Archive 8 min read

Apple WWDC Privacy Update

At Apple's Worldwide Developer Conference (WWDC), Apple made several announcements that focus on user privacy. In this episode, we'll explore these features and what impact they may have on you.

Apple WWDC Privacy Update

Watch this episode on YouTube.

Reasonably Accurate 馃馃 Transcript

Morning everybody. How you doing today? In this episode of the show, we're gonna recap some of Apple's latest privacy announcements. So this week in California, Apple has pulled in thousands of developers for its annual worldwide developer conference over the course of a few days, developers get to talk to Apple software engineers and platform engineers directly as they give out a series of talks to explain how the software development kits and various features within the operating systems work.

And as part of this conference, they always have an opening keynote and that happened yesterday. We had a host of Apple leaders on stage talking about the upcoming new versions of Mac Os of I OS of TV, Os of Watch Os and the new ipad Os, which is basically an ipad only fork or subset of I Os.

So we get all these cool features to hear about what's coming out in the fall. And developers get to start playing with these features now. So that by the time when we get the new Os on our devices, there are apps ready to go to leverage these features and time and time again, Apple hits on a key message around privacy and that's what I wanted to recap for you today.

See, Apple's model is very different than Facebook's or Google's uh or even something like Twitter or any of the other social networks or big media giants. Um Apple makes money selling devices and they firmly seem to believe in their privacy message, which is fantastic. But let's be cynical for a minute.

Even if they don't, this is how they make money, they make money by selling us more devices and selling us I ma selling us everything they can, which is great because their model is not around selling our data. Um And they're reinforcing that time and time again. In fact, here's Craig Federer talking about that very thing as part of the Apple keynote.

So you can see from that short clip that on the slide, they've called out a number of features they've built in to the devices and into the software in order to respect privacy. One of the key things is is that data is processed locally for machine learning models and anything that is sent to the cloud is sent to your icloud account, um which has limited access and limited um has a significant set of restrictions around it, um which is something that's going to be more and more critical to understand moving forward.

But Craig goes on further to talk about um specifically around location privacy. Let's see what he has to say about that. This is a great announcement. Uh The switching to allowing apps to use your location just once is critical. We've all had those apps where you're like, yeah, I just want to do this this once.

Um similarly in mobile Safari, when you're maybe looking for a store and it's like, well, we want to use your current location and it won't let you type in uh a postal code or an address. Um uh Doing a one time grant is really, really critical.

Also sealing off that poll around pinging Wi Fi networks and pinging Bluetooth networks. And then comparing that to a back end database that is a really important move towards privacy. It's great to see these kind of initiatives for Apple, but they went even one step further, at least in the keynote.

I'm sure they went several steps further as we'll find out over the next few days when they talk more about the changes up coming to safari. But here's an interesting new announcement. Now that's absolutely huge. We've all seen the proliferation of all these sign up accounts that hey, sign in with your Google account, sign in with your Twitter account, sign in with your Facebook account.

And theoretically we have some controls in those instances. When you're signing up with Facebook, you can actually go in and say don't grant these permissions, but nine times out of 10 or probably 99 times out of 100 those apps then fail and won't allow you to actually create an account because you didn't give them all the information they requested.

Now, the documentation is available for sign in with Apple and there's a lot of requirements on the developer side to implement some pretty strong anti tracking and privacy protections. And that's a really positive thing. It goes even further though. And this is a really, really clever uh addition to the feature um but not for the reason they stay on stage.

So this concept of a random address that forwards to your unique address, it's really, really interesting because what it does is it reduces the blast radius of you signing up for new accounts. Because every time you sign up for a new account using this method, app will actually generate a brand new unique random private id to forward to your account.

So for every app that you sign up using this method, you're going to get a unique email address. Now, that's been a long time hold. Now people have worked around this and done it themselves. But that's been a gap because while you're supposed to use a different password for every site, you're always using the same email, this will help you reduce that even further that potential risk.

But there is a flip side risk on your part because when you get that email in your inbox, you're going to have to reply as that email and hide your initial um a real address, just something to look out for. Now. The good news here is that most apps uh send you out information to uh from a no reply address.

So you have to take steps to contact them anyway. You just need to make sure they use the same shadow address here. But this is a fantastic way to protect your privacy. It's another step forward. This is a great theme in the keynote is that every chance they had, they kind of hit.

Hey, we're doing steps, we're taking steps, we're making um developers take steps to protect your privacy. And that's a really, really positive thing. Now I mentioned before how Apple has a tendency to push for on device processing. This is part of the reason why Siri is not nearly as good as OK, Google or Alexa is because all the processing and the modeling is done on the devices.

