Apple Copies Your Files Without Your Knowledge or Consent

The latest version of Apple’s OS automatically syncs your files to iCloud Drive, even files you choose to store locally. Apple encrypts your data, both in transit and in iCloud, with a key it knows. Apple, of course, complies with all government requests: FBI warrants, subpoenas, and National Security Letters—as well as NSA PRISM and whatever-else-they-have demands.

EDITED TO ADD (10/28): See comments. This seems to be way overstated. I will look at this again when I have time, probably tomorrow.

EDITED TO ADD (10/28): This is a more nuanced discussion of this issue. At this point, it seems clear that there is a lot less here than described in the blog post below.

EDITED TO ADD (10/29): There is something here. It only affects unsaved documents, and not all applications. But the OS’s main text editor is one of them. Yes, this feature has been in the OS for a while, but that’s not a defense. It’s both dangerous and poorly documented.

Posted on October 28, 2014 at 6:21 AM • 40 Comments

Comments

VS October 28, 2014 6:44 AM

The linked article is grossly inflammatory and the title of this post factually incorrect. See the Hacker News comments thread at https://news.ycombinator.com/item?id=8510980 for a more reasonable explanation. In particular:

  1. This does NOT concern files saved locally. It only affects UNSAVED documents. At no point does OS X “copy your files”, because the data backed up to iCloud are not in files yet.

  2. This is not new in Yosemite, dates back to when iCloud location (not necessarily iCloud Drive!) started being the default save location – in 10.9 (or was it even 10.8?)

  3. Documents are saved to iCloud by default in iCloud-enabled apps. That’s why unsaved data are stored in the same – default – location.

Andrew_K October 28, 2014 6:46 AM

No big surprise.

What do they do with users that do not have an iCloud account? Have there been any observations yet?

Tim Bradshaw October 28, 2014 6:55 AM

This must be close to the end-game for this. For instance, let’s assume I’m a security-aware celebrity and I want to send some compromising pictures to my SO. But I’m security-aware, so I don’t upload them to iCloud: I send them by GPG-encrypted mail. Except I leave the draft, as-yet-unencrypted (which I need to do, because, if I also want to sign the message, the mail GPG addon needs my private key to save the draft, and I don’t want it to hold that for any length of time) sitting around for a few seconds. Now my pictures are on iCloud.

How hard can it be for them to support this stuff with a key only you know, and why would they choose not to do that?

Steven October 28, 2014 7:20 AM

This isn’t new to Yosemite. The behavior, and the instructions for opting out, have been documented since Dec 2013 on Apple’s Knowledge Base: support.apple.com/kb/TS4372 (iCloud: Unsaved documents in Apple apps that use Documents in the Cloud are automatically saved to iCloud)

Jesse Shapiro October 28, 2014 7:35 AM

Paint me extremely skeptical.

I saw this yesterday; where’s the evidence? I’d usually expect something like this to be of the format, “This is what I saw; this is how you can confirm that behavior on your own system.”

What’s more, where’s the responsible disclosure? If this does behave as accused, it could very well be a bug rather than intended behavior, in which case the author has disclosed a bug in security to the entire Internet without giving Apple fair warning.

Finally, as VS mentions, the author only claims that this happens if iCloud document and data syncing is turned on and data is not explicitly saved to a local location.

Jesse Shapiro October 28, 2014 7:38 AM

I see that Steven found an article documenting this while I was writing my comment. You can skip my first two points, then, but the third is now confirmed.

This is not shocking at all, nor is it a cause for concern.

The Last Stand of Frej October 28, 2014 8:51 AM

Any uploading of information to Apple or any third party should be, by default, opt-in or even double opt-in. It should be extremely simple to do or not do. It should be clearly, in layman’s terms and without caveats, disclosed by Apple or any involved third party.

The enemy here is murky, half-disclosed practices in a time when any questionable practice only adds to now-rampant mistrust. More should be done to provide assurances that trust is warranted or else people will understandably jump to conclusions.

mike~acker October 28, 2014 8:54 AM

hmmmmmm….
when I went to get a copy of Access 2013 I was unable to purchase a shrink-wrap packed with a disk or thumb media. I was FORCED to set up a MSFT/Office Account — which includes their sky drive — and download the package from their Office. When I went to use Access I had to hunt to find the option for local storage.

why are these vendors placing so much pressure on us to store our data in their systems?

