By John Gruber
Kolide — User focused security for teams that Slack.
Ten years ago today, Steve Jobs introduced the iPad on stage at the Yerba Buena theater in San Francisco. It surprised everyone, in several ways. Some expected a touchscreen Mac with a stylus. Some expected a product that would do for the news industry what the iPod had done for the music industry a decade prior. Most expected a $1,000 starting price. The iPad was none of those things. It was also Jobs’s final big new product announcement.
“It’s just a big iPhone” was the most common initial criticism. Turns out, “just a big iPhone” was a fantastic idea for a new product — music to tens of millions of iPhone users’ ears.
Jobs’s on-stage pitch was exactly right. The iPad was a new class of device, sitting between a phone and a laptop. To succeed, it needed not only to be better at some things than either a phone or laptop, it needed to be much better. It was and is.
Ten years later, though, I don’t think the iPad has come close to living up to its potential. By the time the Mac turned 10, it had redefined multiple industries. In 1984 almost no graphic designers or illustrators were using computers for work. By 1994 almost all graphic designers and illustrators were using computers for work. The Mac was a revolution. The iPhone was a revolution. The iPad has been a spectacular success, and to tens of millions it is a beloved part of their daily lives, but it has, to date, fallen short of revolutionary.
iPad hardware is undeniably great. Lower-priced models are excellent consumer tablets, and are the cheapest personal computers Apple has ever made. They remain perfectly useful for many years. The iPads Pro outperform MacBooks computationally. They’re thin, light, reliable, gorgeous, and yet despite their impressive computational performance they need no fans.
Software is where the iPad has gotten lost. iPadOS’s “multitasking” model is far more capable than the iPhone’s, yes, but somehow Apple has painted it into a corner in which it is far less consistent and coherent than the Mac’s, while also being far less capable. iPad multitasking: more complex, less powerful. That’s quite a combination.
Consider the basic task of putting two apps on screen at the same time, the basic definition of “multitasking” in the UI sense. To launch the first app, you tap its icon on the homescreen, just like on the iPhone, and just like on the iPad before split-screen multitasking. Tapping an icon to open an app is natural and intuitive. But to get a second app on the same screen, you cannot tap its icon. You must first slide up from the bottom of the screen to reveal the Dock. Then you must tap and hold on an app icon in the Dock. Then you drag the app icon out of the Dock to launch it in a way that it will become the second app splitting the display. But isn’t dragging an icon out of the Dock the way that you remove apps from the Dock? Yes, it is — when you do it from the homescreen. So the way you launch an app in the Dock for split-screen mode is identical to the way you remove that app from the Dock. Oh, and apps that aren’t in the Dock can’t become the second app in split screen mode. What sense does that limitation make?
On the iPhone you can only have one app on screen at a time. The screen is the app; the app is the screen. This is limiting but trivial to understand. On the Mac you can have as many apps on screen at the same time as you want, and you launch the second, third, or twentieth app exactly the same way that you launch the first. That is consistency. On iPad you can only have two apps on screen at the same time, and you must launch them in entirely different ways — one of them intuitive (tap any app icon), one of them inscrutable (drag one of the handful of apps you’ve placed in your Dock). And if you don’t quite drag the app from the Dock far enough to the side of the screen, it launches in “Slide Over”, an entirely different shared-screen rather than split-screen mode. The whole concept is not merely inconsistent, it’s incoherent.
How would anyone ever figure out how to split-screen multitask on the iPad if they didn’t already know how to do it?
On the iPhone, you always launch apps the same way: tapping their icons. On the Mac, it’s slightly more complex. In most contexts — the Dock, LaunchPad, Spotlight results — you launch apps by single-clicking them; in the Finder, however, you must double-click them. There’s a method to that seeming madness — you must double-click to open something on the Mac in any context where single-clicking will merely select that item. But the Mac’s “When do I click, when do I double-click?” issue has confused untold millions of non-expert users for decades. How many people have you seen who double-click links in a web browser? The iPhone’s simplicity eliminated this sort of confusion. No one needlessly double-taps tappable items on iPhone. The iPad, originally, shared this simplicity and clarity. When the iPad debuted it was, from top to bottom, easier to understand than the Mac, and you could learn everything there was to learn about it just by tapping and sliding to explore. It was impossible to get lost or confused.
