Apple's OS X Yosemite slurps UNSAVED docs into iCloud

Apple's OSX 10.10 – aka Yosemite – is silently uploading users' unsaved documents and the email addresses of their contacts to Apple's iCloud, according to security researcher Jeffrey Paul. Berlin-based Paul said he discovered the document auto-syncing without consent issue, and another hacker expanded the point by …

  1. Anonymous Coward

    So....

    ....just like Google does with all your contacts etc. But that's OK because it is Google and Google is the chosen one. Google can do no wrong. All hail Google.

    Apple tries to create a cohesive system for the users and it's all "OMG! APPLE AM DOING THE BADS!"

    1. Anonymous Coward

      Re: So....

      Two wongs don't make a wright. ;-)

      And how does google snarf your email contacts if you don't use chrome or gmail?

      1. RyokuMas
        Devil

        Re: So....

        "And how does google snarf your email contacts if you don't use chrome or gmail?"

        Got an Android phone?

        1. VinceH

          Re: So....

          "Got an Android phone?"

          Because if you have, you can turn this feature off.

          1. Anonymous Coward

            Re: So....

            "Because if you have, you can turn this feature off."

            No you can't. If you try to load contacts or anything, you have to do it via Google.

            The only choice is to install some third party apps and deal with the broken implementations of CardDAV etc that Android ships with.

        2. Anonymous Coward

          Re: So....

          Or a Chromebook?

        3. Anonymous Coward

          Re: So....

          "Got an Android phone?"

          nope.

          You have to remember that Apple is a hardware company. So they are a bit behind Google in making you their product. And that has value. ;-)

    2. Anonymous Coward

      Re: So....

      It's just Apple trying to make it easier & more efficient for the NSA to have your documents before you've even finished them.

      1. Anonymous Coward

        Re: So....

        "It's just Apple trying to make it easier & more efficient for the NSA to have your documents before you've even finished them."

        ...and as the big players are threatening the spy agencies with better device encryption, it's obvious that the data has to get to them *before* you save it on your device. So, everybody's happy -- the customer, who *thinks* the data is safely encrypted, and the agency *knowing* that they got a copy of the document before the customer even saved it (all drafts, brainstormings, thoughts, which never make it to the disk included). Brilliant.

        Curious to hear what Apple has to say here. It's obviously not a mistake. Saving data and auto-synching it are two different things, which can hardly be an oversight.

      2. Anonymous Coward

        Re: So....

        The Utah Data Center wasn't being filled up fast enough.

    3. Mike Flugennock
      Coffee/keyboard

      Re: So....

      "...Apple tries to create a cohesive system for the users and it's all "OMG! APPLE AM DOING THE BADS!"

      Shill much?

    4. Anonymous Coward
      Holmes

      Re: So....

      What could possibly go wrong?

      Man sits at shiny new Mac, starts Word document promoting his company's new skin creams:

      "Your wrinkles will melt away with AceCo's nuclear bomb treatment".

      Damned auto-correct!! Corrects text to read:

      "Your wrinkles will melt away with AceCo's New Clear Balm treatment".

      Hears wife from the foyer - "Dear, there are men dressed in black with guns drawn at the door!!"

    5. Anonymous Coward

      Re: So....

      Really, no Google doesn't do this. Did you even read the article and comprehend what's happening here.

      Apple have decided just to start slurping all your data unconditionally. Sure, if you install Google drive, and share folders, you are allowing Google to do this on your PC, but what Apple are doing is 10000000x worse.

      iCloud is insecure (its 2 factor authentication is still flawed and not a patch on Google's), and now it's automatically uploading stuff to it...

      You need to take your rose tinted Apple delusional glasses off for a while.

      1. danny_0x98

        Re: So....

        A couple versions back, Apple introduced iCloud saving/sharing and reopen on close without the user needing to save.

        This version Apple said there'd be Handoff: start it on the iPhone, continue on the Mac.

