Apple’s CEO Tim Cook has recently been touting the company’s new privacy policy. In a letter to customers, he said that while the company collected user data, that was not the basis of their business model. In an obvious swipe at Google, he claimed:
Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.
More importantly, he went on to write:
I want to be absolutely clear that we have never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will.
In fact, Apple now claims the company is making it impossible for them to turn over data from most iPhones and iPads to police even with a warrant. They claim to have reworked encryption for iOS8 so that they no longer have the keys and thus cannot help authorities. In other words, only users have the passcodes to their accounts (which means if they forget them, they’re in real trouble).
But is this truly as radical a statement as it seems? Observers note that it comes immediately after the launch of their newest iPhones and the iWatch and shortly after the infamous celebrity selfie hack on iCloud. They blamed the success of that exploit on old-fashioned phishing, where the hackers were able to guess or steal user names, passwords and security questions.
No doubt the new stance, along with the announced security improvements, will help sell the iPhone 6 and 6 Plus. And Tim Cook certainly appeared sincere on Charlie Rose. But observers point out that the company will still have the ability – and the legal responsibility if called upon – to turn over user data stored in the iCloud servers, including email, photos, etc.
Moreover, security expert Jonathan Zdziarski says that there are plenty of ways the police can still take data from locked iPhones, with or without Apple’s help. One method requires a turned-on phone and a trusted computer – a situation that millions of travelers might find themselves at an airport terminal, for instance.
Plus, Apple’s repeated claims (such as above) that they have never built in backdoors or allowed government access to their servers was flatly contradicted by one of Edward Snowden’s first revelations – that Apple joined the NSA’s PRISM program two years ago.
It has also been noted that Apple’s warrant canary has disappeared from the company’s regularly issued transparency report. This is a notice that indicates that Apple’s data has not been subpoenaed under a certain provision of the Patriot Act. Its sudden absence is a circuitous way to indicate that it had been served which it would be legally prohibited from saying. However, due to the ambiguity surrounding the entire issue, it is impossible to ever be really sure.
Whether this gesture by Apple is sincere or not, they are after all but a single provider. For anyone’s data to be truly secure, other providers, starting with the phone companies, Facebook, Twitter, other applications, and ISPs would all have to take equally-if-not-more robust steps.
But the amount of deception, the smoke and mirrors, surrounding the entire issue is too great. It’s absurd that companies can at best perhaps signal that they haven‘t been actively co-opted into surveillance on their customers. Meanwhile, since other companies, including Facebook and Google, absolutely depend on monitoring user choices, it’s probably wisest not to rely on any official assurances from either government or providers
As security expert Bruce Schneier – and a certain famous show back in the 90s – have said, “Trust No One“.