This might also be hampered by the desire to not store any device info; if they store device info, they might be able to build a reputation system for believing reports. They claim this is for user privacy, but it really just shifts the privacy defense to Apple -- so will Apple fight the gag order and subpoena for names of users of this app? At least if the developer did it themselves there could be a canary[1].
(Concerned that the information they would be required to store and handle may require they work with the government during a subpoena)
Apple also has to handle this (internally) to do push notifications, but I suppose the theory is Apple has pockets to fight the government (or it's at least out of the developer's hands).
Yeah, that's basically what I deduced. They throw Android under the bus but _really_ it's not any more private, it just makes it up to Apple to comply, not the developer.
There is an argument to be made that Apple is better positioned to fight financially... However, the current administration tends to threaten blocking of mergers/acquisitions, or other red tape unless they comply. I doubt Apple would accept such financially damaging threats to protect ICEBlock's users.
The issue is much older than the current US administration: Apple has been listed as participating in PRISM since 2012, and considering the whole opacity of the Patriot Act (and its derivatives), the secret courts in particular, it makes whatever they (or any other US company) might say about their commitment to privacy (when the opponent is the US government) rather irrelevant.
(Personally, I am suspecting that they do try much more than some other companies, but again, the opacity makes it impossible to verify.)
Apple has since confirmed in a statement provided to Ars that the US federal government "prohibited" the company "from sharing any information," but now that Wyden has outed the feds, Apple has updated its transparency reporting and will "detail these kinds of requests" in a separate section on push notifications in its next report.
As other commenters have noted, Apple's treatment of Russian and Chinese users should not give you hope for their resisting US federal oversight.
Apple fought back against forced decryption orders. They could theoretically decrypt any iPhone they're given with new firmware but they don't want to.
On the other hand, Google isn't exactly working with the authorities either. They moved Google Maps' location history to on-device storage because of the many warrants they were served, for instance, and they too refuse to decrypt phones.
These companies know to pick their battles, but they did take on the government various times.
> They could theoretically decrypt any iPhone they're given with new firmware but they don't want to.
This is untrue at some technical level: Apple is currently unable to break AES-256.
The San Bernardino case was about having Apple create and sign new firmware that would enable a brute force attack - which could easily be unsuccessful. I don't believe the Secure Enclave found in newer models even allows for a brute force attack (enforcing some delay, among other things) from BFU state.
You can frame it like that if you want yes but they certainly aren't "resisting pressure from law enforcement".
As a side note, they do fight sometimes, they fought the EU's DMA for example, but in Russia and China, they complied without a fight though to my knowledge.
It's a different risk calculation with the current government. Deny blocking this, and suddenly there are new tariffs designed to especially hurt Apple, or other punishments for not complying.
If there is any silver lining in any of this, it may be that people will finally start taking privacy as not completely irrelevant trade-off to convenience. I am not really holding my breath, but if people do not have that level of self-preservation in relatively clear instances, it probably does not matter anyway.
Apple tracks user location too. If you log into your iCloud from a country you've never been to, you're going to need to provide your 2FA code even with a valid session token. They're not stupid.
Apple is very much in favour of user privacy, as long as that privacy means "protecting your data from third parties". When it comes to the data Apple itself collects, they're far less conservative. They don't share information derived from their massive databases per se, but they do keep track.
Thanks to Apple and Find My, stalking people is easier than ever. The company can look up where you are and where you've been. They'd probably fight a court order to provide live location data to ICE, but who knows what that'll mean with the current American government.
Even on iOS, user data ends up in the hands of data brokers through ads. They're not supposed to collect all that data, but that's not stopping an unethical company from trying.
Android's privacy issues are there, but only if you're protecting your privacy against companies. If you're trying to protect your privacy against the government, there's no difference, really.
But Google doesn't have to be involved! GrapheneOS is specifically a de-googled Android.
Even for normal Google-y Android, you could provide the APK to side-load, so it doesn't go through the Play Store or Google's FCM at all, an option you don't have with Apple.
I think this is what the Graphene posts are trying to say.
As others mention, having a web app would make a lot of sense.
ICEBlock is actively lying, is not open source and is confidently misleading many.
While I don't want to assume regular fed honeypot, we can at the very least be certain that it's an app made by an Apple Kool-Aid drinking person. iOS is, in many ways, more susceptible to government subpoenas than an Android app would ever be. Sideloading, UnifiedPush, maintaining a connection to a server to handle notifications yourself are all more secure than just trusting that Apple will not just hand you over to the cops.
In addition, if the author is worried about a subpoena, it means that they're US based. Which is an absurdly stupid thing to do if you're going to make a fascist-reporting app while living in a fascist country.
This clearly demonstrates that the developer doesn't know what they're talking about. If anything, Android is more secure because you can:
A: Sideload an app so that the Google Play Store doesn't know you've installed it.
B: Run periodic background tasks to poll any HTTPS endpoint so no service provider has logs of device IDs for push notifications.
C: Create local notifications on the device.
In this case the only logs that any company could be asked to produce are server logs, which only show IP addresses.
I think this is a very good question to ask, along with why the Trump admin is threatening the developer rather than Apple. Forcing Apple to take it down is the only way to get rid of it now that it’s been published. Combine that with the fact that most people had never heard of this app before Trump made it go viral. I think we’ve all had enough conspiracy theories to last a lifetime, but it would be wise to exercise caution here.
Yeah, people don't know what they don't know, but just the fact people are risking their freedom to do something is important.
Someone explain to him that whatever he is doing, he needs to end-to-end encrypt so none of the infrastructure or middlemen can see anything but IPs and who installed it (until they control the end device). (Better yet use Veilid if it works yet, or I think there is some kind of Tor routing over HTTP these days.)
Also he is making a weird mistake by not being a website instead of an obvious corporate-controlled "app"; also should have tried harder to keep anonymous.
I don't want to advocate for the Google Play store, but these don't seem like legitimate technical / privacy reasons.
I know it's possible to do push notifications without user accounts - I'm doing that in an app I maintain.
But it is tedious to publish Android apps with a personal developer account - you need to run a 2 week test with 12 (used to be 20) users before you can release the app.
What prevents law enforcement from ordering the developer to alter the application in a way that reveals user info? Maybe the order is simply that they have to hand over their signing certificates for the app?
Interesting. I was wondering about that. There are definitely solutions out there that'd make this feasible on Android from a privacy perspective, but may need a bit more work. Perhaps like ntfy.
Also, as an offside, this is one of the things I hate about Google's handling of AOSP: they keep shuttling things into their proprietary layer, making it next to impossible for alternative approaches to gain traction.
Making your own push system on Android is rather unreliable. On phones from several brands (Samsung, for one) the system would constantly try to kill any long-running polling operation or background refresh daemon.
I don't really see their point about device IDs, though. There are ways around that, from cryptography to on-device filtering.
It's also not like Apple isn't storing device IDs to send these push messages. There's no difference to user privacy.
All of that said, by leaving it up to Apple to keep track of device IDs, they're not going to be on the hook for warrants. The government can get that data from Apple instead, but they can claim innocence. It's CYA.
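The polling design listed earlier in the thread (periodic HTTPS poll, local notifications) combined with the on-device filtering mentioned in the comment above, as an added example that is not from any commenter or from the app's code. The feed contents, the `/feed.json` path, the IP address and all function names are constructed for illustration; the server is simulated in-process so the snippet runs offline.

```python
import math

# Constructed sample feed: the server publishes the same list to every client.
FEED = [
    {"id": "r1", "lat": 40.7130, "lon": -74.0060},
    {"id": "r2", "lat": 40.7306, "lon": -73.9866},
    {"id": "r3", "lat": 34.0522, "lon": -118.2437},
]

def serve_feed(access_log, client_ip):
    """Hypothetical server handler: identical response for everyone.
    All it can record is the connecting IP and the requested path;
    it never receives a device ID, push token or user location."""
    access_log.append({"ip": client_ip, "path": "/feed.json"})
    return list(FEED)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 6371.0 * 2 * math.asin(math.sqrt(a))

def poll_once(access_log, client_ip, my_lat, my_lon, radius_km, seen):
    """One background poll: fetch the whole feed, filter on the device,
    and return the report IDs that should raise a local notification."""
    fresh = []
    for report in serve_feed(access_log, client_ip):
        if report["id"] in seen:
            continue  # already notified; this state lives only on the device
        dist = haversine_km(my_lat, my_lon, report["lat"], report["lon"])
        if dist <= radius_km:
            fresh.append(report["id"])
            seen.add(report["id"])
    return fresh

if __name__ == "__main__":
    log, seen = [], set()
    print(poll_once(log, "203.0.113.7", 40.72, -74.00, 5.0, seen))
    print(log)  # what a subpoena for server logs could yield
```

The trade-off is bandwidth and battery: every client downloads reports it will discard, and the connecting IP address is still visible to the server.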
Apple could be subpoenaed for the data, and we all know that Tim Apple is happy to jump when Trump says jump.
Meanwhile on Android they could easily just distribute the app from their own website and if they really insist on push messages there are plenty of non-google options that are actually private.
People don't shop at Amazon for the amazing UI around buying stuff. It's absolutely ludicrously atrocious for a trillion dollar company. But the focus is getting you to buy the items that make them the most money, not the item you want.
Not positive, but I think our product added toasts to comply with ADA/VPAT requirements on confirming the user got a second page of data in the table that they are viewing and clicked "next" for. I think it had to do with having both audio and visual acknowledgement of the action.
Otherwise, we would have to physically page or add dialogues people would have to click to close, just to see page 2 of table data.
A lot of people are forecasting the death of the Internet as we know it. The financial incentives are too high and the barrier of entry is too low. If you can build bots that maybe only generate a fraction of a dollar per day (referring people to businesses, posting spam for elections, poisoning data collection/web crawlers), someone in a poor country will do it. Then, the bots themselves have value which creates a market for specialists in fake profile farming.
I'll go a step further and say this is not a problem but a boon to tech companies. Then they can sell you a "premium service" to a walled garden of only verified humans or bot-filtered content. The rest of the Internet will suck and nobody will have incentive to fix it.
I believe identity providers will become even more important in the future as a consequence and that there will be an arms race (hopefully) ending with most people providing them some kind of official ID.
It might slow them down, but integration of the government into online accounts will have its own set of consequences. Some good, of course. But can chill free speech and become a huge liability for whoever collects and verifies the IDs. One hack (say of the government ID database) would spoil the whole system.
I agree, this would have very bad consequences regarding free speech and democracy. Next step after that would be a reestablishing of pseudonymous platforms, going full circle.
I think the average server size here is in the ballpark of 1200 people.
These are servers that asked to be advertised by Discord ("Discovery"). These are unlikely to be any kind of servers used for private or even semi-private discussions. You likely don't know most of the people on the server.
Most likely, the 'hottest' kind of data you might find is someone accidentally leaking info akin to the World of Tanks forum post 'corrections'.
A fair number of those servers have tens of thousands, if not hundreds of thousands of members. I admin two with over 50 thousand members, both listed in Discord's Server Explorer.
People felt 5-10 minutes isn't enough time for something as serious as insurance.. but 25-30 is so long it turns people away... And then 5%, maybe even 10% savings isn't enough to go through the effort, but 25% seems unrealistic....
You need a document long enough to seem informative and authoritative without being too extreme in any way... Then you can slap a price on it and call it a book!
I got a dashcam that ran off USB, which I knew my car had a port for on the center console. There's ways to run the wire under the trim for the most part, but it's a long run.. and at the end there's a part that remains visible to some degree.
There are cams that can do a rear view as well from inside the cab, which likely provides enough evidence if you're rear ended.
I only opted for a forward facing dash cam.
In my state, you are 100% at fault for rear ending someone unless you can prove your innocence -- which a dashcam can do assuming the person in front does something shady (like lane change + intentionally slam brakes).
However, do note that dash cams are not going to magically make rear ending the person in front of you somehow that person's fault. Virtually no one seems to leave enough follow distance by default because doing so means someone merged into the space.. and a dash cam doesn't shift the blame for simple rear endings unless it can prove some kind of malice or inattentiveness on the other driver (but even then, inattentiveness of the other driver is not necessarily a legal defense for you not leaving enough room to react.. perhaps if they stopped faster than a car could be expected to brake, e.g. hit a concrete wall....) -- of course, laws vary by state
1: https://en.m.wikipedia.org/wiki/Warrant_canary