        Now, how could these things be done without immediate saving to iCloud, before the user has chosen where it is to be saved?

        I'll wait.

        Yeah. That's right. This security genius has figured out that the waves get bigger when the tide comes in.

        Okay. Here's the critical part. If this bothers you, do not use Apple products. (But you better go cloud-free because otherwise something is leaving your device and has a non-zero chance of being intercepted.)

        If you're like me you say, a) security is inverse to convenience, b) it's good enough, c) I'm a boring grown-up so I'll pick a strong, unique password, take my chances and continue to enjoy the benefit.

        1. Anonymous Coward

          Re: So....

          "If this bothers you, do not use Apple products"

          Or just turn off the documents and data part in iCloud.

        2. P. Lee

          Re: So....

          >Now, how could these things be done without immediate saving to iCloud

          Over the local network?

          Or get iCloud to publish presence information so you can sync device-to-device? (torrent tracker?)

          Or provide these options to the user beforehand? What if I'm working on video editing or I only have a small phone?

          Will somebody think of the bandwidth?

    6. Anonymous Coward

      Re: So....

      The issue is that Google started all this and showed it could work - look at the huge number of Google supporters - because people as soon as they see the word "free" are willing to give away their firstborn.

      Once it worked for Google, it was clear others wouldn't have stayed at the window just looking...

    7. jonathanb Silver badge

      Re: So....

      When you type stuff into a web page, you expect it to be stored remotely. You don't expect that when typing into a local application.

    8. Anonymous Coward

      Re: So....

      Indeed. Apple OS's saves immediately to the cloud so that you can resume from another device using Handoff. Saint Google (who are also part of PRISM, incidentally) actually does the same if you use the word processor in Google Drive. Many forums also save the post you're typing as you go along, in case your browser crashes etc. Newsflash: if you want the convenience of cloud services, then you're entrusting your data to cloud providers, unless you are geeky enough to set up your own encrypted Linux server (and thus not have a life worth anyone knowing about in the first place). But of course "oh noes they must be slurping it all up so that the NSA will know about my secret recipe for chicken soup before it's written!"

      The average person couldn't give a toss about this. As for the nerds, stop being babies and switch the function off if you're that paranoid about what happens if you paste your naked selfies into your textedit documents (which is probably safe, but hey, why tempt fate when it's really not difficult to just use your brain?). It's really not hard, I'm not sure why no one seems capable of switching a preference setting any more. It's much quicker and easier than frothing on the internet about it.

  2. I. Aproveofitspendingonspecificprojects
    Devil

    How to tell a friend.

    So how do you tell a slightly paranoid friend that his pet has got brown eyebrows and has been eating him in his sleep?

  3. This post has been deleted by its author

    1. L W J

      Re: It Just Works

      LOL

    2. ThomH
      Big Brother

      Re: It Just Works

      But who is it working for?

  4. TRT Silver badge

    So how else did you...

    think "handover" worked?

    If I recall correctly, the blurb goes along the lines of "Start an email or a document on one device and finish it on another."

    Not a surprise.

    I would be worried, however, if Handover was a feature you could turn off and this still happened when this was done.

    1. Mike Bell

      Re: So how else did you...

      Good. This is exactly how it should work.

      A little disappointed that El Reg are continuing to run a re-tread about "Last week it emerged that the Spotlight search feature in Yosemite was passing on location and search data to Apple and its partners". That was a real FUD story if ever there was one.

      1. Dan 55 Silver badge

        Re: So how else did you...

        Just out of interest, if you disabled Spotlight Suggestions as directed when opening Spotlight, did you also disable Spotlight Suggestions in Safari's Search preferences as not directed?

    2. Randy Hudson

      Re: So how else did you...

      Since both devices must have bluetooth on AND be on the same wifi network, there are certainly other avenues over which one might imagine the handoff to occur.

      In addition, Apple's own instructions (http://support.apple.com/kb/HT6337) only mention signing into the same iCloud account. They don't say anywhere that syncing "Documents & Data" must be enabled.

