Does Yosemite have a privacy problem? Not exactly


This morning, The Washington Post called out an unexpected privacy concern in Apple's new Yosemite operating system. Apple's Spotlight application, previously used to index material on a user's hard drive, has added a new Suggestions feature that points to external sites relevant to a given search term. As the Post article points out, that means search terms have to be transmitted back to Apple with a lot of extra information, including location data that the Post found to be precise enough to pin down a specific building.

But on closer inspection, many of the claims are less damning than they seem. There's already a public privacy policy for the new feature, as well as a more technical look at the protections in the most recent iOS security report. That document breaks down five different kinds of information transmitted in a search: the approximate location, the device type, the client app (either Spotlight or Safari), the device's language settings and the previous three apps called up by the user. More importantly, all that information is grouped under an ephemeral session ID which automatically resets every 15 minutes, making it extremely difficult to trace a string of searches back to a specific user. That also makes the data significantly less useful to marketers, since they can't use it to track behavior over any meaningful length of time. And most importantly, the data is transmitted over an HTTPS connection, so a third party can't read it in transit.

The biggest concern is that a user might accidentally search their own computer for a sensitive file — in Post reporter Barton Gellman's example, "secret plans Obama leaked me" — and unwittingly reveal that search term to Apple more broadly. But under the new scheme, there wouldn't be anything to tie the search to Gellman himself other than the ephemeral ID. More importantly, users who are concerned about such a scenario can easily disable Spotlight's Suggestions feature, effectively disabling the attack.

Update October 20th, 8:28PM: Apple has further detailed how Spotlight Suggestions work behind the scenes. In a statement to The Verge, the company says it's taken steps to "blur" location on devices, use temporary session identifiers, and let people opt out of the feature completely:

We are absolutely committed to protecting our users' privacy and have built privacy right into our products. For Spotlight Suggestions we minimize the amount of information sent to Apple. Apple doesn't retain IP addresses from users' devices. Spotlight blurs the location on the device so it never sends an exact location to Apple. Spotlight doesn't use a persistent identifier, so a user's search history can't be created by Apple or anyone else. Apple devices only use a temporary anonymous session ID for a 15-minute period before the ID is discarded.

We also worked closely with Microsoft to protect our users' privacy. Apple forwards only commonly searched terms and only city-level location information to Bing. Microsoft does not store search queries or receive users' IP addresses.

You can also easily opt out of Spotlight Suggestions, Bing or Location Services for Spotlight.