Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
StopDisinfo910 5 days ago

Could anyone here waxing lyrically about Apple so called privacy stand explain to me what that actually is apart from a marketing point Apple keeps repeating?

Because from where I stand they do load everything into their cloud. They insist on having you pay for iCloud through obnoxious means. They have you go through their store for everything. They even have an ad platform.

What supposedly so good about it? Their track record seems awful to me.

thewebguyd 5 days ago | parent | next [-]

E2EE (advanced data protection) without having to use something like Proton, so can stay in the very convenient "ecosystem." With it turned on, keys are on your device, Apple doesn't have them and can't use them and it covers all the main stuff - photos, messages, notes, etc.

It's still a compromise, sure, but it's a better compromise than what Google offers.

Plus small things. Apple's tracking protection for example is opt in instead of opt out on Android. Google's core business is ads, they won't push features that can negatively impact that. Apple also has an ad division but it's not their main focus, hardware is. They can implement better privacy without impacting their bottom line. Apple's refusal to unlock phones at the request of the FBI, etc.

It's not that Apple is the be all end all for privacy, but they are far ahead of Google and are by far the most convenient option if you are within the walled garden.

bmicraft 5 days ago | parent [-]

> With it turned on, keys are on your device, Apple doesn't have them and can't use them and it covers all the main stuff - photos, messages, notes, etc.

Or so they say. Has that actually been proven?

NobodyNada 5 days ago | parent | next [-]

It's impossible to prove a negative, like "Apple doesn't have a backdoor". One can prove the existence of a backdoor by reverse-engineering suspicious code or network traffic, but not the nonexistence without poring over every byte of machine code, and quite a lot of the hardware too.

This is not unique to Apple, it's impossible to prove any system is free of a backdoor, including Linux distributions (see: the xz backdoor, or "Reflections on trusting trust"), unless you hand-crafted your whole smartphone from raw silicon.

gruez 5 days ago | parent | prev [-]

You can raise that gripe with even something like signal. Sure, it's open source, but when was the last time someone reproducibility built it?

tga_d 5 days ago | parent [-]

People reproducibly build Signal all the time. There's a bug right now that makes the play store version differ from the one you get by downloading off their website/build from source, but you can examine the differences to see they're minor.

gruez 5 days ago | parent [-]

>People reproducibly build Signal all the time

source? Is there a site that tracks this, or only shows up when someone raises an issue on github?

tga_d 5 days ago | parent [-]

Pick a decently up-to-date fork of Signal on GitHub and look at its Actions. You can also just do it yourself if you'd like, the process is effectively just doing a build in a docker container and comparing the result.

https://github.com/signalapp/Signal-Android/blob/main/reprod...

gruez 5 days ago | parent [-]

The github action finishing is not the same as "reproducibility built it", which implies verification against the official build.

tga_d 5 days ago | parent [-]

There is a dedicated reproducible builds action that verifies that it does match (currently failing because of the aforementioned bug). I'm not sure why you're still litigating this when, again, you can not only just go look at it, you can very much do it yourself.

iamdamian 5 days ago | parent | prev | next [-]

> Could anyone here waxing lyrically about Apple so called privacy stand explain to me what that actually is apart from a marketing point Apple keeps repeating?

The end-to-end encryption guarantees on this page seem pretty real to me and have little to do with marketing: https://support.apple.com/en-us/102651

lern_too_spel 5 days ago | parent | next [-]

Google backup on Android is also end-to-end encryption. The difference is that on Android, I can self-host anything that Apple won't end-to-end encrypt, like maps or application installs.

snypher 5 days ago | parent | prev [-]

Can any of this be verified or confirmed independently?

atomicthumbs 5 days ago | parent | next [-]

how do you propose they prove that they don't have your encryption keys

ritcgab 5 days ago | parent | prev [-]

You just cannot prove a party doesn't own something.

nicoburns 5 days ago | parent | prev | next [-]

> Because from where I stand they do load everything into their cloud. They insist on having you pay for iCloud through obnoxious means. They have you go through their store for everything. They even have an ad platform.

It's very easy to completely disable iCloud. I've never used it and don't intend to, despite running a mac as my primary computer for ~12 years now.

StopDisinfo910 5 days ago | parent | next [-]

> It's very easy to completely disable iCloud.

My experience widely differs.

Apple will nag you all the time if you don’t have iCloud or just use the free tier and the free tier is very limited. You lose the only way to actually easily sync the phone when you disable it.

Most of the iPhone owners I know including me have caved and pay the additional tax every month.

throwaway290 5 days ago | parent | prev [-]

This is correct. Maybe settings will show you a login button but except for that you're fine.

paulddraper 5 days ago | parent | prev [-]

Apple is much more strict on app tracking (and apps in general).

v5v3 5 days ago | parent [-]

Yes.

As an example I think Androids have a single device ID which is given to all apps. But iOS has a per app device ID.

theshrike79 5 days ago | parent | next [-]

And the ID resets pretty often.

The marketing department exploded when Apple announced that change, it made user conversion tracking completely useless.

ajross 5 days ago | parent | prev | next [-]

There is no device ID, only ones tied to a user login on a phone, and the app must request a permission to get it. You can, for example, know that the user ID (which you obviously also need to have a permission to retrieve), is being used on the same device as was used to access your service in the past. Or you can know that this particular otherwise-anonymous user/device combination is being used again. I'm pretty sure that's likewise possible on iOS, but folks can chime in.

And of course there are guidelines that disallow most of the abuse scenarios I suspect people want to imagine: https://developer.android.com/identity/user-data-ids

thewebguyd 5 days ago | parent [-]

Not familiar with how Android does it anymore, but sounds fairly similar to iOS.

The main difference is it's opt in on iOS, but opt out on Android I believe.

On iOS, when the app pops up and asks to track, if the user says no, the app can't access the system advertising ID at all, and also is not permitted to track activity via other means like email address, user ID, etc (but the only thing that's technologically enforced is the system advertising ID, it's only forbidden by policy to not use other tracking methods).

Given the huge fit Meta threw after Apple implemented this, while they were silent about Android, I'm inclined to believe Apple's method has more of a privacy impact.

Also worth noting Google is hoping to move away from device-level advertising IDs with their "privacy sandbox" thing.

gruez 5 days ago | parent | prev [-]

Yes, specifically both have some variant of "advertising ID", which is shared across all apps. The difference between iOS and Android is that iOS requires you to opt every app into receiving it, whereas Android is opt out. However on top of this Android has a "gsf" id, which is shared between apps, and can't be changed without a factory reset.