Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Continuity and Spotlight highlight the need to closely examine where our data goes

Glenn Fleishman | Oct. 24, 2014
On Monday, I dutifully installed iOS 8.1 to enable Apple Pay on my iPhone 6, intending to test it out later in the day. (Spoiler: I did not.) This also let me turn on Continuity, the suite of seamless connection features between iOS and Mac OS X devices signed into the same iCloud account. My mid–2011 MacBook isn't capable of Handoff and Instant Hotspot, but it can manage SMS forwarding and phone calls.

The other two Monday situations were of a different nature. The "fix macosx" folks examined the kind of data that Yosemite sends in its default installation to improve search results for the new integrated Spotlight. Again, the situation isn't necessarily surprising or disturbing, except for three elements: sending user information is on by default; disabling it requires at least two settings; and Apple didn't disclose enough information as it provided a heaping of additional detail to the Verge after the "fix macosx" site went up.

Apple's fuller explanation assuages fears, but doesn't explain why one has to turn off as many as three settings, including Location Services, and why it wasn't so elaborate in its user disclosure. As Caitlin McGarry wrote a couple of days ago, "Apple is wading into sensitive territory with new features in Yosemite and iOS 8 and on new iPhones.... The company has to prove it can be trusted with search results if people are going to hand over more personal data."

One could argue that Apple should offer a skippable, simple tutorial before it enables the sending of information that would inform users precisely what it's sending. (In brief, it attaches "blurred" location information and other data to a token that it says persists no longer than 15 minutes, and doesn't retain IP addresses.)

Should we have just shaken our head at the original report and said, we're sure Apple is doing everything right? Absolutely not, an opinion aided by its need to more fully disclose.

Finally, the attempt, likely by the Chinese government, to intercept iCloud authentication sessions would seem unrelated, but it ties into one part of this pattern of needing to observe and be aware in our risky world. The subversion attempt uses a man-in-the-middle (MitM) attempt with privileged network resources that stand between a user and Apple's servers. But because of Apple's encryption, that MitM can only present a forged Web security certificate.

As Apple notes in a page it posted to help people understand the problem, an invalid certificate produces an error in browsers that shouldn't be bypassed. Over time, browser makers have made it more complicated to accept an invalid certificate as both the risk and the actuality of MitM attacks has grown.

If we are trained to ignore security red flags, we might see these warnings and think, "Oh, it's the Internet. I'm just going to click click click to bypass these alerts, because I'm trying to get something done."

We can't let ourselves be lulled into complacency; we need Apple and others to highlight the security implications of any changes so that we all — the technically minded and average user alike — continue to pay attention.

 

Previous Page  1  2  3 

Sign up for CIO Asia eNewsletters.