With this announcement, Apple are saying "we will protect you from state actors", which is a role usually performed by states. Apple is saying "we operate at the same level as nation states; we are a nation-state level entity operating in the "digital world": It's a flag-raise.
It's the first such flag-raise I've seen. Security researchers talk about protections from state actors all the time, and there are tools which support that... but this is the first public announcement, and tool, from a corporation with more spare, unrestricted capital than many countries. It comes at a time when multiple nation states are competing for energy and food security; and Apple are throwing up a flag for a security-security fight (or maybe data-security). This is not just handy tech, it's full-on cultural zeitgeist stuff. Amazing.
There's a bit of a journey from "protecting you against government hackers and spooks" to full-on sovereign states; and there's a lot of things that a country's government funds that Apple couldn't even begin to take on[0]. Physical security and military operations are a hell of a different field from that of locking down computers.
Furthermore this isn't the first of its kind; Google has been alerting high-risk Gmail users about state-sponsored hacking for about a decade now. Microsoft probably does something similar. Apple is comparatively late to the party on this. On the offensive side you have the zero-day vendors that broker exploits between hackers and the government.
A better explanation is that Apple isn't supplanting the US government. It's supplanting Halliburton. As more and more people and things go online, hacking and doxxing them is becoming more militarily valuable than just arresting someone or firing a missile. After all, physical attacks risk counterattacks and escalation, but Internet attacks are relatively cheap, not really treated as an attack by many sovereign states, and, most importantly, difficult to attribute.
[0] Call me when Apple black-bags Louis Rossman for illegally repairing MacBooks, or threatens literal nuclear war - like, with uranium bombs and radioactive fallout - on the EU for breaking the App Store business model.
Furthermore this isn't the first of its kind; Google has been alerting high-risk Gmail users about state-sponsored hacking for about a decade now. Microsoft probably does something similar.
It’s great that Google alerted Gmail users, but then what?
“We believe you may be a target of a state-sponsored attacker; have a nice day.”
Beyond just telling you, Apple is providing some tools to do something about it.
Google advanced protection mode has been available for a while.
The threat models are different because the companies provide different services (spear phishing defenses from the web services company, hardware defences from the hardware provider), but still.
I'm not saying it never happens, and I don't want to assume anything about your background, but I think most people who work in software would agree there's no need. Plenty of problems get in on their own.
yep if that were your goal it would be way more cost effective to get a zero day from just not trying that hard with security practices. Not having any security knowledge on the team. Not patching/upgrading dependencies with security bugs.
It doesn't make sense from numbers perspective, there's simply not that much potential for profit there. In general, the sale price of a zero-day or ten in some popular product is tiny compared to, for example, the marketing budget of that product.
That money is significant from the perspective of a particular employee (i.e. if they personally would get the money) or for a specialized consulting company, but it's a drop in the ocean for the large companies actually making the products. So we should expect some backdoors intentionally placed by rogue employees (either for financial motivation or at the behest of some government) but not knowingly placed by the organizations - unless in cooperation with their host government, not for financial reasons.
>Apple is saying "we operate at the same level as nation states; we are a nation-state level entity operating in the "digital world"
Making mountains out of molehills.
I'm pretty sure they are saying that they will "offer specialized additional protection to users who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware".
There is a looooong list of things which nation states can do which Apple cannot, some examples of that are in other comments in this thread.
>but this is the first public announcement, and tool, from a corporation with more spare, unrestricted capital than many countries.
Google & Microsoft have both had fairly long-standing tools and procedures (which were publicly announced) to both alert users and aid users against nation state attacks.
The NSO Group, whom Apple specifically cites as an opponent that inspired this work, is a private corporation. They sell to governments, but so does Apple.
The relationship between state and private industry has never been binary and has always had features like this. I don't think this is a "Jennifer Government" type scenario.
At the same time, if that state actor happens to be China, Apple will just give the government access to your iCloud data. Not all state actors are equally within Apple's striking range.
It is worth mentioning that things like National Security Letters exist in the US. It is also the US who made Apple back off of encrypting iCloud backups E2E.
