{"id":15554,"date":"2019-06-12T09:10:12","date_gmt":"2019-06-12T17:10:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/06\/12\/news-9303\/"},"modified":"2019-06-12T09:10:12","modified_gmt":"2019-06-12T17:10:12","slug":"news-9303","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/06\/12\/news-9303\/","title":{"rendered":"Apple iOS 13 will better protect user privacy, but more could be done"},"content":{"rendered":"

Credit to Author: David Ruiz| Date: Wed, 12 Jun 2019 16:42:41 +0000<\/strong><\/p>\n

Last week, Apple introduced several new privacy features to its latest mobile operating system, iOS 13. The Internet, predictably, expressed doubt, questioning Apple\u2019s oversized influence, its exclusive pricing model that puts privacy out of reach for anyone who can\u2019t drop hundreds of dollars on a mobile phone<\/a>, and its continued, near-dictatorial control of the App store, which can, at a moment\u2019s notice, change the rules to exclude countless apps. <\/p>\n

At Malwarebytes, we sought to answer something different: Do the new iOS features actually provide meaningful privacy protections?<\/p>\n

The short answer from multiple digital rights and privacy advocates is: \u201cYes, but\u2026\u201d<\/p>\n

For example: Yes, but Apple\u2019s older phones should not be excluded from the updates. Also: Yes, but Apple\u2019s competitors are not likely to follow. And more broadly: Yes, but Apple is giving users a convenient solution that does not address a core problem with online identity. <\/p>\n

Finally: Yes, but Apple can go further. <\/p>\n

Apple\u2019s new single sign-on feature<\/strong><\/h3>\n

At Apple\u2019s WWDC19 conference in San Jose last week, Senior Vice President of Software Engineering Craig Federighi told audience members that the latest iOS would give Apple users two big privacy improvements: better protection when signing into third-party services and apps, and more options to restrict location tracking. <\/p>\n

Apple\u2019s Single Sign-On (SSO) option will allow users to sign into third-party platforms and apps by using their already-created Apple credentials. Called \u201cSign in with Apple,\u201d Federighi described the feature not so much as a repeat of similar features provided by competitors Google and Facebook, but as a response. <\/p>\n

Standing before a projected display of two separate blue rectangles, one reading \u201cSign in with Facebook,\u201d the other \u201cSign in with Google,\u201d Federighi told the audience, \u201cWe\u2019ve all seen buttons like this.\u201d <\/p>\n

While convenient, Federighi said, these features can also compromise privacy, as \u201cyour personal information sometimes gets shared behind the scenes, and these logins can be used to track you.\u201d Behind Federighi, the presentation revealed all the types of information that get shuffled around without a user\u2019s full understanding: Full names, gender, email addresses, events attended, locations visited, hometown, social posts, and shared photos and videos. <\/p>\n

Federighi said \u201cSign in with Apple\u201d locks that data dispersal down. <\/p>\n

“Sign in with Apple” lets Apple users log into third-party apps and services by using the Face ID or Touch ID credentials created on their device. The SSO feature also gives Apple users the option to provide third parties with \u201crelay\u201d email addresses\u2014randomly-generated email addresses created by Apple that serve as forwarding addresses, giving users the option to keep private their personal email address while still receiving promotional deals from a company or service. Further, relay addresses will not be repeated, and Apple will generate a new relay for each new platform or app. <\/p>\n

\n
\"\"
Apple iOS 13 gives users the option to both share and hide their email from third-party apps when utilizing the company’s single sign-on feature. Courtesy: Apple<\/figcaption><\/figure>\n<\/div>\n

Privacy advocates welcomed the feature but warned about over-reliance on Apple as the one true purveyor of privacy.<\/p>\n

\u201cApple’s new sign-in service is definitely a step in the right direction, but it’s important to understand who it’s protecting you from,\u201d said Gennie Gebhart, associate director of research at Electronic Frontier Foundation. \u201cIn short, this kind of feature protects you from all sorts of scary third parties but does not necessarily protect you from the company offering it\u2014in this case, Apple.\u201d<\/p>\n

Apple has scored positively with EFF\u2019s annual \u201cWho Has Your Back\u201d report<\/a>, which, for years, evaluated major tech companies<\/a> for their willingness to fight overbroad, invasive government requests<\/a> for user data. <\/p>\n

But protecting user data from government requests and protecting it from corporate surveillance are different things. <\/p>\n

Luckily, Gebhart said, Apple has promised not to use the information it gleans from its SSO feature to track user activity or build profiles from online behavior. But, Gebhart said, the same can\u2019t be assumed from other big tech companies including Google and Facebook. <\/p>\n

\u201c[I]t’s important to remember for other SSO services like Facebook’s and Google’s that, even if they implement cool privacy-protective features like Apple has, that won’t necessarily protect you from Facebook or Google tracking your activity,\u201d Gebhart said. <\/p>\n

As to whether those companies will actually follow in Apple’s footsteps, Nathalie Mar\u00e9chal, a senior research analyst at Ranking Digital Rights, seems doubtful, as those competitors rely on entirely different business models. <\/p>\n

\u201cGoogle, Apple\u2019s main competitor in the smartphone market, relies on pervasive data collection at a massive scale not only to sell advertising, but also to train the algorithms that power its products, such as Google Maps,\u201d Mar\u00e9chal said. \u201cThat\u2019s why Google collects as much data as it possibly can: that data is the raw material for its products and services. I don\u2019t see Google shifting to a model where it collects as little information as possible\u2014as Apple says it does\u2014anytime soon.\u201d<\/p>\n

