
It would be better because if not then someone can turn it off. Automatically or by misinforming the user or by requiring it etc. Like now on iOS you apparently just need to install a profile, maybe it's too easy.


Well an MDM profile isn't going to decrypt iCloud data or Apple telemetry. It's basically the same dangerous power your ISP and DNS provider wields, but nobody is about to suggest banning those for user safety too.


Sounds like dangerous disinfo. Your ISP or DNS cannot decrypt your HTTPS traffic.

But someone who slips in a custom CA cert maybe can. That's the point.


That's the point, indeed. Your ISP and DNS can technically intercept your traffic, but it's pointless since TLS exists. Similarly, you can Wireshark an iPhone using MDM profiles but Apple doesn't respect your profile in the first place. Third-parties have no obligation to show you their traffic either, and many don't.


You are saying a regular app on non-jailbroken iOS can choose to bypass the profile & custom CA when working with TLS?


They don't need to. I'm not sure if you're aware, but it's actually possible to encrypt traffic using things other than TLS. A regular app on non-jailbroken iOS can completely circumvent TLS decryption. First-party Apple Apps will bypass your profile and custom CA.


Ah. You are saying they would encrypt on top. Sounds inefficient but I guess reasonable if you think about people like Kazakh government or Korean institutions requiring everyone to add a CA just to live a life. So without extra encryption they could snoop on that too. We can't have nice things...

(It's still possible to compare how much a blank device phones home but perhaps we wouldn't know all the details of what it talks about)


> So without extra encryption they could snoop on that too.

This is basically the crux of your argument. I mostly agree with you - neither Apple nor Google do enough to protect user traffic in the big-picture. You can Wireshark a lot of data off both OSes, the throughput is even scarier when you track radio emissions.

That being said, a lot of people have taken notes from Apple's "protect user privacy" shtick. Many logging libraries contain the app-equivalent of screen-recording baked in to the app framework, enabling a pipeline where PII gets ingested as a part of the logging process. Startups that incorporate these processes then brag about their self-imposed security compliance as a result of their own ass-backwards philosophy. And these aren't even the bad guys!

Companies like TikTok and Facebook collect lord knows how much information, and use the same "security" tautology as their scrappy startup peers. They consciously stretch the limits of their API capabilities, and then turn around and make puppy-eyes whenever regulators act concerned. Meanwhile, the actual users of these smartphones aren't empowered to regulate their own device's security. They can't turn off their phone because the modem is still on. They can't firewall Facebook analytics when the app is closed. They can't even stop their notifications from being snooped on without disabling the feature altogether. Where's Apple or Google when that's under scrutiny?

It's a bit tangential, but this is why I think Apple made an enormous mistake attempting to commodify privacy. Privacy is idealistic - there will always be perennial exploits on the iPhone to prove them wrong. Because Apple commits to imperfect, conditional privacy, scummier-and-scummier companies can follow their imperfect lead and make the same claims. And because none of them are as big as Apple, they rarely take flak when their systems fail. Apple's attempts to market security are like watching a leading F1 driver start turning into a tailspin, and taking the rest of the racers with them in a fiery crash.


I'm not sure marketing privacy is the same as commodifying it, if anything commodifying something makes it less marketable...

Most marketing hinges on non-commodities, take Coca-Cola for example, it's sugar water with a bit of caffeine, if they marketed that they'd be nothing, all of their marketing is about other stuff, intangibles.

Kind of like Netflix's proverbial "chill"

Comparatively I'd say privacy is among better things to market



