Last week on my Mac: Tracking and privacy, and the hidden OS X update

Systems like Facebook and ad tracking which use your personal data can be irritatingly off-target, or spookily knowledgeable. Kashmir Hill’s worrying account on FUSION of how a psychiatrist, who is an infrequent user of Facebook, was recommended her patients as potential friends, deserves careful reading. If you are alarmed at what you read, Kashmir has written a very helpful follow-up explaining how you can check what Facebook ‘knows’ about you, and how you can limit what it does with that knowledge.

You have no such options when it comes to advertising trackers. Block them and some sites which rely on advertising income think that you have turned on ad blocking, rather than tracker blocking, and won’t let you view their content. Let them do what they want, and your personal information steadily haemorrhages from your Mac or iOS device, straight into the hands of people who make money from trying to sell you things that you don’t want.

How do they get away with it?

In the case of Facebook and other social media, the claim is that you agree to their privacy conditions, and that you are provided with tools which can protect your privacy if you wish. In the case of ad trackers, the claim is that they track using IP addresses, and do not actually access, store, or manipulate personal information, in the sense that nothing can be tied down to a specific individual.

Facebook, Google, and other corporates who operate and benefit from social media rely on obfuscating documents which don’t establish clearly exactly what data they collect, and essentially leave them to decide whatever they want to do with it, wherever in the world they fancy. There will come the day that patients who have attended, and staff who work in, the same sexually-transmitted disease clinic will be offered one another as friends, perhaps, or will be targeted with wildly inappropriate advertising.

Ad tracking is even more sinister, because you don’t know what information is collected by whom, and only have the option of permitting it, or blocking. The claim with trackers is that they never know who they’re actually tracking, so although the data they gather is very detailed, it is nowhere associated with your personal information, such as name or address: in other words, it is not personal data.

That is manifestly vacuous, as if it were generic and impersonal, it would be incapable of targeting advertising at us. Law enforcement agencies are currently working at identifying individuals and their activities primarily from their IP address; if that is good enough to enable prosecutions, then it is surely good enough to qualify as a personal identifier, and render ad trackers illegal.

Both the social media and ad trackers also fail when presented with the test which should be applied in privacy law: if a black-hat hacker acquired the same dataset, would they be able to identify you and make malicious use of the information?

In both cases, it is clear that the data currently collected by social media and ad trackers is ample to allow personal identification, and for malicious use. Therefore the current conduct of the social media and ad tracking services falls short of the explicit consent and control which others – such as medical researchers – are required to provide. Both industries need to address these problems before they next suffer a major data breach. That is not a matter of if, but when.

OS X El Capitan

Thursday or Friday, depending on your time zone, you thought that you were just getting an urgent security patch, to close three vulnerabilities in OS X. Yet again, what Apple told us (“Security Update”) was quite different from what it did (414 MB of unrelated kernel extensions and more).

Already there are reports of problems resulting from that ‘security update’, which could not possibly relate to the three fixed vulnerabilities which it claimed to patch. A quick glance at your /System/Library/Extensions folder reveals that six kernel extensions were completely replaced by the ‘security update’, five of which can have had nothing to do with the bugs which Apple claimed that it had fixed.

My guess is that this was all about face. Someone had decided that OS X 10.11.7 would never exist, but realised that some essential parts of 10.11.6 remained so seriously broken that they could not be left like that. So Apple had to provide a minor system update without calling it that, and what should have been the most important bits of 10.11.7 became Security Update 2016-001.

If this all seems an irrelevant issue of terminology, think how a systems administrator might react. Security updates are lightweight and important, and normally get pushed out onto a network as quickly as possible. With just three vulnerabilities to be patched, the update could go out immediately. In reality, as there is still no information whatsoever as to what else this update did, it would actually need careful testing. With so many components updated, there’s a fair chance that it could break apps and other vital software.

In its OS X updates, Apple continues to bury what should be good news, to act deceptively, and to treat its users paternalistically. Macs do not live in a walled garden controlled entirely by Apple, and running Apple software alone.

There is also a serious question over quality assurance: the version of the kernel delivered to users on 2 September was dated 29 August, and updated kernel extensions were dated 2 September, the day of release. It would appear that this 414 MB of software update had undergone little or no beta testing, almost guaranteeing that many users will experience problems.

It’s comforting that Apple has closed those three vulnerabilities so quickly, but execrable that it has released more than a third of a gigabyte of untested system software without even telling us what it does, or finding out what it breaks.