1. 50
  1.  

  2. 15

    One gets the impression that Apple’s bug bounty programme is something the company was pressured into and that higher-ups are extremely unhappy about it. Presumably because running a successful programme and giving credit to security researchers is at odds with the lack of transparency to which the company normally aspires. The programme is clearly either massively under-resourced or deliberately sabotaged.

    1. 8

      Or poorly managed. Malice / stupidity, you know the quote.

      1. 5

        Yeah, pretending to be stupid is frequently a great cover for malicious actions.

        1. 5

          … three times is enemy action. You know the quote.

    2. 6

      It’s pretty neat that Apple is collecting and uploading so much health data, including reproductive and sexual health self-reported data. That’s got to be amazing for their ad targeting and probably pretty handy when subpoenaed for various kinds of court cases.

      1. 3

        You seem to be saying that Apple is in the business of harvesting personal data for ad targeting. I am interested to know more about this.

        1. 3

          They are in the business of making money.

          1. 4

            Yes, but as far as anyone is aware, Apple does not make their money from targeted advertising or data harvesting/selling like, say, Google and Facebook do. Apple makes their money the old-fashioned way: by selling their goods and services.

          2. 2

            I asked a search engine about “apple resell user data” and was informed that not only is there reputable evidence, but folks have taken Apple to court for allegedly reselling user data. I also asked about “apple breach user data” and was informed that health data provided to Apple was exposed via third-party breaches. While it’s true that Apple is primarily a fashion company and not a data broker, they have definitely acted and continue to act as a data brokerage.

            1. 3

              I asked a search engine about “apple resell user data” and was informed that not only is there reputable evidence, but folks have taken Apple to court for allegedly reselling user data.

              I asked a search engine about that case and found it was dismissed:

              The complaint fails to plausibly allege with enough facts that Apple disclosed plaintiffs’ personal listening information to third-party data brokers and similar entities, which caused plaintiffs overpayment, loss of value in personal information, unwarranted junk mail, and risk of identity theft.

              etc.

              I also asked about “apple breach user data” and was informed that health data provided to Apple was exposed via third-party breaches.

              I read your provided link and it begins:

              Researchers discovered an unsecured GetHealth database with over 61 million fitness records in plain text, most detailing Fitbit and Apple HealthKit users.

              Nowhere in the article does it state or even allege that Apple provided data surreptitiously to this third party. Neither is it stated or alleged in the report the article was based on. And if you keep digging a bit you’ll find out why no such allegations were made – because the breached party did not obtain the data from Apple. The breached party was in the business of providing integrations for popular wearable health and fitness devices:

              According to GetHealth’s website they can sync data from the following: 23andMe, Daily Mile, FatSecret, Fitbit, GoogleFit, Jawbone UP, Life Fitness, MapMyFitness, MapMyWalk, Microsoft, Misfit, Moves App, PredictBGL, Runkeeper, Sony Lifelog, Strava, VitaDock, Withings, Apple HealthKit, Android Sensor, S Health.

              I wonder why you didn’t do that extra thirty seconds or so of reading/researching on either of your provided links?

            2. 1

              I was being medium tongue-in-cheek. They appear (based on what ads they show me in the App Store) to be using my behavior to present me ads that will drive revenue. When I had kids I experienced the shift in advertising as various advertisers correlated my search / browse / buy habits to guess that I was interested in diaper ads so hey, if you’ve got someone’s menstrual cycles, sexual activity and cervical mucus quality maybe you can do even better!

              1. 4

                It’s a very big jump from “Apple’s store used my purchase history in that store to recommend things to me in that store” to “Apple is harvesting my health data to sell me things”.

                Would you like to back up the latter claim with evidence?

              2. 1

                A very related thing: I’ve never ever seen “ikea” show up as a suggested app store search term before. But I went to an ikea store last week, and the app store showed me “ikea” as the highest suggested search term. So they’re certainly using position data or nearby wifi networks or some other info for advertising, and I think that’s very creepy.

                (And yes, putting a brand name at the top of the suggested search terms is advertising. And location data is personal data in my book.)

                1. 3

                  Ever since they started enforcing it a while back, you’ve had the ability to see privacy disclosures for every Apple app and every app you get from their app stores.

                  Which will lead you to some honestly pretty plain-English descriptions like this one. And instructions for how to turn off “personalized” ads in Apple’s own apps.

                  So there’s no need to wonder about what’s going on or how they’re deciding what ads to show you. You can literally ask any app for its privacy statements and read them.

            3. 3

              This work was worth years of salary, according to Apple’s own pricing for vulnerabilities. Certainly it took the author months of work following years of study. Apple’s refusal to pay, when combined with the demand for responsible disclosure, is effectively a form of exploitation of labor.

              1. 1

                Based on the timeline, it appears the program has gone downhill in the last two to three years. Or have they been always like this?

                1. 3

                  The programme has only been open to all for less than 2 years. Prior to that it was invitation-only. I’ve been hearing negative reports from security researchers from a few months after it opened up. Lack of communication, not attributing credit, frequent no-pay outcomes, and everything takes an unreasonably long time if the bug is acknowledged, fixed, and the bounty is paid out. I don’t know how it was during the invite-only years, presumably invitees had to sign NDAs.