  5. Alan Denman

    by the time it is removed...

    Apple will have catalogued every piece of info they needed to future improve their business revenues.

    Nice job Apple, I hope the genius who thought of that years ago got his bonus. Obviously it has almost become standard policy to 'erroneously' collect useful data on each release.

    I await a post seance statement that says Steve is shocked by it all.

  6. Pascal Monett Silver badge
    Big Brother

    You are on the Cloud

    Whether you like it or not.

    1. Anonymous Coward

      Re: You are on the Cloud

      > Whether you like it or not.

      And if you are on Apple's iCloud, you WILL like it. :-)

    2. Ken Hagan Gold badge

      Re: You are on the Cloud

      Since I've never actually set up my iCloud account password, I'm curious to know just whose cloud I am "on, whether I like it or not".

      Still, it is getting harder and harder to use consumer electronics without getting shafted like this. Why are we creating a world where you have to be a terrorist Linux or BSD user to have any control over your privacy?

  7. adnim
    Unhappy

    "and others are critical of Apple's changes."

    I have always been critical of Apple period. Not so much for overpriced hardware but resting control and choice from the consumer and ridiculous patent submissions.

    I will be honest, I don't really care what Apple do, they won't do it to me. It's just that the very tiny part of myself that cares for those of my fellow humans who are incapable of being objective, screams to the huge part of myself that doesn't give a fuck..... "You have a responsibility to tell the sheep that they don't need a shepherd".

    If anyone thinks that Apple or indeed another multinational has the consumer's best interests as a priority you are deluded. If you realise this then why the fuck support them?

    1. Sealand

      Re: "You have a responsibility to tell the sheep that they don't need a shepherd"

      Brian:

      "You are all individuals!"

      Crowd:

      "We are all individuals!"

      1. John G Imrie

        "You are all individuals!"

        Er...

        I'm not

    2. Anonymous Coward

      Re: "and others are critical of Apple's changes."

      Give it a rest.

      People buy bloody Chromebooks where everything gets saved to the Cloud.

      1. adnim
        Holmes

        @AC Re: "and others are critical of Apple's changes."

        "People buy..." I guess I am not people then.

        You defend Apple by implying that others do it.

        How does holding up another privacy invading business model justify another?

        I can't say that I approve of your logic but each to their own.

        1. John Bailey

          Re: @AC "and others are critical of Apple's changes."

          "How does holding up another privacy invading business model justify another?

          I can't say that I approve of your logic but each to their own."

          But it's iLogic.

          If something is good. Nobody does it as well as Apple.

          OMG.. Apple's new iPhones are sooo thiiiiiiiiiiiiiiinn!!! squee..

          If something is bad, everybody does the same.

          But any phone will bend if you put enough force on it..

          1. Anonymous Coward

            Re: @AC "and others are critical of Apple's changes."

            It's because people get defensive. No one really likes being told "the thing you bought is a giant piece of trash and you should feel bad for buying it", which is pretty much the sentiment of most anti-Apple commentary.

            I don't think everyone necessarily feels the need to defend Apple or see them as infallible, but criticism is usually accompanied by "and all the idiot iSheep are just lapping it up instead of using being outraged with us and jumping to Android and Linux right away" and that's where the individuals themselves feel attacked and do their best to defend it. When you then have sites like the staunchly anti-Apple Register actively digging dirt and reporting it with the most ludicrously tabloid-like bias, naturally you get a few people stepping in to redress the balance a bit.

        2. Frank Bough

          Re: @AC Re: "and others are critical of Apple's changes."

          As soon as you connect to the Internet, your security is fucked. Get a grip, at least with Apple you have some consumer rights because you paid for their services.

    3. PJI

      Re: "and others are critical of Apple's changes."

      >>but resting control a<<

      That's a much more peaceful image than "wresting" control, so much less effort and possible pain.