I wish we were more willing to cite our own government(s) as the bad actors here, rather than pretending that we have to reach for China/Russia/North Korea to find the kind of behavior Apple is attempting to protect its users against here.
Not to mention the CLOUD (Clarifying Lawful Overseas Use of Data) Act, which was enacted following a case in 2014 where Microsoft refused to hand over emails stored in the EU (an Irish data centre, in that case) on foot of a domestic US warrant.
The CLOUD Act expressly brings data stored by US-based companies anywhere in the world under the purview of US warrants and subpoenas.
This has always been the law. Common law courts have been issuing court orders that require you to take actions in foreign countries, even in violation of foreign law, for as long as it's been a legal question. The CLOUD Act actually introduced some additional safeguards and allows judges to consider the seriousness of the foreign law violation and weigh it against the importance of the court getting access to the foreign-stored data.
You unfortunately need something like this because otherwise people will just hide documents, money, stolen property, etc. in foreign countries out of reach of US courts, even if they are US persons and corporations.
It isn't just pro-government. Imagine you are a criminal defendant and there is evidence proving your innocence in a foreign server controlled by an American person or company. This rule makes sure you can legally compel that entity to go get the data, the laws of that other country be damned, so you can present your defense.
While extra-territoriality is not a new concept, it’s absolutely false to say that the CLOUD Act didn’t grant sweeping new powers to US courts. That’s a truly absurd claim that makes me question whether you’re commenting in good faith?
It was passed because in the Microsoft v. US case, the Supreme Court was expected to affirm the long-standing law on this: that in response to a U.S. court order, Microsoft had to hand over user data from Irish servers, Irish law be damned.
Such a blunt rule was considered a little too harsh, and a potential source of international problems, so Congress passed a law softening the rule and allowing judges more discretion in considering the burdens of complying with the order. The law had the effect of making the Supreme Court case moot.
Sorry that the truth is more nuanced than you’d like it to be.
There is nuance, but in the opposite direction. Microsoft did not adhere to the original court order, and fought it to the supreme court, where it was undecided when the CLOUD Act came into force and a new warrant was issued for the data held in Ireland.
It is unambiguously an expansion of Government powers. You're the first and only person I've ever come across who has argued the opposite. It's such a ridiculous thing to write that I am wondering if you're trolling me?
>There is nuance, but in the opposite direction. Microsoft did not adhere to the original court order, and fought it to the supreme court, where it was undecided when the CLOUD Act came into force and a new warrant was issued for the data held in Ireland.
What part of this do you think is incompatible with the fact that almost everyone expected Microsoft to lose the case?
And in fact, Microsoft, Apple, and Google lobbied for the CLOUD Act.
So maybe instead of accusing people of bad faith, you should have a little humility and open-mindedness to improving your understanding of the world. Believe it or not, techie discussion forums and Wired are not reliable sources of legal information, so that would explain why you're so misinformed.
It's part of the reason that Privacy Shield collapsed and why the US isn't considered to offer adequate protection to EU residents. It's currently being both litigated (as more and more EU country data protection agencies make individual rulings that specific instances of transfers of personal data to US companies are unlawful) and the subject of intense political negotiation between the EU and US.
Most companies affected are currently awaiting the results of these processes, because following the current precedent to it's logical conclusion, it appears unlawful to transfer any personal data of an EU resident to a US-based company (even if that data remains physically in the EU or another adequate country). That would obviously have catastrophic consequences for the current status quo, so it's hard to believe that a compromise won't be found to avoid it.
However, it's also hard to see a compromise unless the United States exempts EU data subjects from the CLOUD Act, which seem unlikely. Hard to know where it'll go.
> However, it's also hard to see a compromise unless the United States exempts EU data subjects from the CLOUD Act, which seem unlikely. Hard to know where it'll go.
Bureaucrats are capable of breathtaking sophistry when it makes their jobs easier. If red was illegal but convenient they’d make a policy that red was actually green and argue it was until they were blue in the face.
