| ▲ | ezfe 3 hours ago |
| Apple's solution is iCloud Keychain which is E2E encrypted, so would not be revealed with a court order. |
|
| ▲ | 3 hours ago | parent | next [-] |
| [deleted] |
|
| ▲ | tokyobreakfast 3 hours ago | parent | prev | next [-] |
| What is your proof they don't have a duplicate key that also unlocks it? A firm handshake from Tim? |
|
| ▲ | eddyg 3 hours ago | parent | next [-] |
| You should watch the whole BlackHat talk (from 2016!) from Apple's Head of Security Engineering and Architecture, but especially this part: https://www.youtube.com/watch?v=BLGFriOKz6U&t=1993s |
|
| ▲ | otterley 3 hours ago | parent | prev [-] |
| If they say they don't, and they do, then that's fraud, and they could be held liable for any damages that result. And, if word got out that they were defrauding customers, that would result in serious reputational damage to Apple (who uses their security practices as an industry differentiator) and possibly a significant customer shift away from them. They don't want that. |
|
| ▲ | direwolf20 2 hours ago | parent | next [-] |
| The government would never prosecute a company for fraud where that fraud consists of cooperating with the government after promising to a suspected criminal that they wouldn't. |
|
| ▲ | otterley 2 hours ago | parent [-] |
| That's not the scenario I was thinking of. There are other possibilities here, like providing a decryption key (even if by accident) to a criminal who's stolen a business's laptop, or if a business had made contractual promises to their customers, based on Apple's promises to them. The actions would be private (civil) ones, not criminal fraud prosecution. Besides, Apple's lawyers aren't stupid enough to forget to carve out a law-enforcement demand exception. |
|
| ▲ | tokyobreakfast 2 hours ago | parent | prev [-] |
| Absent the source code, it's incredibly difficult to disprove when the only proof you have is good vibes. |
|
| ▲ | otterley 2 hours ago | parent [-] |
| There are many things you can't prove or disprove in this world. That's where trust and reputation come in - to fill the uncertainty gap. |
|
|
|
|
| ▲ | jcalvinowens 3 hours ago | parent | prev [-] |
| > Apple's solution is iCloud Keychain which is E2E encrypted, so would not be revealed with a court order. |
| Nope. For this threat model, E2E is a complete joke when both E's are controlled by the third party. Apple could be compelled by the government to insert code in the client to upload your decrypted data to another endpoint they control, and you'd never know. |
|
| ▲ | dcrazy 2 hours ago | parent | next [-] |
| That was tested in the San Bernardino shooter case. Apple stood up and the FBI backed down. |
|
| ▲ | ezfe an hour ago | parent | prev [-] |
| Yeah and Microsoft could insert code to upload the BitLocker keys. What's your point? Even Linux could do that if they were compelled to. |
|
| ▲ | jcalvinowens an hour ago | parent [-] |
| > Even linux could do that if they were compelled to. |
| An open source project absolutely cannot do that without your consent if you build your client from the source. That's my point. |
|
| ▲ | ezfe 24 minutes ago | parent [-] |
| Wait, I'm sorry, do you build Linux from source and review all code changes? |
|
| ▲ | jcalvinowens 12 minutes ago | parent [-] |
| You missed the important part: |
| > For this threat model |
| We're talking about a hypothetical scenario where a state actor getting the information encrypted by the E2E encryption puts your life or freedom in danger. If that's you, yes, you absolutely shouldn't trust US corporations, and you should absolutely be auditing the source code. I seriously doubt that's you though, and it's certainly not me. |
| The sub-title from the original Forbes article: |
| > But companies like Apple and Meta set up their systems so such a privacy violation isn’t possible. |
| ...is completely utterly false. |
|
|
|
|