Aurornis 2 hours ago

> Apple claims to protect user privacy all the time. But they can't offer a product in a major jurisdiction that has actually meaningful privacy laws? Didn't they consider that while designing the product?

Complying with complex privacy laws is surprisingly orthogonal to making a product with good privacy.

In another regulatory area (not privacy, but something more historically regulated) we ran into strange situations where complying with the letter of the law would require us to walk back things that we had done in a better way. The laws are not simple and they're not written by engineers or even people who understand what future product needs look like.

microtonal 40 minutes ago

> Complying with complex privacy laws is surprisingly orthogonal to making a product with good privacy.

Maybe it's more because the privacy is largely marketing and helps with continuously shutting out competitors under the guise of privacy?

If they really cared about privacy, they would end-to-end encrypt iCloud backups [1] by default and not just when ADP is enabled, which only a small subset of users do. In fact, many technical people I know don't even realize that iCloud backups are not end-to-end encrypted. At any rate, this large hole opens a lot of data (including iMessage) open to Apple, law enforcement, etc.

https://support.apple.com/en-us/102651

[1] And iCloud Drive, and photos, and notes, and voice memos, and wallet passes, and contacts, and reminders, and...

bflesch 2 hours ago

Privacy laws are not complex, they only become complex if your goal is to actually skirt them.

Tax laws are also quite easy, tax lawyers are only needed if you want to NOT pay what the country you're operating in is owed.

kube-system 2 hours ago

Respectfully, it sounds like you just haven't dealt with any significant tax or regulatory tasks.

There's entire industries of experts who work on these tasks, and they don't just work for people trying to skirt the rules. I've hired people for both tasks and the reason was specifically to comply.

MBCook an hour ago

Not privacy, but as an example:

NIST, MS, and the security community all recommend against forcing people to change their passwords on fixed intervals. They should only be changed when there is an indication they have been compromised.

PCI requirements demand mandatory 30-day rotation intervals on user passwords for users with administrative privileges, IIRC. Something like that.

They haven’t kept up. So until they change the rules you can either be PCI compliant or implement the current best practice. Not both.

s1artibartfast 2 hours ago

Would you say civil engineers are only required if you want to skirt building codes?

Someone has to understand the codes and how they might be applied to a specific project, and direct a project such that the outcome will comply.

Codes don't provide a blueprint for a house or a bridge. They stipulate features and properties that it must have. Design resides with the firm.

JumpCrisscross 2 hours ago

> Privacy laws are not complex

Privacy isn’t complex, compliance is.

> Tax laws are also quite easy

Yet audits are still a pain.

> tax lawyers are only needed if you want to NOT pay

This is nonsense. Tax lawyers are sometimes used to skirt the law. They’re much more often there to help prove you followed it.