Doesn't feel like a bug to me. After disabling iCloud Passwords I see a big nag in the Passwords menu asking me to enable it again; I don't remember that there on iOS 16.
And when it was enabled there was a nag for Passkeys or password family sharing or something like that. I guess they want people to use that now.
Also I don't understand how you could screw these things up repeatedly for so many features. iMessage is another one that iOS loves to enable again. I just checked: it's enabled again. Turned it off. And the one with Bluetooth that lapcat mentioned. I don't believe these things to be bugs.
But they really crossed the line for me with Passwords.
I agree. It’s easy to see how a user hostile setting would go unchecked by a large corporate company that doesn’t benefit from protecting the privacy of its users.
I consider sending anything up to the cloud without user's consent is pretty hostile. Passwords especially. I don't care if they claim it's E2EE; programmers and implementations are fallible and I thought a key part of Apple's whole value proposition is it's supposed to retain control in the user's hands.
Do these "generic bugs" ever happen the other way around? Meaning, do they ever disable any form of communication to Apple or are they always enabling?
They gave Apple authorization to access their phone (the phone is not Apple property) in order to copy certain things into the cloud.
They uploaded new software and downloaded data they were not authorized to download without getting permission first.
I'm sure there is some cover your ass clause in the EULA that tries to protect them when they (accidentally or on purpose) violate the CFAA, but, in this case, they pretty clearly did things that exceeded their authorization.
The relevant part of the CFAA is a.1 (I removed the bits that are irrelevant):
> (a) Whoever—
> (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained ... restricted data, as defined in ... causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it ...
> And yes they can see your stuff. We know this because law enforcement gets access to it all the time.
What law enforcement typically gets access to is iCloud Backups, which is not end-to-end encrypted by default (but can be) and is not a mandatory feature. iCloud backups do not contain your keychain.
> The keychain is just another keystore
Nobody has said anything else? But Apple does not hold the key to decrypt it.
Did they announce this change? It's a pretty major UI departure. In particular, if you have one Apple device and loose it, the 2022 article implies you can recover your keychain, but the 2023 article says you're completely screwed.
A lot of people rely on iCloud backup. It seems like there should be a device-wide toggle that lets you choose between the two behaviors for things like passwords, health data, and all the other E2E apps.
The escrow is only an additional layer of security - your device still has to decrypt the downloaded keychain contents using your password AFTER proving to escrow that you're allowed to download the encrypted keychain using device or SMS 2FA or an iCloud security code.
That definition quickly becomes absurd. If I run "cat a.txt b.txt" but only give it authorization to read a.txt, does that mean Richard Stallman (or whoever wrote the program) is breaking the law? You might say consent is implied in that case but:
1. I thought implied consent was out of fashion these days
2. What if it's something like an IDE that reads the surrounding directories? VS code does that and I certainly didn't know that feature even existed before I first opened it, so how could have given authorization? Is Microsoft in breach of the CFAA?
> 2. What if it's something like an IDE that reads the surrounding directories?
Reading the directory in a software running on your computer is not the problem. The question is, is data from the surrounding directories transmitted to somebody else's computer, a.k.a. The Cloud?
It's not just snobbery. There are real and serious usability issues. When doing group communication between an iPhone and a group member who is in Android user. The entire group chat gets downgraded to SMS, which means a lot of messages don't get through the way they were intended, and images and videos are so downgraded as to be unusable. The people that I know personally who are affected by this, it has nothing to do with snobbery and everything to do with pragmatism. People on iPhone will only use iMessage in the United States. It's stupid, it's absurd, it's self-inflicted, but ultimately it is what it is and all the advocacy of moving to something else is not moving the needle.