That said, Mar\u00e9chal still commended Apple for offering relay email addresses in its SSO feature. <\/p>\n

\u201cThis makes the process much more user-friendly, and makes it even harder for data brokers and advertising networks to connect all of someone\u2019s online activity and create a detailed file about them,\u201d Mar\u00e9chal said. <\/p>\n

Yet another researcher, who said it was good to see Apple taking \u201cpractical steps\u201d to protect online identities, warned about a larger problem: The increased dependence on a user\u2019s identity as the de facto credential for accessing all sorts of online services and platforms. <\/p>\n

\u201cWe are seeing more and more websites and apps pushing us to identify ourselves; while sometimes this may be appropriate, it comes along with dangers,\u201d said Tom Fisher, a researcher at Privacy International. \u201cIt can be a tool for tracking people across sessions, for instance.\u201d<\/p>\n

Fisher continued: \u201cThere\u2019s a need for more thought not only on how identification systems can protect people\u2019s privacy, but also when it is appropriate to ask people to identify themselves at all.\u201d<\/p>\n

Apple\u2019s new option for location privacy<\/strong><\/h3>\n

Apple\u2019s second big feature will give its users the option to more closely manage how their location is tracked by various third-party apps. <\/p>\n

With the update to iOS 13, users can choose to share their location \u201cjust once\u201d with an app. That means that, if users choose, any service that requests location information\u2014whether it be Yelp when recommending nearby restaurants, Uber when finding nearby drivers, or Fandango when locating nearby movie theaters\u2014will be allowed to access that information just once, and every subsequent request for location information must be approved by the user on an individual basis. <\/p>\n

Mar\u00e9chal called this an important development. She said many apps that request location information provide convenient services for users, and users should have the option to choose between that convenience and that potential loss of privacy. That decision, she said, is unique to each user. <\/p>\n

\u201cThat\u2019s a very contextual decision and I\u2019m glad to hear that Apple is giving its users more nuanced options than simply \u2018on,\u2019 \u2018off,\u2019 or \u2018only when the app is in use,\u2019\u201d Mar\u00e9chal said. \u201cFor example, I might not want to share my location with Yelp while checking opening hours for a business in my home city, because the privacy trade-off isn\u2019t worth it, and then might share my location while traveling the following week because I don\u2019t know the city I\u2019m visiting well enough to know how far a restaurant is from me.\u201d<\/p>\n

Further steps? <\/strong><\/h3>\n

When interviewed for this piece, every researcher agreed: Apple\u2019s newest features provide simple, easy-to-use options that can leave users more informed and more in control of their online privacy. <\/p>\n

However, another response came up more than once: Apple can\u2014and should\u2014go further. <\/p>\n

These responses are not unusual, and, in fact, they follow in the footsteps of all advocacy work, particularly in online privacy. Earlier this year, it was Mozilla, the privacy-forward, nonprofit developer of the web browser Firefox, that asked Apple to do better by its users in protecting them from invasive online tracking<\/a>. Similarly, it is privacy advocates and researchers who have the most thought-out ideas on protecting user privacy. These researchers had a few ideas for Apple. <\/p>\n

First, Mar\u00e9chal said, Apple should provide \u201ctransparency\u201d reports\u2014the way it already does for the government requests it receives for user data\u2014that disclose how third-party apps collect Apple users\u2019 information. She said Apple\u2019s marketing tagline (\u201cWhat happens on your iPhone, stays on your iPhone\u201d<\/a>) is only true for the data Apple itself collects, \u201cbut it\u2019s not true of data collected by third party apps.\u201d <\/p>\n

A Washington Post article last month revealed this to an alarming degree<\/a>: <\/p>\n

\n

\u201cOn a recent Monday night, a dozen marketing companies, research firms and other personal data guzzlers got reports from my iPhone. At 11:43 p.m., a company called Amplitude learned my phone number, email and exact location. At 3:58 a.m., another called Appboy got a digital fingerprint of my phone. At 6:25 a.m., a tracker called Demdex received a way to identify my phone and sent back a list of other trackers to pair up with.\u201d<\/p>\n<\/blockquote>\n

Fisher raised a separate issue regarding Apple\u2019s security updates: Who gets left behind? At such a high price point for the devices (The oldest iPhone model for sale on Apple\u2019s website that is iOS 13 compatible, the Apple iPhone 7, starts at $449), Fisher said, \u201cWhat happens to people who can\u2019t afford Apple\u2019s expensive products: Are they then left only with access to more invasive ways of identifying themselves?\u201d<\/p>\n

Another one of Mar\u00e9chal\u2019s suggestions could address that problem. <\/p>\n

\u201cI would also like some clarity about how long a new iPhone will be guaranteed to receive software updates, as well as a commitment to providing security updates specifically for at least five years,\u201d Mar\u00e9chal said. \u201cGiven how expensive new iPhones can be, customers should know how long the device will be safe to use before they purchase it.\u201d<\/p>\n

While this idea does not fix Fisher\u2019s concerns, it at least gives users a better understanding about what they can expect for their own privacy years later. Any company\u2019s decision to put users in more control of their privacy rights is a decision we can sign onto. <\/p>\n

The post Apple iOS 13 will better protect user privacy, but more could be done<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: David Ruiz| Date: Wed, 12 Jun 2019 16:42:41 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Apple\u2019s newest iOS features provide simple, easy-to-use options that can leave users more informed and more in control of their online privacy. But privacy experts agreed: Apple can\u2014and should\u2014go further. <\/p>\n

Categories: <\/p>\n