I’m so glad I switched to Linux.

The Last Stand of Frej October 28, 2014 9:23 AM

What follows is the Apple iCloud terms of service.

Apple reserves the right at all times to determine whether Content is appropriate and in compliance with this Agreement, and may pre-screen, move, refuse, modify and/or remove Content at any time…You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate.

Until this changes, anything Apple does will and should be suspect. As long as they assert that it’s their right to do what they want with your files, we shouldn’t trust them.

Tim Bradshaw October 28, 2014 10:59 AM

Despite comments (including mine) I do not think this has been overstated. I think it has been badly misreported, but I think the problem is as bad or worse than the reported one.

The real problem, I think, is about what Apple call ‘continuity’. What this means is that you can, for instance, start writing a mail message on your mac, carry on on your iPad, and finally send it from your iPhone. Similar things work (I am told: I have iOS 8 but not OS X 10.10) for other document types.

What this means – what this must mean – is that the system is moving the content of your message between the devices. Whether it does this by iCloud or by some other mechanism is not very important: that data is going over insecure networks which we now know are snooped upon pervasively by bad people. Let’s just assume that this shipping of data is, in fact, done via iCloud: any other mechanism has the same problems.

Well, this is very bad indeed, because what it means is that drafts are shipped around by iCloud. Another commenter said ‘it only affects UNSAVED documents’. But unsaved documents are very sensitive documents because you have not yet made any decision about where they should live or what to do with them: until a document is saved, for instance, I can’t assign protections to it. If Emacs were to autosave buffers which are not associated with files I would expect it to do that in some very safe place with very paranoid permissions. It’s not a good thing that it only affects unsaved documents, it’s an extremely bad thing.

The received wisdom seems to be ‘so just turn off iCloud’ or ‘disable this functionality’ (often by some incantation involving using the command line, which is really going to be useful to someone who just wants a machine that works): but that’s a stupid answer, because continuity is actually a useful feature and it could be implemented securely if they simply cared to do so. So, again, the question is: why not encrypt this stuff with a key only you know? There can be no good reason I can see not to do that.

David Leppik October 28, 2014 11:20 AM

@VS: That document doesn’t appear to be up-to-date with Yosemite’s practices. In particular, the settings have at least moved around, and it doesn’t cover Handoff/Continuity, Apple’s feature for transferring work (web pages, email drafts, etc.) between devices.

Handoff is described here: https://developer.apple.com/library/ios/documentation/UserExperience/Conceptual/Handoff/HandoffFundamentals/HandoffFundamentals.html#//apple_ref/doc/uid/TP40014338

Note that “Handoff passes only enough information between the devices to describe the activity itself, while larger-scale data synchronization is handled through iCloud.” That is to say, Bluetooth/Wi-Fi are used to initiate contact, but documents may be transferred through Apple’s servers (presumably in a store-and-forward manner.)

As others have pointed out, drafts are at least as likely to contain confidential information as saved files.

For those of us who find these features useful but also need to comply with confidentiality requirements, this is a real headache.

David Leppik October 28, 2014 11:47 AM

@Tim Bradshaw: Digging deeper into the documentation, it appears that iCloud is used to synchronize files that are saved in iCloud. That is, the Handoff provides a reference to iCloud files. It’s not clear what happens if your applications support iCloud, but iCloud is turned off.

The API also supports IO streams between devices (Continuation Streams), which are presumably peer-to-peer, but that’s not spelled out explicitly.

See: https://developer.apple.com/library/ios/documentation/UserExperience/Conceptual/Handoff/AdoptingHandoff/AdoptingHandoff.html#//apple_ref/doc/uid/TP40014338-CH2-SW13

Bob S. October 28, 2014 12:21 PM

I think I read if you disable all Cloud storage, you are OK.

Also, what if you don’t have an account in the first place?

On the other hand, it does seem like another stealth attempt to obtain personal data to sell, give away, share, release to the media, post on the internet or whatever they feel like.

