I once had a conversation under NDA (which has expired since) with an engineer at Apple who was working on iCloud infrastructure, and he was telling me that his team was a bit shocked to read that Dropbox was releasing apps for photos at the time “because they’ve noticed that most of the files users are uploading to Dropbox are photos”. He was like: how do they know that exactly? His team had no idea and couldn’t possibly find out if the encrypted files they were storing were photos, sounds, videos, texts, whatever. That’s what encryption is for, only the client side (the devices) is supposed to know what’s up.
Not having that information meant a direct loss of business insights and value for Apple, since Dropbox had it and leveraged it. But it turns out Apple doesn’t joke around about security/privacy.
Under Standard Data Protection photos, general drive storage and device back up are not end-to-end encrypted. Meaning that Apple has full access to reading and analyzing them.
Under Advanced Data Protection which is an opt-in feature available since iOS 16.2, you can have those files end-to-end encrypted.
End-to-end encryption makes the user responsible for keeping an encryption key safe, irreversibly losing their data if they lose the key. It's not practical for the general population. I would guess its use is in low single digit percent of apple customers.
And this feature came out in December 2022. A bit over half a year ago. Unless your friend's NDA was super short, I presume the conversation took place before it was released. Either your friend was bullshitting you under an NDA or he's an idiot.
Advanced Data Protection has a social recovery option that does not require end users maintaining a security key. It’s far more accessible to average users than one might think, though perhaps still a bit intimidating.
Really? That’s interesting what’s a “social recovery” option?
You can select up to five contacts that also have an iPhone to help you get back into your account if you get locked out (ex. losing your phone and getting a new one)
Could be the engineer didn't have permission to see file details. They could still be readable by higher-ups, but not to the general engineer. This is how it should work, if e2ee is not used. If Dropbox allowed everyone who worked on their server to read files... that's a huge invasion of privacy.
Makes no sense though. As if the engineer is the one deciding which apps are built. He's just saying things he thinks he sees.
Oh that’s interesting!
Yeah, that conversation is much, much older, pretty close to the very start of iCloud file storage. I’m guessing either things changed since and they used to be end-to-end encrypted, or more likely, what the friend was complaining about is his iCloud infrastructure team didn’t have access to the keys stored by another team, and reverse. So basically, Apple could technically decrypt those files, but they don’t by policy, enforced by org-chart-driven security.
Now excuse me while I go change a setting in my iCloud account… 😳
Really proves that Apple users believe Apple is perfect and they are protected, even when there's official documentation stating otherwise. It's baffling how many Apple users think they are fully anonymous and protected and not tracked. Apple is brainwashing you well.
I’m an apple user. I don’t think these things. I have a plethora of apple devices. I also have a few chromebooks, a high-end desktop I built for gaming and developing.
We as people really need to stop generalizing and insulting {X group of people who are not me}. I mean, you don’t like apple. That’s totally fine! Use whatever pleases you. That doesn’t bother me at all. But stop calling me brainwashed for enjoying an ecosystem that makes my life and day-to-day easier and more enjoyable.
People like to think of themselves as superior to the other group. But we are all individuals with our own preferences and life experiences. I had a google g1. I’ve had multiple android phones. Admittedly, they were all during android’s Wild West days where I barely got any major os updates and half of them failed within a year.
What I’m saying (and I know this is a reply to you, but this has been frustrating me with a LOT of things, not just “Apple users”) is that we should try to put things in perspective before insulting an entire group of people that we don’t even know. That’s my two cents.
I don't know anything about this, but the files may be encrypted blobs, but if they are mapped to the original filenames (as is the case with Dropbox) with suffix like jpg, etc, they could assume the type without decoding the file. Not saying there's no difference between Dropbox and Apple, but I'm not sure people expected filenames to be encrypted back in the day (if even now).
Yeah, to be clear, what the friend was saying that day is that they don’t even have access to file names. For them it’s 100% mangled data.
I would definitely consider file names to be personal information, that I would expect to be encrypted. If I store a file named “Letter to IRS for 2020 violation.doc”, then suddenly you know something about me that I probably don’t want you to know.
