An unforgettable iPhone data recovery
April 13, 2019 4:41 PM

In 2017, Jessa Jones, a smartphone logic board repair expert, received a particularly difficult case. Earlier that year, a brutal hate crime (NY Times) had ended the life of Srinivas Kuchibhotla. Hoping to recover as many memories as she could, his widow, Sunayana Dumala, contacted Jones's business to determine if the data from Kuchibhotla's ruined phone could be recovered. Jones documented the painstaking repair (YouTube; video includes close-ups of dried blood), ultimately restoring the phone and recovering all his data for Dumala.

Kuchibhotla's phone was soaked in his blood and would not power on. After six hours of work, Jones was able to not only recover the data but also restore the phone to (mostly) working order for Dumala to have as a physical, as well as digital, memory. Dumala's joy at recovering her husband's data, shared with her permission, can be seen at the end of the video.

Jessa Jones's YouTube channel, iPad Rehab, features many videos of her using her skills at microsoldering and logic board repair to restore smartphones and tablet computers that have been damaged in many ways, from immersion in water to microwaving. In many of these cases, Apple's official position appears to be that the data is unrecoverable (CBC news story; YouTube hosted), and that anyone claiming to be able to recover data from an iDevice with a damaged logic board is running a scam. Stories like that of Kuchibhotla and Dumala help illustrate the valuable work that independent repair shops can do, and underline the importance of the right to repair.
posted by biogeo (27 comments total) 49 users marked this as a favorite
Thank you very much for this post...I just want to say even if people don't intend to watch the entire video, do watch the first 5 minutes and the last part from the 44 minute mark to the very end.

Like it or not, we carry so many precious things on our smartphones--photos and memories--and it is very clear from the phone call at the end to Sunayana, Srinivas' widow, that getting the data back and being able to see his photos again is so important to her. Jessa did a wonderful job. What a horrible situation to have made it necessary, but she really did something meaningful for this family.
posted by hurdy gurdy girl at 5:54 PM on April 13 [14 favorites]

I agree. And I think it's pretty appalling that Apple takes such active steps to prevent people from learning that data on their damaged devices may actually be recoverable by an independent repair shop. It's a strange and heartless policy for them to have, considering they don't even offer this type of repair service themselves. In comments on repairers' videos, people mostly seem to voice the belief that this is about Apple being able to sell more devices, but I don't think that's it. Total control over the ecosystem of hardware and software around their devices seems to be an important part of Apple's corporate culture, and even acknowledging that independent repair shops that they don't control can offer a valuable service seems like a threat to their strategy.
posted by biogeo at 8:44 PM on April 13 [6 favorites]

Total control over the ecosystem of hardware and software around their devices seems to be an important part of Apple's corporate culture

This goes all the way back to the introduction of the original beige tombstone Macintosh, the computer Steve Jobs always touted as an "appliance".

It was a huge departure from the culture around the Apple II line of machines, which Woz had designed explicitly to be expandable in directions Apple never foresaw as well as being fully documented; hell, the Reference Manual that came with our family Apple ][+ included a complete circuit diagram and an assembly listing of the monitor ROM.

I clearly remember despising the computer-as-appliance theory from the get-go. Expandability and openness had always been the main thing that set the Apple II line above its contemporaries, and now this Mac thing needs a special Mac Cracker tool just to get inside the casing? The only expansion connectors are serial ports? GUI is cute and all but seriously, fuck. off.

And they've got progressively and inexorably worse ever since. There's no control freak quite like a Valley techbro control freak.
posted by flabdablet at 9:24 PM on April 13 [13 favorites]

I'm very very pleased at the good work CBC has been doing to stick the roo fingers up to these arseholes and draw public attention to the fact that independent repairers are a thing regardless of how much Apple wished they were not.
posted by flabdablet at 9:33 PM on April 13 [5 favorites]

Yeah, I think for a long time Apple maintained a sort of uneasy truce between those who loved their machines for their well-engineered hardware and software, and those who loved the idea of a techno-utopia provided by a benevolent Apple. Call it the Wozniak-Jobs dichotomy. Sadly the latter Steve was the one whose vision prevailed. People like Jessa Jones are spiritual kin of Steve Wozniak, and I don't think Apple has much use for them any more. Fortunately she, and others like her, are still out there, doing their best to keep technology democratic.
posted by biogeo at 9:38 PM on April 13 [6 favorites]

It's incredibly irresponsible for Apple to suggest that data on a damaged device is irrecoverable.

Both because it likely causes people to forgo seeking repairs, which could recover their data and also provide business to independent repair outfits, but also because it hides the fact that bad actors could recover data from a discarded phone.

On one hand, it would be difficult to do the exact process she goes through at scale. But there are a number of ways that it could be made easier, with jigs and stuff, especially if you don't care about putting the phone back together again or are stripping it for parts / scrap metals anyway.

