this post was submitted on 03 Aug 2025
[–] JiveTurkey@lemmy.world 3 points 2 days ago (1 children)

When it comes to user tracking for the purposes of targeting ads they're pretty deceptive. https://blog.lockdownprivacy.com/2021/09/22/study-effectiveness-of-apples-app-tracking-transparency.html

When it comes to Apple Intelligence they skirt the question by not actually collecting the data themselves. Instead they rely on third parties to harvest the data and Apple shows up to collect whatever they've rounded up.

The rest is based on the fact that all security claims made by Apple are near impossible to audit. You just have to take their word for it and for a company that makes such a ridiculous effort to paint themselves as secure and private, you shouldn't have to just take their word for it.

[–] 9tr6gyp3@lemmy.world 7 points 2 days ago* (last edited 2 days ago) (1 children)

I would highly recommend you go through their security compliance documentation before saying it's not auditable. The systems are very thorough for auditing.

Start here:

https://support.apple.com/guide/certifications/intro-to-apple-security-assurance-apc3cea61877b/web

Extra reading here:

https://help.apple.com/pdf/security/en_US/apple-platform-security-guide.pdf

https://support.apple.com/guide/certifications/ios-and-ipados-security-compliance-project-apcb2892d3b0/web

https://support.apple.com/guide/certifications/macos-security-compliance-project-apc322685bb2/web

https://github.com/usnistgov/macos_security/wiki

https://support.apple.com/guide/certifications/national-regulations-security-certifications-apc37dae516c6/web

https://support.apple.com/guide/certifications/apple-pay-security-certifications-apc3a0db329f/web

https://support.apple.com/guide/certifications/apple-internet-services-security-apc34d2c0468b/web

https://support.apple.com/guide/certifications/apple-app-security-certifications-apc392d0e98c3/web

https://support.apple.com/guide/certifications/visionos-security-certifications-apcf57bea62a/web

https://support.apple.com/guide/certifications/watchos-security-certifications-apc3dc9d68d91/web

https://support.apple.com/guide/certifications/tvos-security-certifications-apc3c0bb26e2b/web

https://support.apple.com/guide/certifications/macos-security-certifications-apc35eb3dc4fa/web

https://support.apple.com/guide/certifications/ipados-security-certifications-apc38ef52880f/web

https://support.apple.com/guide/certifications/ios-security-certifications-apc3fa917cb49/web

https://support.apple.com/guide/certifications/apple-t2-security-chip-certifications-apc3225ccbd21/web

https://support.apple.com/guide/certifications/secure-enclave-processor-security-apc3a7433eb89/web

https://support.apple.com/guide/certifications/common-criteria-cc-certification-status-apc3eff7b4ca/web

https://support.apple.com/guide/certifications/cryptographic-module-validation-status-apc33ea4bd77/web

https://support.apple.com/guide/certifications/about-apple-security-certifications-apc30d0ed034/web

[–] JiveTurkey@lemmy.world 3 points 2 days ago (1 children)

None of these articles are proof of anything and again you're just taking their word for it. None of this is Apple open sourcing the software for audit and none of these certifications makes them special. This is like saying a Microsoft Surface device passed all of these certifications and checks so it can't get malware.

[–] 9tr6gyp3@lemmy.world 1 points 2 days ago (2 children)

It literally describes their entire security process, which is vetted by NIST (a government agency of the United States of America who create standards), NASA (a government agency of the US that focuses on civil space programs, aeronautics research and space research), DISA (a DoD combat support agency that provides IT and communications support to the president, VP, Secretary of Defense, DoD, and any individual or system contributing to the defense of the US), and LANL (one of sixteen research and development laboratories of the DoE who conduct multidisciplinary research in fields such as national security, space exploration, nuclear fusion, renewable energy, medicine, nanotechnology, and supercomputing).

Those guys are always looking at Apple's security. Always.

It's vetted, tested, and hardened based on scientific research by many organizations. It's not just Apple whipping this shit up willy nilly.