It's not entirely clear yet who wins, but the current issues with Google Analytics in the EU seem to be partially related. Some countries have come to the conclusion that GA can't be legal if Google US has access to the data.
Nothing stops Apple from offering e2ee backups, and in fact they do this for certain data backed up to iCloud (health data for example.)
But your iMessage data...well there, your ass is hanging out in the breeze. In fact, I'm not sure it's possible to log into an iPhone with your Apple ID and not have an iCloud backup immediately fire off, which means your private encryption keys hit iCloud and stay there until it is purged according to their data retention policies. And we have no idea what those policies actually are; those keys made end up stored forever.
> Nothing stops Apple from offering e2ee backups, and in fact they do this for certain data backed up to iCloud (health data for example.)
Almost all users can't handle this; to support people, you need to be able to recover their account when they've lost every single password and proof of identity they possibly can. It's not a backup if you can't restore it.
> In fact, I'm not sure it's possible to log into an iPhone with your Apple ID and not have an iCloud backup immediately fire off
You are correct there’s a bit of dark pattern going on here, but it is possible (to the extent the code does what it says of course). To be extra sure I have a custom lockdown MDM profile to disallow iCloud backups, as well as a number of other nefarious things like analytics, and whenever I get a new device, I first DFU restore it to the latest iOS image to ensure software (post bootrom) isn’t tampered with, then activate and install the MDM profile via a Mac and only then I interact with the device and go through setup.
The only persistent connection Apple has that I can think of to implement such a concept is for push notifications. Which would be a massive security hole if a HTTP response to that daemon was capable of bypassing the lock screen, secure enclave etc.
And the logical question is if they had such a system why would they bother triggering an iCloud Backup when they could ask the device to specifically hand over certain information e.g. Messages. Which at least could be done quietly over Cellular.
> Which would be a massive security hole if a HTTP response to that daemon was capable of bypassing the lock screen, secure enclave etc.
I mean, Apple has killswitches for every iPhone they ship. I wouldn't be the least bit surprised if that suite of tools also included settings management (MacOS has such a thing built-in, fwiw).
Yes, this is Apple protecting you against extralegal state actor threats. There's not really much Apple can do to protect you against the laws of your own country.
Because they are complying with Chinese laws regarding data localization in the country and have been known to work with China (recently YMTC chip deal, previously in a major unreported deal that was unearthed a little while ago) in order to get market access.
"Apple is moving some of the personal data of Chinese customers to a data center in Guiyang that is owned and operated by the Chinese government. State employees physically manage the facility and servers and have direct access to the data stored there; Apple has already abandoned encryption in China due to state limitations that render it ineffective."
I really dislike that there is so much social control :( In theory is to protect you. In practice it can and is misused in so many ways that it should not be even allowed without a judge authorization.
You're kind of missing the point. The Chinese government has unlimited social control. Even if there was some sort of written law in China requiring judicial oversight, that wouldn't limit social control because the judiciary is just a rubber stamp.
Apple has abandoned encryption for everyone in iCloud. You cannot encrypt anything except a limited subset of your device's data (Apple Health data, mostly.)
That may be true, but Reuters reported that Apple had a plan for it (which means they felt it was workable) and dropped it due to pressure from FBI/DOJ.
Also, there are many users who would benefit from e2ee iCloud backups who are not targets of NSO Group-type attacks, so I don't think it makes sense to make it only available in "Lockdown Mode".
I was all prepared to answer this with "so Reuters reporting something makes it true?", only to discover that, in fact, Reuters reported no such thing.
Reuters makes two claims:
1) The FBI talked to Apple (duh)
2) An unannounced plan to implement fully E2EE backups was no longer discussed with the FBI at their next meeting
Both of those things might be true! Reuters isn't known for just making stuff like this up, like, say Bloomberg, but the article specifically says:
"When Apple spoke privately to the FBI about its work on phone security the following year, the end-to-end encryption plan had been dropped, according to the six sources. Reuters could not determine why exactly Apple dropped the plan."