Today, I get a phone call from my mom once or month or so because she’s accidentally gotten Safari into split-screen mode when tapping links in Mail or Messages and can’t get out.
I like my iPad very much, and use it almost every day. But if I could go back to the pre-split-screen, pre-drag-and-drop interface I would. Which is to say, now that iPadOS has its own name, I wish I could install the iPhone’s one-app-on-screen-at-a-time, no-drag-and-drop iOS on my iPad Pro. I’d do it in a heartbeat and be much happier for it.
The iPad at 10 is, to me, a grave disappointment. Not because it’s “bad”, because it’s not bad — it’s great even — but because great though it is in so many ways, overall it has fallen so far short of the grand potential it showed on day one. To reach that potential, Apple needs to recognize they have made profound conceptual mistakes in the iPad user interface, mistakes that need to be scrapped and replaced, not polished and refined. I worry that iPadOS 13 suggests the opposite — that Apple is steering the iPad full speed ahead down a blind alley. ★
Another blockbuster security story last week, initially broken by Stephanie Kirchgaessner for The Guardian:
The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, sources have told the Guardian.
The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis.
This analysis found it “highly probable” that the intrusion into the phone was triggered by an infected video file sent from the account of the Saudi heir to Bezos, the owner of the Washington Post.
The two men had been having a seemingly friendly WhatsApp exchange when, on 1 May of that year, the unsolicited file was sent, according to sources who spoke to the Guardian on the condition of anonymity.
Large amounts of data were exfiltrated from Bezos’s phone within hours, according to a person familiar with the matter. The Guardian has no knowledge of what was taken from the phone or how it was used.
You will recall that The National Enquirer published intimate text messages and personal photographs from Bezos that revealed an extramarital affair, which in turn led to Bezos and his wife of 25 years divorcing.
Bezos unsurprisingly launched his own investigation into how the text messages and photos had been stolen from his phone and wound up in the hands of the Enquirer. According to Bezos’s team, early evidence pointed to Saudi Arabia. That Bezos’s investigators had evidence pointing to the Saudis spooked Enquirer publisher David Pecker enough that Pecker literally attempted to extort Bezos — offering not to publish additional photos in the Enquirer’s possession in exchange for Bezos dropping his investigation. Needless to say, Bezos told Pecker to fuck off, in a remarkably cogent open letter publicly revealing both the extortion scheme and Bezos’s investigative team’s suspicion that the Saudis were the culprits.1
At the time, there was much speculation as to how the Saudis hacked Bezos’s phone. Did they have agents intercepting his cellular signal? Technically possible, perhaps, especially if the text messages were SMS (we still don’t know what type of “texts” they were — we now know Bezos and MBS texted via WhatsApp, but we don’t know how Bezos and his girlfriend texted), but if the Saudis had in fact captured the information over the air, how would Bezos’s investigators ever have detected it months after the fact?
Now, we seemingly know. Bezos had a personal relationship with MBS and MBS personally sent Bezos the payload to exploit his phone. The evidence is strong enough and the allegations serious enough that the United Nations has issued a report on the matter, considers it part of a pattern of human rights violations from the Saudi regime, and is calling for the United States to further investigate.
But — but! — two days ago, The Wall Street Journal reported that federal prosecutors in Manhattan have evidence that The National Enquirer obtained the photos from Lauren Sanchez’s brother, who in turn was sent them from his sister’s phone. Whether Lauren Sanchez sent them to her brother, or her brother had access to her phone and sent them to his phone from her phone himself, is unclear, but the fact that Bezos and Sanchez are still together suggests Bezos believes the latter. It seems entirely possible that the Saudis pwned Bezos’s phone but that it was his girlfriend’s brother who betrayed them to The Enquirer. Or, more conspiratorially, perhaps her brother — a prominent Trump supporter with ties to the recently convicted felon and Trump advisor Roger Stone, a man who describes himself as a “dirty trickster” — was in cahoots with the Saudis and the Enquirer to cover their tracks.
