iOS & privacy: Looking at the  details reveals the bigger picture

September 2, 2021

             written by A.k Hemanth Kumar, Head of Delivery & Lead Solutions Architect at Sparkline

Earlier this month, eagle eyed observers on the r/iOSBeta subreddit noticed a change in  behavior on devices running the latest version of beta iOS software released by Apple.  While, devices not yet on this version of iOS were sending information to servers owned  by Google for routine security checks, the devices running the latest version of iOS  seemingly didn’t send __ANY__ information to Google servers. A nice write up describing  the potential change and what it means can be found here. 

This might at first sound like a trivial detail that’s to be filed under the category “mildly  interesting, but doesn’t affect me, so don’t care” category, but the more one considers  this move, not in isolation, but against the backdrop of steady releases and updates out  of Cupertino over a few years now, one may realize how profound the ramifications are for  the technology industry as a whole. 

To appreciate the details, lets step back for a second and try building some context. In  the interest of appealing to a broad audience, lets set aside technical semantics and  approach this in a manner where we’re observing the telling of a story that’s yet to be  completed. . . 

The Foundations of the Internet as we know it 

It is remarkable to consider that the vast majority of people on the planet today, can, FOR  FREE, speak to satellites up in space to find out where they are exactly on the face of the  earth down to a few meters and then , FOR FREE, speak to any other person with an  internet connected device on the planet over a video call. For someone that grew up in  the early 2000s when phone bills while traveling internationally were longer than many  phone numbers, this is a marvel that feels greatly under appreciated  

One of the economic models that makes all this possible is the ad-supported, free and  open internet. Exactly as we’ve described in the paragraphs above. This model has paid  for immeasurable leaps in technology and paved the way for an improvement in the  standards of living of billions of people the likes of which have arguably never been  witnessed in human history. From paying for satellite launches to photograph the entire  Earth and provide those images easily and freely to anyone on the internet to paying for  the incredibly expensive network of undersea cables that carry the internet across the  world, companies such as Google and Facebook have demonstrated the ability to “Scale  up” these economic models to the point where they are valued higher than many Nations  GDP and rightfully so, for their contributions, both past and ongoing to the advancement  of technology.

The great balancing act 

Every website you visit, every action you take on your modern mobile phone is built upon  thousands , perhaps millions of lines of code developed over generations of programmers  and software/hardware companies. How your phone fetches your present location when  you want to call a cab is based on a set of standards. Another set of standards dictates  how your phone tries to keep your data connection when it’s going through a tunnel or  you’re moving very fast on a highway. The billions of people who expect these actions to  work without a hitch every single time they run them rely on the intricately complex  system of layers of assumptions across all these components and standards doing  exactly what it is they’re responsible for , correctly, Every Single Time! 

fig 1 : A heavily simplified illustration of the “Stack” of technology that is a “System of systems” working together to do amazing  things. 

To you and me, on the surface, the worst seems to be, if any of these millions of lines  don’t work as they should, it stops the person trying to book a cab, for example, from  getting the location that they are, leading to frustration. But a sharp observer would also  note the opportunity for a spectrum of outcomes here. What happens if somewhere in  one of those millions of lines somewhere, an entity that was supposed to simply look at  the position of the device and return a location did so, but also made a note of that  request: The person who asked, the location their device was in , the time they asked and  everything else in a register somewhere? Just like the entry book at a hotel? 

Two’s company and Three’s a crowd?  

Well, obviously, anyone looking at that book would be able to tell a lot about the people in  there. Intelligent people looking at the book may also be able to draw deeper conclusions.  One may, for instance, notice that a few users request cabs at a certain location at the  same time every day and infer that these users are connected somehow either through  work or other societal relationships. So, there is a lot of potential here. 

From the perspective of the person making the request, however, the massive complexity  of the system of systems is very rarely fully clear. Even some of the most intelligent  software engineers I speak to tend to employ Abstraction, a process where higher level  systems are focused on instead of considering the granular inner workings of these  processes to deal with pretty much every system they work on. A popular interview  question I employ continues to be asking candidates for their view on what happens after  one opens a browser window, types a web address in and hits enter. There is so much  going on behind the scenes that I’m certain to get different responses each time and the  answer is very reflective of the level of detail the candidate chooses to get into. 

