Mac OSX Users Beware, iCloud Uploads Temporary Data To Apple Servers, Even Confidential Stuff

There's a fine line to balance when it comes to providing users with a comprehensive backup service and providing that service in a manner that fundamentally compromises the security of the people it's supposed to be protecting. According to security researcher Jeffrey Paul, iCloud has thoroughly breached that barrier thanks to unwelcome changes baked into OS X 10.10 (Yosemite).

Here's the problem: Prior to now, if you were working in an application -- even a basic application like TextEdit (the Mac version of Notepad) -- and you quit the application, the machine would automatically save your documents and open the application with your previously entered information when you relaunched it. It turns out that in the latest version of OS X, previous working states aren't just saved to your local system -- they're saved to documents and uploaded to iCloud.

That might seem like a way to help users synchronize documents across a system, but it's also a gaping security hole. Unsaved documents in plaintext are now uploaded to Apple's servers -- or, as Paul puts it: "Notice that all of my locally-stored, “unsaved” documents open in my text editor have now been uploaded in full to a partner in NSA’s PRISM program. Update, 26 October 2014: This happens for all applications (think iA Writer, Pixelmator, etc) that had saved application state. Any open and yet-unsaved document within an app is now silently and automatically uploaded to iCloud Drive, and, by extension, the government."

Sure, You Can Turn It Off. How Many People Will?

The point that Paul makes, and that I agree with, is that simply being able to disable features like this is not enough. An extensive amount of research has been done on "default" choices, and all of it points in the same direction -- hand people something, and they tend to keep using it. If that means Google over Bing, they use Google. If it means Internet Explorer over Netscape, they use Internet Explorer. If it's "Save your information locally" or "Save it in the cloud," most people choose whatever option is preselected for them, either because they don't understand what it means to change the default option or because they don't know that they should.

This kind of feature has become problematic for many because, in the wake of the Snowden leaks, it's not clear precisely what kinds of controls and oversight are meaningfully in place in the United States government. Even when data isn't secret, per se, it may well be confidential -- only now, Apple is making automatic backups of all the presentations, documents, and files that people open online.

To put that in perspective: Plenty of jobs have security agreements that forbid this kind of rampant sharing and put strict limits on the kinds of places files can be backed up and stored. Uploading all of your documents wholesale to iCloud by default creates a security nightmare for IT staff, particularly if iCloud's security is hacked.

Paul has also discovered that Apple's iCloud backs up the list of everyone you correspond with as well -- which means the list of established contacts is also stored online as a virtual snapshot of work you're doing on a system and who you've conversed with.

Via: Datavibe