Bob S. October 28, 2014 12:28 PM

Yes, you can opt out, I guess:

From: http://support.apple.com/kb/TS4372

“Documents created with iWork apps (Pages, Numbers, or Keynote for iOS, Mac, or iCloud), Preview, or TextEdit are automatically saved to iCloud in certain circumstances.
Resolution

An unsaved document created with any of Apple’s Documents in the Cloud apps is automatically saved to iCloud in these circumstances:

The document is autosaved when you first create the document and edit it.
The document is periodically autosaved as you continue to edit the document.
On iOS devices and iCloud.com, the document is autosaved when you close the document or close the app.
On Macs, the document is autosaved when you close the document, but only if you opened the document from iCloud or manually saved it to iCloud.

When a document is saved to iCloud, it can be viewed and edited on your other devices that are using OS X Mountain Lion or later or iOS 5 or later. (TextEdit and Preview documents in iCloud are available only to other Macs.)

This autosave feature checks for document conflicts when saving. If the same document is being edited on more than one Mac or iOS device, you’ll be asked which versions of the document to keep.

On Macs, you can use either of these methods to stop the app from saving your document to iCloud:

Turn off Documents & Data: Choose Apple menu > System Preferences, click iCloud, then deselect the Documents & Data checkbox. When you turn off Documents & Data, the iCloud Document Library no longer opens for any Mac apps that use Documents in the Cloud. You can continue to upload and download documents using the iWork for iCloud apps at iCloud.com.
Save the document to your Mac. Your edits will no longer be saved to iCloud, and your previously autosaved document will be removed from iCloud.”

jones October 28, 2014 12:35 PM

There is already evidence of questionable practices arising from how these technologies are used when services are centralized:

http://www.cnn.com/2011/12/01/tech/mobile/abortion-clinic-siri-iphone/

http://www.nytimes.com/2007/09/27/us/27verizon.html?_r=0

http://www.wired.com/2010/04/apple-bans-satire/

http://www.macworld.co.uk/news/mac/apple-censoring-icloud-emails-attachments-3432561/

although this last case might not be as nefarious as it first seems, the automated intrusion into personal correspondence is still an issue:

http://readwrite.com/2013/02/27/apple-isnt-censoring-your-dirty-emails

Dave October 28, 2014 3:16 PM

This may be slightly off topic but I wonder if all of this surrendering files on demand might not also work the other way?

If executable files get backed up to a cloud service then it would be tempting to replace them in the cloud with a targeted implant. Saves on field operatives.

Anonymous Coward October 28, 2014 4:41 PM

“iCloud content may include stored photos, documents, contacts, calendars, bookmarks and iOS device backups. iOS device backups may include photos and videos in the users’ camera roll, device settings, app data, iMessage, SMS, and MMS messages and voicemail. iCloud content may be provided in response to a search warrant issued upon a showing of probable cause.”

http://images.apple.com/privacy/docs/legal-process-guidelines-us.pdf

Anonymous Coward October 28, 2014 5:01 PM

It is also a good time to mention Microsoft Windows.

1) Bitlocker keys are uploaded by ‘device encryption’.

“Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected.

If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created.”

http://technet.microsoft.com/en-us/library/dn306081.aspx

2) Device encryption is supported by Bitlocker for all SKUs that support connected standby. This would include Windows phones.

“BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected stand-by. Previously this form of encryption was only available on Windows RT devices.”

http://technet.microsoft.com/en-us/library/dn306081.aspx#BKMK_Encryption

3) The tech media and feature articles recognise this.

“… because the recovery key is automatically stored in SkyDrive for you.”

http://www.zdnet.com/surface-bitlocker-and-the-future-of-encryption-7000024613/

4) Here’s how to recover your key from Sky/OneDrive.

“Your Microsoft account online. This option is only available on non-domain-joined PCs. To get your recovery key, go to …onedrive.com…”

http://windows.microsoft.com/en-us/windows-8/bitlocker-recovery-keys-faq

5) SkyDrive (now named OneDrive) is onboarded to PRISM.

http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPlaceToHide-Documents-Uncompressed.pdf

tom October 28, 2014 5:08 PM

So this is how Apple can claim it encrypts everything?? — from everyone except Apple?? who then hands it over to anyone(s) who asks for it???

