How one man’s private files ended up on Apple’s iCloud without his consent

How one man’s private files ended up on Apple’s iCloud without his consent

By Craig Timberg October 30 

After security researcher Jeffrey Paul upgraded the operating system on his MacBook Pro last week, he discovered that several of his personal files had found a new home – on the cloud. The computer had saved the files, which Paul thought resided only on his own encrypted hard drive, to a remote server Apple controlled.

“This is unacceptable,” thundered Paul, an American based in Berlin, on his personal blog a few days later. “Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers - across all applications, Apple and otherwise.”

He was not alone in either his frustration or surprise. Johns Hopkins University cryptographer Matthew D. Green tweeted his dismay after realizing that some private notes had found their way to iCloud. Bruce Schneier, another prominent cryptography expert, wrote a blog post calling the automatic saving function “both dangerous and poorly documented” by Apple.

The criticism was all the more notable because its target, Apple, had just enjoyed weeks of applause within the computer security community for releasing a bold new form of smartphone encryption capable of thwarting government searches – even when police got warrants. Yet here was an awkward flip side: Police still can gain access to files stored on cloud services, and Apple seemed determined to migrate more and more data to them.

The once-clear line between devices – such as Macs or iPhones – and proprietary cloud services is all but vanishing, security experts warn. And it isn’t just Apple doing it. Microsoft, Google and others increasingly are relying on cheap, easily accessible storage capacity to roll out new features for customers. Apple’s automatic saving function allows users to switch seamlessly between devices, without fear of losing documents or edits.

That’s great news if your Mac gets stolen and you need to buy a new one. But security experts such as Paul are asking, at what price in privacy?

“For me,” said Green in an interview, “this is really shocking. I’ve been taking a lot of confidential notes in business meetings in TextEdit” – one of the programs that automatically saves some files to iCloud.

Confusion about how devices and cloud services interact apparently was a factor in the theft of intimate photos of  dozens of Hollywood celebrities, such as Jennifer Lawrence, last summer. Their phones were secure, but the photos also were stored in online Apple accounts that, while protected by passwords, were vulnerable to hackers, experts say. It’s not clear the victims had any idea their personal photos were on the cloud, but they were -- within the reach of highly skilled Internet creeps.

Paul’s concern is less freelance Internet creeps than the U.S. government, which as he noted in his blog post collects data from U.S. technology companies, including Apple, through the National Security Agency's PRISM program.

The Supreme Court ruled in June that cell phones deserve a high level of protection from police searches, requiring in most cases that a court find probable cause and issue a warrant seeking specific evidence. But the issue is less clear when it comes to information found on cloud services; many companies require warrants but no definitive legal standard has yet emerged for law enforcement access to such information.

As for the NSA and the other high-tech intelligence operations run by governments around the world, the revelations by Edward Snowden make clear that government hackers are ingenious and voracious. And while the best likely can hack their way into any individual phone – even those with the tougher, new encryption offered by Apple – experts say it’s easier to collect data on a mass scale when it’s collected in centralized locations, such as on company cloud servers.

Apple did not reply to a request for comment about Paul’s blog post or the issues he raised, but the company has published a document on the “Support” section of its Web site describing how the automatic saving function works. The gist is that files created on several widely used apps are saved to iCloud as soon as the files are created. When a user later gives the file a name and selects a location to store it, the document is “removed” from iCloud (unless, of course, the user intentionally saves the file to iCloud.) Users can also disable iCloud altogether, keeping files confined to their devices.

But it turns out that many people use these apps without immediately naming documents or designating a place where they should be saved. Green, the Johns Hopkins cryptographer, long has used TextEdit as an easy way to take notes that he thought were safe on his hard drive, only later giving them a file name. For Paul, he used the same program as a way to create the computer equivalent of a Post-it Note – a handy place to jot a range of information, including passwords, private information, even the occasional love letter.

By the time he discovered the files were being uploaded to iCloud, the deed was already done. And though Paul recalled activating iCloud Drive, he could recall no warning that it would operate in this way.

The “huge benefits” of such automatic save features are not lost on Paul, he wrote in an e-mail exchange with the Post. “I enabled iCloud Drive knowingly. What I didn’t sign up for was my local private data outside of a specific part of my system being synchronized without additional consent, automatically.”

As Paul’s blog post bounced around the Web, other researchers discovered another twist to the Mac’s automatic iCloud save function. It didn’t arrive with Yosemite, the new operating system released this month. The “Support” document Apple published on the subject was dated December 16, 2013, when the previous operating system, called Mavericks, was still new. The automatic saving function might go back even further – yet few seemed to notice its introduction.

This is at the core of the complaints by Paul and Green. If a document is going to be transmitted across the Internet to a cloud server, they want to be warned first – and have a chance to object if they deem it too private.

It’s an option other users – even those who don’t study security issues for a living – might well want if they understood what was happening to their files. But how many do?

Paul wrote in an e-mail, “If you take 100 people and sit them down in front of a factory-new machine running Yosemite with iCloud Drive and have them open TextEdit, create a new window, type their darkest secrets into that window, and power the machine off without saving it anywhere - how many of those 100 would believe that the data hadn’t left the room?”


http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/30/how-one-mans-private-files-ended-up-on-apples-icloud-without-his-consent/

Comments

Post a Comment

Popular posts from this blog

BMW traps alleged thief by remotely locking him in car

BMW traps alleged thief by remotely locking him in car Stealer's Wheel? Seattle police department quotes "Watchmen" movie in a recap of the recent arrest. Tech Culture by Gael Fashingbauer Cooper December 4, 2016 5:00 PM PST It's maybe the most satisfying arrest we can imagine. Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal. Jonah Spangenthal-Lee, deputy director of communications for the Seattle Police Department, posted a witty summary of the event on the SPD's blog on Wednesday. Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (Nov. 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," Spangenthal-Lee wrote. The suspect found a ke...
Read more

Report: World’s 1st remote brain surgery via 5G network performed in China

World’s 1st remote brain surgery via 5G network performed in China Published time: 17 Mar, 2019 13:12 ·           A Chinese surgeon has performed the world’s first remote brain surgery using 5G technology, with the patient 3,000km away from the operating doctor. Dr. Ling Zhipei remotely implanted a neurostimulator into his patient’s brain on Saturday, Chinese state-run media  reports . The surgeon manipulated the instruments in the Beijing-based PLAGH hospital from a clinic subsidiary on the southern Hainan island, located 3,000km away. The surgery is said to have lasted three hours and ended successfully. The patient, suffering from Parkinson’s disease, is said to be feeling well after the pioneering operation. The doctor used a computer connected to the next-generation 5G network developed by Chinese tech giant Huawei. The new device enabled a near real-time connection, according to Dr. Ling.  “You barely feel that th...
Read more

New ATM's: withdraw money with veins in your finger

New cash machines: withdraw money with veins in your finger Cash machine technology that reads the pattern of finger veins is already available in Japan and Poland   By Telegraph Reporters 6:59PM BST 15 May 2014 Cash machines could soon be installed with devices that identify customers by reading the veins in their fingers. The technology is already being rolled out in Poland, where 1,730 cash machines will this year be installed with readers, negating the need for a debit card and Pin. Developed by Hitachi, the Japanese electronics firm, the machines read the patterns of the veins just below the surface of the skin on your finger using infra-red sensors. The light is partially absorbed by haemoglobin in the veins to capture a unique finger vein pattern profile, which is matched to a profile. The technology is used by Japanese banks and also in Turkey, offering “groundbreaking levels of accuracy and speed of authentication”, Hitachi said, which in t...
Read more