I’ve stopped watching the Apple Keynotes podcast and just wait for the various news sources I follow to summarize the key points. Their Keynotes have been getting too long recently.
That’s just annoying. Maybe next time, it’ll be a Justin Bieber album for free, and we won’t notice until it gets shuffled in. Apple, if I want the album, I’ll ask for it!
I suspect people will raise up an even bigger stink if it’s Justin Bieber’s album. Gol durn it.
Apple is God; you don’t have to choose God, he chose you. He chose you and since he chose you, you hereby own everything he wanted to share with you. This time, God decided to share his music with you, and you have no other choice but to carry it with you, just like the old prayer beads.
I saw there was an iTunes update available last night – is this what it was? Finally got iTune behaving the way I want it to, so I didn’t download it! Glad I didn’t now!
I don’t think this was visible as an iTunes update. The screenshots you see above were from an iPhone where the album “just turned up.”
What a lot of just, Apple have made it available to all their customers. You are not obliged to download or listen to it, you can delete it from your feed if you wish to OS what/where is the problem here? I like Naked Security, but really? Is this worthy of an item. I don’t believe it is as there is choice here. Mind a lot of folk don’t seem to know how to work their account to find it and are getting aerated about that as if it is Apples fault. I give up!
I think the aeration is not that people don’t know how to work their account to find it, it’s that (whether they know how to work their account or not) they’re finding it anyway, stashed there without a by-your-leave under “U” 🙂
As for whether this issue is “worthy of an item” on Naked Security…
…well, hey, you aren’t obliged to download it or read it, so what/where is the problem here? (Sorry, bit of a cheeky comment but I couldn’t resist.)
I never thought I would ever leave a comment! Firstly I am a very senior citizen, had an old windows XP which I naturally retired at the appropriate time, and now am just using my iPad.
For the last couple of years I have been following Naked Security daily and wish to thank you so much for your work……also listen to all Chet Chat, etc and have learnt heaps., But back to the reason for this comment.!!
Yes I checked and found that an entire album has been downloaded on this device!!!! I feel upset that this is sitting there. What can I do to get rid of this?
This feels very intrusive to my life……..also would it be best to turn off automatic downloads?………I know it’s too late for this but maybe something else could appear!
Once again Thankyou for all the help I have received from Naked Security.
Well, the album appears all by itself, at least in what you might call “skeleton” form as you see above, with or without Automatic Downloads. With Automatic Downloads the songs are pre-fetched too, if I understand this correctly, so you can play them offline. By default, without Automatic Downloads, the album is there, but you would have to be online if you went to listen to it for the first time.
So turning off Automatic Downloads would stop your device using your mobile bandwidth to fetch content you don’t want or didn’t expect. (Apparently 72MB in this case, which would be 48 minutes of album at 200kbit/sec – sounds about right.) But it wouldn’t stop you “owning” the album and having it inamongst your music collection without having been asked,
Madness often give away free tracks, however they send out some newfeed to say it’s available for free, then you add an email address to say you want it. You get an email to say you want it and click to verify it’s a legitimate email address which then gives you a link to get the track free.
It may seem a more convoluted way to get it, but I have the option every step of the way to back out of I don’t want something.
I’ll get thumbs down not being an Apple/U2 fan but I think Paul’s idea looks right. It appears to be more Apple wanting the number 1 album on iTunes than people wanting it free. It comes across more like someone shoving dog mess through my letter box and saying “It’s OK you don’t have to smell it if you don’t want to”. It comes over very arrogant and highly presumptuous. Adobe are as annoying with Flash updates keep pushing Google Chrome. I know it exists and if I wanted it ever I’d have gotten it by now. I don’t need the tick box filled in by default presumptuously. Of course it can be unticked but it’s the natural assumption they have you want this stuff that’s annoying They want you to have it as it suits THEM, not the customer.
Rumour is Apple paid U2 one million bucks stage this stunt.
This was the straw that broke the camels back for me.
I have had an iPhone 2,3,4,4S & 5 but ever so slowly as Apple started enforcing these and similar features and not providing an Opt-Out, no more rotten apples for me.
