macOS Big Sur has its own telemetry privacy nightmare

Reading time icon 5 min. read


Readers help support MSpoweruser. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more

Privacy advocates have been complaining for years about telemetry on Windows 10, forcing Microsoft to make a number of concessions to satisfy regulators.

It turns out one of the alternatives, switching to Apple’s macOS, may simply be moving from the frying pan into the fire.

A recent incident where Apple’s OCSP (Online Certificate Status Protocol) was overwhelmed revealed to even casual users that Apple knows exactly which apps are running on your macOS laptop. During the partial outage, apps were very slow to launch or refused to launch at all, as the OS struggled to check the certificate of the apps against Apple’s revocation list.

Security Jeffrey Paul writes that this issue is simply the tip of the iceberg. On macOS Big Sur Apple does not only have control over which apps you run, but also:

  • the communication reveals your IP address, location and usage patterns.
  • the information is sent plain-text, meaning 3rd parties (e.g. NSA or Chinese firewall)  have access to the same information.
  • the telemetry can not be blocked, as macOS Big Sur does not allow user-level firewalls or VPNs to access system communication.
  • Apple’s new ARM-based PCs can only run macOS Big Sur, and can not be downgraded to less encumbered operating systems.

Jeffrey Paul explains:

On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored. It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet. Because it does this using the internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, and allows for a table that has the following headings: Date, Time, Computer, ISP, City, State, Application Hash; Apple (or anyone else) can, of course, calculate these hashes for common programs: everything in the App Store, the Creative Cloud, Tor Browser, cracking or reverse engineering tools, whatever.

This means that Apple knows when you’re at home. When you’re at work. What apps you open there, and how often. They know when you open Premiere over at a friend’s house on their Wi-Fi, and they know when you open Tor Browser in a hotel on a trip to another city. “Who cares?” I hear you asking. Well, it’s not just Apple. This information doesn’t stay with them: These OCSP requests are transmitted unencrypted. Everyone who can see the network can see these, including your ISP and anyone who has tapped their cables. These requests go to a third-party CDN run by another company, Akamai. Since October of 2012, Apple is a partner in the US military intelligence community’s PRISM spying program, which grants the US federal police and military unfettered access to this data without a warrant, any time they ask for it. In the first half of 2019 they did this over 18,000 times, and another 17,500+ times in the second half of 2019.

This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns. For some people, this can even pose a physical danger to them. Now, it’s been possible up until today to block this sort of stuff on your Mac using a program called Little Snitch (really, the only thing keeping me using macOS at this point). In the default configuration, it blanket allows all of this computer-to-Apple communication, but you can disable those default rules and go on to approve or deny each of these connections, and your computer will continue to work fine without snitching on you to Apple. The version of macOS that was released today, 11.0, also known as Big Sur, has new APIs that prevent Little Snitch from working the same way. The new APIs don’t permit Little Snitch to inspect or block any OS level processes. Additionally, the new rules in macOS 11 even hobble VPNs so that Apple apps will simply bypass them.

Lois Rossman explains the issue equally eloquently in his video below:

Apple responded to the furore by saying:

Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.

Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.

These security checks have never included the user’s Apple ID or the identity of their device. To further protect privacy, we have stopped logging IP addresses associated with Developer ID certificate checks, and we will ensure that any collected IP addresses are removed from logs.

The news makes rather a joke of Apple’s claims to put user privacy first. Do our readers agree? Let us know below.

Thanks, MrElectrifyer for the tip.

User forum

1 messages