So we've got an unannounced product, which the FBI didn't like, which Apple stopped talking to the FBI about (according to some leakers at the FBI).
This does not add up to "Apple dropped plans due to pressure from [the] FBI/DOJ". It adds up to "secretive company discusses plans with secretive agency, and some stuff about that conversation leaked".
I would suggest that if you're doing anything illegal in the country you're staying in, turn off icloud sync at the least, and best policy is don't use an iphone but use an android with an open source operating system like graphene OS
> In Apple's defense E2E encryption also makes it a lot easier to get locked out of your photos and device backups.
This is likely the real reason E2E hasn't been done yet. I would wager Apple deals with orders of magnitude more people who are locked out of their phones than the number impacted by the lack of E2E backups. Trusted recovery contact added in the last iOS version is a step in a direction of providing some way to implement E2E, and still give people a way to recover.
Definitely very interesting. I know Google has their “Advanced Protection Program”[0] with a Titan security key which is similar. It is interesting considering that Google’s protections target the user as the weak link, as your data lives on their hardware; while Apple is obviously targeting both the user and the hardware they have. I’m curiuos what security researchers will think of this, if it’s more theater or if it is actually a innovative attempt at giving advanced privacy to people who need it. Despite their past stumbles (e.g., CSAM), it seems like Apple is genuinely in the privacy fight, even if it is just for their bottom line.
Microsoft has a “Democracy Forward” team (previously called “Defending Democracy”) that aims to protect government officials and systems from adversarial state actors. It’s been ongoing for a few years now.
Given their track record, I'd trust Microsoft approximately 0% to secure my critical/sensitive systems. The funny thing is that the U.S. government does, in fact, trust them.
I think you're letting the reality distortion field get to your head. They're creating a safe mode for iPhones because a lot of features complex/intricate enough that they are perennial sources of vulnerabilities (and/or UX flaws that lead users to make unsafe decisions).
That is, they're turning features off for security. Something every IT department has been doing for decades. Windows supports this. Mac OS supports this. In fact, iOS was kind of notable in being so unconfigurable. The settings available in their MDM implementation were pitiful and didn't let admins disable many of these features.
> Apple is saying "we operate at the same level as nation states; we are a nation-state level entity operating in the "digital world"
Apple's profits are bigger than my country's (Slovenia) whole GDP. You bet your butt they're a state level actor in the digital world. They have more resources than many countries.
If Apple was a country, their $365bn in revenue would make them the 43rd richest country in the world right after Hong Kong.
This also points out how the increasing costs of technology and economies of scale mean that small countries like Slovenia are no longer viable on their own. The only way they will be able to survive the next few decades and avoid turning into failed states is to surrender most of their sovereignty to larger regional alliances.
My understanding is that the "social contract" inside many of these large companies is quite cushy. Especially in USA where being employed comes with services traditionally provided by the state like health care, child care, free or subsidized food, retirement benefits, etc.
I think Apple's announcement (and as I've learned from this thread MS's and Google's similar programmes) represent a significant step-change. A single defense attorney performs this action on a case-by-case basis, and they earn "single human" levels of income from it. They (to some degree) use that money to make themselves comfortable and perhaps share it with charities and make investments. All the defense attorney's in the world combined still, probably, have access to a fraction of Apple's budget, and a fraction of Apple's audience. Defence attorneys don't always win all their cases.
Apple have the kind of money that makes 1000s of attorneys envious. Apple use that money to make infrastructure and client devices and then sell/share that technology with billions of people. Most of Apple customers buy their phones on loan agreements over some contract time-frame. It's "cheap", and the protections are automated.
I'm tired and getting rambly about this now, but I intuitively feel like the combination of state-level power (albeit exercised with a very narrow focus), and the way so many people live their (digital) lives interacting with a "noosphere" that crosses international borders are facets of a complex phenomenon we have not witnessed before, and which will merge with other related facets and then emerge as something really different. I accept I'm getting very fuzzy in my thinking here. I'm leaning into my inner sci-fi author (who's not come out for 30years and wasn't too talented when it did).
