Apple has launched a new privacy website to highlight how it handles its users’ privacy as well as government requests for user data.
The website launched with a letter from CEO Tim Cook which – in typical Apple style – is remarkably easy to read, given the often very dry nature of privacy statements.
In his letter, Cook made it clear that Apple views privacy differently to other tech companies – the following comment could apply to several firms including the likes of Facebook and Google.
A few years ago, users of internet services began to realize that when an online service is free, you’re not the customer. You’re the product. But at Apple, we believe a great customer experience shouldn’t come at the expense of your privacy.
Cook explained that Apple looks to make money by offering products to consumers rather than by constructing user profiles based around web browsing habits or the content of personal emails.
We don’t "monetize" the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.
Cook said that even with iAd – Apple’s advertising network – the company applies the same privacy policy, and does not use any user data from Health and HomeKit, Maps, Siri, iMessage, call history, or any iCloud service like Contacts or Mail.
Cook’s message also touched on recent security concerns, such as the nude celebrity photos which were published on the 4chan website. He wrote that the company will continue to improve security and encouraged customers to take advantage of two-step verification to protect both their Apple ID and the data in their iCloud.
(There are still some limitations with Apple’s implementation of two-step verification – see Paul Ducklin’s article from earlier this week.)
Cook’s letter also explained that Apple is unable to bypass a device’s passcode on the new iOS 8, even if it is asked to by law enforcement.
On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.
While that may sound great for privacy-conscious Apple fans, they should be aware that law enforcement could still extract data from the device if it has access to a computer that has previously been used to move data to and from the smartphone. It’s also worth noting that withholding a passcode may be an offence in some jurisdictions.
Cook finished by addressing government surveillance.
I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.
Image of Apple store courtesy of Songquan Deng / Shutterstock.com.
But I want governments to access data carrier servers (e.g. Apple, Google, Vodafone, etc.) if it is for the legitimate reasons of investigating Serious & Organised Crime….believe it or not I don’t want the terrorists, paedophiles, drug dealers to have a digital safe haven….do you?
Yeah… and I believe that once someone is cleared of any crimes on your list LE (regardless of the level… Federal, local) should be required to inform that person(s) that they were, a) suspected of (whatever)… b) what services (Google, Apple, FB) were used to gain private information about them, c) WHY they were a suspect in the first place and d) how long this surveillance took place and what information was accessed.
Encryption does not provide a “safe haven”.
Suppose you have papers that law enforcement is interested in. They cannot legally break into your apartment to get them. They may ask your landlord for a key to avoid an actual “break-in”, but that is still illegal unless they have sufficient evidence to obtain a warrant. If they fail to do this, the evidence is considered “poisoned fruit” and cannot be used in court. This is all part of “due process”, a basic right under the U.S. Constitution.
If law enforcement obtains a warrant, they can compel the landlord to open the apartment. If law enforcement then finds that the papers are written in code, they can compel the suspect to translate the documents. If the suspect refuses, then the suspect can be held in contempt of court and face additional legal charges.
Refusal to provide information to law enforcement unless they have a warrant does not create a safe haven – it follows the law and the requirements of the Bill of Rights. Law enforcement can and should get a warrant for this information.
The advent of digital communication does not change the law, though it complicates the application of the law. Concepts of what is public and what is private become blurred. A debate on a stage is public; no warrant is needed. A letter published in a paper is similarly public. But a quiet conversation at home is private, and a sealed letter sent through the mail is private. To read that letter legally, the government needs a warrant.
It becomes more difficult to determine what is private when a post on Facebook is intentionally limited to a select group – a private conversation – but the technology of the platform uses information in that post to target ads. The lines blur. But intention is important in law, and the choice of using an encrypted storage is clear intention that the information contained therein is intended to be private – and thus a warrant is necessary.
“Do not tempt me! For I would use this thing for good, but through me it would do terrible evil.”
The essential problem with Things of Power is that humans can’t handle power. We always end up using it for evil. Some of us are outright corrupt, most of us mean well but are bad at seeing consequences (including being sloppy). We’re naturally terrible at risk assessment and very biased. Some things could do great good but worse evil. I believe massive government surveillance is one of those things because its effectiveness against the truly evil is questionable, but its ability to undermine trust relationships and free speech is great.
I’m glad Apple saw the monetary value in privacy and decided to be clear. I do think they’ve done a better job on the security of their mobile platform than Google or Microsoft have (though at the cost of less open development, but order and freedom can rarely coexist). What consumers really need is the right to know where their data goes, how it’s used, and exactly how it’s protected. I’d also like to see companies held criminally negligent for identity theft damages resulting from data breaches. Until we have that sort of celerity from all developers, announcements like this are nice but hollow gestures.
I suspect what will happen, in at least some countries, is that they will be required to either add the ability or stop selling their hardware in that country.
And personally, I think the US should be among them. This kind of “feature” has only one purpose: To allow criminals and terrorists safe haven. No law-abiding person has need for such privacy restrictions.
Even the Constitution puts a limit on privacy: “unreasonable”. If the search or seizure is “reasonable”, it is allowed.
I don’t think you get what this debate is all about. Once a back door is put in place all your private data WILL BE EXPOSED. This can be something as simple as your private contact list, or as extreme as your online banking information. The bad guys don’t care about the law.
It’s like having a dead bolt on your front door. There SHOULD be no need for that kind of security, but the bad guys don’t care that entering your home without permission is against the law. So….. we all put locks on our doors to protect ourselves. The same should be true for our digital life. Our phones, our computers, and our internet connections should all be encrypted to keep the bad guys out. If not, what’s next? Will governments make corporate VPNs illegal?