Apple Hits Back at European Activist Complaints Against Tracking Tool (reuters.com)
An Austrian privacy advocacy group drew a strongly critical response from Apple on Monday after it said an online tracking tool used in its devices breached European law. From a report: The group, led by campaigner Max Schrems, filed complaints with data protection watchdogs in Germany and Spain alleging that the tracking tool illegally enabled the $2 trillion U.S. tech giant to store users' data without their consent. Apple directly rebutted the claims filed by Noyb, the digital rights group founded by Schrems, saying they were "factually inaccurate and we look forward to making that clear to privacy regulators should they examine the complaint." Schrems is a prominent figure in Europe's digital rights movement that has resisted intrusive data-gathering by Silicon Valley's tech platforms. He has fought two cases against Facebook, winning landmark judgments that forced the social network to change how it handles user data. Noyb's complaints were brought against Apple's use of a tracking code, known as the Identifier for Advertisers (IDFA), that is automatically generated on every iPhone when it is set up.
Apple could have validated the app's certificate on (Score:1, Interesting)
Re:Apple could have validated the app's certificate (Score:4, Interesting)
This article is about the IDFA, not about app checking at launch.
Yes, a computer could validate a developer's certificate one time, but certificate revocation lists exist for a reason. Apple certainly overdid it by checking each time an app is launched, but it's not clear what is the best frequency to check CRLs. (I would argue "what the user picks", but Apple's philosophy mostly opposes that kind of control by users. They're holding it wrong!)
You can't find out later something was bad?????? (Score:3, Informative)
Revoking a certificate means you don't trust new content, not content already delivered
For applications, I would say the primary use case would be finding out an application is doing something bad, and stopping it from running and causing further harm.
Blocking content already delivered is the whole point of revocation!
Re: (Score:1)
Signed Software != Trustworthy Software.
Signed Software == Verified Sour
Sorry, but times have changed. (Score:1)
Signed Software != Trustworthy Software.
Except in modern times, signed software does mean trusted software; your notions are antiquated.
Yes, a signature ALSO verifies who it is from, but then when software under that umbrella is reviewed it ALSO implies the software is trustworthy (and of course the fact that some steps were taken to verify the identity of the entity acquiring the certificate).
This is true of SSL certs as well, or did you think that Verisign just handed certs off to any anonymous person? T
Re: (Score:2)
but then when software under that umbrella is reviewed it ALSO implies the software is trustworthy
Ummm, no. That presumes that an in-depth security review was performed on every new version of the software - which so far as I know *nobody* does. If they did, then there would never be any security vulnerabilities in apps being published. A security vulnerability is FAR easier to detect than an intentional trojan with even modest obfuscation. Typically app-store review just looks for obvious violations of store terms, and even misses a lot of those.
The signature verifies that the software came from th
Re: (Score:1)
Ummm, no
Ummmm, yes ACTUALLY.
That presumes that an in-depth security review was performed on every new version of the software
Which is exactly what Apple does with review.
It's not perfect but they do quite a bit of scanning and also user view, along with monitoring network traffic.
The signature verifies that the software came from the claimed source, NOTHING else....Now, maybe there's a little trust
I can see the light is just starting to shine through. You even just reversed your own statement in just th
Re: (Score:2)
There's certainly a time factor, though. If it hasn't been revoked within... let's say a month after the app was signed (as validated with a timestamping service), it almost certainly won't ever be, or at least not in a way that would affect whether that particular app should be trusted.
More to the point, if it is revoked after that time, it is more likely to be a malicious revocation (e.g. a company trying to force upgrading, or hackers trying to screw over a company they don't like, or a malevolent gover
Re: (Score:1)
Re: (Score:2)
Of course, there's a separate mechanism for Gatekeeper blocking the launch of apps that are known to be malicious. That's entirely separate from the OCSP checks of the app's signature, which probably only need to be done on first launch, but certainly not every launch forever and ever.
Scooby-Doo (Score:4, Funny)
Hash is the most important data (Score:2)
Hash is literally the most important data when I need to lookup what exploit works against your exact version.
Guessing means failed attempts and the target knowing that something is up. Getting the hash and using one *exact* working exploit that silently succeeds is far more deadly.
Also would identify who has created any software deemed "bad". The hash of its creator running it during development and before release would show who needs beaten or disappeared.
Has anyone figured out how to spam the service w
Hash is good (Score:2)
Hash is literally the most important
I agree - hash [wikipedia.org] is good, and very important!
Oh, you meant this hash [wikipedia.org], nvm.
Nope, never buying one (Score:2, Insightful)
Re:Nope, never buying one (Score:5, Insightful)
I have recently moved from an iPhone to an Android Phone (a Samsung).
Since I switched over, I am getting so many more targeted ads than I did with my Apple device, and the Apps that I got even the ones with Ads seem less intrusive and never had it lock up my App.
I am not saying Apple is innocent. However they seem to be a much better custodian to the data they collect vs what Google does.
Re: (Score:2)
Re: (Score:1)
Google can avoid all those things. Get a phone with an OS that isn't built by a company whose sole purpose is tracking and advertising.
Re:Nope, never buying one (Score:4, Informative)
Ad-targeting is part of Google's Android ... because Google is an ad-company. You can disable targeted ads from Google in the settings: Settings -> Google -> Ads -> Ads -> "Opt out of Ads Personalization".
That's just one tracker though. Lots of other apps do it in other ways for ads in those apps, and those won't be disabled this way.
Do you have a cell phone? (Score:3)
You'll be amazed how easy it is for governments to track those!
Not the OCSP check (Score:5, Informative)
Noyb’s complaints were brought against Apple’s use of a tracking code, known as the Identifier for Advertisers (IDFA), that is automatically generated on every iPhone when it is set up.
Man, I'd hate to be Google if this makes any headway.
Why do these companies keep on trying their luck? (Score:1)
If only the so-called land of the free would show the same teeth, these parasitic tech companies would be forced to start treating user data with the respect it deserves. I'm hopeful that the incoming administration will make some strong moves in this direction, but not holding my breath.
Re: (Score:2)
The EU has made it quite clear it's able and willing to enforce its citizens' right to privacy. If only the so-called land of the free would show the same teeth, these parasitic tech companies would be forced to start treating user data with the respect it deserves. I'm hopeful that the incoming administration will make some strong moves in this direction, but not holding my breath.
That European article is a simple case of "Open mouth. Insert foot."
In other words, they jumped to a conclusion before thoroughly checking out what was going on...mm-kay
Re: (Score:3)
If only the so-called land of the free would show the same teeth, these parasitic tech companies would be forced to start treating user data with the respect it deserves.
Yeah but land of the free means “free to steal user’s data so long as you bury a clause somewhere in an adhesion contract”.
They had to abbreviate it for the national anthem.