Thomas October 28, 2014 6:28 PM

@ Benni

This would not have happened with Linux

Except that it did.

The unity desktop on Ubuntu search bar defaults to searching amazon and google as well as local resources.

I switched to debian and Gnome.

Joseph October 28, 2014 9:35 PM

Bit but of ?ancient? history.

I seem to recall a very long time ago that MS Word had a bug which saved all edits in the document, but in the background. When the document was sent electronically, all the edits were sent, not just the final edited document. This was a mess since, as previous posters have pointed out, the early versions of the document are often far more compromising than the final one.

Andrew_K October 29, 2014 3:41 AM

@ Benni, Thomas, BoppingAround

Regarding Linux

Yes but no. It would not have happened, at least not in that dimension. But most persons affected by this would probably not have used Linux voluntarily in the first place. I really start to see a niche for ReactOS apart from legacy.

Regarding the overall problem: When I look at my own behavior, yes, unsaved documents should be treated way more carefully than documents with a file representation.
I use them to store temporary information. Unless I’m in full-paranoia-mode, it can be anything from grocery list (and yes, even grocery shopping lists can reveal much about me) to PIN codes or passwords for less important services. Basically everything I would have used pen and a piece of scratch paper for — twenty years ago.
I just got me an old fashioned paper desk pad. I originally banned them for being filled with a mix of all kinds of confidential data after a month of usage. I just changed my mind on what poses the bigger risk.

Clive Robinson October 29, 2014 4:46 AM

@ Andrew_K,

Maybe you should have a private code for your shopping list where you use “healthy but tasteless” words for “unhealthy and tasty” products, such as “curly kale” for “chocolate cake” 😉

However there is a problem with that and with scratch pieces of paper, which is “bin diving”. That is where investigators go through your rubbish looking for damaging evidence.

Of recent times their job has been made easier by “recycling” initiatives where you are penalized for not “washing and separating” your “dirty waste” from your “recyclable waste”…

The more “industrialized” we become as a society, the easier it becomes for “panopticon” surveillance.

NOC October 29, 2014 5:32 AM

 Microsoft + Apple = DRM ^n power. Incredibly weak and open like a sieve for PRISM XKEYSCORE and STINGRAY (Phone comms). May as well type info on a billboard outside; = control by lack of information, simply.

 Why anyone would use them is beyond anyone with a grain of sense. This IS the golden age of spying until Web 3.0 - fully encrypted and private - arrive(as they gradually are, as Edward Snowden imprecates).

Nick P October 29, 2014 9:26 AM

@ NOC

“Why anyone would use them is beyond anyone with a grain of sense. This IS the golden age of spying until Web 3.0 – fully encrypted and private – arrive(as they gradually are, as Edward Snowden imprecates).”

Web 3.0 is already here: it’s Web 2.0 applications running in the 90’s client-server (i.e. app-service) model. The apps often have permission to access all the person’s data. They run on devices with more vulnerability than some 90’s desktop products I used. They certainly aren’t observed by an IDS on host or network. There’s crypto, but now with backdoors.

Web 3.0: Ushering in a new age for the surveillance state!

Steve Palm October 30, 2014 10:04 PM

So, there is no way to turn this off in Yosemite? That Apple article is useless, because there IS NO “Documents & Data” in my iCloud system preferences panel. I can search for it in System Preferences, and it highlights the iCloud icon and takes me there, but there is no “Documents & Data”.

I am sick of the cloud and the push to have my stuff there, and I agree 100% that NOTHING should be put there until YOU SAY SO. What will it take to give the companies this seemingly simple message?

MicrosoftInnocent October 31, 2014 4:34 AM

@Anonymous Coward: “It is also a good time to mention Microsoft Windows.”

Got it, Microsoft Windows uploads your private key. But does it upload any encrypted content if not asked ?

billgateswasright October 31, 2014 6:44 PM

Who knew that Bill Gates was right about push technology? Only he got it backwards. Now we the consumer, push all of our content to the servers.