  8. Frankee Llonnygog

    Pretty sure it used to do this

    from Mountain Lion onwards

  9. Randy Hudson

    Old news and not correct

    By default, there is NO SUCH THING as an "unsaved" document. There are only "Untitled" documents. Since Mountain Lion, auto-save is enabled by default, and applications will restore any open documents/windows when re-launched, including so-called "unsaved" documents. These two system preferences cause "Untitled" documents to be written to disk so they can be resurrected when the app is reopened.

    From 2013: http://support.apple.com/kb/TS4372

  10. Anonymous Coward

    Remember, this is the "sharing" economy!

    You "share" everything with Apple. Or Google. Or whomever.

    There, I fixed it.

    What, you mean you DON'T want to share?? That is so unbelievably selfish.

  11. chivo243 Silver badge
    Facepalm

    Strange

    I have not signed into iCloud with my apple id, and guess what? I don't have any options under System Preferences>iCloud except to sign in ;-} Don't sign in and Apple don't get your info.

    Now go off and run with scissors or something.

    1. Jes.e

      Re: Strange

      "I have not signed into iCloud with my apple id, and guess what? I don't have any options under System Preferences>iCloud except to sign in ;-} Don't sign in and Apple don't get your info."

      ***

      Thank you. With all the yelling in here, I was beginning to wonder if upgrading to Yosemite was going to force/auto register me with iCloud.

      I've continually declined the nice prompts when occasionally offered, as I'm in an internet free home (by choice) and my laptop is my only iThing.

      ..and wasn't this behaviour of Handoff obvious? Start writing on your phone, finish it on your big screen.. without having to take any direct action?

      Again thanks from us non-iCloud users for the clarification.

  12. Lusty

    Glass half empty?

    Surely this could just as easily be written as Apple backing up your work by default for you, for free. This is just how the Apple ecosystem is designed - if it's easier for the user, or if the user gets some benefit then it's on by default. The difference between the Apple cloud and the Google cloud is that the Apple one is paid for by the users through higher device prices and higher subscription costs. The Google one is paid for by whoring out your information to all and sundry. The Apple privacy statement says they won't share your stuff, Google says they absolutely share everything you give them. Except it's not sharing, it's selling and it's not you giving it's them taking.

    Why do I trust Apple? Because I paid Apple for the products, people didn't pay Apple for me to take the products (lookin' at you Google and Facebook...)

    1. Ken Hagan Gold badge

      Re: Glass half empty?

      "Surely this could just as easily be written as Apple backing up your work by default for you, for free."

      Except that it is not free. Otherwise everyone would buy the cheap iPads (with hardly any space) and simply use iCloud as the main storage. Sadly, bandwidth costs and (if memory serves) space on iCloud costs as well.

    2. Jes.e

      Re: Glass half empty?

      "Surely this could just as easily be written as Apple backing up your work by default for you, for free. This is just how the Apple ecosystem is designed - if it's easier for the user, or if the user gets some benefit then it's on by default."

      ***

      Very insightful!

      The nudge theory (I hear Teller yelling in the background) tells us that if this was off-by-default there would be many unhappy users complaining that their iThing doesn't work properly and the interwebs would fill up with negative reviews.

      It *still* should be opt-in though. The way to do it would be a notification to the user the first time they log into their new Yosemite account with "Here are some new privacy options <checkbox list> and the reasons you might want to enable them now but IF NOT you can always change your mind later in preferences <info> [LATER] [APPLY]"

      ...

      This somewhat reminds me of the harrowing experience one day, when I found my Android phone suddenly started uploading every photo I had taken and storing them in "the cloud".

      I had absolutely no indication that this was going on.

      The behaviour was quite startling as I had just done the normal coffee shop app update marathon. I think I had long ago given up on reading all that info with most of it being bug fixes.

      What tipped me off was that my data use was slightly high..

      After I narrowed it down as to the "who" thanks to Android's very nice GUI interface for tracking data usage controls, I launched Dropbox.

