‘How Safe Is Apple’s Safe Browsing?’

Matthew Green, writing at Cryptographic Engineering:

When Apple wants to advertise a major privacy feature, they’re damned good at it. As an example: this past summer the company announced the release of the privacy-preserving “Find My” feature at WWDC, to widespread acclaim. They’ve also been happy to claim credit for their work on encryption, including technology such as iCloud Keychain.

But lately there’s been a troubling silence out of Cupertino, mostly related to the company’s interactions with China. Two years ago, the company moved much of iCloud server infrastructure into mainland China, for default use by Chinese users. It seems that Apple had no choice in this, since the move was mandated by Chinese law. But their silence was deafening. Did the move involve transferring key servers for end-to-end encryption? Would non-Chinese users be affected? Reporters had to drag the answers out of the company, and we still don’t know many of them.

In the Safe Browsing change we have another example of Apple making significant modifications to its privacy infrastructure, largely without publicity or announcement. We have learn about this stuff from the fine print. This approach to privacy issues does users around the world a disservice.

If Apple needs to do things differently in China to comply with Chinese law, they need to explain exactly what they’re doing and why. Otherwise people are going to assume the worst. “Trust us” is not good enough. If they’re embarrassed to explain in detail what they’re doing to comply with Chinese law, then they shouldn’t be doing it.

Monday, 14 October 2019