Is it worth taking all the effort and struggle with the privacy friendly apps if I am using Apple devices?

Hi, all. I have always been a privacy and security enthusiast who follows and supports the development of open source and privacy friendly software such as the Proton Suite, Firefox, Brave, Bitwarden, Notesnook, uBlock Origin, etc. I even started blogging in my native language about the importance of these issues. Yet, I think I am experiencing an overwhelming exhaustion, which I find very weird and, to some extent, funny. I know exactly why I should not turn myself in to Apple. Still, the struggle seems futile to me nowadays.

Using these apps comes at a significant inconvenience. And, most of the time, you experience some problems with these products. For instance, after the release of Proton Drive, I started to switch my backups from iCloud Drive to Proton, and it was very painful. I cannot completely use SimpleLogin, because there are so many sites blocking it during or after registration. These are just simple examples. Even though you pay for the products, you rarely find complete replacements, and you won't have the deeper integration with your OS and devices.

Instead of this hassle, I can use Safari, iCloud Mail and Drive, Hide My Email and other Apple services. Most of them are E2EE, privacy friendly services, unlike Google or Microsoft products.

So, is it still worth the hassle and the time I will spend resisting in the future in order to use the alternatives? Is there anyone with similar feelings?

4 Likes

It just comes down to your personal threat model: are you okay with trusting Apple with the things you’ve listed? If yes, then there’s nothing wrong with it and you’re going to still have decent privacy from third parties that aren’t Apple. If your threat model is “big tech fuck off” then you should keep trying to use non-Apple services even if you are on Apple devices right now and migrate to non-Apple devices as your current devices get to be replaced.

8 Likes

I know how you feel; this is called burnout.

I don’t know what your threat model is, but if you trust Apple by all means use it.

I still think looking into alternatives is a good thing, but you don't always need to replace what you have if it works.

BTW, have you looked into digital minimalism? I don’t know your needs but this helped me a lot with my personal burnout. For example, for notes you could just use a notebook and for cloud backups use hard drives. It could also benefit your privacy.

7 Likes

Don’t use all these apps all at once, especially if you’re inside an Apple ecosystem, which is pretty much a lockdown. You are better with trying one alternative at a time. Otherwise, it would be an overwhelming experience.

IMO, this would be a misunderstanding, since there's no source available, just claims. See "WhatsApp 'end-to-end encrypted' messages aren't that private after all | Ars Technica" for example.

The source should be available, so anyone can verify that their E2EE implementation is working correctly without any hole/backdoor. Otherwise, it’s worthless.

If it’s possible, even the OS should be open source. But it’s still worth using privacy-friendly apps regardless of the OS.

1 Like

The misunderstanding would be assuming that you can’t verify things if you have no source. I haven’t read any articles claiming that Apple’s explanation of how iMessage E2EE works is not true; it would not be very hard to get a jailbroken device and hook into iMessage to trace whether it is doing what it says it’s doing (at least for the on-device portion). Obviously open-source implementations like Signal are better because you don’t have to jump through any hoops beyond knowing basic coding and cybersecurity to verify things, but again, you don’t need to see the source to do that verification.

1 Like

In what sense? I suppose it will depend on your usage, but by far the biggest inconvenience for me is vendor lock-in. Even if you nowadays use only Apple devices and can thus conveniently access all the data everywhere, you're curtailing your freedom when it comes to device purchasing choices and setting yourself up for potentially painful forced migrations in the future, whether you decide to continue buying Apple or not. It's not just Google that discontinues services or changes the conditions under which they are available.

2 Likes

No, you can't verify anything without the source. For example, what if the hidden code randomly applies to some devices? To some random period of time? Or to a specific individual? Etc.

For some obvious cases, yes. For any real verification, no.

This proves nothing. No one knows. It’s like saying that only the one who got caught for stealing is a thief, so if the person can steal without getting caught, he/she is not a thief.

1 Like

I think it’s important to criticise proprietary software with accurate claims, not hypotheticals that lean into conspiracy territory. If your threat model requires being absolutely 110% sure there’s nothing there that’s malicious then yes, you take those hypotheticals into account and use FOSS software and do all the intense checking, but for the average person who isn’t a high-value target, it just ends up being more conspiratorial than anything and personally it makes it hard to support FOSS despite it being better overall.

All the claims of “hidden code that randomly applies” can happen with FOSS software, especially if it’s a large enough project. Someone nearly snuck a backdoor into Linux. It’s not an argument that uniquely applies to proprietary software.

PS: "they" is a wonderful pronoun you can use for people without the clunky "he/she"; it's been in English for longer than anyone here has been alive.

4 Likes

It's just a matter of fact and one of the differences between proprietary software and open source/source available software. It's just that no one can claim with 100% certainty that any proprietary software works the way they told us. I didn't say, as you do, that we can verify the apps 100% without seeing the source. I did say that no one can ignore that possibility.

This is incorrect. Nothing can be hidden in a public FOSS repo. If it’s not found, yes.

Thank you, teacher. Sorry, English is not my native language. I believe not all people alive here are native English speakers. I will try to do better next time, by the way.

3 Likes

Unfortunately, much of the FOSS software is not checked by people who have suitable skills to detect malicious code. Also, if you use a binary package you don't know that what you have matches the source code (for example, the SourceForge disaster). IIRC the Atlantic Council even listed OSS as the 4th most significant threat to software security (I assume because it is so easy to insert malicious code into collaborative projects). To be 100% safe you would need to have the skills to detect malicious code, then examine the app source code, each of the libraries it uses, and any other code sources it uses, then compile it on a compiler which you have also checked to be sure the compiler is not inserting malicious code. I don't know anyone who has done this.

