Apple's iOS update includes a contact tracing API. There's a keen discussion at MacRumors.com about whether that API can be accessed or used by Apple. MacRumors.com is the best Apple community site with a rich and varied membership of long term Apple users and sceptics like myself and Apple evangelists. The consensus is no, it's safe. Apple is talking a good game. The adoption will be voluntary, it will require Bluetooth to be enabled.
So far, so good. Voluntary. Non-invasive. The FAQ linked above tells a very different story though. There's a second mandatory phase already planned, once people have been tricked into installing the voluntary OS update.
In the second phase, available in the coming months, this capability will be introduced at the operating system level to help ensure broad adoption, which is vital to the success of contact tracing. After the operating system update is installed and the user has opted in, the system will send out and listen for the Bluetooth beacons as in the first phase, but without requiring an app to be installed. If a match is detected the user will be notified, and if the user has not already downloaded an official public health authority app they will be prompted to download an official app and advised on next steps. [emphasis mine]
In theory, since Bluetooth must be enabled for the contact tracing app or API to work, there's no way for Apple to contact trace without user authorisation. But there are no physical switches on the radios of an iPhone. Apple could directly activate Bluetooth for its own purposes without either alerting the user or allowing any way to turn off Bluetooth. Or if Apple would like to play by the legal book, Apple could disable an iPhone until the user authorises Apple to use the Bluetooth radio for "legally mandatory contact tracing".
Mainstreamers and Apple apologists dismiss these privacy concerns.
If these people would actually know what they complain about, they knew that
a) location isn't shared at all (it's not even recorded),
b) sharing is off by default and
c) even when you enable it, neither Apple nor Google nor any other party will get this data. It's processed on device.
Sadly mainstream trust in Apple is both misplaced and foolish. Just this month, Apple was caught out sharing background, unrequested recordings from Siri with external contractors. What's particularly galling is the fatuous arrogance of phrases like "these people would actually know what they complain about".
If Apple asserts that the processing is all done on device then informed commentators should write that "Apple asserts". Even that with a healthy degree of scepticism. Apple lies and lies often.
Apple is an American company subject to all the legislation of the Patriot Act and its successors. Since 1986, gag orders forbid American companies from letting their users know if the organisation has been contacted by the NSA or CIA. On the flipside, since 2008 American corporations are immune to any suit for violation of privacy:
Release of liability: No cause of action shall lie in any court against any electronic communication service provider for providing any information, facilities, or assistance in accordance with [an order/request/directive issued by the Attorney General or the Director of National Intelligence].
Under the circumstances, it's imperative to be highly sceptical of any privacy claims of Google, Apple and Facebook. Steve Jobs was a difficult man, but he really did his best in regard to privacy and in regard to candour. Tim Cook and the current crew of profiteers, tax-evaders and carpetbaggers are not cut from the same cloth.
Sceptics were met at MacRumors.com with accusations of paranoia and conspiracy theories.
My advice to those who would trust Apple, even after the recent Siri recordings debacle, is to read the public Snowden papers. It's possible to browse them sorted by agency (CIA, NSA, GCHQ, Five Eyes, etc.), security classification (top secret, secret, classified, etc), program (Prism, Boundless Informant, Stellarwind, Xkeyscore, etc.). These programs are real.
Here's what Apple was willingly providing to the NSA in 2013 within the Prism program. Apple is certainly not providing less information in 2020.
Note that Apple did not join Prism until October 2012, after the death of Steve Jobs from cancer.
Conspiracy theory was a term invented by the CIA to encourage mainstreamers (like yourself) to discredit leaks about CIA activities:
“Conspiracy theory” is a term that at once strikes fear and anxiety in the hearts of most every public figure, particularly journalists and academics. Since the 1960s the label has become a disciplinary device that has been overwhelmingly effective in defining certain events off limits to inquiry or debate. Especially in the United States raising legitimate questions about dubious official narratives destined to inform public opinion (and thereby public policy) is a major thought crime that must be cauterized from the public psyche at all costs.
It's highly unlikely that those asserting that iOS 13.5 will not enforce contact tracing on an unwilling public have done the appropriate tests in a forensic lab which can intercept and decode communication with Apple's servers. Claims that iOS will not force additional and secret monitoring of our phones are made of air, i.e. of zero security value. Moreover, the voluntary nature of contact tracing is directly contradicted by Apple's own published statement above.
Can anyone objectively confirm that Apple is not sharing data from this API with the NSA surreptitiously? No. One can't accuse the NSA guys of lacking a sense of humour. Look closely at the last two photos from this NSA training document from 2010-01 (Prism program).
It's amusing and sad that even 3214 years later, the Trojan Horse tactic works faultlessly. iOS 13.5 with its welcome fixes (iOS 13.4 crippled video playback, happily I stayed on 13.3.1) is just such a gift. Contact tracing is coming to Android and iOS updaters whether we like it or not. Android users are at less risk as it will be a monumental effort to force an update across older versions of Android. My colleague Martin is running Android 5.1.1 and hasn't been offered an update from HTC in many years.
iOS users on both iPad and iPhone should be very wary of upgrading to iOS 13.5. There's no path backwards and it will track and trace you in entirely new ways.
It's a pity for iPad users as there's real improvements to USB mouse support in 13.5 as it is the full-fledged iPadOS Apple has been promising for the last six months. I can get by without a USB mouse but I'd like to keep my privacy.* Perhaps it's time to drop Apple devices and for Lucia and I to sell off our iPhone 11 Pro Max, iPhone XS and iPad Pro.
Can't do that either: I need to actively use iOS devices for client site testing. But if you're not in my situation and value your privacy, I suggest you take a long look at LineageOS (Android without Google) next time you buy a new phone.
* If you must use iOS, be sure to avoid iCloud. Data on your device is encrypted and requires the NSA/US government take active measures to obtain it. Data on iCloud is not encrypted and Apple co-operates with any security request. Requests no longer require a court order or even FISA court warrant but are issued via an NSA internal process. Anything in iCloud is an open book as Emma Watson, Amanda Seyfried, Jennifer Lawrence and scores more modern beauties have painfully discovered.
Alec has been helping businesses succeed online since 2000. Alec is an SEM expert with a background in advertising, as a former Head of Television for Grey Moscow and Senior Television Producer for Bates, Saatchi and Saatchi Russia.