On Tuesday this week I emailed Tim Cook after I read about Mat Honan’s Mac being wiped via iCloud’s Remote Wipe feature. I pointed out that Apple has tremendous control over my data now, partly via iCloud but especially Remote Wipe. What happened to Mat is an example of why people warn about over-reliance on the cloud.
A member of the executive assistant team, Philippe, called me back today and we spoke about my concerns in light of Apple’s response later in the week. He was a nice guy, friendly and open to constructive criticism from a customer’s point of view and promised my comments would be read.
My concerns when I wrote were that no amount of technical safeguarding on the customer’s part would have prevented this particular trick from working. Having a backup would have made it a mere inconvenience, but it would still have happened. Even Apple were caught by surprise, claiming their protocols should not have allowed it. But it did happen, because of human error at customer support in the face of an ingenious manipulation.
Apple said they were taking that facility offline for 24 hours to examine what went wrong and fix it. iCloud is Apple’s future so I have to trust that this is pretty serious shit for them and it’s Going To Get Fixed; Philippe didn’t explicitly disagree with that observation.
Of course, somehow eliminating human error for password reset won’t make iCloud impenetrable; I expect individual accounts get hacked via other techniques as often as any other world-class online service, so back your stuff up. But if Apple starts to allow password reset over the phone again, whatever they’ve done, we just have to trust them if we want to keep using the service.
I told him I understood why Apple don’t make many statements about stuff like this until they know what they’re dealing with, but that when they do know, I’m going to want to be reassured that it’s fixed.
I’m still using iCloud but this week I turned off Remote Wipe for my Mac. If something this avoidable and out of my control happens again, I’ll have to review how I use it again and it’ll start to feel like when I had a Facebook account and I had to keep checking my Privacy settings every time they tweaked something. Using an Apple service shouldn’t feel like managing Facebook.
Philippe didn’t give anything juicy away, obviously, as he was calling to listen and reassure. I cheekily asked how the Executive team found out about the hack and what the feeling at Apple was about something this serious; but, you know…
Finally we talked about the security of Find My Phone and how a savvy thief knows now that if you can turn the phone off you’ll disable the signal. If the option were available to disable shutdown or maybe even Airplane mode without a PIN, I’d use that if it bought me a couple more hours tracking time.
So if you see that turn up in iOS 6, that was my idea.