Apple Releases Statement on Customer Privacy and Law Enforcement Requests for Customer Data

[sash]

It's a pity we have to live in such times when the governments of the democratic countries are setting up such structures. I can understand their reasoning, it's much better tapping in our data than dealing with another Boston-like disaster -- and explaining to the public why they've let it happened. On the other hand, what's about my precious sacred privacy, which I don't want to give up? A tough question. Not that obvious as it looks.

 

[gnasher729]

Ya sure un-decryptable sure...
I really don't know the state of encryption today so I shouldn't really comment but I tend to have my doubts when somebody says that something is uncrackable.

Most of it is maths with reasonable number of people who can independently verify it. Based on that, 256 bit AES will be save for the next 50 years.

There's a limit to the number of operations that any computer can perform. There are hard physical limits, laws of nature, that computers cannot get past. It is physically impossible for any computer whatsoever to perform 2^256 operations, because there is just not enough energy in the whole universe to perform that many operations. (2^226 operations with all the energy in our galaxy, 2^196 operations with all the energy in the sun, and much much much less if we use all nuclear fuel on earth to provide the energy). A billion new MacPro's running for 50 years are rumoured to be capable of a total of less than 2^104 operations.

That makes 128 bit AES safe unless someone manages to reduce the number of operations needed to crack it significantly. At the moment, it is totally utterly impossible to crack. Some huge advances in mathematics would be needed to make it totally impossible to crack. And then some more huge advances in mathematics would be need to make it "only" impossible to crack. At which point everyone would change to a different system. 256 bit AES on the other hand would need a dozen huge advances in mathematics, which makes it safe for 50 years, that is a message that you encrypt today will be impossible to decrypt even 50 years from now.

----------

It's a pity we have to live in such times when the governments of the democratic countries are setting up such structures. I can understand their reasoning, it's much better tapping in our data than dealing with another Boston-like disaster -- and explaining to the public why they've let it happened. On the other hand, what's about my precious sacred privacy, which I don't want to give up? A tough question. Not that obvious as it looks.

What happened in Boston wasn't a disaster. In the USA alone, every day about 8,000 people die. Every day, about 100 people commit suicide in the USA, and not many fewer die in car accidents. So how is a bomb killing a few people a "disaster"? Apart from it being big in the news and everybody getting excited about it, not much really happened. If the same thing happened every weekend for a year, that would be fewer people dead than Harold Shipman has on his conscience.

So that question isn't tough at all.

 

[skinned66]

At least the stoners get it right. The refraction on the PRISM logo is complete nonsense.

 

[Tech198]

That's fraud and if you ever did anything illegal it would make the case for you more difficult..

Yes, and it will also make i MORE difficult for THEM to get that information, thats the whole point...

Google knows all abot most people, social networking sites/IM messaging is a gold mine for tracking with the NSA, not to mention your ISP's, and while now, it goes against every policy they put out, whats to stop them ?

Nothing...

Except if they never have the info in the first place, then it doesn't matter. Fraud, or not.

I would feel safer sleeping at night knowing the NSA isn't grabbing my ISP info, or other sites leaking info. Policies update all the time, just look at how many times Paypal has done this.

The point is, the NSA can do whatever they want, and can, and probably will.

As for me, I don't take any chances.

I'm not saying i stick fake stuff everywhere. I do give out real info, but only in situations (for example on CC application form), but only minimal stuff.

For example, If there are more than one way to contact (email and phone, and BOTH are mandatory, then I stick in real gmail (not ISP since i never share that), and fake phone...

If people want to contact, then email,, why do they need phone if they have your physical address anyway.

Same situations with Shopping sites, I only enter delivery info if i need it delivered, otherwise if it mandatory, i stick in fake stuff....

Get the picture ?

This way, i minimise exposure, and even if they didn't want it, they won't get it from me, since its probably already out there somewhere.

 

[orthorim]

Use this for cloud storage:

https://spideroak.com

The encryption happens client side so the servers never know what you're storing there. Considering switching from Dropbox which isn't yet on the NSA list, but will be shortly, and since they're in the USA there's very little they can do about it.

