Is Apple Spying On You? No

Last week, November 12th specifically, there was a global outage of Apple’s back end systems during the release of macOS Big Sur. Besides leaving users unable to download macOS Big Sur, a large number of Mac users reported failures opening third-party apps. This issue also affected iMessage and Apple Pay, which started to behave erratically for a short period of time. The root cause of the issues was apparently, Gatekeeper which is Apple’s anti-malware system. Here’s how it works:

  • You click on an icon to start an app.
  • Your Mac pings Apple to see if it has a valid developer certificate.
  • If it does have a valid developer certificate, the app is allowed to run. If not, you get prompted for further action.

Normally this isn’t a big deal and is transparent to users. But last week it wasn’t. And when researchers began analyzing the data their computers were sending to Apple’s servers, claims that data was being sent to Apple in plain text. This was quickly debunked by Jacopo Jannone. But by then, all sorts of conspiracy theories about Apple spying on you were floating around the Internet.

That’s forced Apple to clarify things in typical Apple fashion. By that I mean that instead of making some sort of public statement, they updated a support document and let the Internet play a game of hide and seek to go find it. Which is typical for that company.

Some key take aways from the document:

  • Apple says that it doesn’t mix data from the process of checking apps for malware with any information about Apple users and doesn’t use the app notarization process to know what apps users are running.
  • Apple also says that Apple IDs and device identification have never been involved with these software security checks.

And it plans to improve this to be more secure. Which as far as I am concerned is a backhanded admission that Apple does do all of this in a manner that isn’t a secure as it could be. And that the process isn’t as resilient as it could be. Specifically:

  • A new encrypted protocol for Developer ID certificate revocation checks
  • Strong protections against server failure
  • A new preference for users to opt out of these security protections

So, here’s the bottom line:

  • Apple doesn’t spy on you.
  • They’ll do better in the future to make sure that Gatekeeper is more secure and more resilient.

Am I reassured? I suppose, but that’s not the real problem. At least not if you work at Apple Park. Privacy is a big deal for Apple as they use it as a cornerstone of their marketing. This whole incident has cast a bit of a negative light on Apple when it comes to privacy. And whatever the actual facts are, people have already taken a side. That’s a problem for Apple as they push to sell as many iPhones, MacBooks and the like this holiday season. I suspect that this is far from over and Apple will have to do something that they don’t like doing, which is to step out into the light and explain this in detail.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: