What are Ventura’s system privacy settings?

macOS privacy controls apply to all executable code, including macOS services. The TCC subsystem responsible for this imposes its controls over access to protected services, features and locations according to records in its two databases at /Library/Application Support/com.apple.TCC/TCC.db and ~/Library/Application Support/com.apple.TCC/TCC.db. Most of those records are made when executable code in an app or other code requests access and TCC obtains the user’s consent, but some are added without any user involvement, as system features. This article aims to discover which privacy settings in TCC are set by macOS itself, and are system privacy settings.

The best way to discover which are set by macOS is to reset all using the command tool tccutil, in an otherwise untouched instance of Ventura running in a virtual machine (VM). Log records should then reveal which system privacy settings are deleted to accomplish that reset, and which are subsequently restored without user consent or notification.

What is Liverpool?

Although most privacy settings are named transparently, there are still two with internal code names: kTCCServiceLiverpool and kTCCServiceUbiquity. Although the latter has long been recognised as referring to iCloud services, the former has variously been claimed to refer to Location Services or to CloudKit. Even recent articles refer to kTCCServiceLiverpool as relating to Location Services.

Extensive searches have failed to yield any Apple documentation explaining the meaning of those terms, although a few unofficial mentions have appeared since 2016, stating that kTCCServiceLiverpool controls CloudKit access.

To clarify this, the TCC subsystem has no concern at all with access to Location Services data. This is readily demonstrated by observing the log when changing different items in Privacy & Security settings: altering any in its Location Services category results in no TCC activity, as the changes are made by locationd and its associates; changing other privacy settings there results in a flurry of entries from TCC as it records the changes in its databases. This article lists services known to have kTCCServiceLiverpool access, which manifestly isn’t associated with location but with iCloud services in the form of CloudKit.

iCloud services

Ventura has access to two broad service groups in iCloud: CloudKit, for sharing and syncing data, and iCloud Drive, for sharing and syncing discrete files. Apple provides a useful overview of the former, and fuller details of its API.

While lightweight macOS VMs on Apple silicon are intentionally unable to sign in to iCloud using an Apple ID, that doesn’t prevent them from using CloudKit. Apple points out that CloudKit is still available then as “a valid iCloud account is only necessary when you want to save data that is specific to a single user. Apps can always store data in a public area that is readable by all users.” This presumably also applies to code checks run when launching executable code, which were first noticed to involve iCloud in Catalina.

TCC reset

Once the command
sudo tccutil reset All
is being executed, TCC begins deleting all items in its database. Concentrating for the moment on CloudKit (kTCCServiceLiverpool), this involves a series of log entries such as
5.785551 com.apple.TCC Publishing <TCCDEvent: type=Delete, service=kTCCServiceLiverpool, identifier_type=Bundle ID, identifier=com.apple.Passbook> to 2 subscribers: { 518 = "<TCCDEventSubscriber: token=518, state=Passed, csid=com.apple.photolibraryd>"; 337 = "<TCCDEventSubscriber: token=337, state=Passed, csid=com.apple.cloudd>"; }

In a bare system, with nothing else installed in Privacy & Security settings, those deletions are completed in around 0.003 seconds, at the end of which TCC moves on to do the same for a shorter list of subsystems for iCloud Drive (kTCCServiceUbiquity).

The following 27 subsystems are set by the system to have access to CloudKit, with kTCCServiceLiverpool:

com.apple.Passbook for Wallet access services
com.apple.Safari for Safari
com.apple.amsengagementd for ‘engagement’ with Apple media services including former iCloud media services
com.apple.appleaccountd for Apple ID account services
com.apple.assistant.assistantd to support Siri, dictation and semantic understanding
com.apple.avatarsd for Memoji and Animoji support
com.apple.biomesyncd for iCloud-based suggestions by Biome
com.apple.callhistory.sync-helper for syncing (telephone) call history
com.apple.cloudpaird for Bluetooth out-of-band pairing to support Continuity features
com.apple.donotdisturbd for Do Not Disturb, and possibly Focus more generally
com.apple.icloud.fmfd for the Find My Friends service
com.apple.icloud.searchpartyuseragent for further Find My support (although this is sometimes misinterpreted as malware!)
com.apple.identityservicesd for identity management services
com.apple.imagent for IM Agent, a service listening for FaceTime invitations
com.apple.knowledge-agent for Siri suggestions and related knowledge services
com.apple.passd for Apple Pay and Wallet services
com.apple.protectedcloudstorage.protectedcloudkeysyncing for syncing of protected iCloud storage
com.apple.securityd for main security services
com.apple.shortcuts for the Shortcuts app, which relies on CloudKit storage for its shortcuts
com.apple.siriknowledged for Siri suggestions and related knowledge services
com.apple.sociallayerd for the provision of privacy-sensitive data for social media
com.apple.suggestd for the provision of content-based suggestions
com.apple.syncdefaultsd for the syncing of settings data
com.apple.textinput.KeyboardServices for text-based services such as text replacement
com.apple.transparencyd for authorisation of access to private data
com.apple.triald for machine learning services
com.apple.willowd for HomeKit support and Home features.