I once had a conversation under NDA (which has expired since) with an engineer at Apple who was working on iCloud infrastructure, and he was telling me that his team was a bit shocked to read that Dropbox was releasing apps for photos at the time “because they’ve noticed that most of the files users are uploading to Dropbox are photos”. He was like: how do they know that exactly? His team had no idea and couldn’t possibly find out if the encrypted files they were storing were photos, sounds, videos, texts, whatever. That’s what encryption is for, only the client side (the devices) is supposed to know what’s up.
Not having that information meant a direct loss of business insights and value for Apple, since Dropbox had it and leveraged it. But it turns out Apple doesn’t joke around about security/privacy.
What?
https://support.apple.com/en-us/HT202303
Under Standard Data Protection photos, general drive storage and device back up are not end-to-end encrypted. Meaning that Apple has full access to reading and analyzing them.
Under Advanced Data Protection which is an opt-in feature available since iOS 16.2, you can have those files end-to-end encrypted.
End-to-end encryption makes the user responsible for keeping an encryption key safe, irreversibly losing their data if they lose the key. It's not practical for the general population. I would guess its use is in low single digit percent of apple customers.
And this feature came out in December 2022. A bit over half a year ago. Unless your friend's NDA was super short, I presume the conversation took place before it was released. Either your friend was bullshitting you under an NDA or he's an idiot.
Advanced Data Protection has a social recovery option that does not require end users maintaining a security key. It’s far more accessible to average users than one might think, though perhaps still a bit intimidating.
Really? That’s interesting what’s a “social recovery” option?
You can select up to five contacts that also have an iPhone to help you get back into your account if you get locked out (ex. losing your phone and getting a new one)
Could be the engineer didn't have permission to see file details. They could still be readable by higher-ups, but not to the general engineer. This is how it should work, if e2ee is not used. If Dropbox allowed everyone who worked on their server to read files... that's a huge invasion of privacy.
Makes no sense though. As if the engineer is the one deciding which apps are built. He's just saying things he thinks he sees.
Oh that’s interesting!
Yeah, that conversation is much, much older, pretty close to the very start of iCloud file storage. I’m guessing either things changed since and they used to be end-to-end encrypted, or more likely, what the friend was complaining about is his iCloud infrastructure team didn’t have access to the keys stored by another team, and reverse. So basically, Apple could technically decrypt those files, but they don’t by policy, enforced by org-chart-driven security.
Now excuse me while I go change a setting in my iCloud account… 😳
Really proves that Apple users believe Apple is perfect and they are protected, even when there's official documentation stating otherwise. It's baffling how many Apple users think they are fully anonymous and protected and not tracked. Apple is brainwashing you well.
I’m an apple user. I don’t think these things. I have a plethora of apple devices. I also have a few chromebooks, a high-end desktop I built for gaming and developing.
We as people really need to stop generalizing and insulting {X group of people who are not me}. I mean, you don’t like apple. That’s totally fine! Use whatever pleases you. That doesn’t bother me at all. But stop calling me brainwashed for enjoying an ecosystem that makes my life and day-to-day easier and more enjoyable.
People like to think of themselves as superior to the other group. But we are all individuals with our own preferences and life experiences. I had a google g1. I’ve had multiple android phones. Admittedly, they were all during android’s Wild West days where I barely got any major os updates and half of them failed within a year.
What I’m saying (and I know this is a reply to you, but this has been frustrating me with a LOT of things, not just “Apple users”) is that we should try to put things in perspective before insulting an entire group of people that we don’t even know. That’s my two cents.
I don't know anything about this, but the files may be encrypted blobs, but if they are mapped to the original filenames (as is the case with Dropbox) with suffix like jpg, etc, they could assume the type without decoding the file. Not saying there's no difference between Dropbox and Apple, but I'm not sure people expected filenames to be encrypted back in the day (if even now).
Yeah, to be clear, what the friend was saying that day is that they don’t even have access to file names. For them it’s 100% mangled data.
I would definitely consider file names to be personal information, that I would expect to be encrypted. If I store a file named “Letter to IRS for 2020 violation.doc”, then suddenly you know something about me that I probably don’t want you to know.