Privacy


Daniel Jalkut, in his Red Sweater Blog, recently posted that he had detected (via Little Snitch) some network activity from Dashboard back to Apple’s web site.  Upon further investigation, he found that the activity was apparently tied to this one-line entry in the release notes for 10.4.7:

You can now verify whether or not a Dashboard widget you downloaded is the same version as a widget featured on (www.apple.com) before installing it.

To me, that doesn’t do an adequate job of informing the end user that the computer will be contacting Apple on a regular basis to verify the installed widgets.  What it says is that the OS can (i.e., has the ability to), upon the user’s request, verify a widget before installing it.  Those are two different things.

A lot of the comments on Daniel’s entry are blasting him for posting this information, stating that it’s a matter of security, that Apple is providing functionality to help protect Mac users against malicious code.  OK, I’ll grant that the ability to verify the authenticity of a downloaded widget is a good idea.  I’ll even grant that the ability to manually, whenever I feel like it, ask my computer to verify the authenticity of the currently installed widgets is a good idea.  I’ll even go so far as to grant that having a checkbox somewhere that says, “Periodically check my installed widgets for authenticity” or something similar would be a good idea.

What’s not a good idea is adding a “phone home” feature that users (apparently) can’t disable and that can’t be configured, controlled, or adjusted.  What’s further not a good idea is misrepresenting this functionality in the release notes.  Finally, what’s not a good idea is for Mac users to confuse security with privacy.

This isn’t a matter of security.  Most everyone agrees that having the ability to check widgets to make sure they are safe is a good idea.  The problem here is that our computers are now communicating with Apple in a way that we did not authorize, were not informed about, and cannot control.  That makes it a matter of privacy, not security.  And yes, while the communication right now is benign, will it always be so?  What will the Mac users do when it is not benign?

I posted a comment to the article to see what methods, if any, are available to disable this functionality.  As soon as I get some additional information, I’ll post it here.

UPDATE:  This safety check can be disabled by using the command:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.dashboard.advisory.fetch.plist

This should all be typed on a single line.  In addition, it’s important to note that the dashboardadvisoryd process does not send any information to Apple currently; it only fetches information from Apple and compares it to the list of currently installed widgets.  Also, in the light of the extensive information shared with Apple as a result of using Software Update (an aspect I did not consider originally), I retract most of my concerns regarding privacy.  I do, however, stand by the statement that Apple should have been more informative and forthcoming with information on exactly how this works, as well as given users a means whereby to control it.


I wrote a short while ago about the fact that Microsoft’s Windows Genuine Advantage tool is phoning home on a regular basis (daily, in fact).  This issue has garnered more attention over the last week or so, and very smart people are tackling the issue.

These two articles, Big Brother Microsoft and Big Brother Microsoft is Snooper Than I Thought, were written following my original posting and include more information about the information disclosed to Microsoft.  Then, Pamela Jones of Groklaw got into the discussion with her article, Microsoft’s Calling Home Problem: It’s a Matter of Informed Consent, in which she carefully and meticulously looks at the issues, the EULAs (or lack thereof), and the timing of those EULAs.  Her conclusion?

Microsoft has now put out a statement, asserting that the Windows Genuine Advantage tool is not spyware, that they’re going to change it some, and that one thing that distinguishes it from spyware is that they get consent before installing it. I question the accuracy of the statement.

She proceeds to back that up with a detailed analysis of the EULAs (End User License Agreements), when EULAs are even presented to the user.  I’m no lawyer, but her discussion and analysis of the matter is detailed and fascinating to read.  Even if you disagree with Microsoft’s handling of this situation, I encourage you to read the entire article so that you have a good feel for the principles that are involved.


Windows Phones Home

As if Microsoft’s reputation weren’t already bad enough, now comes the news that their anti-piracy initiative—Windows Genuine Advantage—is “phoning home” to Microsoft every day.

According to this article, Microsoft has acknowledged that the Windows Genuine Advantage tool, installed automatically by Windows Update in order to “verify” the authenticity of the installed copy of Windows, makes contact with servers at Microsoft daily.  Supposedly this is to see if it should continue to run, but it also turns out that Microsoft may be updating the list of “invalid” Windows product keys.

Now this would be no big deal if Microsoft had fully disclosed this information.  (OK, so it wouldn’t be as big of a deal.)  Instead, Microsoft is now having to talk about this after others have learned of the tool’s true behavior.

Will Microsoft ever learn?

UPDATE:  A private firewall testing company has released a utility to remove the WGA Notifications portion, which is the portion that is “phoning home” to Microsoft daily.  See these links for more information.

eWeek article on the new utility:  http://www.eweek.com/article2/0,1759,1979756,00.asp
RemoveWGA:  http://www.firewallleaktester.com/removewga.htm


What’s This All About, Anyway?

Is it just me, or is anyone else bothered by the recent stories of MSN and Yahoo turning over customers’ search terms to the Federal government?  Apparently, the same request was made to Google as well, and Google is battling the request.

Supposedly, the data being requested by the government is intended to be used as evidence in a trial that could revive a child privacy law intended to protect children online.  As a father myself, I know how important it is to safeguard our children while they are online, but I’m loath to let the government do it via legislation—the track record isn’t really all that great.  Remember CAN-SPAM, anyone?

In any case, perhaps I’m just paranoid, and some would claim that my resistance to this and other similar moves indicates a desire to hide something from the government.  No, it’s just that as a free society that desires to remain free we’ve got to draw the line somewhere.  Why not here?