      When I launched the Dropbox app it did inform me of the new feature but it was too late, the Dropbox *update* had made the change.

      I manually went to the settings and turned it off.

      I thought that the Apple design documents had something called "The law of least surprise" back when dinosaurs ruled the earth.

      The reason I bring this up is that I suspect this also occurred to Apple users in the past and is going to get more prevalent unless Apple drives a User Privacy Interface Standard that all Mac and iThing applications should (must?) adhere to.

      1. Lusty

        Re: Glass half empty?

        "The reason I bring this up is that I suspect this also occurred to Apple users in the past and is going to get more prevalent unless Apple drives a User Privacy Interface Standard that all Mac and iThing applications should (must?) adhere to."

        They do have a privacy standard with quite a good web page explaining it. Apple users expect that their information should be available on all of their devices (magically) and that if they lose their device a backup can be restored (magically) without that data being snooped, sold or other things not of benefit to the user. With a single iPhone there is enough free cloud capacity that backups happen with no issue, I only needed to pay once I had two phones and an iPad but I was happy to do so since I had previously lost a phone on a night out, the replacement had my half written drunken text message restored before I left the Apple store. I expect Apple to not interfere or use the data being synced and stored, and the privacy policy backs this.

        As I said, Google are just as open with their policy, but their policy is to make as much money from your data as they can in return for lower device and subscription costs. I'm fine with paying massively over the odds for cloud storage and upgrade options on hardware, and I'm glad at least one company gives me the option to just pay them for the service I want.

  13. tempemeaty

    The Universe of things...

    This is Apple's challenge right now. They keep leaning in a direction that may be considered by their customers unwell for them with regard to the handling of their personal data. Apple makes self serving decisions handling customer's personal data that does not have their customers' best interest truly at heart. Apple wants its customers in the cloud. Perhaps they have convinced themselves Apple's way is right because it's Apple's way to assume it knows better. Then suddenly Apple finds itself targeted for data. China is battering their servers for a way in, putting Apple and its security to a test. Is this the universe's reply? Is it the Karmic wheel? If Apple insists on continuing this course, can they expect not to continue to become an increasingly bigger data target?

  14. L W J

    It used to be Microsoft was the evil Empire

    But they look like the good guys these days. They are much more careful to ask permission, they set limits on themselves, they're actually listening to the public on how to build Windows 10, and trying to make it more secure and so on ..

    But as for Google, their motto has become "Do evil" and as for Apple, theirs is "We'll back stab you in our walled prison er garden".

    For me digits I think I will go with Microsoft.

    1. Anonymous Coward

      "they're actually listening to the public on how to build Windows 10"

      hahahah you sir owe me a new keyboard.

      That'll be the third this month.

    2. Frank Bough

      Re: It used to be Microsoft was the evil Empire

      Nice to see Microsoft AstroTurf is still alive and kicking. It's comforting that some things never change.

    3. Dan 55 Silver badge
      FAIL

      Re: It used to be Microsoft was the evil Empire

      Is that why when you install Windows 8 you need to press the button to create a new MSN account to get to the button to carry on with the install process without signing on to an MSN account?

      Perhaps on Windows 10 they're working on removing that pesky little button.

  15. stringyfloppy

    So if someone was sharing their iCloud documents with everyone, and entered government secrets or libelous statements or whatnot into an unsaved document, this would be a good way to share those things with the world without it being AT ALL their fault.

    1. This post has been deleted by its author

  16. Anonymous Coward

    No doubt it's all explained quite innocently somewhere in the 14000 page EULA.

    Probably along the lines of "You do not own this machine or any software used on it, thus any and all communication between yourself and our machine actually belongs to us. All your idea are belong to us!!!"

  17. Frank Bough

    Continuity

    this is surely required for Continuity to work efficiently?

