And are they seriously arguing they could build a viable competitor to mobile browsers if only they have access to all our browsing data? Personally I was leaving it off until it was out of beta, but this just convinced me to turn it on
While this complaint is definitely them throwing every single dart at the board, the note that Private Relay reduces the government’s ability to monitor internet use is at least legitimate.
I personally have never used Apple's private relay, but I have encrypted all my traffic since Snooper's Charter. The fact that the industry bodies are complaining about it -- effectively complaining that they can't spy and snoop on their users, often for commercial gain -- makes me think it is effective.
[1] https://onlinelibrary.wiley.com/doi/full/10.1002/poi3.250
My generation is the tail end of people who actually grew up using computers versus the "mobile"-ized internet for everything, and I was basically the "umm can you darkweb for me pretty please" guy for all my friends. Easy profit. Arbitrage their laziness for my ability to use a computer.
It does favour Apple in the market, though, because Apple can still see all the traffic, which is what the CMA is interested in. What is needed is for the mobile companies to offer the same protections that Apple offers, so all will benefit.
[1]: https://www.apple.com/privacy/docs/iCloud_Private_Relay_Over...
This could be achieved both via legal means (in e.g. their terms of service to prohibit use of any VPNs or similar software) as well as on a technical level. As per [1]:
> The fastest and most reliable way to do this is to return a negative answer from the network’s DNS resolver, preventing DNS resolution for the mask.icloud.com and mask-h2.icloud.com hostnames necessary for Private Relay traffic.
These ISPs surely operate some DNS resolvers - just make them return NXDOMAIN results. This doesn’t require consent or collaboration from Apple.
[1] https://www.apple.com/privacy/docs/iCloud_Private_Relay_Over...
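The resolver behaviour described in the comment above can be observed from the client side. The following is an added example, not part of the thread or of Apple's document: it parses DNS response messages and reports how the two Private Relay hostnames were answered. The sample responses are constructed, and the function names and the status labels are assumptions of this sketch.

```python
import struct

# Hostnames quoted from Apple's document in the comment above.
RELAY_HOSTS = ("mask.icloud.com", "mask-h2.icloud.com")

def make_response(name, rcode, address=None):
    """Build a minimal DNS response for an A query (constructed sample data)."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, RCODE in low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if address else 0, 0, 0)
    for label in name.split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", 1, 1)   # end of QNAME, QTYPE=A, QCLASS=IN
    if address:                                 # one A record, name compressed to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(address)
    return msg

def classify(msg):
    """Return (qname, status) for one DNS response message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    labels, pos = [], 12
    while msg[pos]:                             # walk the uncompressed question name
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    rcode = flags & 0x000F
    if rcode == 3:
        status = "NXDOMAIN"                     # name does not exist
    elif rcode == 0:
        status = "RESOLVES" if ancount else "NODATA"
    else:
        status = f"RCODE_{rcode}"               # e.g. SERVFAIL or REFUSED
    return ".".join(labels).lower(), status

def audit(responses):
    """Map each Private Relay hostname seen in the responses to its status."""
    results = dict(classify(m) for m in responses)
    return {h: results[h] for h in RELAY_HOSTS if h in results}

SAMPLE = [  # constructed responses; 192.0.2.10 is a documentation address
    make_response("mask.icloud.com", 3),
    make_response("mask-h2.icloud.com", 0, (192, 0, 2, 10)),
    make_response("example.com", 3),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A status of `NXDOMAIN` or `NODATA` for these names is a negative answer from the resolver; other hostnames in the input are ignored.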
Apple is bigger and more important than the ISP and likely much more trusted by the consumer.
The national security element is probably valid, but preemptive action is taken against people here in the UK (prejudiced by science or just a form of scientific reinforcement) to mess around with people from an early age.
Govts, religions and industry-leading entities don't want their positions in society messed around with.
But so now, what’s left on offer if I exclude those associated within the Mobile UK group?
Thanks but I like my carriers to be dumb pipes
Here’s what I mean: rather than technology sewing a ski mask onto my head so that nobody can see me online, I’d rather have technology inform me about the nature of the site or network I’m using so I can make the choice of what my posture should be. I want to trust the services I use because they’re respectable and have earned my trust. If everyone is wearing a mask then how can I trust anyone? I’m not super excited about an internet where we trust nobody.
A concrete example: TLS 1.3. What if I want to trust a 3rd party to help me keep an eye on my traffic at a network level? Can’t now because sites can always know if there’s a MITM and of course they assume that’s always bad and unintended. (Perhaps they’re actually more interested in retaining proprietary access to their traffic.) Instead why can’t TLS allow me to configure a cipher-suite that allows me to e.g. run my own proxy for <insert reason>?
Same for browsers. Shouldn’t the browser be asking me which pieces of information and which APIs I want to allow a site to access (with sensible defaults, of course) rather than locking all the useful stuff behind “secure contexts”? It’s really hard to not see some of this privacy paranoia as conveniently enabling a lot of subversive platform control…
This approach might work for the average HN user, but what about your aunt? Is it reasonable for her to know the "nature of the site or network" she's using, or what her "posture should be"?
>A concrete example: TLS 1.3. What if I want to trust a 3rd party to help me keep an eye on my traffic at a network level?
1. Are you talking about SNI? AFAIK encrypted SNI requires cooperation from DNS, so if you really wanted to you could disable it at the DNS level.
2. For every user who has some sort of network security appliance that works like you described, there's probably 100 that don't.
>Same for browsers. Shouldn’t the browser be asking me which pieces of information and which APIs I want to allow a site to access (with sensible defaults, of course) rather than locking all the useful stuff behind “secure contexts”?
My impression from the barcode detection API[1] is that policies like this are "fuck http" rather than "improve security".
Re TLS: I’m referring to the encrypted server cert. It breaks inspection middle-boxes since they can no longer dynamically generate a response certificate on the fly. I’d just like the ability to say “hey I actually run and trust my middleware, TLS please run in proxy mode” even though I also agree with the new TLS behavior as a good default in general.
* Apple breaking mac addresses for privacy
* IPv6 privacy extensions (we can’t give everyone a stable address because tracking). We have stable physical addresses… why is the answer to privacy problems “whelp I guess we can’t have a nice global internet after all”? I will concede privacy extensions at least don’t clobber your ability to have a stable address since you still do. I’d just like to see user-level control over which address to use for what instead of a blanket “all browsing happens with your anonymous address”.
* Strong PKI/identity: can’t give everyone client certs because they have a stable ID somebody might use to track you. IDK, how about you give me an option when I connect to a site: “do you want to connect as <handle> or connect anonymously”?
These privacy violations really feel like a social problem that we’ve failed to wrangle so we reach for a technology solution at all costs.
* Configurable TLS - I’m pretty sure all non-mobile browsers and Android let you configure the trust chain if you want to MiTM yourself (if I recall correctly with Apple you have to jailbreak). That’s a bit more complicated since most will engage in certificate pinning but that was developed due to a specific type of security attack so I don’t know what the answer there is.
MACs are randomized as part of the new wifi standard because people could literally follow you around physically from a distance (or even fully remotely). This isn’t an Apple thing.
These aren’t hypothetical. These are defenses that are developed in response to active misbehavior on the part of parties unrelated between the two parties that are trying to establish a trusted relationship. Sometimes it’s fine without, but the times when it’s not tend to be a bigger problem that’s exploited at scale.