This whole saga is extraordinary to say the least. With zero hyperbole, it sounds like the pitch for a Hollywood thriller:
The richest man in the world — a billionaire a hundred times over — meets and exchanges phone numbers with the crown prince of Saudi Arabia, the most powerful dictator in the Middle East. The richest man in the world happens to own, as a mere side business, The Washington Post — a newspaper whose news coverage and opinion columns have been highly critical of the Saudi Arabian royal family’s brutal and regressive regime. The crown prince uses this superficial personal relationship with the richest man in the world to hack his phone via an infected attachment sent in a WhatsApp chat, using military-grade technology seemingly created by NSO Group, a secretive firm from Israel that supposedly only offers its services to trusted governments. Among the information the Saudis exfiltrate from the richest man in the world’s phone are text messages and intimate photos revealing an extramarital affair, which wind up published in The National Enquirer, whose publisher has long been a trusted confidant of the corrupt president of the United States, and had a stack of scandalous stories regarding said corrupt president’s own extra-marital affairs locked in a safe as part of a decades-long conspiracy to keep those scandals out of the public eye. Said corrupt president of the United States is also a vociferous critic of The Washington Post and its owner, the richest man in the world. The publication of these intimate texts and photos leads to the dissolution of the richest man in the world’s 25-year marriage, and unsurprisingly angers him, leading him to hire a team of investigators to figure out how the texts and images from his phone were stolen. A few months later a team of Saudi agents brutally murders and dismembers Saudi dissident Jamal Khashoggi — who was — wait for it — a journalist at The Washington Post whose columns were scathingly critical of the Saudi regime. The CIA soon determines that the Saudi hit team was acting at the direct behest of the crown prince; when informed of this, the corrupt president of the United States brushes it off with a more-or-less “Shit happens, what do you expect when you criticize our friends the Saudis? Those guys play hardball.” response.
Oh. And the corrupt president of the United States is also a nepotist. His son-in-law is a senior White House advisor with a sprawling portfolio of responsibilities, a top-secret security clearance that was granted only because the president demanded it (overriding concerns of national security officials). Said son-in-law is known to communicate with the crown prince of Saudi Arabia via — wait for it — WhatsApp.2
I take it back, this is not the pitch for a movie. It’s the pitch for a season-long TV series. My proposed title: Hacked to Bits. ★
Bezos, in his 2017 letter to shareholders: “We don’t do PowerPoint (or any other slide-oriented) presentations at Amazon. Instead, we write narratively structured six-page memos. We silently read one at the beginning of each meeting in a kind of ‘study hall.’ ”
The idea is that lazy thinking, if not outright sophistry, is easily disguised within slide decks, but narrative prose — not bullet points but a real narrative — forces the writer to think everything through. Writing is thinking, I’ve always thought, too. I frequently start a column thinking my argument is A, but as I write, I realize I was wrong and in fact my argument is Z. It’s the act of writing that forces you to think the idea through right down to the bedrock. Anyway, Bezos’s open letter revealing the Enquirer’s scheme and his suspicion that the Saudis were the culprits shows that, unsurprisingly, he’s a remarkably cogent writer. Reminds me of someone else. ↩︎
I actually think it’s unlikely that MBS hacked Kushner’s phone. Think about it. The hack of Bezos’s phone was eventually uncovered. If he hacked Kushner, it would have come out eventually too. Trump is embarrassingly cozy with the Saudis, but he would surely be furious if it were revealed the Saudis hacked Kushner’s phone. However useful hacking Kushner’s phone would be to their intelligence gathering, it couldn’t possibly be worth spoiling their relationship with Trump. Killing and dismembering a journalist working for The Washington Post ought to outrage the president. Hacking the phone of an American citizen — any American, prince or pauper — ought to outrage the president. But hacking the phone of someone in his family actually would. Trump’s strident antipathy toward Bezos effectively served as a free pass for the Saudis to hack his phone. That the United Nations is more outraged than the United States says it all.