Google has been dealing with nation state actors targeting its users (Gmail specifically) for a decade now. They have Advanced Protection program. We actually regularly used to hear about how human rights activists were targeted in spear phishing campaigns and then arrested.
agreed, the rise of the corporation as the most powerful institution (above the nation-state) in this new budding global civilization is a long time coming.
on the other hand, this is how democracy dies. what structures (systems) exist to prevent apple (and other comparable corporations) from being an oppresive force against human persons? moreover, what incentives do they have?
I can think of a few, at least applicable in the USA:
Apple doesn't have a military or police force with jurisdiction over me. They don't have the legal power to arrest me or throw me into prisons, which they also don't have. I don't have to pay taxes to Apple. I don't have to do business with them or interact with them in any way if I don't want to. I don't need Apple's permission to do anything unrelated to their product lines.
Same is true for any megacorporation. It's a big stretch to say they are even remotely as powerful as nation-states, let alone more powerful.
Yes, the state's monopoly on force is to me what truly differentiates them into a different category of power than a corporation. Also international recognition for nation states and being able to have treaties and the like, but really its the monopoly on use of force. That said, I think the rise of charter cities (think of an SEZ on steroids run by a private corporation) will blur the lines further, although most proposals I've seen for charter cities leave policing to the locality they're residing in.
Many nation states don't have control over interest rates (because their central banks are run independently of the government) or even the ability to print money, if they have adopted another currency.[0]
> Mandatory taxes
States typically tax transactions which happen on their territory (e.g. wages and sales), and in the case of Apple, their devices are their territory, like feudally controlled tracts of land in cyberspace. Taking a cut of all app sales and in-app purchases seems very much like a tax under this analogy.
>Many nation states don't have control over interest rates
And many others do. The State can abdicate such power and it usually does in stable economies where markets can self regulate.
Given a big enough crisis, however, and the State will usually take that power back.
>or even the ability to print money, if they have adopted another currency.
Usually in cases of near total State bankruptcy
>Taking a cut of all app sales and in-app purchases seems very much like a tax under this analogy.
> I don't have to do business with them or interact with them in any way if I don't want to. I don't need Apple's permission to do anything unrelated to their product lines... Same is true for any megacorporation
Nope. You can avoid buying an iphone, but you cannot escape Google. I'm often forced to "do business" with google. I've seen several government websites that require code hosted on Google's servers. I need Google's permission to do all kinds of things unrelated to their service (reCAPTCHA) and google will track everywhere you go online even if you never use any of their services. Facebook also doesn't give you any option. They'll create a profile for you and start collecting data on you even if you've never created an account. You could argue that you pay these companies taxes in the form of your data rather than money, or that the fees they charge developers drive up consumer prices (acting as a tax on the purchases), and I suspect that should Apple/Google pay become more commonplace they will start charging a fee (tax) for that as well. Nothing stops them from doing it.
Some corporations even have their own literal armies (Blackwater/Xe/Academi), but others don't bother because they have the ability to command the police and military wherever they are. The RIAA have their own "swat" team. They participate directly in raids breaking down doors and handling evidence.
Companies like Apple and Google are far more invasive than police watching everything you do, listening to everything you say, recording every person you're in contact with. They censor and ban with impunity. If they really wanted to, they could plant data on your devices that would get you arrested and thrown in prison in any country around the globe.
corporations might not yet be as powerful as a nation state, but they're a lot closer than you give them credit for, and they likely have more direct influence on your day to day life and what happens to you.
No, they're nowhere close to being a nation state. Those spheres of power are nothing compared to something like the British East India Company, which had a currency, an army, and forcefully controlled almost 2 million sq. km. of Asia.
Captchas are definitely worthy of criticism, but they are not remotely on the same level as forcefully controlling the land under someone's feet.
The Knights Templar were a religious organisation, but also a quasi-banking institution in Europe; they took and protected deposits of gold, and issued 'cheques' allowing, for example, travellers to deposit gold in London and spend the money in Southern Europe. They were dissolved because they were beginning to rival the Papacy and nations in power due to their immense wealth.