Sofakinbd November 4, 2014 10:18 AM

Nice encapsulation of the issues here at the always good TidBITS website:
http://tidbits.com/article/15182

Important Bit:
To manage your session, Apple uses a one-time session ID that lasts for 15 minutes. Neither the session ID nor the search query contain your IP address or any other device identifier. Session IDs also aren’t coordinated or correlated, so there is no way for Apple to track historical usage by chaining session IDs together. In short, your query exists within a 15-minute bubble that isn’t tied to you directly. This is different from Siri, which uses a more persistent device identifier since it requires more context over time (due in large part to the overhead of voice recognition).

Queries do include location information, but Apple added a “fuzzing” feature to mask your exact location. The degree of fuzzing varies based on the density of the area you are in. In a city, it will likely be relatively precise, down to the block, in order to direct you to the closest coffee shop (really, what else matters?). In a suburban or rural area, it might be no more specific than the town. Fuzzing happens on your device, not Apple’s servers, so they never see your exact location.

It’s important to remember that Spotlight Suggestions and Siri use different search mechanisms, with different privacy settings.

To provide Bing search engine results in the Spotlight window, Apple keeps track of “common queries.” Apple does not pass every search query to Bing, merely those identified as common. For example, I search for “US Airways” a lot due to constant work travel. That query pops up the airline’s Web site (and Wikipedia entry) since it’s relatively common. But when I search for the title of a Keynote presentation that I need to edit on my upcoming flight, I don’t get any Web results, even though I would if I searched for it directly in Bing (since I’ve used that presentation at conferences and in blog posts).

When these queries are sent to Bing, they come from Apple’s servers, not your computer, so Bing can’t track them. If location is sent (e.g. you are performing a search for local movies) it is provided to Bing only at the level of the city you are in, not even the fuzzed location Apple uses. Lastly, Apple’s contract with Microsoft prevents Microsoft from retaining queries and results.

-Sofa

Alan Goodwin November 17, 2014 12:16 PM

Steve Palm,

“Documents & Data” has been changed to “iCloud Drive” in Yosemite.

“So, there is no way to turn this off in Yosemite? That Apple article is useless, because there IS NO “Documents & Data” in my iCloud system preferences panel. I can search for it in System Preferences, and it highlights the iCloud icon and takes me there, but there is no “Documents & Data”.”

Rodney December 17, 2014 10:34 PM

They have harassed me the last 4 or 5 months because I won’t turn iCloud on I can’t upgrade the phone

noneof yourbusiness March 8, 2015 8:01 PM

Sooo….. you’re paranoid about a feature that you have to turn on and sync to Apple’s online server storage voluntarily.

If you do not turn it on – nothing is backed up anywhere.

If you turn it on then you are consenting to have Apple back your content up and dump it on your servers.

“Hey jimmy – look at that furry black cat. It’s furry and it’s black. And guess what jimmy – it’s even a cat”.

Are you going to write up a similar article about how all humans breathe air also and how it too is a conspiracy ?

Figureitout March 8, 2015 9:16 PM

noneof yourbusiness
–Anything that can be “turned on” can be w/ malware, if you need more evidence for this you’re a real noob. And typically these big companies (google, apple, amazon, etc) don’t have your interest at heart and have malicious privacy settings as default (in addition to mounds of absolutely worthless crapware).

So maybe instead of Bruce writing up a conspiracy about breathing for your dumbass, you write a comment worth reading and replying to; you can do it jimmy.

ccc March 13, 2015 8:20 PM

Turn off Documents & Data: Choose Apple menu > System Preferences, click iCloud, then deselect the Documents & Data checkbox. When you turn off Documents & Data, the iCloud Document Library no longer opens for any Mac apps that use Documents in the Cloud. You can continue to upload and download documents using the iWork for iCloud apps at iCloud.com.

I’m not too keen on the all or nothing proposition by Apple with regards to documents in iCloud. While I don’t want my unsaved iWork, Preview, and TextEdit documents autosaved on iCloud, I do want to be able to dump pdfs into a 3rd party app Readdle Document’s iCloud folder for access on the go.

bummer