[–] JiveTurkey@lemmy.world 4 points 2 days ago (1 children)

You are still insisting that these stop Apple from writing software to harvest user data. The chips can work and the software can still be flawed or malicious. You seem to think that these certifications make it impossible to write malicious software for this hardware. You fundamentally don't understand what you're implying.

[–] 9tr6gyp3@lemmy.world 1 points 2 days ago

https://security.apple.com/blog/private-cloud-compute/

> Stateless computation and enforceable guarantees
>
> With services that are end-to-end encrypted, such as iMessage, the service operator cannot access the data that transits through the system. One of the key reasons such designs can assure privacy is specifically because they prevent the service from performing computations on user data. Since Private Cloud Compute needs to be able to access the data in the user’s request to allow a large foundation model to fulfill it, complete end-to-end encryption is not an option. Instead, the PCC compute node must have technical enforcement for the privacy of user data during processing, and must be incapable of retaining user data after its duty cycle is complete.
>
> We designed Private Cloud Compute to make several guarantees about the way it handles user data: A user’s device sends data to PCC for the sole, exclusive purpose of fulfilling the user’s inference request. PCC uses that data only to perform the operations requested by the user. User data stays on the PCC nodes that are processing the request only until the response is returned. PCC deletes the user’s data after fulfilling the request, and no user data is retained in any form after the response is returned. User data is never available to Apple — even to staff with administrative access to the production service or hardware.

What fundamentals am I missing?

[–] JiveTurkey@lemmy.world 2 points 2 days ago (1 children)
[–] 9tr6gyp3@lemmy.world 3 points 2 days ago (1 children)

Correct. It will not harvest data until you log into a Google service and agree to their ToS.

[–] JiveTurkey@lemmy.world 4 points 2 days ago (1 children)

So we are back to Apple's promises of privacy and security being meaningless because you can't verify that any of these claims are valid. The hardware may be secure but that doesn't mean much in this case.

[–] 9tr6gyp3@lemmy.world 2 points 2 days ago* (last edited 2 days ago) (1 children)

I never left the topic of Apple's promises of privacy and security. The article you linked initially is completely about third party apps and their tracking. Using their App Store policies, Apple have steered apps into stating if they track you or not. It doesn't eliminate tracking. It simply lets the user know how much data will be harvested.

You can see how it shook up a lot of the big harvesters when they were EXTREMELY slow to update their apps following this policy going into effect. Each app had to determine what was being harvested and figure out a way to let the user know. You'll notice the big apps like any Google apps, Facebook (Meta), IG, etc. waited a looooong time before releasing any of that data.

Apple themselves post this data in each and every one of their apps. You can find it in the App Store. It's transparent, and they let you know what they do with it.

There is no secret tracking, if that's what you are implying. The article you linked focuses on third party apps anyways, not Apple's own apps.

[–] JiveTurkey@lemmy.world 2 points 2 days ago (1 children)

Apple above all has more access than any 3rd party app. You simply have no way of knowing what Apple is doing behind the scenes without the source code. You are merely taking their word for it.

[–] 9tr6gyp3@lemmy.world 1 points 2 days ago (1 children)

I'd love to have the source code, yes, but there are literally zero ads on my Apple devices until I open the App Store.

What data are they harvesting? And again, can you provide a source that they are harvesting data on users?

[–] JiveTurkey@lemmy.world 1 points 2 days ago (1 children)

I'm done with this. Ads in this case are just one aspect. Apple's ad service is a multi billion dollar part of their business and if you think they've done that with zero ad targeting you're being extremely naive.

Harvesting data in this case is also extremely vague and doesn't have to involve ads at all. If they're advertising privacy and security then it obviously should be about more than ad targeting data. It should be the case that they have no access to any user data on the device or being stored in the cloud. For instance iCloud storage is not end to end encrypted by default, instead Apple has the encryption keys and can decrypt user data at any time.

You absolutely cannot guarantee privacy and security without knowing exactly what's going on behind the scenes, especially when we are talking about a company that is more beholden to shareholders than its own users.