The following subsystems are set to have access to iCloud files, with kTCCServiceUbiquity:

photolibraryd for Photos library services
com.apple.finder for the Finder
com.apple.stocks.detailintents for Stocks
com.apple.weather for Weather
com.apple.weather.widget for the Weather widget.

Restoring services

No sooner has it completed deleting those than TCC starts restoring most of the services it has just deleted from its database. Typical entries for com.apple.securityd might read
5.794488 com.apple.TCC REQUEST_MSG: msgID=453.44, msg={ service="kTCCServiceLiverpool" modDate=0 (0x0) flags=0 (0x0) function="TCCAccessSetInternal" bundle_url=<xpc_null> noKill=false target_token={NULL} TCCD_MSG_ID="453.44" indirect_object_code_requirement=<xpc_null> client_type="bundle" indirect_object_identifier=<xpc_null> indirect_object_type=<xpc_null> code_requirement=<xpc_null> granted=true client="com.apple.securityd" } 5.795669 com.apple.TCC Update Access Record: kTCCServiceLiverpool for com.apple.securityd to Allowed (System Set) (v1) at 1675870565 (2023-02-08 15:36:05 +0000) CodeReq: None Indirect : Unused 5.796052 com.apple.TCC Publishing <TCCDEvent: type=Modify, service=kTCCServiceLiverpool, identifier_type=Bundle ID, identifier=com.apple.securityd> to 2 subscribers: { 518 = "<TCCDEventSubscriber: token=518, state=Passed, csid=com.apple.photolibraryd>"; 337 = "<TCCDEventSubscriber: token=337, state=Passed, csid=com.apple.cloudd>"; }

Of the 27 subsystems deleted from TCC databases, the following 15 are restored to kTCCServiceLiverpool Allowed within a couple of seconds of a TCC reset:

com.apple.amsengagementd
com.apple.assistant.assistantd
com.apple.cloudpaird
com.apple.donotdisturbd
com.apple.identityservicesd
com.apple.knowledge-agent
com.apple.passd
com.apple.securityd
com.apple.shortcuts
com.apple.siriknowledged
com.apple.sociallayerd
com.apple.suggestd
com.apple.syncdefaultsd
com.apple.transparencyd
com.apple.willowd.

The other 12 may follow later.

Conclusions

When a user hasn’t signed in to an iCloud account with their Apple ID, a total of 27 subsystems in macOS are given access to protected data using CloudKit, and five to iCloud Drive. Without a connected iCloud account, those subsystems can only access data in public areas that is readable by all users, and cannot access any private data in iCloud. However, those under the impression that not providing their Mac with an Apple ID prevents it from accessing iCloud might like to reconsider.

14Comments

Add yours

1

John Gilbert on February 15, 2023 at 2:28 am

I have looked at the current status of the TCC databases. For example with this command:

sudo /usr/bin/sqlite3 “/Users//Library/Application Support/com.apple.TCC/TCC.db” “SELECT service,client,datetime(last_modified , ‘unixepoch’, ‘localtime’) as date_mod from access” | grep Liverpool | grep com.apple

I have 61 entries relating to kTCCServiceLiverpool and com.apple. Some were added (and not changed since) back in 2019. I am, of course, signed into to iCloud.

LikeLiked by 1 person
- 2
  
  hoakley on February 15, 2023 at 12:45 pm
  
  Thank you.
  I haven’t even dared looking at what iCloud connections enable. I might leave that to someone with more time and patience!
  Howard.
  
  LikeLike
3

JM on February 15, 2023 at 6:46 pm

As a layman, I can’t quite discern the importance here of what you discovered and whether or not this is concerning. Are you saying that these subsystems are pulling information via Apple cloud services from the machine that are related to privacy, security and many other settings, and sharing that information to some kind of “public” area that other users can access? (Albeit not anything related to your own iCloud account?) Is the information shared of any consequence, and where are these public areas? This was very technical, but I did read it three times.

LikeLiked by 1 person
- 4
  
  hoakley on February 15, 2023 at 8:19 pm
  
  No, there is absolutely no evidence to support any issues over privacy or protected information.
  However, quite a few people think that, if they don’t have an Apple ID, or don’t enter one into their Mac, that Mac doesn’t have access to iCloud. That’s simply not correct: on a virtual system which can’t have an Apple ID or connect to iCloud, macOS still sets up 27 different services that can connect to iCloud. However, they (and third-party apps) can’t connect to private areas, only public areas. So any data they transfer isn’t private or sensitive, but they still can and do transfer data.
  Howard.
  
  LikeLike
  - 5
    
    JM on February 16, 2023 at 1:47 pm
    
    Thank you for clarifying that.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on February 16, 2023 at 5:39 pm
      
      No problems. I’m sorry the bulk of the article was heavily technical, but it needed to be to evaluate the evidence properly.
      Howard.
      
      LikeLike
7

JM on February 17, 2023 at 4:28 pm

I certainly don’t mind the technical writing, even if some of it’s advanced; you wouldn’t want to dumb it down. It’s great to read about what goes on under the hood of these machines, and hear about what they’re up to.

LikeLiked by 1 person
- 8
  
  hoakley on February 17, 2023 at 5:10 pm
  
  Thank you.
  Howard.
  
  LikeLike
9

rnas on March 17, 2023 at 1:31 pm

Hi,
I am trying to delete a 3rd party app document folder in iCloud. I tried following solutions, however none work for me.
https://apple.stackexchange.com/questions/260224/remove-folders-in-library-mobile-documents
https://apple.stackexchange.com/questions/180990/how-do-i-delete-unlinked-folders-from-icloud-com
https://apple.stackexchange.com/questions/328499/remove-faded-folders-in-icloud-drive/377364#377364

The specific folder I am trying to delete is folder called “iCloud~md~obsidian” created by obsidian.md application located in ~/Library/Mobile Documents/iCloud~md~obsidian/.
Do know if this is possible?
Thank you

LikeLiked by 1 person
- 10
  
  hoakley on March 17, 2023 at 3:56 pm
  
  Well, although that’s far from the subject of this article…
  That isn’t a folder in iCloud Drive, but in iCloud private app data, and is therefore under the control of the app that created it. That’s the best way to remove the folder’s contents, but few iCloud apps give the user control over removing their folder. Ideally, apps that install folders to iCloud should also provide a way of removing them, although few do so.
  The third link you provide does give an old method that used to work, although AFAIK it no longer does. It’s also going to be a problem if you try to remove files outside the app that created them, if you have any other Mac or device signed into the same iCloud account. If you do want to have another go using that method, I suggest that you shut down all other Macs and devices that sign into that account first. You might then be lucky, but I think you’ll need to do this using Obsidian, and not the command line.
  Howard.
  
  LikeLike
  - 11
    
    rnas on March 17, 2023 at 10:28 pm
    
    Thank you for your swift reply. I only have one MacBook and iPhone, so I tried the same steps with iPhone powered off but none work. It seems the option “Apps Syncing to iCloud Drive” on System Settings doesn’t seem to be deleting the folders as I can still see these private app data for both 1st party apps like iMovie and 3rd party apps like Obsidian. It is likely that deleting these folders is out of my control without the app itself having an option to delete them.
    Thank you.
    
    LikeLiked by 1 person
    - 12
      
      hoakley on March 17, 2023 at 10:53 pm
      
      It’s important to see the distinction between iCloud Drive, which are the openly accessible folders in your iCloud Drive, and private app data, which aren’t exposed to the user outside the app.
      iCloud Drive folders are all within the path ~/Library/Mobile Documents/com~apple~CloudDocs, and you can trash files within those folders as you wish. You still don’t always have full control over the folders, which are after all an illusion created by iCloud.
      Folders outside that path, like ~/Library/Mobile Documents/C7HPP7U8L7~com~taptaptap~CameraPlus and the Obsidian folder you cited, aren’t shown in iCloud Drive in the Finder, and come under the control of the app that owns them. Changes you try to make to them are likely to be undone by iCloud.
      Some years ago, Apple was intending to make some major changes to iCloud during the annual beta phase of the next macOS. They went horribly wrong for many users. Although I wasn’t badly effected, it led to most of my iCloud Drive and other iCloud folders being doubled up. For some, we could successfully delete them, but others just kept coming back even after rolled back the changes. I still have a couple of duplicate folders as evidence of the mess!
      Cloud storage is so much fun.
      Howard.
      
      LikeLike
13

Rose on March 23, 2023 at 12:40 pm

Hi, long time lurker, first time poster. Interesting to see your list of those granted access to kTCCServiceLiverpool after being reset. Did you have any requests after resetting them?

LikeLiked by 1 person
- 14
  
  hoakley on March 23, 2023 at 2:46 pm
  
  Thank you.
  The user isn’t prompted for CloudKit access, and it isn’t controlled in Privacy & Security, but by options in iCloud. As this is a virtual machine, it doesn’t (and can’t) have an Apple ID, so no user iCloud access. The only processes accessing iCloud are this those in macOS, which are only accessing public areas, so there’s no issues over privacy.
  Howard.
  
  LikeLike