Encryption itself is safe, by the way. It's just that any real world implementation has weaknesses, and some of those are rather severe. So the NSA will plug in at the weakest link, not try to somehow brute force encryption (which would be futile).

For example they can listen in on all HTTPS traffic by hitting up two or three certificate authorities. It's that simple.

----------

Most of it is maths with reasonable number of people who can independently verify it. Based on that, 256 bit AES will be save for the next 50 years.

The fallacy in this assumption is that an attacker will attack the math. They won't. The attacker will attack everything else, starting with the weakest link your encryption armor.

Take HTTPS - it's safe. Except it relies on Certificate Authorities (CAs) to function. And there's only two that really matter, and only a handful in total. Subverting these is a piece of cake with the legal, financial, and technical resources possessed by the NSA.

Then there's the domain name service - DNS - back when the internet was invented, security was an afterthought. The DNS underlies all internet communications but it's inherently completely insecure, and, again, has only a handful points of failure.

Internet backbones - another target. Big ISPs - wow there's like 5 of them, easy to get at all their data.

When Snowden said they have access to all the data of the big companies, it wouldn't surprise me in the least if an attack on the DNS plus CAs plus ISPs could be very easily made into a comprehensive, all - encompassing ability to read any and all communications, encrypted or not, to and from the companies mentioned. With or without those companies' knowledge.

 

[dmax35]

Is Apple just trying to find a way to make me go back to Windows?

Go back then!

 

[DesertEagle]

I don't care if the NSA or anyone else reads my postcards. If I write something private on a postcard, I'll encrypt the message such that only the recipient can understand it. The same goes for e-mail and Facebook messages.

What I truly dislike is the government's sense of entitlement to collect communication history from any of my service providers, using a warrant from a court whose rubber-stamp-"decisions" are classified, and even impose a gag-order on the subjects. All of it based on secret interpretations of a controversial part of a draconian law, so much for transparency.

If the authorities don't want me to know that they're spying on me, then they shouldn't be doing it in the first place!!

 

[unplugme71]

Yes, and it will also make i MORE difficult for THEM to get that information, thats the whole point...

Google knows all abot most people, social networking sites/IM messaging is a gold mine for tracking with the NSA, not to mention your ISP's, and while now, it goes against every policy they put out, whats to stop them ?

Nothing...

Except if they never have the info in the first place, then it doesn't matter. Fraud, or not.

I would feel safer sleeping at night knowing the NSA isn't grabbing my ISP info, or other sites leaking info. Policies update all the time, just look at how many times Paypal has done this.

The point is, the NSA can do whatever they want, and can, and probably will.

As for me, I don't take any chances.

I'm not saying i stick fake stuff everywhere. I do give out real info, but only in situations (for example on CC application form), but only minimal stuff.

For example, If there are more than one way to contact (email and phone, and BOTH are mandatory, then I stick in real gmail (not ISP since i never share that), and fake phone...

If people want to contact, then email,, why do they need phone if they have your physical address anyway.

Same situations with Shopping sites, I only enter delivery info if i need it delivered, otherwise if it mandatory, i stick in fake stuff....

Get the picture ?

This way, i minimise exposure, and even if they didn't want it, they won't get it from me, since its probably already out there somewhere.

You do realize they can find you still, right? You aren't hiding behind much when you are on the Internet.

Do you lie to your ISP of who you are and where you live? Because even if you did, they can find where the cable or internet modem resides. Stop believing you can't be found.

My friends dad works for the NY internet crime division and the things they can do is unreal. And that is at the state level. I'm sure the Feds have even more power, resources, etc...

 

[tshrimp]

Go back then!

I am glad you have no issue with Apple doing what they want and following them blindly. I like my Macs, iPads, etc., but realize that Apple is not perfect, and I will go back on my next round of computers unless something changes between now and then. Thanks for your well thought out, mature response

 

[dmax35]

I Thanks for your well thought out, mature response

Your welcome.