But, still, the fact that it’s even possible that MBS did the same thing to Kushner that he did to Bezos — combined with the fact that security officials in the U.S. were alarmed by Kushner’s use of WhatsApp all along — is deeply concerning, to say the least. ↩︎︎
Apple Inc. dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.
The tech giant’s reversal, about two years ago, has not previously been reported. It shows how much Apple has been willing to help U.S. law enforcement and intelligence agencies, despite taking a harder line in high-profile legal disputes with the government and casting itself as a defender of its customers’ information.
I want to go deep on this, because, if true, it’s staggering, heartbreaking news. Go read Menn’s entire report. I’ll wait.
OK. First, Reuters’ headline — “Apple Dropped Plan for Encrypting Backups After FBI Complained” — is missing one essential word: iCloud. For at least the last decade, Apple has offered truly secure encrypted local backups of iOS devices, using iTunes on a Mac or PC. (Starting with MacOS 10.15 Catalina, this feature is now in the Finder.) With encrypted local backups, if you don’t have the passphrase used to encrypt the backup, no one, including Apple, can access the backup data. (Local backups to your Mac or PC are not encrypted by default — more on this below — and non-encrypted local backups therefore omit sensitive data like your passwords.)
It’s essential that Apple still supports local backups, for many reasons, but for most iPhone and iPad users it’s irrelevant, because they never connect their devices to a Mac or PC, and the overwhelming majority of them surely have no idea that the feature even exists. iCloud backups are the only backups most iOS users ever use, and it is a fact that there is no option to truly encrypt them.
This fact has been, to me, a bit of a head-scratcher for the last few years — it’s the one gaping hole in Apple’s commitment to cryptographically-guaranteed privacy for its customers.1
In fact, it’s so contrary to Apple’s stance as The Privacy Company that I’ve already heard from several tech-savvy users today, in the wake of Reuters’s report, that they had assumed until now that their iCloud backups were encrypted.
The bottom line is that iCloud backups are not end-to-end encrypted, but should be, at least optionally. Menn’s report for Reuters suggests the reason they’re not is that Apple bowed to requests from the FBI. I do not believe his report is entirely correct. Menn writes:
More than two years ago, Apple told the FBI that it planned to offer users end-to-end encryption when storing their phone data on iCloud, according to one current and three former FBI officials and one current and one former Apple employee.
Under that plan, primarily designed to thwart hackers, Apple would no longer have a key to unlock the encrypted data, meaning it would not be able to turn material over to authorities in a readable form even under court order.
In private talks with Apple soon after, representatives of the FBI’s cyber crime agents and its operational technology division objected to the plan, arguing it would deny them the most effective means for gaining evidence against iPhone-using suspects, the government sources said.
When Apple spoke privately to the FBI about its work on phone security the following year, the end-to-end encryption plan had been dropped, according to the six sources. Reuters could not determine why exactly Apple dropped the plan.
Menn is a solid reporter and I have no reason to doubt what he is reporting. What I suspect though, based on (a) everything we all know about Apple, and (b) my own private conversations over the last several years, with rank-and-file Apple sources who’ve been directly involved with the company’s security engineering, is that Menn’s sources for the “Apple told the FBI that it planned to offer users end-to-end encryption when storing their phone data on iCloud” bit were the FBI sources, not the Apple sources, and that it is not accurate.
It simply is not in Apple’s nature to tell anyone outside the company about any of its future product plans. I’m not sure how I could make that more clear. It is not in Apple’s DNA to ask permission for anything. (Cf. the theory that a company’s culture is permanently shaped by the personality of its founders.)
Encrypting iCloud backups would be perfectly legal. There would be no legal requirement for Apple to brief the FBI ahead of time. Nor would there be any reason to brief the FBI ahead of time just to get the FBI’s opinion on the idea. We all know what the FBI thinks about strong encryption. How would this supposed conversation have gone down?
FBI Official: So, what brings you here?
Apple Representative: Well, we’re thinking about offering encrypted iCloud backups, such that only the user would hold the keys.