Also, few know this, but many African slaves who were victims of the slave trade became slaves due to debt-slavery (though this didn't involve formal banks). I've seen estimates of up to 25% of slaves back then having been debt-slaves.
Yes! I had heard a bit about the Knights Templar, I guess I would have categorized them as religious first, financial/governance functions second. But also the Order of Malta had quite a lot of power, to the point I believe that it is still recognized by the UN!
I hadn't realized that about African slaves; debt for what?
the ones that only service other banks hence only people working in higher level banking are likely to have heard about. e.g. the bank for international settlements
I only found out about this bank because the former president of the mexican central bank -- Mr. Carstens, left the central banking gig to go to that bank.
From reading their Wikipedia quickly sounds like BIS has a similar function to say the IMF when it comes to financial system stability. I do agree these sorts of organizations exert huge amounts of influence, especially for smaller countries that are dependent on loans and outside financing, but I'm not sure I agree they are more powerful than a nation itself. A nation can (theoretically) decide to opt out from these systems and operate independently, or can play different parties funded by nations (because in the end they all are working for someone's agenda) off of one another as many countries did during the cold war between the U.S. and Soviet Union. But if a nation reneges on its debt, the BIS, IMF, etc. isn't going to invade your country--one of it's creditor nations might, but not them.
The BIS is just a counterparty to facilitate payments between nations. It doesn't exert influence in international affairs (except really via the BCBS [1] which sets the Basel capital accords defining how much capital banks have to hold and therefore does have a lot of influence behind the scenes on how banks operate anyway). When the US says it's going to give $100m in aid to some country or one country pays back a debt to another country, there needs to be someone to process the payment, and that someone is the BIS.
Source: friend used to work in the BIS and I've also been involved in banking off and on for a long time, including dealing with various international banking regulators.
Some fun BIS facts:
1) They process payments via regular SWIFT[2] messages. So the $100m in aid comes as a message just the same as if you transfer $5 from one bank account to another. It has an IBAN number with a regular bank account, so if you changed that to your own account details and the message was processed suddenly $100m would appear in your checking account instead of going fund an aid programme for some government in Africa or whatnot.
2) The number of payments they process is very low (>100 per day max and usually in the low tens of messages) so every payment message is checked by hand by several independent people as well as having automated checks. Partly to avoid the risk of funds getting sent to the wrong places etc.
3) My friend worked there in the 90s and said that even back then they had extremely strong security with multifactor biometrics on every entry to the premises. You got in via an entrance where you had to step into a cylander which would only unlock after it had taken multiple photos including an iris scan
Based on their history of using their control over the App Store to "protect people" from such harmful content as content about how smartphones are made in sweatshops and tools (such as VPN clients, but also for a long time cryptocurrency wallets) that allow people to bypass restrictions put in place by these nation states that Apple works with, I'd claim these incentives are pretty shit :(.
Apple is a public corporation and votes on its corporate direction are freely available on the open market for anyone to purchase. Based on my share ownership Apple is much more subject to my whims than my actual elected politicians are on a % basis.
I was dripping with disdain and sarcasm as I clicked "reply" but I actually want to engage you and have you seriously consider the history of oil and gas exploration and extraction.
This may, in fact, be a first for a US tech company ... but not in any way whatsoever a first for a business interest or corporation, etc.
This is also a very tame, roundabout and implied flag-raise - as opposed to "... summary execution, crimes against humanity, torture, inhumane treatment and arbitrary arrest and detention ...":
Good points. I had not thought about oil at all. I’ve become aware through light skimming that wars, coups and similar incursions have occurred around other resources.
This feeds into the point I was aiming at. The tech megacorps now have tooling to protect a narrow aspect of their customers lives from state incursion, regardless of which country that customer live in. I’ve not read the link you shared yet, so I don’t know the angle it takes or the angle you want to dig into my ideas from.