The paragraphs above reveal the obscurity associated with performing common actions  that we all take for granted. If any of the thousands or millions of systems in the web  between the person and what they’re trying to do (Book a cab, view a photo etc) behave  in a way that the user does not intend the action to behave, we have a skew in  expectations where, a person expecting to conduct a seemingly private operation stands  to have their information shared amongst parties they typically have no ready visibility  into. 

Challenging the Fundamentals 

A word constantly thrown around in technology circles dealing with startups is Disruption - the act of questioning if a process or an industry itself is operating in a way that could  be heavily improved, but hasn’t, because that’s the way things have always been. We  have seen successful examples of this ranging from the taxi industry being disrupted by  the rise of ride hailing mobile applications to the Space Launch industry being disrupted  by reusable orbital rocket stages. (You already see where we’re heading with this) 

A single software developer would almost certainly find it impossible to make any  meaningful impact to solving the problem we’ve seen outlined earlier around the complex  web of systems that stand ready to be disrupted in favor of a better way™. It is left to the  imagination of the reader what “better” means in this context. It may mean more security  to some people, while others may construe it as an improvement in the transparency of  the underlying system they’re talking to. 

It would be very hard even for a group of engineers to justify spending a large amount of  time, logical reasoning, money, computational resources etc to go about even identifying  all the things that need to be tackled since these systems and conventions we use have  evolved over decades and continue to change and improve every single minute. 

When faced with the task of building an app or a website, a developer looking to build is  more likely to choose a solution that’s available “Off the shelf” even if it does bake in  these conventions and standards rather than spend more time in creating that solution  from scratch than in actually building the app or the website.

Bringing it all together: Privacy, Control & so much  more 

Over the past couple of years (at the least), we’ve seen a steady sequence of subtle  changes in the way Apple devices work amongst this very complex set of systems to  preserve the privacy of the people using these devices as well as to reduce the likelihood  of something going wrong because of unexpected behavior deep in the “Stack” we saw  above. So many ‘little’ changes and updates that i’m certainly not going to attempt to link  to all of them but will attempt a link to a generic page with a subset of the privacy  changes here 

Each of these elements aims to solve one part of the larger problem, but does so in a  reasonably complete manner. A few examples include:  

- Making it harder for websites allowing their visitors information from being  shared with other companies openly. 

- An improvement, preventing other websites from seeing where a person who  just clicked something is coming from or even sharing information about that  click. 

In isolation, each of these measures seem not too big of a deal, but taken together, we  see a pattern emerging where, previously routine “leaky” operations are now being  challenged with solutions put forth that permit the operation as long as it operates within  the boundaries of not “leaking” attributable details of the operation to someone a user  performing the operation might not expect. If this isn’t possible to do, the change  attempts to block all variants of such an operation. 

Now, the original story that triggered this post is just one of the latest manifestations of  this steady, consistent approach. It is by no means the first and it certainly will not be the  last. In fact, for the curious, a subset of proposed future changes may be found here. This  specific change looks to reduce even further, the avenues for information tied to a user  ending up on the servers of other entities. Even if done for a good cause. Googles Safe  Browsing technology protects a large number of people around the world from the harms  of websites with malicious software on them. . again, FOR FREE. This is done as a  service to the community and Apple is just one of the many entities that make use of  Googles expertise in running such a service to identify and protect users on Apple  devices. Now, from the latest version of iOS, that service will still be used by Apple, only,  in a way that reduces the information tied to a single user that would previously be sent  over routinely.

As has been mentioned earlier in this write up, incredibly helpful services like Google Safe  Browsing exist today because of the success of the business models built on top of  internet standards and protocols that rely on making an ad supported revenue stream  possible and allowing billions of people to benefit from easy and free access to said  technology 

On the other hand, attempts to reduce unintended behavior in elements deeply  embedded in the “stack”, are well intentioned and beneficial to plugging the gaps in  previously routine, unchallenged assumptions. 

The technology industry has gone through major disruptions in the past, from the rise of  mobile phones with apps on them to the rise of extremely fast mobile networks allowing  previously unimaginable use cases. The patterns described in this story make up an  ongoing episode of one such period of disruption. Each of these periods of change we’ve  observed in the past have the companies that adapt and coordinate better than others  winning out in the new order of things. 

Necessity being the mother of Invention and all that, here’s hoping that the present set of  challenges put forth by these changes lead to innovation and a shared approach between  the companies with differing business models in the tech world that have contributed to  so many of the advances we take for granted today and go on to strengthen the model of  the free and open internet.