Privacy and security are not the same thing, although they are related. Confidentiality is that your data remains yours and is not shared or transmitted without your knowledge. Security is about preventing your computer or device from being compromised, infected or hacked.
Sometimes the two are at odds.
“Macs, by default, send a huge amount of data to Apple,” self-proclaimed security researcher and hacker Jeffrey Paul told me recently. TechFirst Podcast, focusing on a Mac technology called Gatekeeper. “Gatekeeper … uses a system called OCSP which checks each time an application is launched whether or not the application you are launching is malware or is known to be Apple malware. And he does it using the network … but these checks were transmitted unencrypted.
To break it down: Apple created a system called Gatekeeper, which is designed to ensure that only safe software runs on your Mac. It does this by calling Apple fairly regularly with data on the developer of the apps you use. The objective: to check if they are approved, good known developers who have not published spam or malware.
This is security.
Unfortunately, the makers of Gatekeeper used standard Internet protocols when implementing this security feature, and back then that meant sending data unencrypted. Since most developers on Macs only have one app, Paul says, that’s equivalent to sending a rocket with data on the apps you use. Not only was the data sent unencrypted, but Gatekeeper intentionally bypasses VPNs or VPNs, which means you can’t hide your activity even if you work hard enough on it.
It’s privacy – or lack thereof.
It’s hard to say how many users this affects, but it’s probably over 100 million. Apple CEO Tim Cook announced there were more than 100 million active Macs worldwide at the end of 2018. Apple Shipped nearly 18 million Macs in 2019, and likely more than in 2020, as laptop sales rose due to an increase in working from home. All Mac owners running Mac OS X Catalina (released 2019) or later use Gatekeeper whether they know it or not.
Listen to the interview for this story:
The content of the privacy leak isn’t particularly glaring: it’s not your name, passwords, credit cards, biometrics, or anything like that. But it’s a continuous, permanent window into everyday behavior that most Mac users ignore.
And for some, it could be dangerous.
“There is a small percentage of people in our society who absolutely need free speech and absolutely need privacy because they are changing the world,” says Paul. “They’re union organizers or political organizers, or they’re telling the truth to power, or they’re investigative journalists investigating a corrupt government or corrupt military, and things like that require confidentiality.
These people could use applications or services that improve privacy, for example, like the Tor browser. Isolating them, along with their IP addresses (which can produce location data) would be trivial to the NSA or other government organizations. Following them from place to place would reveal patterns of movement.
In the United States, it’s illegal for Apple to keep your government data private if the government asks for it, Paul says. The US government does not exercise this power very frequently: Apple’s transparency report shows that from July to December 2019, the United States requested data from Apple on its customers 5,271 times. There is no data for 2020 yet.
But ultimately the government doesn’t even have to ask.
“Because they were transmitted unencrypted, the military watchdog organizations that monitor all of this traffic going through Internet backbones and ISPs, they’re going to save this forever,” Paul told me. “So Apple could delete all data, Apple could stop recording all data, but the last two years of your model life, what you open, when and where and from what IP addresses, will be saved for still by the NSA. “
Apple quickly responded to Paul’s concerns with both an explanation and policy changes.
“Gatekeeper performs online checks to see if an application contains known malware and if the developer’s signing certificate is revoked,” the company said. “We have never combined the data from these checks with information about Apple users or their devices. We do not use the data from these checks to find out what users are launching or performing on their devices. “
In addition, Apple has promised to launch a new encrypted protocol for developer certification checks and a new preference for customers to opt out of those security protections.
Both are big steps.
Another thing Apple is committed to is strengthening the servers that run Gatekeeper. Gatekeeper’s privacy breach only became evident recently because in November the phone failed. Macs trying to contact Apple servers to see if the downloaded software was clean could not pass. Apple uses OCSP (Online Certificate Status Protocol) to manage communication, and if that failed, Apple computers became slow and unresponsive.
The preference that Apple is committed to developing is a bigger step than it seems. The preference will allow customers to opt out, making them more vulnerable to malware and hacking.
“Apple has spent a tremendous amount of time, effort and resources in keeping their devices – and when I say their devices, your devices that you buy from Apple that have the Apple logo on them – by keeping their devices malware-free.” , says Paul. . “Apple is the leading malware prevention platform. It is also the main censorship platform linked to Apple. “
And this is the ultimate dilemma.
Apple can guarantee that its products are free from tampering and piracy with a high degree of certainty when it monitors software that may run on them. This is the App Store model for iPhone, and it’s partially replicated on the Mac, along with the Mac App Store, and with Gatekeeper, which verifies developer good faith even for non-Mac App Store apps. But it can only do that by exercising some control over the products it sells to its customers which, on one level, impacts customer privacy and, on another level, potentially transforms a device. general purpose computing in a specific tool with a limited number of capacities: a device.
It’s basically the iPhone.
“On iPhones, you can’t erase and reinstall an iPhone without the iPhone talking to Apple… passing a serial number to Apple,” says Paul. “On an iPhone, even software that you have created from scratch cannot work on an iPhone without connecting to Apple over the Internet and getting permission to do so first. Now, this makes this platform practically malware free. It also makes it virtually free from dissent against Apple. “
But now the Mac won’t fully follow that model.
Adopting a preference so that Apple customers can choose not to have their Mac phone at home to check the security of the apps you run is a step towards freedom and openness: keeping the Mac, like a Windows PC, in as long as a platform on which you can run any software you want.
But privacy comes at a cost. And the price, in the end, could be safety.
Obtain a full transcript from the interview with Jeffrey Paul.