Free Software Foundation
 

Please consider adding [email protected] to your address book, which will ensure that our messages reach you and not your spam box.

Read and share online: https://www.fsf.org/news/the-problems-with-apple-arent-just-outages-they-are-injustices

Dear Free Software Supporter,

This November, both everyday users and privacy advocates found new reasons to be concerned about Apple. After an update to the latest version of their operating system, users found that they were unable to launch applications that were not written by Apple itself. This problem was caused by an Apple server outage. But why did the unavailabilty of a remote server prevent a user from launching a program on their own computer?

It turns out that each time a program is opened on macOS, it phones home via the Online Certificate Status Protocol (OCSP) to see if that application is "okay" to launch: it asks the corporation permission each time a new application is encountered, sending potentially identifying information along with that request. While this function only made news because of the recent server outage caused by the release of the newest version of macOS, Big Sur, research indicates that the report-back has existed in the operating system since September 2018, with the release of macOS Mojave. This is a classic case of proprietary software serving as an instrument of unjust power.

Although Apple does not directly receive the name of the application, but rather information on who developed it, most developers have only a very limited number of apps on the App Store, making it easy for Apple to infer. More disturbing yet is the other identifying information that is sent along with the request, which includes the user's approximate location and the current date and time.

Because macOS is so restricted, it leaves everyone, including free software developers, powerless to help users prevent their application use from being reported back to Apple. Due to the way the system is engineered, free software firewalls like LuLu are unable to block the information from being sent to Apple domains. Furthermore, the information is sent unencrypted over the network, potentially allowing a snoop to see which applications a user was trying to launch on their own computer. The request also bypasses any VPN, letting Apple know their approximate location even if the user has taken steps to stay anonymous.

In a recent note added to a support page, Apple has promised to make changes to the system and encrypt the requests, but this neither repairs the injury that was done to users, nor provides any real reassurance that these changes are for the better, or that your privacy will suddenly be worth protecting to Apple in the future. Even if they make changes to the system (in a vague timeline of "over the next year"), there was a period during which Apple was mandating use of the service with no opt-out, and they will continue to do so. Not only were they invading every user's privacy, but the records no doubt still exist. If Apple is as interested in privacy as their advertising copy claims, the user should be able to allow an independent server or group to verify that the applications they're running aren't malicious, rather than having to rely on Apple itself.

Furthermore, adding an opt-out option sometime "over the next year" does not nearly go far enough. Potentially invasive services like this one should only be opt-in, and have a clear and unambiguous message about how they might affect user privacy. Unless the setup is substantially changed so that users have a clear and unambiguous message from the outset that these services exist and might affect their privacy, then even after these changes have finally been implemented, the vast majority of users will still be obliviously sending this data to Apple. They will continue to be unaware that Apple is being notified each time they open a program and will have no way of knowing what Apple does with this information.

Services like OCSP can serve a legitimate security purpose. It might make sense for a user to want to verify in realtime that an app they are about to run is signed and vetted by someone they trust, rather than a piece of malware that somehow installed itself. But to truly be a security system and not a subjugation system, the user needs to be able to decide whom they want to trust to handle that vetting. Apple denies users that choice in multiple ways. For example, there is no way for a user to remove Apple as a trusted authority.

We're concerned by the way this point has been missed in public discussions of this system and its outage. The choice here is not between OCSP and users vetting every single program they run themselves, or having an insecure device. The real choice is between what Apple does with OCSP, and users being able to choose another company or organization to rely on when they lose trust in Apple. We do this all the time in our lives, like when we switch to a different car mechanic after having a bad experience, or a different doctor when something about our situation has changed. We don't have to get rid of our car -- or our body -- in order to make those choices, and there's no reason we need to do it with our software-running devices. Until Apple changes the fundamental dynamic and allows third-party "free as in freedom" security software on macOS as a full citizen, an OCSP system even with privacy improvements will be fundamentally about subjugation and not security.

The OCSP debacle is just the most recent example of why users shouldn't trust Apple with their computing. The fact that it took a server outage for users to become aware of this practice, which has been going on for at least two years, should give us pause. How many more ethically unacceptable practices will the next Apple server outage reveal? And how many before the users Apple has in its grip say that enough is enough? It's best not to wait to find out. Users caught in Apple's trap should make the switch to GNU/Linux today to free themselves. Choosing freedom instead of corporate authoritarianism is the most important step one can take to regain their digital autonomy and assume control over their own computing.

To make sure Apple gets the message, please keep up the emails you have been sending to Tim Cook letting him know that you are getting rid of your Apple devices or will not buy any Apple devices until they stop using the facade of security to lock down users.

In freedom,

Greg Farough
Campaigns Manager