Security: Phoning Home
Jan. 21, 2009
May. 21, 2009
May. 22, 2009
Aug. 22, 2009
Dec. 10, 2009
Jan. 5, 2011
Jan. 6, 2011
Jan. 7, 2011
It appears Apple is now using 2o7.net with some of their tracking even with applications. I just fired off Pages and Little Snitch kicked in with a list of warnings. One states:
"Pages wants to connect to metrics.apple.com on TCP port 80(http)." The Details show an IP of 184.108.40.206 and a reverse DNS of *.112.2o7.net. After reading about 2o7.net last year, this seems a little scary.
Next to the also-infamous DoubleClick and the more honorable Google-Analytics, the number of websites that use Omniture to track and mine web usage data is mind-boggling. Whether it's 2-zero-7 or 2-Oh-seven or whatever, they seem pervasive. I have told my NetGear DSL router to block them in both directions. When I do get around to checking my security logs to see who's been pinging and port sniffing, I am always astounded at the number of blocks my router instigated to/from Omniture.
It further bothers me greatly that Omniture is based in the state of Utah, whose business oversight and regulatory umbrellas roughly correspond to the government of Belarus for sacrificing consumer protection and privacy in the name of laissez-faire ( = ride roughshod) enterprise. I live in the next state over, Wyoming. We have long been wary of Utah on nearly every level. It's a four letter word.
Someday I will have a prescient conversation with my grandchildren along the lines of "I remember the good old days when we actually had some privacy, anonymity, and security on the internet...". And the devious, under-the-radar activities of Omniture are one principal reason why.
If Apple has indeed switched to using Omniture, I would consider that yet another regression in Apple's reputation, getting more tarnished with each passing month now.
You can easily turn off the 2o7.x issues by simply using their web page.
I turned off iPhoto's "check for updates" (Why isn't iPhoto included in the System Preference option to check for updates?)
iPhoto still wants to connect to ssl.apple.com via port 443, thereby encrypting whatever information it is sending to and/or receiving from Apple. This is not good behavior. Apps should let you know what they are doing. ANY "sneaking around" behind the user's back is just bad. And doing so using encryption is even worse.
Apple may not be up to anything here, but then why hide in the shadows?
Why connect a photo viewer to the 'net AT ALL? (This is *not* the same connection iPhoto uses for location information. Those connections are to Google via unencrypted port 80.) [...]
MacInTouch Reader wrote:
"(Why isn't iPhoto included in the System Preference option to check for updates?)"
Not sure how many of your readers are aware of this, but there's been a bit of a kerfuffle recently about certain iPhone apps phoning home. Some details are here:
The gist is that app developers can choose to install tracking software from a company called Pinch Media. When you quit the app, it reports a bunch of usage information back to Pinch:
iPhone's unique ID
If the application is cracked/pirated
If your iPhone is jailbroken
time & date you start the application
time & date you close the application
your current latitude & longitude
your gender (if Facebook enabled)
your birth month (if Facebook enabled)
your birth year (if Facebook enabled)
I can see how a lot of this would be useful for developers, but there's *way* more than typical tracking info there: I'm not sure I like the idea of anyone linking my phone's unique hardware ID to a GPS derived location, for example. If you've ever wondered why some apps which wouldn't seem to need your location ask permission to use location services, this is why. Personally I found that maybe 20% of my apps had this installed.
Whether or not this is actually "spyware" is debatable, but I definitely find this behavior somewhat underhanded given there's no *clear* opt-in on this, no easy way to identify apps that use it, and no way for a typical user to opt-out. Legal or not, I think it's a slimy business practice for a company to be based on and I don't feel like supporting them via my personal information.
So what's a user to do? On a regular iPhone, not much besides trying to figure out which apps use it and deleting them. On my jailbroken iPhone I was able to edit the hosts file to block the Pinch Media servers. Fortunately there's now an app for jailbroken iPhones called PrivaCy (available for download from Cydia) that simplifies this process and blocks Pinch along with several other tracking companies.
Just another reason to jailbreak, in my mind. Personally I hope Apple gives non-jailbroken users clearer information and better control over this sort of "feature". I don't think most users would enable this if it were clearly stated to them what information they were giving out.
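The two observations above (a first-party name such as metrics.apple.com whose address reverse-resolves under 2o7.net, and blocking trackers by name in a hosts file) interact: a hosts file matches exact names only, so the aliased first-party name has to be listed itself. The sketch below is an added example, not part of any reader's post; the sample observations, PTR labels and function names are constructed for illustration, and it assumes reverse DNS is available and meaningful for the address.

```python
# Added example: classify observed outbound connections by requested name AND
# reverse DNS, so a first-party alias landing on tracker infrastructure is caught.
TRACKER_SUFFIXES = ("2o7.net",)  # domain named in the thread; extend with your own list

def under_suffix(host, suffix):
    """True if host equals suffix or is a subdomain of it (label-boundary match)."""
    host, suffix = host.lower().rstrip("."), suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def is_tracker(host):
    return any(under_suffix(host, s) for s in TRACKER_SUFFIXES)

def classify(requested, ptr):
    """Return 'tracker', 'aliased-tracker' or 'ok' for one observation."""
    if is_tracker(requested):
        return "tracker"            # the name itself is on the list
    if ptr and is_tracker(ptr):
        return "aliased-tracker"    # innocuous name, tracker-owned address
    return "ok"

def report(observations):
    return [(proc, req, classify(req, ptr)) for proc, req, ptr in observations]

def hosts_entries(observations):
    """Hosts-file sinkhole lines for every requested name that needs blocking.
    Hosts files have no wildcards, so each exact name is emitted."""
    names = sorted({req.lower() for _, req, ptr in observations
                    if classify(req, ptr) != "ok"})
    return ["0.0.0.0 " + n for n in names]

# Constructed sample: (process, requested name, reverse DNS of the resolved IP)
SAMPLE = [
    ("Pages",   "metrics.apple.com", "host1.112.2o7.net"),
    ("iPhoto",  "ssl.apple.com",     "ssl.apple.com"),
    ("Browser", "stats.112.2o7.net", "stats.112.2o7.net"),
    ("Browser", "not2o7.net",        None),  # lookalike: must NOT match the suffix
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row)
    print("\n".join(hosts_entries(SAMPLE)))
```

A blocklist keyed only on the requested name would pass the first sample row; the reverse-DNS check is what flags it.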
I tried the Chrome beta briefly today.
I find it quite disconcerting that on launch, it tries to contact a number of different Google servers without telling the user. (Little Snitch helps a lot here.) More contact efforts followed later, all unsolicited. (I did not tick the checkbox to submit usage statistics.)
Dismayed, I just quit the app.
Now, an hour later, Little Snitch reports that a GoogleSoftwareUpdateAgent wants to phone home. It appears that that one got installed with Chrome.
I just don't like this kind of behaviour, and urge other users to realise that giving Chrome a spin means giving Google more than you may have bargained for.
I ran into some real issues with even Aperture making unnecessary connections back to home base to configuration.apple.com without permission. Little Snitch caught that and another couple of web grabs. Not good.
I've written up the grim details with screen shots: http://foliovision.com/2011/01/05/apple-privacy-policies-like-microsoft
Thanks to everyone for sharing their experiences. A great help.
Mikko, there is an open source version of Google Chrome without the mandatory Google updater code on your computer (I won't put up with it). Google obscures Chromium's download location for the pre-built binaries (no link from the home page) but here they are for OS X: http://build.chromium.org/f/chromium/snapshots/chromium-rel-mac/
More on Aperture in specific:
Apple Aperture Places and Privacy
Alec Kinnear wrote:
"I ran into some real issues with even Aperture making unnecessary connections back to home base to configuration.apple.com without permission."
I read your blog and it's not clear to me if you are using MobileMe. If so, this is why Aperture is "phoning home" to Apple. It connects to the MM configuration servers to check for MobileMe Galleries and sync them. Do you have a MobileMe account?
In your blog article, you wrote:
"Presumably Mobile Me communicates all of the requisite information, whether you turn on selected services or not. So once you've used Mobile Me even once, US authorities have full access to all of your computers."
You may presume this, but I've been running Little Snitch for many years, and I am 100% positive that MobileMe does not connect to Apple's servers and store data unless you turn it on and turn on data sync.
(Granted, MobileMe is of limited use without sync, aside from the handy email address. But that's your choice. :)
I suppose that, as I mentioned in another posting here, it comes down to trust.
Also in your blog, you referred to "surveillance backdoors" in iPhone. I read the article you linked to, which says "The keyboard logging cache means an expert can retrieve anything typed on it for up to 12 months." This "keyboard logging cache" is what the iPhone uses to learn custom words that you use and add them to its user dictionary, and is also what it uses to remove custom words you don't use again (in other words, to remove typos you accidentally added). This isn't a "surveillance backdoor", it's a case of a data forensics expert knowing where to look in the system's internals to exploit a feature.
(If it weren't for this keyboard cache, each time I tried to type a curse word, iPhone would keep correcting them to "duck" and "he'll". ;-)
"Mikko, there is an open source version of Google Chrome without the mandatory Google updater code on your computer (I won't put up with it). Google obscures Chromium's download location for the pre-built binaries (no link from the home page) but here they are for OS X"
Another option, which is similar to Chrome but not created by Google, is Stainless. It has a lot of interesting features, including tab-specific cookies, parallel sessions (i.e. login to a website with different accounts in different tabs), session-aware bookmarks, etc. Check it out, it's pretty neat!