FBI Official: ——
Apple Representative: And, uh, we were wondering what you folks thought about that.
FBI Official: Is this a joke?
I would find it less surprising to know that Apple acquiesced to the FBI’s request not to allow encrypted iCloud backups than that Apple briefed the FBI about such a plan before it was put in place.
I’ll take as fact all of the following, based on Menn’s report and common sense:
Apple had and perhaps still has a plan to encrypt iCloud backups in a way that only the user controls the keys. I.e. that without the backup passphrase, there would be no way for Apple to access the data contained in the backup.
The FBI has requested that Apple not offer encrypted iCloud backups. I would be surprised if the FBI does not reiterate its stance on this issue whenever they meet with Apple regarding security matters. Apple might never have mentioned a plan to encrypt iCloud backups, but the FBI isn’t stupid. It has surely occurred to anyone who has followed Apple’s progress on security — which to date has only ever moved in the direction of providing customers with more cryptographically-guaranteed privacy — that encrypted iCloud backups are something the company has at the very least considered.
Apple cancelled or postponed its plan to offer encrypted iCloud backups.
It does not necessarily follow that #3 is the result of #2.
It could be the reason, but there are several other logical explanations. It’s a subtle point, but the “due to” in VentureBeat’s headline on Reuter’s syndicated report — “Apple’s iCloud Backups Are Unencrypted Due to Law Enforcement Pressure” — is not justified by the reporting. (Reuters’s original headline uses “after”.)
I’ll repeat the last line of the previous quote from Menn’s report:
Reuters could not determine why exactly Apple dropped the plan.
Dueling sources follow:
“Legal killed it, for reasons you can imagine,” another former Apple employee said he was told, without any specific mention of why the plan was dropped or if the FBI was a factor in the decision.
That person told Reuters the company did not want to risk being attacked by public officials for protecting criminals, sued for moving previously accessible data out of reach of government agencies or used as an excuse for new legislation against encryption.
“They decided they weren’t going to poke the bear anymore,” the person said, referring to Apple’s court battle with the FBI in 2016 over access to an iPhone used by one of the suspects in a mass shooting in San Bernardino, California.
If that is the case — that Apple’s legal department killed the project to avoid “poking the bear” — then it’s ultimately irrelevant whether Apple briefed the FBI in advance or not. It’s acquiescence, and users will be left unprotected. Not just in the U.S., where the FBI has jurisdiction, but everywhere in the world where encryption is legal.
Menn’s FBI sources clearly think that’s the case:
Two of the former FBI officials, who were not present in talks with Apple, told Reuters it appeared that the FBI’s arguments that the backups provided vital evidence in thousands of cases had prevailed.
“It’s because Apple was convinced,” said one. “Outside of that public spat over San Bernardino, Apple gets along with the federal government.”
What else could it be? This:
However, a former Apple employee said it was possible the encryption project was dropped for other reasons, such as concern that more customers would find themselves locked out of their data more often.
That’s a key point. Surely there are hundreds, maybe thousands, of people every day who need to access their iCloud backups who do not remember their password. The fact that Apple can help them is a benefit to those users. That’s why I would endorse following the way local iTunes device backups work: make encryption an option, with a clear warning that if you lose your backup password, no one, including Apple, will be able to restore your data. I would be surprised if Apple’s plan for encrypted iCloud backups were not exactly that.
Buried deep in the article is, to me, the most alarming aspect of Menn’s report:
Once the decision was made, the 10 or so experts on the Apple encryption project — variously code-named Plesio and KeyDrop — were told to stop working on the effort, three people familiar with the matter told Reuters.
The proof of the pudding is in the eating — let’s see what Apple actually does. Reuters’s report notwithstanding, I would not be surprised if end-to-end encrypted iCloud backups are forthcoming. This should be at the top of our list of hoped-for features at WWDC 2020.
This isn’t about Apple foiling law enforcement. It isn’t about Apple helping criminals. It’s about Apple enabling its customers to own and control their own data. As things stand, if you use iCloud backup, you do not own and control the data therein. ★