Personally I rely more on the reputation of the source of the binary than OSS or proprietary, though given the choice I prefer OSS.

2 Likes

My threat model is just about evading mass surveillance, big tech, and supporting open source projects. I don’t see Apple as a threat personally. However, I really dislike the walled garden mentality, and want to support open source projects and community.

Do I trust Apple? I think they have a different business model than Google. Still, it can change over time; they can monetise our data, or when faced with legal hurdles, they won't care so much about users. And it's not open source, so we don't really know the extent of their E2EE or other privacy protections.
But they add many good privacy features, like Hide My Email and fingerprinting protections. Apple even brought profiles to Safari on iOS, which other browsers do not have.

Yes, I did. I actually remove apps from time to time, and minimise the number of notifications. Still, I need different software for personal and work purposes. So, a complete minimalism is really difficult for me. But thanks for the suggestion.

Does not seem to be a very credible organization, looking at who’s funding them: https://www.atlanticcouncil.org/about/donate/honor-roll-of-contributors-2019/

Certainly you're not expecting a big business lobbying group, one whose backers largely profit from closed-source software, to tell you that open-source is where it's at…

Edit: one of the poorest countries in the world, the Democratic Republic of Timor-Leste, apparently has made a sizeable donation to this organization. Oh, and ever heard of the Ukrainian company Burisma? They're seemingly involved in that too (Atlantic Council - InfluenceWatch). Seems to be a platform to exchange political and business favors.

3 Likes

If you want to avoid big tech and you dislike the walled garden, I think you should move to something that fits what you like. Maybe like GrapheneOS or DivestOS which are both open source and are not walled gardens. If money is an issue, the best I can say is to check out alternatives if you like them.

That is true, they do a lot more for privacy than things like Google. IMO, for the most sensitive stuff I would avoid iCloud email, since they don't encrypt their emails. The less info you give, the better.

That's fair, digital minimalism isn't for everyone, but it's good you took some important steps by removing apps. You're welcome 🙂

1 Like

When I get burned out trying to balance security, privacy and anonymity against usability, functionality and cost I say “This is good enough for now”.
Then I submit more data broker opt-out requests ☺

5 Likes

Even though I dislike Meta and WhatsApp, this does not mean that E2EE is broken. If a message is reported by users, then it is shared with moderators. It is an issue of privacy, not security. In a rare statement, Signal supported WhatsApp. There is no need for FUD. I did not delve deeper into this subject, but if they broke E2EE, we should have seen them appearing in courts.

Moreover, if you are using the OS, all data can already be collected from your keyboard and other means. I wish everything could be open source. I tried GrapheneOS on my hobby phone, but I don't feel ready for the switch.

That's the problem. Now, Apple devices are the best choice for me. If I start to use GrapheneOS one day, I can switch many services. In one day, I can move all my files, photos and other stuff, so I am not completely dependent. The only difficult part may be aliases; still, it is not a big deal.

Yeah, but we don't know to what extent they comply.

3 Likes

What the “whatsapp backdoor!!!1!!1” is in this case is actually the fact that users can report messages to Meta and those messages get saved to the user’s device then sent to Meta’s moderators to evaluate. Very scary and backdoor, I know.

It's literally broken, as there's also unencrypted metadata, AKA PMPs, attached to the user's encrypted message, and this metadata is visible to Facebook, and to law enforcement authorities or others that Facebook decides to share it with, as stated in the article.

As stated in the article:

Since the pen orders and their results are frequently sealed [by the court], it’s also difficult to say exactly what metadata the company has turned over… we don’t know exactly what metadata is present in these PMPs, we do know it’s highly valuable to law enforcement.

Basically, no one knows the metadata content that was shared, whether it included even the messages’ encryption key, etc.

My point is that if we can’t possibly verify how their E2EE implementation works, as we don’t see the source of the app, we can’t assume that it’s actual E2EE as it’s supposed to be. Perhaps, there’s a switch to turn off the target’s E2EE, etc. We just don’t know. All we know for sure is WhatsApp’s E2EE is useless and shouldn’t be considered as anything more than one’s peace of mind.


Yes, according to what everyone was told 😅

Edit: Oh, I almost forgot that this point is also stated in the article:

Although nothing indicates that Facebook currently collects user messages without manual intervention by the recipient, it’s worth pointing out that there is no technical reason it could not do so.

There is no technical reason why I couldn’t just steal $3 million in cryptocurrency from a random schmuck but that doesn’t mean I’m going to risk doing it. Besides, the metadata is the most important commodity for governments and LE, and that isn’t protected with Wapp so why go through all the trouble of adding automated message sharing when having actual proof of such would be even worse for their reputation than all the FUD for not much gain at all.

Whether they could have done that, or why they did or didn't do that to any person, is another point entirely and isn't relevant to this conversation regarding WhatsApp's E2EE.

If you have anything related to the topic to discuss (WhatsApp’s E2EE implementation), please say so. Otherwise, please don’t derail the topic further.

Just because you don't like someone challenging your "PROPRIETARY IS THE DEVIL 666" take doesn't mean I'm derailing the topic. My absurd example is directly related to the matter at hand: why would Meta do something that would hurt their reputation further (and thus their bottom line) when the alternative is to lull people into a false sense of security using an E2EE app that doesn't protect metadata? Signal seems to think it's important to argue with the facts; they've defended Wapp in the past with regards to prior FUD around the encryption used (someone linked the article further up in the thread).

1 Like