And the next time you conspiracy theorist wake up in morning thinking to yourself. I slept nice and safe, think about all the 3rd world country knuckleheads who hate the USA just itching to do harm. If it wasn't for big brother watching, than the most recent planned 150 or so planned attacks wouldn't have been detected and prevented. I applaud companies willing to do what ever it takes to assist protecting my country.

 

[tshrimp]

Your welcome.

And the next time you conspiracy theorist wake up in morning thinking to yourself. I slept nice and safe, think about all the 3rd world country knuckleheads who hate the USA just itching to do harm. If it wasn't for big brother watching, than the most recent planned 150 or so planned attacks wouldn't have been detected and prevented. I applaud companies willing to do what ever it takes to assist protecting my country.

Not a conspiracy theory. It happened. Go watch the news. (you seemed to call this a theory [by calling me a conspiracy theorist], and then go on to admit it happened?!?!)

And what ever happened to this?

http://www.youtube.com/watch?v=gF3MC-TkpRQ&feature=youtu.be

Unquestioning trust of ones government can be very dangerous.

 

[dmax35]

Not a conspiracy theory. It happened. Go watch the news.

And what ever happened to this?

http://www.youtube.com/watch?v=gF3MC-TkpRQ&feature=youtu.be

Unquestioning trust of ones government can be very dangerous.

Don't care, I never voted for him. My trust is with the system put in place to protect us and proudly served 30 years of my life for.

 

[localoid]

Your welcome.

And the next time you conspiracy theorist wake up in morning thinking to yourself. I slept nice and safe, think about all the 3rd world country knuckleheads who hate the USA just itching to do harm. If it wasn't for big brother watching, than the most recent planned 150 or so planned attacks wouldn't have been detected and prevented. I applaud companies willing to do what ever it takes to assist protecting my country.

Sound like you've fully embraced the Culture of Fear.

Former National Security Advisor Zbigniew Brzezinski argues that the use of the term War on Terror was intended to generate a culture of fear deliberately because it "obscures reason, intensifies emotions and makes it easier for demagogic politicians to mobilize the public on behalf of the policies they want to pursue".

 

[DesertEagle]

Lies about PRISM-participation

Do people really believe in this? http://www.apple.com/apples-commitment-to-customer-privacy/

Apple initially lied about their participation in the PRISM program. They probably had no choice, and I'm not holding grudges or anything - but how can Apple expect me to believe that their (vaguely formulated) consumer privacy statement is true, and not just another court-ordered lie?

Thank God this was discovered before people started to keep their keychains in iCloud...

 

[SandboxGeneral]

Do people really believe in this? http://www.apple.com/apples-commitment-to-customer-privacy/

Apple initially lied about their participation in the PRISM program. They probably had no choice, and I'm not holding grudges or anything - but how can Apple expect me to believe that their (vaguely formulated) consumer privacy statement is true, and not just another court-ordered lie?

Thank God this was discovered before people started to keep their keychains in iCloud...

Go back to the start of this thread and review many of the posts, as well as the ones I made in here detailing the facts as we know them which actually point to Apple and other companies not being involved in this - that the Prism program intercepts data before it ever gets to Apple, Google, et al..

 

[skunk]

Apple and the others are surely able to detect when such interception has taken place, but were probably not permitted to disclose it.

 

[SandboxGeneral]

Apple and the others are surely able to detect when such interception has taken place, but were probably not permitted to disclose it.

If the information we have is correct, Apple and the others wouldn't even have known of the interception because as its laid out, this is occurring upstream of them at the ISP level.

The ISP's should have some kind of knowledge that the government is doing something.

 

[skunk]

If the information we have is correct, Apple and the others wouldn't even have known of the interception because as its laid out, this is occurring upstream of them at the ISP level.

The ISP's should have some kind of knowledge that the government is doing something.

I would be surprised if such large scale interception left no discernible trace upstream.

 

[SandboxGeneral]

I would be surprised if such large scale interception left no discernible trace upstream.

What they're doing is splitting the incoming data feeds at the ISP into two directions. One of them is the normal route through he ISP and back out to the Internet while the other is sent off to NSA equipment as a copy. There really isn't much to leave traces behind digitally.

This whole thing is laid out quite well here, here and here.

