On Nov. 12, Mac users complained their computers were acting sluggish. This sluggishness coincided with the release of Big Sur, the latest Mac update from Apple.
After the update was released, a technical error disrupted the servers Apple uses for OCSP requests, the packets of data that verify a computer’s SSL certificate when it accesses online applications. Apple devices were shutting down because these OCSP requests weren’t reaching Apple servers.
As some users looked closer, it became very clear why the devices failed when the OCSP servers were failing: Every time a user opens an application (even an offline one), that action is being tagged and traced by Apple’s OCSP servers.
This feature was introduced in Apple’s Catalina update, but certain tools (like Little Snitch) could be used to bypass it. Now, with Big Sur, there’s no practical way for average Mac users to thwart the feature.
Apple has touted itself as pushing privacy as the core of its mission, perhaps most publicly by rebuffing law enforcement demands to unlock one of the San Bernardino, Calif., shooter’s iPhones after the December 2015 attack.
But these new revelations demonstrate some of the inherent flaws in centralized data collection – you have to trust Apple not to share this information (or trust them to not be coerced into revealing it to a government agency). In this case, though, Apple’s siloing of data through Big Sur may not even be the primary issue because these OCSP requests are transmitted unencrypted, meaning the contents can be read by any surveilling party that intercepts them.
Thus, if Mac users want out from under Apple’s eye, they’re going to need to explore alternatives.
“On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read without a log of your activity being transmitted and stored,” hacker and security researcher Jeffrey Paul writes in a blog post.
Paul told CoinDesk in an email he doesn’t think “Apple has ill intent here,” but that its goal is to monitor malware and other illicit software on its devices.
The problem, though, is these OCSP requests are unencrypted and so “vulnerable to passive monitoring.” This leaves the data open to collection and parsing at the hands of “large-scale passive monitoring organizations” such as the U.S. National Security Agency (NSA).
“This is, of course, terrible practice, and despite being the industry standard, Apple should know better, as they are cryptography experts (who run their own certificate authority and regularly use relatively advanced cryptographic tools like client certificates and cert pinning),” Paul wrote over email.
Telemetry is a diagnostic process by which servers track how a device is used. Paul said the problem with Apple’s system here is that because this data is not encrypted, third parties can read it. Any entity tapping into these lines of communication can see what applications someone is using and when they use them.
“The real privacy risk here is not that Apple might be collecting this data. They’re likely not, as I believe that this is an attempt by Apple to prevent malware from being able to execute on their platform. The problem is that it serves as *inadvertent* telemetry to anyone who’s listening on the wire, which, in the United States, is every major ISP and the national military,” he continued.
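What "unencrypted" means for someone on the wire, as an added example that is not from the article or from Paul's post: a standard OCSP request (RFC 6960) sent as an HTTP GET is only base64-encoded DER, so the certificate identifier inside it decodes without any key. The `/ocsp/` path, the issuer hashes and the serial number below are constructed sample values, not captured traffic.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

def tlv(tag, body):
    assert len(body) < 128  # short-form DER length is enough for this sample
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def build_sample_get_path():
    """Constructed request: one CertID (SHA-1 hashes + serial), no signature."""
    sha1_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2b0e03021a")) + tlv(0x05, b""))
    hashes = [hashlib.sha1(s).digest() for s in (b"constructed issuer name", b"constructed issuer key")]
    cert_id = tlv(0x30, sha1_alg + tlv(0x04, hashes[0]) + tlv(0x04, hashes[1])
                  + tlv(0x02, bytes.fromhex("0123456789abcdef")))
    der = tlv(0x30, tlv(0x30, tlv(0x30, tlv(0x30, cert_id))))  # Request, list, tbs, OCSPRequest
    return "/ocsp/" + quote(base64.b64encode(der).decode(), safe="")

def observe(get_path):
    """What a passive observer recovers from the GET path alone."""
    der = base64.b64decode(unquote(get_path.rsplit("/", 1)[1]))
    _, ocsp_request, _ = read_tlv(der)
    tbs = children(ocsp_request)[0][1]
    request_list = next(v for t, v in children(tbs) if t == 0x30)  # skips optional [0]/[1] fields
    names = ("issuer_name_hash", "issuer_key_hash", "serial")
    seen = []
    for _, single in children(request_list):
        cert_id = children(children(single)[0][1])  # [alg, nameHash, keyHash, serial]
        seen.append({k: v.hex() for k, (_, v) in zip(names, cert_id[1:])})
    return seen
```

`observe(build_sample_get_path())` returns the issuer hashes and the serial number of the certificate being checked. Carrying the same request over TLS would hide that path from intermediaries.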
These kinds of concerns have led to arguments against centralized servers for contact tracing in the European Union. They’ve also encouraged recent pushes for mixnets, which mix network traffic specifically to avoid passive metadata observation.
Apple’s devices have always been a walled garden of sorts. Applications and software from unverified publishers, for instance, must be manually approved by users. The ostensible aim of such controls is to protect the user, but as Cory Doctorow recently emphasized to CoinDesk over email, these controls can override agency in certain scenarios (for example, when Apple removed thousands of apps from its Chinese app store).
“I think this is a great example of what Bruce Schneier calls ‘feudal security,’” Doctorow told CoinDesk, commenting on the activity logging feature. “The idea that our systems no longer give us the power to protect ourselves, but rather require us to surrender our destiny to one of the great techno-warlords of the age (Facebook, Google, Apple, Msft, etc.), who will protect us … from everyone except [t]hemselves.”
For any Mac users hoping to escape the surveillance, solutions are going to have to come from outside Apple’s locus of influence.
Before the Big Sur Mac update, VPNs or firewalls like Little Snitch would have kept your computer from leaking information. But Big Sur trumps this, said Valdas Petrulis, co-founder and lead software engineer at Mysterium Network, a decentralized VPN protocol.
“MacOS Big Sur (version 11.0) allows traffic to bypass usual routing and firewall rules. Which simply means Little Snitch won’t be able to monitor and block this, and neither can a VPN be able to help or hide you. MacOS has now simply forbidden that.”
Sean O’Brien, the principal researcher at ExpressVPN’s Digital Security Lab, said that ultimately a VPN will not “prevent Apple from being able to collect this data,” but [it] “would at least protect it from other network intermediaries as it travels over the internet.”
There is a way to disable the feature, though Paul said only MacOS experts should try this. Apple changes which system services you can disable with each update, Paul said, so this may be changed in the future.
“Really, though, the #1 thing that consumers can do to protect their privacy when using Apple devices is to *never* use iCloud, and to not use iMessage,” Paul continued. iCloud data is unencrypted, he said, allowing “the FBI or U.S. military to read pretty much everyone’s complete iMessage history without ever touching the device.”
The only way to escape Apple’s panopticon, according to Paul? “Open-source software that doesn’t spy on you.” This used to mean tools like Little Snitch, Tor and VPNs, but now that Apple has a tighter grip on personal privacy, those seriously worried about their privacy can only change hardware and software providers.
Perhaps as testament to users making a change, Mysterium CMO Sharmini Ravindran said the service has experienced “8 to 10 times as much interest” in its Windows application versus its Mac version.
Of course, Microsoft is no privacy saint either, meaning the free and open-source Linux software, long the choice of most privacy advocates, could be the safest bet.
But that’s only going to work if your typical Mac user cares enough about the privacy-leaking feature. And if he or she does care, there’s also the matter of knowing enough about computers to boot and maintain Linux. One of Apple’s key selling points is that it’s user friendly for even the most tech-averse individuals, which can be appealing given privacy tech is sometimes full of friction for people who are used to logging into everything using Face ID.
Then again, Apple has also been praised as a privacy-conscious company, and public perception is always changing.
“Not only is Apple exposing its customers to risk from the company’s own executives and corporate decisions, but it’s also creating a moral hazard for governments, inviting them to coerce Apple into (ab)using this facility to harm – not help – its users,” said Doctorow.