It doesn’t send a text string of the developer ID. It sends the thumbprint for the certificate. That’s still some information that could be used indirectly to determine some apps that may be running, but you’d have to at least collect a mapping database by sampling common apps.
Most importantly, it doesn’t even try to explain what OCSP is. This is critical in order to understand the purpose. Without that, and with the other false or misleading info, it looks like this literally exists for the purpose of tracking your every move and what apps you use. But that isn’t what it is at all. It’s a good-faith malware protection feature that has some potentially unwanted side effects that have privacy implications, and even those implications are substantially less than what is claimed.
There are legitimate privacy concerns with OCSP, but I feel that it’s important to represent the situation accurately. This is an off-the-shelf revocation checking protocol that was implemented to the spec. We should pressure them to improve it (which sounds like it already happened, a very positive sign), but it’s unhelpful to paint them as villains over it for following a standard and not even keeping any of the data that is sent back.
You’re correct that the notarization check has a hash, but that’s not what he was talking about. Also, that’s sent once and encrypted I believe.
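To make concrete what an OCSP request actually puts on the wire, here is an added example (my own code, not from the thread or from Apple) that builds an unsigned OCSPRequest as laid out in RFC 6960 and decodes it again with a minimal DER walker. The CertID it carries holds a SHA-1 hash of the issuer's name, a SHA-1 hash of the issuer's public key and the leaf certificate's serial number; the certificate subject (the developer's name) is never serialized. Every issuer name, key and serial below is a constructed placeholder, not a real Apple or developer value.

```python
import hashlib

# OID 1.3.14.3.2.26 = SHA-1, the CertID hash algorithm OCSP clients commonly use (RFC 6960 4.1.1).
SHA1_OID = bytes.fromhex("2b0e03021a")


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length; long form when content exceeds 127 bytes)."""
    if len(content) < 128:
        length = bytes([len(content)])
    else:
        raw = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER, keeping a leading 0x00 when the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def build_ocsp_request(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """Build an unsigned OCSPRequest for one certificate.

    issuer_name_der: DER of the issuer's Name; issuer_key_bits: the issuer's
    subjectPublicKey BIT STRING value (tag, length and unused-bits byte stripped).
    """
    cert_id = der(0x30, b"".join([
        der(0x30, der(0x06, SHA1_OID) + der(0x05, b"")),       # hashAlgorithm: sha1, NULL params
        der(0x04, hashlib.sha1(issuer_name_der).digest()),     # issuerNameHash
        der(0x04, hashlib.sha1(issuer_key_bits).digest()),     # issuerKeyHash
        der_integer(serial),                                    # serialNumber of the leaf
    ]))
    request = der(0x30, cert_id)                 # Request { reqCert }
    tbs_request = der(0x30, der(0x30, request))  # TBSRequest { requestList SEQUENCE OF Request }
    return der(0x30, tbs_request)                # OCSPRequest { tbsRequest } (no signature)


def der_walk(data: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(content: bytes):
    """Yield (tag, content) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = der_walk(content, pos)
        yield tag, inner


def parse_ocsp_request(req: bytes) -> dict:
    """Return the CertID fields of the first Request in an unsigned OCSPRequest."""
    _, ocsp_body, _ = der_walk(req)                       # OCSPRequest
    _, tbs, _ = der_walk(ocsp_body)                       # tbsRequest
    # Skip optional [0] version / [1] requestorName; requestList is the first plain SEQUENCE.
    request_list = next(c for t, c in der_children(tbs) if t == 0x30)
    _, first_request = next(der_children(request_list))
    _, cert_id = next(der_children(first_request))
    (_, alg), (_, name_hash), (_, key_hash), (_, serial) = der_children(cert_id)
    _, oid = next(der_children(alg))
    return {
        "hash_oid": oid.hex(),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": int.from_bytes(serial, "big", signed=True),
    }


def demo() -> dict:
    """Round-trip a request built from constructed placeholder values and report what it carried."""
    # Constructed stand-ins; none of these are real Apple or developer certificate values.
    issuer_name = der(0x30, der(0x31, der(0x30,
        der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example Developer ID CA"))))  # CN=...
    issuer_key_bits = bytes(range(1, 65))          # placeholder public key bytes, not a real key
    leaf_serial = 0x1234567890ABCDEF
    developer_name = b"Example Dev Co"             # leaf subject: never serialized into the request
    req = build_ocsp_request(issuer_name, issuer_key_bits, leaf_serial)
    fields = parse_ocsp_request(req)
    return {
        "request": req,
        "fields": fields,
        "expected_name_hash": hashlib.sha1(issuer_name).hexdigest(),
        "expected_key_hash": hashlib.sha1(issuer_key_bits).hexdigest(),
        "developer_name_leaked": developer_name in req,
        "issuer_name_leaked": b"Example Developer ID CA" in req,
    }


if __name__ == "__main__":
    out = demo()
    print(f"request bytes: {out['request'].hex()}")
    for k, v in out["fields"].items():
        print(f"{k}: {v}")
```

Because the CertID pins down a certificate only through the issuer hashes plus the serial number, anyone observing the request still needs a separate table of which serial belongs to which Developer ID certificate before it tells them anything about the app; that table is the mapping database the comment mentions. The same structure also shows why a plaintext request is observable in transit at all, which is the part worth improving on the transport side.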