I bought my brothers Galaxy S4 off of him and setup CM11 enabled the privacy options and transferred my music collection. Should have done this years ago!
The problem is Apple seem to have such brand power over their customers that arrogance is creeping into their marketing.
Still, as others have pointed out, at least is wasn’t Justin Beiber.
This to me is an unacceptable misuse of peoples’ systems for Apple’s own agrandissment.
It’s as bad as the latest ploy from HP who have apparently released a printer that realises it’s getting low on inks so orders it automatically for you without any user intervention! What gives them the right to spend my money without my specific authority every time? ANd what makes them think I want HP ink rather than some perfectly adequate, but cheaper, alternative? It’s all down to arrogance. Both HP and Apple are guilty of that and we can all think of other software suppliers who are equally arrogant.
Glad I don’t have an iTunes account any longer and I don’t use an HP printer, so for me they are not a problem. I can see how others would have problems though. One of the courses run by FutureLearn in the UK uses iTunes as a means of communication between students and the lecturers, byt the U2 track would be totally irrelevant and contrary to why they signed up in the first place.
Not good Apple. Not good HP.
The real problem is there are some people who think this is an abuse and other people don’t. I also think those of us who do have a problem with this are losing because when 2 out of 10 or 8 of 10 people agree with Apple agree with this sort of thing then Apple and others will always point to that and have an argument for continuing to do it.
In sort of related news, Apple has discontinued the iPod Classic. Some of us who likes iPods but have refued iTunes from the start will rely on these devices and third-party apps to manage them. Makes me sad to see the Classic go.
Just download an older version of iTunes to run locally.
Just got off the phone with Apple Corporate Customer Complaints.
As a life-long Apple user, I shared with them that I’ve found they have become increasingly Big Brother-ish over the past 5 years or so.
Forcing people to sync iPhones via the cloud was rather disturbing when Mavericks was released last year.
The U2 album is yet another example of their increasing tendency toward creepiness and taking away customer choice. Very disempowering.
They have a complete blind-spot with regards to boundary violations. Because Apple thinks something is “cool,” then their users must also consider it cool…or something. Perhaps it’s about control.
Maybe their new corporate tag line should be:
“Apple Knows Best”
Having used Apples since 1986 (and been a fan-boy), I’ve started to seriously consider switching to a PC.
Apple, allow us to “think differently” from you. Give us choice. Stop taking it away.
I don’t think it was right. Any more than I would think it right if someone put some free food in my refrigerator. (Or made it “free to download” by putting it on my counter.)
I don’t want to see the U2 album on my device, either downloaded or “clouded.”
Not to mention that the 8 phones under my control are work phones.
Oh dear, something is wrong. I’ve been paying money for iTunes music and videos for years (a select few) but no “free” U2 album. No where. Not in my “purchased’ folder or my music folder. Hmmmm. Does that mean I haven’t bought enough in the past 6 months to qualify for the freebies. I have automatic downloads – music – checked. I don’t buy Apple clouds. We have had enough locally this summer. Could that be it? You don’t get anything for free unless you buy Apple clouds when they come drifting overhead of the iMac to hydrate the Apples and make them grow.
So it is like your going over a toll bridge and someone, (Apple) has already paid your toll.
Doesn’t mean you have to drive over the bridge, but it is paid for, if you choose to. Someone has given you a free coupon, paid for in advance, with no strings attached and you think it is diabolical.
Again jealously prevails. Jealous because you could never be as cool as the cool guy, so he must be a bad person. Dishonest people don’t trust others, because they expect others to be like themselves. There are a lot of crooks out there, especially companies trying to take credit for everything, deny responsibility for anything, and trick their clients into compromising situations that benefit no one but the company itself. Take a look at Facebook, or Google
The essence of cool, vs. the “merely chunkily clunky, you definitely digress.”
Correction to your analogy.
It’s more like Apple broke into your car during the night and left a toll booth pass on your center console.
As I said elsewhere, I’m reminded of Banksy’s letter re: advertising: “They have re-arranged the world to put themselves in front of you.”
