From Greg Farough, FSF <[email protected]>
Subject The problems with Apple aren't just outages, they are injustices
Date December 12, 2020 3:36 AM
  Links have been removed from this email. Learn more in the FAQ.
  Links have been removed from this email. Learn more in the FAQ.
*Please consider adding <[email protected]> to your address book, which
will ensure that our messages reach you and not your spam box.*

*Read and share online: <[link removed]>*


Dear Free Software Supporter,

This November, both everyday users and privacy advocates found
new reasons to be concerned about Apple. After an update to the
latest version of their operating system, [users found that they
were unable][1] to launch applications that were not written by
Apple itself. This problem was caused by an Apple server
outage. But why did the unavailabilty of a remote server prevent
a user from launching a program on their *own* computer?

[1]: [link removed]

It turns out that each time a program is opened on macOS, it
phones home via the Online Certificate Status Protocol (OCSP) to
see if that application is "okay" to launch: it asks the
corporation permission each time a new application is
encountered, sending potentially identifying information along
with that request. While this function only made news because of
the recent server outage caused by the release of the newest
version of macOS, Big Sur, [research indicates][2] that the
report-back has existed in the operating system since September
2018, with the release of macOS Mojave. This is a classic case
of proprietary software serving as an instrument of unjust power.

[2]: [link removed]

Although Apple does not directly receive the name of the
application, but rather [information on who developed it][3],
most developers have only a very limited number of apps on the
App Store, making it easy for Apple to infer. More disturbing yet
is the other identifying information that is sent along with the
[request][4], which includes the user's approximate location and
the current date and time.

[3]: [link removed]
[4]: [link removed]

Because macOS is so restricted, it leaves everyone, including
free software developers, powerless to help users prevent their
application use from being reported back to Apple. Due to the way
the system is engineered, free software firewalls like LuLu are
unable to block the information from being sent to Apple
domains. Furthermore, the information is sent unencrypted over
the network, potentially allowing a snoop to see which
applications a user was trying to launch on their own computer.
The request also bypasses any VPN, letting Apple know their
approximate location even if the user has taken steps to stay
anonymous.

In a recent note added to a [support page][5], Apple has promised
to make changes to the system and encrypt the requests, but this
neither repairs the injury that was done to users, nor provides
any real reassurance that these changes are for the better, or
that your privacy will suddenly be worth protecting to Apple in
the future. Even if they make changes to the system (in a vague
timeline of "over the next year"), there was a period during
which Apple was mandating use of the service with no opt-out, and
they will continue to do so. Not only were they invading every
user's privacy, but the records no doubt still exist. If Apple
is as interested in privacy as their advertising copy claims, the
user should be able to allow an independent server or group to
verify that the applications they're running aren't malicious,
rather than having to rely on Apple itself.

[5]: [link removed]

Furthermore, adding an opt-out option sometime "over the next
year" does not nearly go far enough. Potentially invasive
services like this one should *only* be opt-in, and have a clear
and unambiguous message about how they might affect user
privacy. Unless the setup is substantially changed so that users
have a clear and unambiguous message from the outset that these
services exist and might affect their privacy, then even after
these changes have finally been implemented, the vast majority of
users will still be obliviously sending this data to Apple. They
will continue to be unaware that Apple is being notified each
time they open a program and will have no way of knowing what
Apple does with this information.

Services like OCSP *can* serve a legitimate security purpose. It
might make sense for a user to want to verify in realtime that an
app they are about to run is signed and vetted by someone they
trust, rather than a piece of malware that somehow installed
itself. But to truly be a *security* system and not a subjugation
system, the user needs to be able to decide whom they want to
trust to handle that vetting. Apple denies users that choice in
multiple ways. For example, there is no way for a user to *remove*
Apple as a trusted authority.

We're concerned by the way this point has been missed in public
discussions of this system and its outage. The choice here is
*not* between OCSP and users vetting every single program they
run themselves, or having an insecure device. The real choice is
between what Apple does with OCSP, and users being able to choose
another company or organization to rely on when they lose trust
in Apple. We do this all the time in our lives, like when we
switch to a different car mechanic after having a bad experience,
or a different doctor when something about our situation has
changed. We don't have to get rid of our car -- or our body -- in
order to make those choices, and there's no reason we need to do
it with our software-running devices. Until Apple changes the
fundamental dynamic and allows third-party "free as in freedom"
security software on macOS as a full citizen, an OCSP system even
with privacy improvements will be fundamentally about subjugation and not
security.

The OCSP debacle is just the most recent example of why users
shouldn't trust Apple with their computing. The fact that it took
a server outage for users to become aware of this practice, which
has been going on for at least two years, should give us
pause. How many more ethically unacceptable practices will the
*next* Apple server outage reveal? And how many before the users
Apple has in its grip say that enough is enough? It's best not to
wait to find out. Users caught in Apple's trap should make the
switch to [GNU/Linux][6] today to free themselves. Choosing
freedom instead of corporate authoritarianism is the most
important step one can take to regain their digital autonomy and
assume control over their own computing.

To make sure Apple gets the message, please keep up the [emails
you have been sending to Tim Cook][7] letting him know that you
are getting rid of your Apple devices or will not buy any Apple
devices until they stop using the facade of security to lock down
users.

[6]: [link removed]
[7]: [link removed]

In freedom,

Greg Farough
Campaigns Manager

--
* Follow us on Mastodon at <[link removed]>, GNU social at
<[link removed]>, Diaspora at <[link removed]>,
and on Twitter at <[link removed]>.
* Read about why we use Twitter, but only with caveats at <[link removed]>.
* Subscribe to our RSS feeds at <[link removed]>.
* Join us as an associate member at <[link removed]>.
* Read our Privacy Policy at <[link removed]>.

Sent from the Free Software Foundation,

51 Franklin St, Fifth Floor
Boston, Massachusetts 02110-1335
United States


You can unsubscribe from this mailing list by visiting

[link removed].

To stop all email from the Free Software Foundation, including Defective by Design,
and the Free Software Supporter newsletter, visit

[link removed].
Screenshot of the email generated on import

Message Analysis