So when they trade new models and they, they have to push updates down to the devices via system updates in order to get better Siri understanding. Now, the funny thing is, is in my experience, Siri is actually really good at understanding me. It's the back end searches that really suck.

You see this most commonly in Apple Music. If you ask for a specific album by a specific artist, Siri types it out correctly, but then it won't actually find the thing that it knows you're looking for. So there's definitely some gaps here and there is a lack of quality compared to some competitors, but that the trade off for privacy because on device processing means that everything stays here and at worst is pushed up to my icloud account, which is actually encrypted with my credentials as well.

And Apple has severe restrictions around how they can access that account. But here's a new feature they've announced that follows this model and you can see from the illustration and the keynote why this is so important now that reinforces that theme again of on device processing and backing it up into your icloud account, which is locked down this again, great moves for privacy.

But it highlights how critical it is to understand the access to your icloud account and to keep icloud secure. So using two factor authentication, using a strong password or pass phrase, that's absolutely critical moving forward because all your apple data is being backed up into that account.

Now, there was one last announcement that caught my eye and a bunch of people reached out to ask if this one actually goes against what they've announced around privacy. This is around the new Find, my feature. They've merged, find my friends and find my device was called Find my iphone.

But I found all your devices into one app and they simply called it. Find my, here's what Craig has to say about that. So it's not that amazing that it's an end to end encrypted and anonymous that's the only way you could reasonably build this feature. So interestingly enough, find my has always been available for mobile devices, right?

So this is constantly pinging back when it's online to Apple to say, hey, this is where the device is located and I can go into my icloud account and access it. Now, if you've ever traded in your iphone or sent it for recycling one of the steps they always ask you to do is to turn off my phone.

And the reason being is because you have to be authenticated on the device to actually disable that because otherwise it wouldn't work as a security feature as planned, right, if anybody could turn it off. But the downside is, is that it's either off or it's on.

There's no in between. Now with the new version, you're going to have your devices, even if they're not connected to Wi Fi or not connected to the cellular network, they're going to be pinging out using Bluetooth beacons. Now Bluetooth beacons is a whole another episode. But the interesting thing here is that uh it's going to be end to end encrypted and anonymous, which basically means they are going to be using Apple devices uh as a internet basically, right?

This is uh end to end encrypted means that you're not going to have any risk from uh identification um as your Mac pings, uh nearby phones or nearby ipads to send it back to icloud um that's a really solid design pattern. Now, there is some ex exposure risk because your system is going to be constantly sending out a ping and a beacon.

And even though it's encrypted and anonymous, that pattern might actually have some operational security concerns, but not for 99.99% of the population. This is a great way to close a loophole, especially for Macbooks, um, where they weren't actually opting in uh or they weren't actually reporting back because they had to be connected to Wi Fi.

So this covers it. If somebody steals your Macbook, if it's anywhere near an iphone, which pretty much it always will be, um it's going to be able to ping back and still report its location, but without betraying any of your privacy and it's a really clever design to look forward to more details.

But on the surface, this looks like a really smart move. So overall, there was a lot of great announcements around privacy and on device processing and really uh that privacy by design um built in now, like I said, there are some sacrifices. Apple is a massive company so they can take the hit of Siri not being quite as good as uh other um competing things like Alexa and OK, Google.

And also the fact that they have uh their custom A six, their custom A 10 and A 11 chips um all over the place. So they're in an ipod or they're in the home pod. Sorry, they're now in the new ipod. Uh they're in your iphones, they're in your ipads.

They've got a ton of processing power locally to be able to pull this off. But the advantage from a private perspective is that your data is always staying on your device. And if it's not on your device, it's sent to your own icloud account not to a back end massive service for mining.

And your icloud account is actually restricted to your, your access and law enforcement upon a legal or judicial request. So I will link to the icloud security paper that I believe um Apple has around. I think it's a dedicated icloud one, but it might be part of their biggest security services.

I'll put that in the comments down below, but that was a highlight of some of the great announcements uh from Apple. Yes, I really like their, their stuff. But because of this privacy first approach, I'm willing to take some sacrifice and functionality to gain that privacy.

What about you? What do you think? Let me know, hit me up online um at Mark NC A in the comments down below. And as always by email me at Mark N dot C A, hope you're set up for a fantastic day and we'll see you on the next episode of the show.

Read next

Apple Let's Loose
Apple

Apple Let's Loose

Apple just held its latest product launch/event online. This iPad-centered event launched three new products: Each of these are