[–] 9tr6gyp3@lemmy.world 1 points 2 days ago (1 children)

> Apple’s ad service is a multi billion dollar part of their business and if you think they’ve done that with zero ad targeting you’re being extremely naive.

Need a source for that, m8. Otherwise you're just blindly throwing around conspiracies with no proof that they harvest any data (which you haven't linked to during this entire conversation)

> For instance iCloud storage is not end to end encrypted by default, instead Apple has the encryption keys and can decrypt user data at any time.

All data on any Apple device is encrypted by default. Once you decide to send it to iCloud, they give you an option to turn on Advanced Data Protection (ADP), which allows you to encrypt your data with your own keys in true end-to-end fashion. That means they do not have the keys. This is optional at the moment because not all supported Apple devices can use this feature, and also it isn't authorized for use with certain accounts (like children accounts). It also requires that the user store the keys offline in a way they won't lose them, because if they lose the keys, there is no way for Apple to let you recover that data since they don't have the keys themselves.

> You absolutely cannot guarantee privacy and security without knowing exactly what’s going on behind the scenes, especially when we are talking about a company that is more beholden to shareholders than its own users.

Again, the documentation that I posted earlier that you are just brushing off has their entire security and privacy processes laid out for you to read. If you are refusing to accept that Apple and multiple government and private organizations came together to create those standards, then that's on you denying the science and research behind it. So do you, boo.

[–] JiveTurkey@lemmy.world 1 points 2 days ago

> Need a source for that, m8. Otherwise you're just blindly throwing around conspiracies with no proof that they harvest any data (which you haven't linked to during this entire conversation)

This was 2 years ago but you can find more up to date numbers with a quick search and it's only increased since this Forbes article was written.

https://www.forbes.com/sites/daviddoty/2023/02/08/apple-the-story-behind-its-new-ad-offerings-to-retailers-restaurants-hotels-other-location-based-businesses/

> All data on any Apple device is encrypted by default. Once you decide to send it to iCloud, they give you an option to turn on Advanced Data Protection (ADP), which allows you to encrypt your data with your own keys in true end-to-end fashion. That means they do not have the keys. This is optional at the moment because not all supported Apple devices can use this feature, and also it isn't authorized for use with certain accounts (like children accounts). It also requires that the user store the keys offline in a way they won't lose them, because if they lose the keys, there is no way for Apple to let you recover that data since they don't have the keys themselves.

You just repeated back what I just told you but with more details. The end to end encryption of iCloud is not the default so most users are not end to end encrypted. The device encryption is standard across the board for when it comes to mobile devices and this isn't something that makes Apple special. This also doesn't prevent Apple from accessing the data on the device. Which again could be the case but we have no way of knowing without the source code.

> Again, the documentation that I posted earlier that you are just brushing off has their entire security and privacy processes laid out for you to read. If you are refusing to accept that Apple and multiple government and private organizations came together to create those standards, then that's on you denying the science and research behind it. So do you, boo.

Again these certifications are held by many manufacturers of mobile phones. You seem to think this makes them incapable of having backdoors and that just isn't the case. All they are verifying is that their encryption methods and the hardware performing the encryption are working as intended. They are in no way a guarantee of privacy or a guarantee that Apple won't write code to access user data. If that were the case then everyone else with these certifications would also be making ads about how secure they are. They can all thoroughly document their process for handling biometrics, keys, etc. but that still doesn't show us the source code. Even if you think some magical system exists that can scan the source for backdoors, and these private organizations run Apple's source through this system to certify them, you still have no guarantee that the backdoor wasn't added immediately after it was certified. Trusted security is open source and Apple doesn't have it. It doesn't matter how many stickers they slap on it or how many promises they make.

Lastly, Apple constantly emphasizes a commitment to privacy as a fundamental human right, built on principles like data minimization, on-device processing, transparency and control, and security but that load of bullshit went out the window when China tested them on it. They reversed course on all of it, including what they consider to be a human right, just to make some money.

https://www.nytimes.com/2021/05/17/technology/apple-china-privacy-censorship.html