 

[DesertEagle]

Go back to the start of this thread and review many of the posts, as well as the ones I made in here detailing the facts as we know them which actually point to Apple and other companies not being involved in this - that the Prism program intercepts data before it ever gets to Apple, Google, et al..

Sure, I know they intercept the data (China does the same). All data which is sent in plain text is readable for any third-party, and I therefore assume that everyone reads everything (including content and meta-data) that I send in plain text, in addition to some of the meta-data (but not the content) for trusted and secure connections. The content ("ciphertext" when encrypted) will look like gibberish over secure connections.

In other words, it's practically impossible to see what you're doing when logged in to iCloud with https://www.icloud.com/. Note that the NSA can see that you've initiated contact with Apple's iCloud since this is meta-data, but anything you do over this connection will be unreadable to anyone who intercepts the message. Unless they can decipher the contents, of course, for which they will need the keys.

There are four ways for the NSA to obtain the information they want about your iCloud activities:

1. Getting the content or the decryption keys from Apple, lawfully by collaboration, court order, etc.
2. Getting the content or the decryption keys from Apple, unlawfully by hacking, social engineering, etc.
3. Guessing the decryption keys by brute-force, even if it may take thousands of years.
4. Using a quantum-computer to nondeterministically guess the correct decryption keys (within reasonable time!) and use them to decipher the content. (POIDH )

Which one do you think they're using? I find number 1 far more likely than number 2 (let alone number 3 or 4).

 

[SandboxGeneral]

Sure, I know they intercept the data (China does the same). All data which is sent in plain text is readable for any third-party, and I therefore assume that everyone reads everything (including content and meta-data) that I send in plain text, in addition to some of the meta-data (but not the content) for trusted and secure connections. The content ("ciphertext") will look like gibberish over secure connections.

In other words, it's practically impossible to see what you're doing when logged in to iCloud with https://www.icloud.com/. Note that the NSA can see that you've initiated contact with Apple's iCloud since this is meta-data, but anything you do over this connection will be unreadable to anyone who intercepts the message. Unless they can decipher the contents, of course, for which they will need the keys.

There are three possible ways for the NSA to obtain the information they want about your iCloud activities:

1. Getting the content or the decryption keys from Apple, lawfully by collaboration, court order, etc.
2. Getting the content or the decryption keys from Apple, unlawfully by hacking, social engineering, etc.
3. Using a quantum-computer to nondeterministically guess the correct decryption keys and use them to decipher the content. (POIDH )

Which one do you think they're using? I find number 1 far more likely than number 2 (let alone number 3).

It sounds like you're agreeing with everything I've been saying then.

Option #1 of your description would be the most likely one to use in order to get iCloud information when that information is strictly between you and Apple. But once you send an email for example from iCloud to someone else that doesn't have an Apple account, thus forced to be sent outside of the Apple networks, then the data is up for grabs, as I detailed in an example with Gmail here.

 

[decafjava]

I am glad you have no issue with Apple doing what they want and following them blindly. I like my Macs, iPads, etc., but realize that Apple is not perfect, and I will go back on my next round of computers unless something changes between now and then. Thanks for your well thought out, mature response

Well going back to Windows won't keep you any safer*. Anyway why should I change MY habits/ products/services the governments should change THEIRS.


*win 7 user.

 

[DesertEagle]

But once you send an email for example from iCloud to someone else that doesn't have an Apple account, thus forced to be sent outside of the Apple networks, then the data is up for grabs.

Sure. I know e-mails are sent in plain text across networks. This is why I've always stuck to the "postcard rule", i.e., if I for security reasons wouldn't write something on a postcard, then I won't write it in an e-mail either.

 

[skunk]

It's more secure on a postcard, because they have to be able to read your handwriting!

 

[SandboxGeneral]

Sure. I know e-mails are sent in plain text across networks. This is why I've always stuck to the "postcard rule", i.e., if I for security reasons wouldn't write something on a postcard, then I won't write it in an e-mail either.

That's a good practice, I do the same thing, though I don't have anything to hide, but that's beside the point.

It's more secure on a postcard, because they have to be able to read your handwriting!

Touché