At SummerCon 2024, J. Gdanski, CEO and Co-Founder of Evertas, delivered a powerful talk titled “We Kill People Based on Metadata: How Apple Makes Us All Vulnerable.” The talk delved into the privacy issues surrounding Apple’s devices, especially iOS products, and highlighted how their design poses significant risks to user privacy.
The Origin of the Title
The quote that inspired the talk’s title comes from a Wired article: “Former NSA General Counsel Stewart Baker said: ‘Metadata absolutely tells you everything about somebody’s life. If you have enough metadata you don’t really need content.’ In 2014, former NSA and CIA director Michael Hayden remarked: ‘We kill people based on metadata.’”
What Is Privacy?
According to Gdanski, data privacy boils down to control. Quoting Cloudflare’s definition, he explained, “Data privacy generally means the ability of a person to determine for themselves when, how, and to what extent personal information about them is shared with or communicated to others.” He stressed that privacy isn’t just about hiding secrets but about having control over how personal information is shared.
The Four Criteria for Privacy
Gdanski outlined four critical elements that define a private device:
- Secure: The data on the device cannot be accessed without consent (i.e., it should protect against coercion).
- Anonymous: All users/owners look the same; you should be protected from targeted attacks.
- Tracking Protection: The physical device should not be able to be tied back to an individual (e.g., RF, HW attributes, etc.).
- Signature Management: Signals from the device should be eliminated when possible, minimized where necessary, and obfuscated as much as possible.
Apple’s Privacy Failures
While Gdanski acknowledged that Apple has done a lot to advance privacy (particularly for normal people who don’t want to spend their time thinking about it constantly), he argued that its devices often fail when measured against these criteria. Despite Apple’s marketing claims, significant vulnerabilities remain.
- Lockdown Mode: Apple’s Lockdown Mode, designed to protect high-risk users, is riddled with usability issues. Gdanski humorously described his experience with the feature, noting how it often breaks critical functions, such as being unable to check into a flight or even read PDFs. He emphasized that Lockdown Mode’s UX issues make it impractical for the very users it’s meant to protect.
- VPN Failures: Gdanski pointed out that VPNs on iOS devices are often bypassed, with Apple on record stating this behavior is “expected.” This undermines user attempts to keep their internet activity private.
- Apple Tracking: Apple requires a user account and makes it very hard to acquire a device, create an account, or interact with Apple anonymously/pseudonymously. This, coupled with the amount of data sent to and from Apple, shows there’s a lot of work to be done to make Apple truly “private.”
- iCloud is not private: Even with Apple’s Advanced Data Protection, Gdanski explained that metadata remains vulnerable. He warned that sensitive information, like file transfers between individuals, can be tracked and analyzed through metadata, exposing social connections and communication patterns.
Steps Apple Should Take
To truly protect user privacy, Gdanski proposed several actionable steps for Apple:
- Implement a “Push vs. Pull” Model for Notifications: This would reduce the constant leaking of information that occurs with real-time push notifications.
- Allow for Third-Party Applications: Apple’s restrictive App Store policies limit user choice, forcing users to rely on apps that don’t always respect privacy.
- Treat Apple and Third-Party Products the Same: Apple products and services are often privileged in some way (which is why Lockdown Mode is necessary). Removing this privileged treatment should allow for greater control over all applications and services running on the device.
- Fix Networking Issues: Apple should ensure that all network traffic adheres to VPN and DNS settings and give users more control over their network connections. You should be able to deny all network connections to an application/service and also have a firewall that allows you to tweak settings on a per-application basis (e.g., Little Snitch for iOS).
- Continue to Pursue Privacy: Apple recently updated iOS devices to restart automatically, putting them into a Before First Unlock state (which is harder to exploit). These sorts of changes are ideal, but should have happened sooner (GrapheneOS has had this feature for years). Providing for greater isolation and separate profiles would also be ideal. Opening up iMessage to non-iOS devices and trying to add more privacy to Apple Pay would also be huge boons.
What Can Users Do?
Despite Apple’s shortcomings, Gdanski suggested several steps users can take to protect themselves:
- Use a VPN Installed via Configurator: This ensures that the VPN is more difficult to bypass; you can also try using DNS to blackhole all requests that are not over a VPN.
- Buy Devices with Cash: Avoiding digital payment methods when purchasing devices helps maintain anonymity.
- Disable iCloud and iMessage: These services can expose user data if not configured correctly.
- Consider Moving to the EU: Gdanski humorously mentioned that Europe’s stricter privacy regulations may offer better protection for users concerned about their data privacy.
Conclusion
Gdanski’s talk was a call to action for both Apple and its users. While Apple has positioned itself as a privacy-focused company, its devices still have serious flaws that leave users vulnerable. Gdanski urged Apple to address these gaps and offer real privacy solutions, while also empowering users to take control of their own data.
For those who missed the talk, the full session is available on Team SummerCon’s YouTube channel.