Last Week on My Mac: Testing trust in system upgrades and updates

The relationship of trust between an operating system supplier and the user is very complex. Apple makes it more so by its extraordinary secrecy, a policy which was held up to ridicule last week when instructions about that policy were leaked.

I’m not here referring to the very reasonable desire to prevent competitors from knowing Apple’s plans in advance, but to far simpler matters, such as what a system update actually changes and fixes.

Apple occasionally lets slip an insight into what is actually going on when you are waiting for an update to install – something the WWDC session on APFS revealed earlier this month.

Most of us only learned that iOS 10.3 had changed the file system on all our updated devices to Apple’s new APFS after we had updated. Maybe we should have waited a few days until the early adopters had discovered this, but if you took the trouble to read the official About this Update at the time, there was no mention of the change of file system. There were twenty other more important changes, such as “Podcast shows or episodes are shareable to Messages with full playback support”, but no mention of APFS.

Only if you happened to study the developers’ iOS SDK Release Notes for iOS 10.3 might you have seen that “When you update to iOS 10.3, your iOS device will update its file system to Apple File System (APFS).”

It was only in that WWDC session, though, that Apple’s Eric Tamura revealed that this was not the first update to iOS which had performed conversion of the file system to APFS. Apparently dry run tests had been included in the initial iOS 10.0 upgrade, and the 10.1 and 10.2 updates – in September, October, and December 2016, when many of us were still barely aware of APFS, and struggling to cope with iOS 10 and macOS Sierra.

According to Tamura, those dry runs performed the conversion of file system metadata exactly as was intended in the release conversion. But instead of then completing the process by writing out the new APFS ‘super block’ and removing the old metadata, each dry run reported back to Apple, then removed the converted metadata.

So far, Apple has not admitted to running any similar tests or dry runs during macOS updates; given the much greater scale of what would be involved in doing this with a macOS startup volume, I suspect that it probably hasn’t either. But as we were not told at the time – or even after those iOS updates – we simply have no way of knowing.

If you ignore the fact that hundreds of millions of iOS users have, it appears, unwittingly been alpha-testers for iOS 10.3, in which the conversion finally took place for real, what Apple did might appear a stroke of genius.

What Apple actually seems to have done was to unleash those alpha test file system conversion tools as part of what purported to be a final release quality system software update. It did not inform users beforehand or afterwards, nor did it give anyone the opportunity to decline to take part in its alpha-testing programme.

Now Apple would no doubt defend itself by arguing that the dry run conversion was designed so that it did not cause any problems: it only wrote to unused areas of storage, and cleaned up after itself. Well, that’s what they hoped it would do, and the whole purpose of carrying out such large-scale tests was to determine whether the conversion would work, and what percentage of iOS devices would suffer problems. Given that they were trying to determine those unknowns, Apple could not have known before those dry runs that they would not trash a significant proportion of updated systems.

It would be equally vacuous to claim that users are always advised to ensure that they have full backups before all system updates. Apple knows full well that a great many users don’t, and that many users will trust Apple not to release software which has not been properly tested before release.

If you went to a medical practitioner and were treated for a condition, then several months later discovered that your treatment was in fact part of a trial, you would be rightly incensed, considering that your doctor had breached medical ethics. That would be as true if your doctor claimed that the drug used had been shown to be safe when used to treat other conditions, as it would if it was a completely experimental drug. Before you can take part in any trial of a drug or treatment, you must give fully informed consent as a genuine volunteer.

I felt uneasy from the first moment that I heard the story of these dry run tests on the iOS APFS conversion tool. The more I think about how Apple seems to have treated those hundreds of millions of unsuspecting users, the more strongly I feel that what Apple apparently did betrayed the trust that we put in our operating system supplier. If Apple wishes to bundle any more alpha tests in regular system software updates, then it surely must both warn users before they decide whether to update, and give us the option not to take part.

Knowingly and secretly installing such test software under cover of a series of system software updates would be a serious abuse of the trust between Apple and its users.