I could totally see criminals doing this en masse, in the same way they can trivially pull the hard drives from old copiers for their sensitive content.

Apple claims that this isn't an attack vector, mostly because of the way data is encrypted with keys held in the Secure Enclave, but it shows that Apple isn't exactly forthcoming about attack surface, either, and I highly doubt that they would reveal a hypothetical flaw in the SE since doing so would be potentially ruinous to their business. (I suspect they would do what I suspect they've done, which is to silently fix it in the next version and move on, hoping they're far enough ahead of the curve for nobody to notice or care too much. Eventually, this approach always falls short.)

A discarded phone isn't just subject to today's exploits and extraction techniques, it's subject to tomorrow's as well, meaning that you need to think about what might be possible within the useful (adversarial) lifespan of the data. Saying categorically that information can't be recovered from a discarded device, when it plainly is, and these abilities will probably improve over time, is a... bold move.
posted by Kadin2048 at 10:59 PM on April 13 [9 favorites]

It's a bold move backed up by some very good crypto, though.

In order to break the whole-storage encryption provided by their Secure Enclave without powering up the specific CPU that originally performed that encryption and providing it with the device PIN, you'd need to extract the encryption keys from it - which would necessarily involve some highly specialized physical reverse-engineering hardware, because by design the SE has no ability to export the keys it contains.

The only currently feasible attack vector is via the front door: by repairing the phone sufficiently to let it boot up, then supplying valid unlock credentials (PIN, fingerprint or face). This is what Jessa Jones is able to do in nineteen cases out of twenty. That last one in twenty, though - I don't believe the required hardware currently exists to deal with that.

I'm also quite willing to assume that the SE is in fact as good as they say it is, mainly because its job is simply not that complicated; unlike Intel, Apple appears not to have thrown everything and the kitchen sink into their SE design. Less Is More is a sound principle when it comes to security.
posted by flabdablet at 2:19 AM on April 14 [3 favorites]

That’s some seriously impressive work! Jones’s “This LIBERAL Woman in Tech Salutes James Damore!” video is … somewhat less heartwarming, though. Sigh.
posted by haltingproblemsolved at 7:41 AM on April 14

About the "appliance" comparison: I've fixed my appliances multiple times.
posted by clawsoon at 8:26 AM on April 14

I'm going to swim against the tide here. I want my data to die with me. Yes, some of it is embarrassing (checked your browser history lately?) But most of it will make no sense to anyone but me. Surely the dead are entitled to a little privacy.
posted by SPrintF at 8:41 AM on April 14 [5 favorites]

I'm with SPrintF here. I have my phone locked and if I get hit by a bus -- or a bullet -- I want it to stay locked, then beaten with a hammer.

It was beaten into my head early, early on in IT, when I was working for a bank: Never, ever share a password. With anyone. Never, ever write it down. It was taken very, very seriously. As it should be.

I remember a girlfriend who was surprised and angered that I'd not share that with her -- confirmation that I didn't want to hang with her.

I have a trusted friend who has the master password that unlocks all of my online accounts, in case of my death or incapacitation, and that is what I want. Key word -- trusted. Implicitly. Like a Swiss banker, that kind of trust.

Snowden teaches us -- privacy is everything. It's the key thing. Someone asking why I want privacy is asking the wrong question. The right question is: Why would I ever share my password?
posted by dancestoblue at 9:39 AM on April 14 [2 favorites]

It was beaten into my head early, early on in IT, when I was working for a bank: Never, ever share a password. With anyone. Never, ever write it down. It was taken very, very seriously. As it should be.

Not having access to a deceased loved-one's computer at this time in history makes dealing with their affairs and estate incredibly more complicated. Just how many original notarized copies of a death certificate are you in the mood to mail out?

The password for the password manager that will allow my remaining family to access my financial information, etc is sealed in an envelope and stored in a safe. I encourage others to do the same.
posted by Xyanthilous P. Harrierstick at 9:45 AM on April 14 [3 favorites]

I understand Apple not offering such a repair service themselves. Since they’re the manufacturer, a process that only sometimes works might risk them being exposed to lawsuits, or at least to people having public meltdowns in their stores. It’s probably just not worth it to them given the potential negatives.

I’m not ok with them saying the shops that attempt these repairs are scams. “In our experience the process is unreliable and not recommended”, sure, but acknowledge that it has a success rate as well as a failure rate.
posted by a device for making your enemy change his mind at 10:21 AM on April 14 [2 favorites]

Google and Facebook both have "deadman's switch" options for your accounts, allowing you to designate someone who can access your stuff after a certain amount of inactivity.


Facebook: (look for 'Your Legacy Contact')

Google's is neat in that it lets you specify up to 10 people, and lets you customize what data each of them get access to. So you can give some people access to some stuff, but not all of it, on an individual basis.