Not sure if anyone has seen this, but Apple now says that you can delete the CD via this link.
https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/offerOptOut
This would indeed be disturbing if the album had actually been forced on all Apple customers, but it seems to be a function of the settings people have on their devices (possibly including iTunes Match, which I don’t use because it DOES make modifications to your music library without your explicit consent — read the fine print). I had to actively go to the iTunes store and select the U2 album before it appeared in my iTunes library on either my computer or any of my devices. I understand that some people are annoyed by getting an album they didn’t want, but I would have expected Sophos to understand the importance of choosing your device settings (such as push) carefully and to have provided a more nuanced response.
We couldn’t find any way by which we could have avoided getting the darn thing. It just turned up. We had Automatic Downloads off so, as you can see from the screenshots, the songs come up with a little cloud icon, but, still…not really “opt in,” is it?
So we couldn’t come up with a “more nuanced response,” I’m afraid. Indeed, for a majority of users, it seems the album turned up *because Apple automatically added it to their purchased albums*. Even if you hide the album, you still own it. Doesn’t that make you wonder, “Hey! What am I going to ‘buy’ next without knowing it?”
The fact that Apple has had to provide a special “Album Removal Tool” web page rather suggests to me that there *is* no nuance, and that is was, loosely speaking, forced on everyone (or at least many, if not most users) as a sort of compulsory purchase.
I’m sure you can see why having 100s of millions of people in the position of automatically “owning” the album, rather than just receiving an offer to own it if they like, makes a big commercial different for Apple, iTunes and U2. This isn’t a free album. It’s big business – as Bono himself said of the stunt, “We got paid. I don’t believe in free music.”)
http://nakedsecurity.sophos.com/2014/09/16/apple-relents-lets-you-depurchase-that-u2-album-you-never-bought-in-the-first-place%e2%80%8f/
Yes, I can see that it would be annoying for those on whom it was forced, but it is factually incorrect to state that the song was “published it to everyone who uses iTunes” as was done in the original article. It was apparently forced on many people, perhaps even on a majority, but not on “everyone” (as some of the other people commenting above also confirm). I did not take screenshots of my music library before I actively downloaded the album, but I do have proof that I actively downloaded it (an e-mail from Apple confirming that “Your Apple ID…was just used to download Songs of Innocence by U2 from the iTunes Store on a computer or device that had not previously been associated with that Apple ID”). So some combination of settings seems to require an active download, and for such people the album is a free opt-in, which I don’t find problematic.
I do see your point that it is not pleasant having something you did not choose pushed to your device, and if that really happened for the most commonly used settings, it is indeed problematic. But it might be interesting to see whether you can find out from Apple which settings prevent an automatic download.
Interestingly, all (I think all, if not almost all 🙂 of the people who are saying they didn’t “just find it” actually seem to have wanted it and thus went looking, and opted in to getting it. But for all we know, they might have got it later on if they’d done nothing at all.
At Naked Security, we didn’t look for it, and assumed we weren’t going to get it because it didn’t turn up at first – for about two days, IIRC. In fact, we too were starting to wonder what the fuss was about. So we assumed that you wouldn’t see *anything* if you didn’t have Automatic Downloads on, and were about to write this off as a non-story, when…
…hey, will you look at that! Click on “U”! There it is! If there is a setting that would have prevented that happening…well, it’s less than non-obvious 😉
It’s not so much that it was “not pleasant” as that…well, we as good as bought something we didn’t order, if you know what I mean. Which isn’t a big deal in this case, but it sure feels like a bit like a shrink-wrap contract agreement taken to extremes. (Like those hotel minibars where you take a bottle out of the fridge so you can see what it is – beer? not today, thanks – and put it back, only to find that you’ve bought it anyway.)
Y’know, in the current regulatory climate, if someone deposits even a modest amount of money in my bank account without telling me, I could end up with a lot of explaining to do. I’m supposed to be able to account for my income and my possessions. This isn’t quite the same thing, but it’s not too far away, either…