Is Apple at a crossroads for privacy and security?
Angela Lang / CNET
Apple has long been recognized as a security and privacy advocate in a technology industry that trades on soaking up consumer data. Two recent events, however, have raised the question of whether the iPhone maker’s reputation is fading.
Earlier this month, Apple released an emergency patch to fix holes in the operating systems of its iPhones, iPads and Apple Watches that made them vulnerable to Pegasus spyware from Israel’s NSO Group. The patch, which was rolled out a week before new versions of the operating systems were released, attracted unwanted attention that distracted from the company’s fall device launch.
In a separate walkback, Apple postponed an announced feature that would search its devices for images of child exploitation. Privacy and security experts, as well as other critics, have argued that the approach to tackling the illegal material is tantamount to creating a back door that could be exploited by governments seeking to restrict freedom of expression.
“How Apple deals with it, and they have done it relatively badly for the past few days, will affect how they can maintain consumer confidence,” said Richard Bird, chief customer information officer at cybersecurity firm Ping Identity.
The Pegasus spyware discovery could mark a “Cambridge Analytica moment,” he says, referring to the headline-grabbing collection of data from Facebook that was used for campaigning.
Public criticism of Apple’s security and privacy marks a crossroads for a company that has used its user-centric stance to differentiate itself from its data-hungry competitors. The company received praise for pushing back against the FBI, which wanted Apple to crack the iPhone 5C of a terrorist who killed 14 people in 2015.
Apple took advantage of this unwavering position on privacy to take shots at its competitors. The company put up a billboard ahead of the 2019 Consumer Electronics Show that said, “What happens on your iPhone stays on your iPhone.”
Apple declined to comment on this story beyond its previously published statements on both topics.
Apple has long had a reputation for being relatively free of viruses, Trojans and malware, all forms of malicious software that can contaminate your computer. This is mainly because Mac computers were more niche machines than corporate workhorses, such as those running Microsoft’s ubiquitous Windows operating system.
Cybersecurity experts say it just wasn’t worth cybercriminals’ time and effort to develop malware targeting Macs or to look for vulnerabilities in their operating systems.
But the popularity of the iPhone has fueled interest in Macs. According to research firm IDC, sales of Apple desktop and laptop computers grew 29% year over year in 2020, giving the company a 7.6% market share.
That makes Macs and the wider Apple ecosystem more attractive targets for hackers distributing malware. And the widespread shift towards mobile computing on phones and tablets has created a host of new targets in product classes that Apple leads.
In March, for example, Apple released an update for iPhones, iPads and Apple Watches to fix a vulnerability in WebKit, the engine that powers Apple’s Safari browser. The vulnerability was discovered by security researchers at Google’s Project Zero, who said at the time that it was possible that the vulnerability could be actively exploited.
Last fall, five hackers said they discovered 55 Apple vulnerabilities, 11 of which were classified as critical. The group found the problems over a period of three months and by October had received almost $300,000 in bug bounties from Apple for their work.
It makes sense that cyber criminals are targeting mobile devices because so many businesses and consumers have moved their work to these platforms, said JT Keating, senior vice president of product strategy at mobile security company Zimperium.
“The reason this is newsworthy is that we don’t hear about these things often,” Keating said. Apple and Citizen Lab, the research group that discovered the Pegasus vulnerability, appeared to have worked well together on solving the problem, he said.
Not everyone is that charitable. Ping’s Bird said Apple couldn’t admit that the spyware was specifically designed to attack Apple devices.
According to market research firm Counterpoint, Apple had a 53% share of the US smartphone market in the second quarter of this year, about twice as much as its closest competitor Samsung.
“You have to publicly acknowledge that we as customers are a target,” he said, adding that the company appeared to have swept the problem under the rug ahead of last week’s product event.
Perhaps even more worrying is Apple’s announcement last month that it would develop new technology to search for images of child exploitation on its users’ devices.
The new feature, which was originally supposed to be integrated into the software updates iOS 15, iPadOS 15, watchOS 8 and macOS Monterey, is intended to detect whether material related to child exploitation is stored on your device.
It would do this by converting each image into a hash, a bit of code that identifies a file. These hashes are then compared to a database of known child exploitation content maintained by the National Center for Missing and Exploited Children. When a certain number of matches are found, Apple will be notified and can investigate further.
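A threshold like the one described above can be enforced cryptographically rather than by policy. The following is an added illustration, not Apple's code and not part of the original article: it uses textbook Shamir secret sharing so that a reviewer learns nothing until enough matches accumulate. SHA-256 stands in for the image hash, the device-side release of shares is a simplification, and every name and value is a constructed assumption.

```python
import hashlib
import secrets

PRIME = 2**127 - 1  # prime field for share arithmetic

def make_shares(secret, threshold, count):
    """Split secret so that any `threshold` of `count` shares recover it."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, count + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover(shares):
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def device_scan(images, known_hashes, shares):
    """Pair one share with each image; release it only when the hash is known."""
    return [share for data, share in zip(images, shares)
            if hashlib.sha256(data).hexdigest() in known_hashes]

def server_review(released, threshold):
    """Below the threshold the server holds too few shares to learn the key."""
    if len(released) < threshold:
        return None
    return recover(released[:threshold])

def run_demo(images, known_images, threshold=3, account_key=123456789):
    # All inputs are constructed sample data; account_key is a hypothetical secret.
    known = {hashlib.sha256(d).hexdigest() for d in known_images}
    shares = make_shares(account_key, threshold, len(images))
    return server_review(device_scan(images, known, shares), threshold)

IMAGES = [b"img-a", b"img-b", b"img-c", b"img-d", b"img-e"]  # constructed
```

With three of the five sample images in the known set, `run_demo` returns the key; with two, it returns `None`.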
The move was blasted from the start by security experts and data protection officers. Groups like the Electronic Frontier Foundation and Fight for the Future organized protests outside Apple Stores and handed over petitions to the company, which were signed by around 60,000 people.
At a media event leading up to the protests, renowned technologist Bruce Schneier, who sits on the EFF board, said nothing could stop governments from forcing Apple to use the same system to look for other things. (Apple argues that client-side scanning ensures security by keeping the process on the device.)
“We can’t safely push this to every single Apple user device because it’s a surveillance system on every single Apple user device,” says Schneier. “It’s not targeted, it’s not proportionate, and it doesn’t work.”