Counterpoint - the EU has been passing laws that force apple to be more fair in their markets, and this "we're protecting you from bad guys" stuff is apple trying to figure out deniable methods to protest or sue against the EU passing laws to restrict apple's ability to lock other developers out.
Throw together a basic set of options that should have been available long ago, now apple is protecting you, don't strip apple of the ability to protect you, etc.
> from a corporation with more spare, unrestricted capital than many countries
... than most countries. There are only 7 countries with a higher GDP than Apple's market cap.
I have been concerned for some time about these mega corporations being as powerful if not more powerful than governments. They wield tremendous economic and political power. Corporations have very little allegiance to countries and have little to check them. It is a major concern of mine. Democracy in the U.S. is already being sold to the highest bidders.
These corporations are feudal lords but much, much more powerful because there is not a single person who can be brought down. Corporations are a collective who are treated as people when it's convenient and as something else when it's not.
It's bothersome to me, because these corporations are tax sinks. They get absolutely massive tax breaks on everything they do and pay as little as possible income taxes, comparatively speaking, all the while keeping billions offshore.
Billionaires and mega-corporations are national security threats to the countries that house them.
Pick whatever comparison you'd like, and the rest of my comment still stands. What you said may be true, although I'm not sure it's as simple as you state. But debating the semantics of the exact comparison used isn't really important to the sentiment I espoused.
Apple is following the lead of Microsoft in this regard. Microsoft has been acting as an international cyber defense agency for a few years. On the effectiveness of Ukraine's cyber defense: "Microsoft in particular has been hard at work" 21:45
After the Snowden leaks that showed even in-country citizen-to-citizen communication was being scooped up by the NSA without a warrant through fiber taps (if I remember that right) when Google replicated the data to out-of-country data centers, Google announced encryption of those links:
Google encrypts data amid backlash against NSA spying
What they are doing is giving users an easy-to-use option to sacrifice part of the default user experience to enhance security by disabling features that are common vectors (which happen to be used by, as they phrase it multiple times in the announcement, "private companies developing state-sponsored mercenary spyware").
IMHO, whatever the reason why they are doing it, it's a good addition to their value proposition; but I don't think it's the same as what appears to be your understanding ("they will protect users from state actors"), at all.
A nation state has more than one way of extracting information from enemies of said state. There's the civilized way we now call hacking, and then there's the traditional way, which may or may not involve technology.
I dislike big tech as much as the next hacker, but this seems like quite a leap. Protecting from nation-state actors digitally can be a job for digital powerhouses. In this case, the hackers are just very determined hackers with a lot of resources. Apple is a very motivated company with a lot of resources. Slightly to your point though, they have higher income than 96% of the countries on the planet. So they have the wealth to establish an Appletopia.
> Apple is saying "we operate at the same level as nation states; we are a nation-state level entity operating in the "digital world": It's a flag-raise
Maybe. But these security “features” feel like things that should have been there from the beginning. Windows 11 has already had a much wider and deeper array of security options. Sure, it’s not mobile, but many of those security options would be unlikely to be needed against unsophisticated attacks.
Flag-raise or marketing gimmick? You be the judge I guess.
This feels like an argument the government would make against strong encryption like in the case a few years ago where the government tried to force Apple to unlock an iPhone and Apple refused claiming it wasn't possible.
Apple are basically saying that they're going to do their best in terms of security measures to thwart even state actors, which is only as much of a nation-state level thing as "military grade encryption" is a thing only applicable to militaries.
You haven't been paying attention. Many tech companies have been protecting accounts from state attackers for many years, and explicitly calling out state sponsored attacks. Google introduced state-sponsored attack warnings in 2012 [1] and the Advanced Protection program explicitly protects from state sponsored attacks [2].
Many tech companies have been protecting accounts from state attackers for many years…
How many people have Microsoft and Google actually helped?
Incase you didn’t notice, Apple is in the process of giving a few hundred million iPhone owners--every iPhone since the 2017 iPhone 8--protection from state-level actors, for free, in the next operating system update due this fall.
It totally dwarfs anything that any other company has done in this area. So there’s that.
