Thank you for sharing this, and I appreciate good, high quality information about privacy but please don’t spread misleading information about one of the few companies that provides easily accessible private tools for the not-so-tech-savvy, as well as the busy.
Apple applies E2E encryption for almost all iCloud data with Advanced Data Protection, applies something similar to Tor for web browsing, kills tracking pixels in your mail, uses differential privacy to avoid identifying you, and so much more.
No, macOS does not send Apple a hash of your apps each time you run them.
You should be aware that macOS might transmit some opaque3 information about the developer certificate of the apps you run. This information is sent out in clear text on your network.
You shouldn’t probably block ocsp.apple.com with Little Snitch or in your hosts file.
what is misleading exactly?
the part where every app you open gets sent to apple along with third parties along with your IP?
because I’m pretty sure that’s all 100% true, and I think its been true for over 5 years…
you’re just suggesting that because they do one thing well they do everything well, which is a fallacy.
Also, any proprietary program that does “E2EE” is misleading you by omitting the part where they could totally steal anyones keys at any time with the push of a button, if they haven’t already. it is completely laughable to suggest any proprietary E2EE program is secure!
so who is spreading the missinfo again?
EDIT: I found the pedantic mistake that they claim makes this “highly misleading”: gatekeeper doesnt send the “application hash” it sends the “applications certificate id”
Bravo in finding this detail, but it doesnt change anything!
Apple was sending (1) what apps youre opening (2) in plantext to (3) third parties!
youre being missleading by suggesting that everything is encrypted!
We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
In addition, over the the next year we will introduce several changes to our security checks:
A new encrypted protocol for Developer ID certificate revocation checks
Strong protections against server failure
A new preference for users to opt out of these security protections
The fact that existed for years is the problem. the fact that execs signed off on this at all means apple is terrible for privacy
I read the article and the only pedantic detail that was wrong in the initial report was that gatekeeper didnt send the “appication hash” it sent the “applications certificate id” which is a worthless distinction and changes nothing. you’re acting like that somehow exonerates apple, and then just blindly believing what their PR person says. youd have to be a complete idiot or working for them to believe that crap.
The author comments to the blog post you linked and it partially makes sense: if you fetch the developer’s certificate, Apple knows when you started an application of that developer (and which public IP address you have).
Whether or not there are many devs that only made one application, so you can identify this, I cannot estimate, I’m not an Apple user. But you don’t need to send a hash calculated in client side to get this info.
You’re absolutely right that it’s still an issue to transmit information about the developer certificate. Apple published a response to this, which admittedly is not ideal:
We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
In addition, over the the next year we will introduce several changes to our security checks:
A new encrypted protocol for Developer ID certificate revocation checks
Strong protections against server failure
A new preference for users to opt out of these security protections
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@lemmy.world
This is a most excellent place for technology news and articles.
Unfortunately, this is highly misleading.
Thank you for sharing this, and I appreciate good, high quality information about privacy but please don’t spread misleading information about one of the few companies that provides easily accessible private tools for the not-so-tech-savvy, as well as the busy.
Apple applies E2E encryption for almost all iCloud data with Advanced Data Protection, applies something similar to Tor for web browsing, kills tracking pixels in your mail, uses differential privacy to avoid identifying you, and so much more.
Please see: https://blog.jacopo.io/en/post/apple-ocsp/
TL;DR
No, macOS does not send Apple a hash of your apps each time you run them.
You should be aware that macOS might transmit some opaque3 information about the developer certificate of the apps you run. This information is sent out in clear text on your network.
You shouldn’t probably block ocsp.apple.com with Little Snitch or in your hosts file.
what is misleading exactly? the part where every app you open gets sent to apple along with third parties along with your IP?
because I’m pretty sure that’s all 100% true, and I think its been true for over 5 years…
you’re just suggesting that because they do one thing well they do everything well, which is a fallacy.
Also, any proprietary program that does “E2EE” is misleading you by omitting the part where they could totally steal anyones keys at any time with the push of a button, if they haven’t already. it is completely laughable to suggest any proprietary E2EE program is secure!
so who is spreading the missinfo again?
EDIT: I found the pedantic mistake that they claim makes this “highly misleading”: gatekeeper doesnt send the “application hash” it sends the “applications certificate id”
Bravo in finding this detail, but it doesnt change anything!
Apple was sending (1) what apps youre opening (2) in plantext to (3) third parties!
youre being missleading by suggesting that everything is encrypted!
I’m sorry but did you read the article l linked to or the TL;DR I lifted from the article?
They do not send the app you open to Apple, and there is no evidence they send it to third parties as the app information is not sent at all!
Nevertheless, they do send information about the developer certificate for notarization and gatekeeper checks.
https://support.apple.com/en-us/HT202491#view:~:text=Privacy protections
Quote:
We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
In addition, over the the next year we will introduce several changes to our security checks: A new encrypted protocol for Developer ID certificate revocation checks Strong protections against server failure A new preference for users to opt out of these security protections
The fact that existed for years is the problem. the fact that execs signed off on this at all means apple is terrible for privacy
I read the article and the only pedantic detail that was wrong in the initial report was that gatekeeper didnt send the “appication hash” it sent the “applications certificate id” which is a worthless distinction and changes nothing. you’re acting like that somehow exonerates apple, and then just blindly believing what their PR person says. youd have to be a complete idiot or working for them to believe that crap.
Misleading as to WHY macOS is phoning home. It’s done to validate that the developer of the app you’re attempting to run is a trusted developer. Disabling or bypassing this check would open users up to potentially malicious software. https://www.howtogeek.com/701176/does-apple-track-every-mac-app-you-run-ocsp-explained/
youre being misleading by saying why!
unless you were in the room, your speculation is as good as mine, and Im not saying why, Im just stating facts!
Did you actually just say this outloud?
do you realize that im not the one making the speculation?
Bro I quoted your words.
I guess I dont get the point of your comment then
The video is basically some dude reading a blog post (boy, I hate those, provide no value). The blog post he reads is this: https://sneak.berlin/20201112/your-computer-isnt-yours/
The author comments to the blog post you linked and it partially makes sense: if you fetch the developer’s certificate, Apple knows when you started an application of that developer (and which public IP address you have).
Whether or not there are many devs that only made one application, so you can identify this, I cannot estimate, I’m not an Apple user. But you don’t need to send a hash calculated in client side to get this info.
You’re absolutely right that it’s still an issue to transmit information about the developer certificate. Apple published a response to this, which admittedly is not ideal:
https://support.apple.com/en-us/HT202491#view:~:text=Privacy protections
We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.
In addition, over the the next year we will introduce several changes to our security checks:
A new encrypted protocol for Developer ID certificate revocation checks
Strong protections against server failure
A new preference for users to opt out of these security protections