Apple Pledges Privacy, Beefs Up Security
June 13 2019
Whether it’s from Apple fans, embedded marketing people, or actual developers, applause is an oft-heard feature of any keynote at Apple’s Worldwide Developers Conference.
Yet the loudest applause at this year’s conference came not for some shiny feature, but for a seemingly insignificant, geeky detail: providing users with randomized e-mail addresses. As part of its coming “Sign in with Apple” feature, the company said it will provide users with the ability to use a random e-mail address for each app, holding out the possibility that consumers could, once again, have some small control over the informational transactions with application makers.
The applause for that small detail was both raucous and sustained.
“A lot of love for random addresses here,” said Craig Federighi, senior vice president of software engineering at Apple, before the WWDC 2019 crowd last week. “And that’s good news because we give each app a unique random address. This means that you can disable any one of them at any time when you are tired of hearing from that app.”
Among a host of announcements, the “Sign in with Apple” offering stood out. It promised to treat people as valued customers rather than digital horseflesh to trade on the open market, taking aim squarely at two technology giants of whom consumers — and governments — have increasingly become wary: Google and Facebook. And it gave Apple some measure of cover in the US government’s investigation of whether its own business should be considered a monopoly that needs to be broken up. A bifurcated Apple, after all, may not be able to offer privacy as a selling point.
“This gives them a chance to improve the privacy of, at least, Apple users,” says Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation. “They also show a world is possible where companies are not snarfing up all your data to make money.”
The announcement placed the focus at WWDC 2019 on privacy, but in smaller venues speaking to a more technical crowd, Apple focused on security as well.
The company announced it had made app notarization — a process that runs automated security checks against developers’ release candidates — mandatory as of June 1, 2019. Not to be confused with the App Review process, notarization involves sending a release candidate to Apple, which scans the code, checks it for common errors and security problems, and creates a certificate that validates the software. In return, developers are prevented from inadvertently shipping malicious code, gain the benefits of Apple’s hardened runtimes, and are provided an audit trail of their developer account’s activity, Garret Jacobsson, CoreOS security engineer at Apple, told developers at the conference.
“Users are more likely to download and try new software knowing that Apple has scanned it for known security issues,” he said.
The next version of the Mac OS, dubbed Catalina, will also have more extensive security checks. Apple has applied defense-in-depth principles to a greater extent in the coming version of the Mac OS. Gatekeeper, a program that originally blocked specific malicious software programs from running on Macs, has evolved into a much more comprehensive tool that not only scans for malicious content but also validates the signature provided as part of the notarization process.
While the current version of the Mac OS, Mojave, blocks apps from accessing certain types of data without explicit user permission — including contacts, calendar appointments, reminders, and photos — almost all user data will be included in the permission-based model in the coming version. Applications that try to access files on the desktop, in the user’s Documents folder, or in any type of storage will require either explicit or inferred permission.
Unsurprisingly, considering its recent privacy-focused advertisements, Apple spent a great deal of time showcasing its pro-privacy technologies. Any app that offers the capability of single sign-in with Facebook or Google will have to offer the user the “Sign in with Apple” capability, Federighi said. In addition, the company will give users the ability to share location only a single time, requiring applications to request permission each new time they want to use location data.
“At Apple, we believe that privacy is a fundamental human right, and we engineer it into everything we do,” he said.
Apple’s moves, along with the regulatory pressure from the European Union’s General Data Protection Regulation (GDPR) and antitrust investigations, will likely put pressure on Google and Facebook to change how much control they give users.
“I think there is a lot of pressure on the data companies from a lot of different directions,” says Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals. “Apple will continue to be the most aggressive proponent of privacy as it provides them a competitive advantage.”
Yet whether technology companies that provide services for free can wean themselves off of data remains to be seen, the EFF’s Hoffman-Andrews says.
“Apple’s particular corner of the market is sustainable because they are one of the richest companies on the planet,” he says. “But can others follow in their footsteps? Probably not.”
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …