Dear Reader,

Today I'm remembering an episode that happened a few years ago. We are still a proud print publishing company, but, like most publishers, we deliver some of our copies in electronic form through content platforms available for personal computers and mobile devices. One of those platforms at the time was Apple Newsstand, a virtual newsstand for iPhone and iPad devices. The user interface for Apple Newsstand looked just like a magazine shelf at a bookstore, with a picture of a bunch of magazine shelves. Then, if you purchased a magazine, an icon with the cover of the magazine appeared on the virtual magazine shelf.

The goal of Apple Newsstand was to be a perfect little replacement of a real neighborhood newsstand – you buy any magazine you want (from Apple), and all the magazines you buy line up along your own personal virtual newsstand. The international company I worked for back then had several magazines, and they submitted applications for their magazines to be on Apple Newsstand. Linux magazines? No problem. System administration magazines? Sure. Raspberry Pi and Drupal magazines? Of course. But when we submitted a request to sell an Android magazine, the application was quickly rejected. It turns out that Apple was banning anything that mentioned Android from their newsstand because Android was competing against the iPhone and (according to them), it was an inferior, copycat technology. In other words, Apple Newsstand was a perfect little replacement for a real neighborhood newsstand, except that it inhabited an imaginary universe in which Apple's enemies did not exist.

Apple could have argued that it was their store and they could sell whatever they wanted, but there is something a little disingenuous about that argument. Apple Newsstand wasn't just a store – it was the way to consume magazines on an Apple system. It was an integral part of an ecosystem that purported to present a virtual version of everyday life. Since then, several other browser-based magazine platforms have appeared, and Apple Newsstand has itself been retired in favor of newer tech, so it is difficult to compare it to the situation today, but at the time, it seemed a lot like the monopolistic practices of Microsoft back in the browser war days, when "control of the desktop" meant control of the complete user experience, only Apple wielded a much more powerful form of control. The episode reflects a common theme in the evolution of the electronic marketplace, in which the user voluntarily surrenders freedom and privacy for the chance to be the one who is seen dabbling with smooth and shiny technology.

Fast forward to this month, and a new chapter in this saga is playing out with Apple's new macOS 11.0 "Big Sur" system. A blog post by security expert Jeffrey Paul [1] outlines some of activities that Big Sur attends to in secret, including the fact that it "…sends to Apple a hash (unique identifier) of each and every program you run, when you run it." Paul adds that "Because it does this using the Internet, the server sees your IP, of course, and knows what time the request came in. An IP address allows for coarse, city-level and ISP-level geolocation, which allows for a table with the following headings: Date, Time, Computer, ISP, City, State, Application Hash…This means that Apple knows when you're at home. When you're at work. What apps you open there, and how often."

Of course, Apple and other vendors have been spying on their users for years, but the thing that is most striking about this, other than the sheer audacity of it, is that there doesn't seem to be any way to actually turn it off. (In the past, there was usually some way to suspend the surveillance if you really took the time and tried hard enough.)

Another weird thing that Paul and other security researchers have discovered is that even a VPN or user-controlled firewall can't stop your Mac from leaking this information to Apple. According to the report, if you intentionally configure your system to route all traffic through a VPN, it will use the CommCenter component (used for making phone calls) to maintain its own connection for sharing reports on your behavior.

Sometime after Paul's blog post appeared, Apple posted their own statement [2], saying that the app logging technology was a thing called Gatekeeper, which checks the developer ID signature to ensure that the app has not been altered by malware. Apple says "We have never combined data from these checks with information about Apple users and their devices." They don't offer any proof – you're just supposed to take their word for it. They also don't promise they will never combine the data in the future – just that (if you take their word for it) they aren't doing it now.

The way this privacy trampling works is that the vendor tries something, and if no one says anything, it becomes the new norm. If enough people squawk, they say "OK never mind…" and dial it back some. Perhaps in response to the negative feedback they have received so far, Apple has now stated that they will create a new preference setting sometime in the next year that will allow users to opt out of the Gatekeeper reporting feature. They still haven't explained why they thought it was reasonable that a computer configured to route all traffic through a VPN would continue to send information to the vendor through a secret backdoor – and what other information they might be sending in addition to the Gatekeeper data. We might have to keep squawking about that part.

Joe Casad, Editor in Chief