Links referenced for video
- https://sneak.berlin/20230115/macos-scans-your-local-files-now/ - Apple Has Begun Scanning Your Local Image Files Without Consent by Jeffrey Paul
- https://news.ycombinator.com/item?id=34392391 - Hacker News thread
- https://twitter.com/mysk_co/status/1617291107456454656 - Mysk Twitter thread
- https://youtu.be/_YQEE9Jl7fs - Mental Outlaw video
- https://youtu.be/6LfCJGSUcfk - Louis Rossmann video
- https://youtu.be/-aRp0fSw3uk - Louis Rossmann followup
Please excuse any grammatical errors. I used a tool to generate the transcript and haven't had a chance to read through it yet. ✔️
FUD stands for "fear, uncertainty, and doubt." It's a popular term used a lot in the privacy community, and leads me to a topic I've been wanting to talk about: best practices when researching and analyzing information on the internet. I will be referencing an article written by a security researcher about Apple. I am not making this video to defend or shill Apple, but because I believe that real conversations about privacy and security should be based on facts, not lazily written articles attempting to lead readers down a path the author wants.
The article was published on January 15th, 2023 and has a very intriguing title. However, my skepticism kicked in and I looked into it some more. A lot of information is out there and, sadly, catchy headlines are the ones that get shared first without much validation.
So, let me take you through my process when evaluating an article, especially one that I am considering sharing with an audience. When I first get to the page, I see the title. In the sidebar, I quickly read about the author, who is a hacker and security researcher living in Berlin. After reading that, I think that the information should be technical with a lot of detail. However, the title, "Apple has begun scanning your local image files without consent," is a very strong claim to make, and I would expect something equally strong in the writing to back that up.
The author starts off with a preface, explaining that they don't use iCloud, Apple ID, Mac App Store, or store photos in the macOS Photos application. They use macOS software on Apple hardware.
The author then describes using a program called Little Snitch, which alerts them to network traffic attempted by the programs they use, and that they have all network access denied for many Apple OS level apps. They then start browsing some HEIC files in a subfolder of their documents and Little Snitch tells them that macOS is now connecting to Apple APIs via a program named "media analysis daemon," a background process for analyzing media files.
Instead of reading more detailed technical analysis and information, the author just starts to talk about Apple's client-side scanning for CSAM in 2021, and how they retracted it because of a public backlash. The author talks about the need to read Apple's statements carefully and how they are very good at writing technically truthful things that say one thing, but cause reporters to report a different thing.
The article concludes by reminding readers that if they have nothing to hide, they've done nothing wrong, and it's most important to limit information in those times.
So, to put this in perspective, the first few paragraphs gave the preface and some background on what the author found. Everything else talked about Apple's CSAM scanning, how they're bad, and the government. When I read an article and someone gives me one or two paragraphs with technical detail and then the following 10 paragraphs are about an event they want me to remember, that's a little suspicious and I feel like I'm being led down a path to correlate events without the author actually saying that.
So, after reading that, I had some hesitation about actually trusting what I read in this article or about what the author found. So, the next thing I like to do in that case is to actually search for the title of the article and see what else shows up. See if anyone on the Internet is talking about it. Typically, if it's a newly published article, I'll search for it on Google because they usually index first before other search engines. So, in this case, we'll search for the title, and we can see here I actually clicked it in the past. But one of the first results is for Hacker News.
This is a forum where information can be posted and shared, and people can comment on it. And we can see here, the article was posted 25 days ago. This is the site we were on reading it, sneak.berlin. You might notice it was published by sneak, and if we go to this website, we can see most of the handles the author has are sneak. We don't see the Hacker News one listed here, but if we go to the home page of the website, they list that their Hacker News handle is @sneak. So, we can confirm that the author is the one that posted this on Hacker News. We can also see the article was flagged, and if you start reading through the comments, we can start to see pretty quickly that other people had similar doubts. It talks about the domain that showed up in the author's image: smoot.apple.com is used for Spotlight. "This article is rightly flagged as BS." "This guy found something in Little Snitch and suddenly exposing some dark company secret in the story."
I understand these are just some strangers on the Internet, but they're already confirming some of these suspicions I had about this article, and we know that sneak is the username for the author. So, if we search for sneak on the page, we can start to see some comments from the author. "If I made any false claims in the article, please let me know ASAP so I can correct them. I was very careful to report facts only and let the readers draw their own conclusions about what is happening here." "You didn't report any false claims, you reported a bunch of unrelated claims without any technical research, and then pointed your readers to a conclusion that lacked any technical or journalistic merit.
It's shallow alarmism." And I want to be clear that I understand people might publish information that's inaccurate. But if someone goes back then and edits their information or adds something at the bottom saying "you know, after further research this was determined," but what you find from reading this is that the author chose to die on this hill. "I didn't make that claim because I have not reverse engineered mediaanalysisd to know precisely what it's doing." And this, I think, sums it up right here. We have a lazily written article where the author found something that they knew would get clicks.
So, nothing that we found is concrete proof of what's going on, but my trust with him is lacking because instead of adding corrections or addendums to his article, he chose to publicly defend it and continually say that he did not make those claims, even though he employed the same practice that he bashed Apple for, which is Apple is very good at writing technically truthful things that say one thing, that caused reporters to report a different thing.
Now, to contrast the article that was posted by Jeffrey, a Mysk thread on Twitter countered what was actually claimed in that article: "No, macOS doesn't send info about your local photos to Apple. We analyzed mediaanalysisd after an extraordinary claim by Jeffrey Paul that it scans local photos and secretly sends the results to an Apple server." They did a thorough analysis of what was claimed by the author to analyze the process, the network traffic. They did all the work that Jeffrey did not do or chose not to do. The unfortunate part is that it's likely these tweets with actual technical data to back them up did not get the same attention the original article did. They posted an update that this was indeed a bug and was fixed in macOS 13.2. This process no longer makes calls to Apple servers.
So, that's what I do when I find an article that I think is too good to be true, especially if I'm considering making a video on the topic. I do want to touch on one last point on why I think publishing this type of information and letting readers draw their own conclusion is irresponsible. This article had a clear conclusion they wanted the readers to come to, and that's exactly what happened. Two other popular YouTubers, with audiences much larger than myself, Mental Outlaw and Louis Rossmann, both published videos on the topic. In defense of Louis, he did publish an updated video correcting what he said in this one. If you produce content for a large audience, at least spend a few minutes fact-checking the articles you're talking about. At the end of the day, people are out there trying to make the best educated and informed decisions that they can. Content and blog posts like this are not helpful and they do more harm than good.
I absolutely agree these companies are doing things that are not good for user privacy, but if we're going to have discussions like this, they should be based on accurate technical details, not conspiratorial narratives based on fear, uncertainty, and doubt that get clicks and shares. So, if you liked this video and made it this far listening to me talk, I think you'll like this top video, and the algorithm thinks you'll like the bottom one.