Google sent more than 50,000 state sponsored attack warnings in 2021. And those warnings started in 2012. So a lot of people have been helped. Meanwhile Apple didn't start doing similar warnings until less than a year ago.
> Apple is in the process of giving a few hundred million iPhone owners
Um, no? Lockdown mode is explicitly for "very few users". There's no way a hundred million iPhone users would benefit. Google's Advanced Protection offers protection from state-level actors to anyone with a Google account, so if you want to count by the number of people offered optional protection, Google wins by a landslide.
> for free
Haha, no, you have to buy an iPhone from Apple first. Google offers protection to anyone actually for free. All you need is a free Google account and a security key which doesn't have to be purchased from Google.
The point is the several hundreds of millions of existing Apple customers who own an iPhone 8 or newer are going to get Lockdown Mode in the next version of iOS for those "who may be at risk of highly targeted cyberattacks from private companies developing state-sponsored mercenary spyware" at no cost.
While it's true that very few iPhone users should ever need to activate this feature for the described use case, Apple has already indicated there will be more features added in the future where this could change.
There are likely additional use cases where an iPhone user may want to activate Lockdown Mode, such as traveling to an authoritarian country.
This article makes the argument that Lockdown Mode could benefit iPhone users who never activate it. [1]
"state actors" doesn't mean the US government in its full force or any other government Apple is in bed with to make money (like China).
It means in the best case shady agencies, foreign services, small governments, and in the likelier case just unhinged people with some access to state facilities (tax employees, unofficial police investigations, lawyers...)
They don't "operate at the same level as nation states", protecting against state actors isn't the only thing in that level, unless you mean cyber-security only. Abstracting this to anything "nation-state level entity" is the crux of your argument.
“Flag-raise” seems a bit hyperbolic but at any rate I think the BSA asserted such reach and power, long ago. Both have to act within the oversight of actual nation states.
Beyond that, a secure phone is necessary but not sufficient to defend oneself against a nation state.
I don't know if you've been paying attention to Apple's strategy over the last year, but it's basically been "granting user privacy also happens to grant us an advertising/data monopoly"
I don't think the aim here is to block at state actors but to basically continue to close all security holes that can be exploited by any other company and continually proving to users that Apple cares about privacy.
The things is I really like Apple even more now since they have realize that my privacy interests can be tightly aligned with their own economic interests. I never trust companies to be good or look out for my interest even when I pay them to, but when my privacy ultimately means they gain a very strong competitive edge the I'm much more trusting.
Apple has realized they can become to privacy what Google has been to ubiquitous search, and doing so can reap even larger and more secure rewards.
They started with a walled garden and now extending it to fortress surrounding the garden.
Other than running ads inside the App Store, do you have any knowledge or evidence of Apple collecting personal information for advertising or any other use?
Apparently that protection does not include protection from the US government.
iMessage offers excellent privacy of message content, but no 'pen register' protection.
Phone device security is very strong, but it's made largely moot if you turn on iCloud backups (which is the default behavior if you provide an Apple ID. I'm not sure there's even a way to stop the initial backup from happening?)
Apple reportedly doesn't offer e2ee on iCloud, or even encrypted device backups, out of compromise with the federal government...specifically the FBI, CIA, and NSA.
Why might people care about this? Criminalizing abortion and miscarriages...and what looks like at the very least a re-recognizing, and possibly criminalization, of LGBTQ relationships.
When Apple says "state actor threats" they're not talking about future-state theoretical breaches of domestic privacy by your own government. Apple is always going to follow the law. They're talking about the types of situations where data from people's phones is used to commit international criminal activity, espionage, assassinations, etc.
It's the first such flag-raise I've seen. Security researchers talk about protections from state actors all the time, and there are tools which support that... but this is the first public announcement, and tool, from a corporation with more spare, unrestricted capital than many countries. It comes at a time when multiple nation states are competing for energy and food security; and Apple are throwing up a flag for a security-security fight (or maybe data-security). This is not just handy tech, it's full-on cultural zeitgeist stuff. Amazing.