  18. lee harvey osmond

    Tsk

    Time to have done with it, and firewall out 17/8 except for special occasions

  19. Anonymous Coward

    helpd.apple.com

    When an Apple(tm) operating system makes a connection to: helpd.apple.com it is sharing lots of your system's data, most of it encrypted 128bit, but not all. If you watch the connections with a packet sniffer or something like Little Snitch you can see what it is doing.

    One example. If you plug in a USB device to a Mac it connects to helpd and sends it a list of all file names on the USB device.

    I am not trying to convince you it does this. I am sharing with you a way to form your own objective opinion.

    1. Dan 55 Silver badge

      Re: helpd.apple.com

      If Zdziarski's not said anything and it's not on fix-macosx.com I'm inclined to believe that you're full of it.

  20. Jean-Paul

    How it works

    whilst I agree this shouldn't be a surprise, I also think it should be switched off by default and make it crystal clear what will happen when you switch it on.

    I think it is the practise of having it enabled by default that is not great. Really shouldn't happen in 2014, especially not when you upgrade and this already have saved application states.

  21. Anonymous Coward

    It's not really wilful violation..

    .. it's more a case of badly chosen default, and in that matter Apple is not exactly the only company that seems to default to sharing rather than keeping things secure.

    If you're smart enough to NOT immediately provide your Apple ID and password it will not have the credentials to access the iTrouble cloud, and Yosemite (or whatever iThing you're setting up) will not be able to export any data. Once you have all set up, you enable what you need. I personally avoid sharing facilities like the plague they are, so my machine has no knowledge of any Twitter, Facebook or iCloud accounts - the Apple ID is only set up in the App Store and iTunes.

    On the plus side, iCloud access does not require you to agree to terms that give Apple forever a free pass to use whatever you upload for their own purposes - they are at least keeping your data yours exclusively. If you want an example of something you don't want to agree to, carefully read http://google.com/accounts/tos. The section you really need to read a couple of times is titled "Your Content in our Services", and repeated reading is required to discern that the limitations on their use aren't, and that they have gone through an awful lot of trouble to avoid the use of the word "perpetuity".

    As soon as you have a Google account you have agreed to this. Still feeling lucky?

  22. onebadfishy

    How Else Would Continuity Work?

    You start your message on your iPhone and continue on your computer. Obviously it would have to be cached in iCloud. This is why Apple has put two step authentication and every other security measure in place since your iCloud information is hugely important to your Apple experience. There's a reason for such data to be placed on iCloud... It's there for your other devices. Now if you don't want continuity, I'd like to know if this behavior stops if you turn it off. Since this activity requires more network bandwidth I'd be concerned for people with limited data plans etc.

    1. Dan 55 Silver badge

      Re: How Else Would Continuity Work?

      The two devices have to be close (in Bluetooth range) and have the same user logged into iCloud. If so, the data is transferred with a proprietary protocol over WiFi Direct.

  23. Anonymous Coward

    This is news??

    As a newbie to iPhones: got a 5c a week ago cheaply to replace my GT-15503T (with Android 2.2) & so far I'm impressed with the iOS8 ecosystem. I am amazed someone thought that this was news. The initial setting up asks about iCloud usage and then you go into that to see what can/cannot use iCloud.

  24. Rob Gr

    There's more than one bad Apple.

    Microsoft have been bad for this too - new documents are, by default, saved to SkyDrive. This can be overridden (file-by-file), but I'd unintentionally saved a few docs to a cloud based "Documents" folder before I realised.

  25. Taliesin

    Don't let the Cloud rain down on you.

    If you want to secure your personal data, then you have to be in control of it. Giving it to the cloud (or any other on-line system) relinquishes all control of your data.

    So the solution is simple. If you want others to read/distribute your files, go ahead and use cloud.

    If not, disable the system and don't use it.

    If an OS won't allow you to disable the feature, change to an OS that does!

    It's the only way that big corporations learn. They don't give a shit about complaints or having a bad track record with privacy and personal data protection..

    What they care about is revenue.

    Vote with your credit card. Make them earn your hard earned money and when they get things as wrong as this.. jump ship.
