Since Yosemite was released, users have found that the operating system sends all kinds of data to Apple and saves documents without you knowing it. On the surface, it's an egregious invasion of privacy. Let's take a look at exactly what's going on here.
Privacy and Spotlight Searches
The initial controversy around Yosemite's privacy issues was sparked in the mainstream media when The Washington Post posted a story detailing how Yosemite logs your location and searches that you make with Spotlight and Safari. Essentially, when you type a search query into Spotlight, Yosemite dials into Apple and sends it all in under the guise of usage data. If you're also using Location Services, that info gets sent as well.
Yosemite relays your location, the type of device you're on, the app, your language settings and recent apps you've used. This sounds scary at a glance, but let's think about why it does this. It needs your location if you're searching for anything related to Maps, including local shops, restaurants or movie showtimes. It doesn't know what you're searching for when you start typing, so it always connects to the internet in case you need something from there. Needing to know what app you're using, the device you're on and your language settings is self-explanatory. As far as recent apps, that's just a basic function of Spotlight, but the data sent to Apple can also include text from any documents on your computer.
It isn't just Spotlight and Safari. Using Net Monitor, users found that a myriad of stats are sent to Apple. This includes About this Mac information, domain information for Mail, and even search queries routed through DuckDuckGo on Safari.
On Apple's end, the data you send in is grouped together under an anonymous ID that's reset every 15 minutes, so it's hard to trace it back to you. Likewise, all the data is transmitted over HTTPS, so it should be secure as it travels through the pipeline.
We are absolutely committed to protecting our users' privacy and have built privacy right into our products. For Spotlight Suggestions we minimize the amount of information sent to Apple. Apple doesn't retain IP addresses from users' devices. Spotlight blurs the location on the device so it never sends an exact location to Apple. Spotlight doesn't use a persistent identifier, so a user's search history can't be created by Apple or anyone else. Apple devices only use a temporary anonymous session ID for a 15-minute period before the ID is discarded.
We also worked closely with Microsoft to protect our users' privacy. Apple forwards only commonly searched terms and only city-level location information to Bing. Microsoft does not store search queries or receive users' IP addresses.
You can also easily opt out of Spotlight Suggestions, Bing or Location Services for Spotlight.
So, while the data gathering makes sense here, the main controversy is less about what Yosemite is sending to Apple and more about the fact that most users are unaware of it. Traditionally, Apple has been an opt-in kind of company with regard to privacy, so it's off-putting that this feature is enabled by default.
iCloud Data Privacy
Perhaps because of the controversy surrounding Spotlight and Safari, more people started poking around in Yosemite to see what else might get sent to Apple. Eventually, security researcher Jeffrey Paul found that in-progress documents are saved to iCloud Drive even if you don't explicitly save them. Since his blog post, other users have found similar behaviour in a variety of apps that use iCloud Drive.
Before Yosemite, in-progress files were automatically saved locally on your hard drive until you explicitly saved them elsewhere. You can type whatever you want into TextEdit, but until you click the save button and upload it to iCloud Drive, it's saved on your computer and nowhere else. Yosemite introduced a new function where those documents are autosaved every couple of seconds. This is great, but they're autosaved starting the second you open the document, so even if you don't explicitly hit the save button, that data is still uploaded to iCloud. If you don't want your data in the cloud, this is a problem.
This is a feature of Yosemite called Continuity. You can start a document on one of your Apple devices and easily pick it up on another. Apple even has a page up describing how it works. That's the whole point of it.
The controversy comes from the fact that you might not be aware that those unsaved drafts are uploaded into iCloud because at no point does Apple make that obvious. Speaking with Slate, research professor Matthew D. Green says:
It's a behaviour nobody expects. I'm fine with things that I haven't saved being stored on the hard disk. I'm OK with that. I think it's a nice feature. But things that I haven't explicitly put on in the Cloud getting snuck onto the Cloud is a bizarre feature.
At a glance, his outcry seems justified. However, Yosemite's features wouldn't work if it didn't behave this way. How else would Continuity work? It's unconventional for a document to start auto-saving before you save it, but it makes perfect sense in this case. It's a basic requirement for the feature.
So, if you use any app that supports Continuity and iCloud Drive as a quick place to dump private information, including a social security number, email address, or credit card number, then you need to tweak some settings if you don't want that data uploaded to the cloud.
What You Can Do About It
Thankfully, you can work around these privacy issues pretty easily. In the case of Spotlight and Safari, you just need to toggle a couple of settings:
- Disable Spotlight Suggestions and Bing Web Searches. Head to System Preferences > Spotlight > Search Results and uncheck those two boxes.
- Disable Safari's Spotlight Suggestions. Head to Safari > Preferences > Search and uncheck Spotlight Suggestions.
It's probably not a bad idea to disable location information too if you're worried about it. As for autosave and Continuity, you have a few options.
To disable it on an app-by-app basis, head into System Preferences > iCloud > iCloud Drive > Options and uncheck any application that you don't want using iCloud Drive. Alternatively, you can disable the save-to-iCloud-by-default behaviour across all apps with a Terminal command:
defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
Once that's set, new files are saved locally first. You'll have to manually choose to save them to iCloud Drive.
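Here is an added helper script (not from the original article) for checking that the setting above actually took effect, and for reverting it later. It assumes macOS with the `defaults` tool, and that `defaults read` prints 0 or 1 for the key and fails when the key has never been set (in which case Apple's default, saving to iCloud, applies).

```shell
#!/bin/sh
# Added example: audit, apply or revert the NSDocumentSaveNewDocumentsToCloud
# default that the article's Terminal command changes. Assumes macOS `defaults`.

DOMAIN=NSGlobalDomain
KEY=NSDocumentSaveNewDocumentsToCloud

# Map the raw output of `defaults read` to a state:
#   "local"   - key is 0/false: new documents are saved on disk first
#   "cloud"   - key is 1/true, or empty (unset), which is Apple's default
#   "unknown" - anything else, so the caller does not assume a safe state
classify_cloud_save() {
    case "$1" in
        0|false|NO)     echo local ;;
        1|true|YES|"")  echo cloud ;;
        *)              echo unknown ;;
    esac
}

# Read the live value. `defaults read` exits non-zero for an unset key, which
# we treat as empty output so it classifies as "cloud".
current_cloud_save() {
    raw=$(defaults read "$DOMAIN" "$KEY" 2>/dev/null) || raw=""
    classify_cloud_save "$raw"
}

# --local applies the article's fix; --reset restores Apple's default behaviour.
case "${1:-}" in
    --local) defaults write "$DOMAIN" "$KEY" -bool false ;;
    --reset) defaults delete "$DOMAIN" "$KEY" 2>/dev/null ;;
esac

echo "New documents currently save to: $(current_cloud_save)"
```

Run it with no arguments to see the current state, then log out and back in after changing it, since already-running apps keep the value they read at launch.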
This might all look convoluted, but the bottom line here is straightforward: Apple collects data about your usage, but it's supposedly anonymised. This data is required for the basic functions of its operating system. Likewise, in order for certain features to work, private documents need to be uploaded to iCloud so you can access them on other devices.
You can disable both of these features, but privacy advocates believe they should be disabled by default. The reactions we've seen so far are certainly justified, but they're a little overblown.