Facebook's is geared more towards choosing who gets to curate your Facebook 'memorial' page (and delete shitty troll posts, should there be any) which strikes me as a dubious honor, but points for effort.

Neither one is really geared towards helping next-of-kin in the immediate aftermath of your untimely demise, though. The shortest timeout on Google is 3 months, while I think Facebook requires some sort of proof of death (death certificate, etc.) before they transfer control.

As someone who has dealt with someone who died unexpectedly, it was good that their financial passwords were written down, or else it would have been pretty awkward to make that month's mortgage payment, among other things. So in some cases I think a low-tech solution of password-in-a-safe-deposit-box works well.

LastPass has a reasonably decent shared-password feature where you can link accounts and share access to certain sites, but it's still kludgy as all password-keeper schemes tend to be. We still have a long way to go to escape passwords as an authentication mechanism.
posted by Kadin2048 at 11:32 AM on April 14 [2 favorites]

Mr. Roquette and I do not share passwords to ANYTHING. It’s not necessary to do so. In a relationship the sharing of passwords usually is demanded in situations where one party or another or both has been unfaithful. If that happened, we’d just go our separate ways. Probably for both of us there are no deep, dark secrets.
posted by Katjusa Roquette at 12:45 PM on April 14 [2 favorites]

I just don't understand the modern thinking that everything has to be password protected.
As for all those sites that invite you to visit them and then expect you to solve some puzzle to get there. I'll give them one try and if it still refuses, I'll go to a site that wants my business.
posted by Burn_IT at 1:24 PM on April 14 [1 favorite]

That's basically what's driving the adoption of those "Log in with Google" or "Log in with Facebook" buttons. The 'conversion loss' getting users to make an account on your grotty website is huge—nobody likes doing it.

Of course the tradeoff is being able to link a user across sites in ways that are... not always ideal for the user.

It's a real pity that OAuth seems to have died.
posted by Kadin2048 at 4:17 PM on April 14 [1 favorite]

Lots of stuff uses OAuth, they just don't use it for cross-site logins. And yeah, that sucks.
posted by vibratory manner of working at 4:36 PM on April 14

Katjusa, it's also necessary to share passwords when someone has died. I have far more of the financial passwords than my wife does (by her choice). She has the password to my password manager, though.
posted by lhauser at 6:42 PM on April 14

The 'conversion loss' getting users to make an account on your grotty website is huge—nobody likes doing it.

I would much much much rather be able to add a new account to my KeePass just for your site than either cross-link my Google account with it or have to manage a completely new Google identity just for logging into yours with.

Also I want to know which Googler started this whole bullshit thing where you have to supply your username, click something, wait for a page load, then enter your password and click something else, because I have a burning desire to fight them.

There is nothing at all wrong with the old style of login page that just has username and password as two tab-selectable entry fields on the same page. I really dislike having to fartarse about with your site's KeePass auto-type settings just to make your stupid nonstandard login pages work right.
posted by flabdablet at 9:09 PM on April 14 [5 favorites]

And I think it's pretty appalling that Apple takes such active steps to prevent people from learning that data on their damaged devices may actually be recoverable by an independent repair shop

Substitute “The FBI” for “independent repair shop”, and I’d bet you find it far less appalling the data isn’t recoverable.

Also, if the phone doesn’t boot enough to put in a pin, the combined resources of the world’s intelligence services can’t get data off the phone.

Getting the phone sorted out enough to boot again (which is what happened here) is the only way forward people actually want. Anything easier for repair shops or whatever, makes things easier for the cops and other bad actors as well.
posted by sideshow at 8:36 AM on April 15

supply your username, click something, wait for a page load, then enter your password and click something else

I actually know this one, it's because of the proliferation of Okta & other Enterprise Single Sign-On portals. It's split so that based on your email they can direct you to whatever login flow your account is associated with.

Doesn't help users who aren't in that flow (or have autofill like that), but Enterprise is where the money is, and it's a tad more secure so ¯\_(ツ)_/¯
posted by CrystalDave at 9:49 AM on April 15

Substitute “The FBI” for “independent repair shop”, and I’d bet you find it far less appalling the data isn’t recoverable.

Uh, yes? Going to an independent repair shop with a damaged phone and paying them to recover my data using my PIN and "the FBI" or whoever accessing my data without my permission are different things.

Also, the point isn't that the data isn't recoverable. It's that it is recoverable, but Apple insists that it isn't and suppresses this information in their stores and on their support forums. People care about their data, often for very personal reasons, and Apple's only response to a data loss situation like this is "Welp, you should have backed up to iCloud."
posted by biogeo at 5:18 PM on April 15

"Welp, you should have backed up to iCloud."

"Welp, you should have paid us every month to rent enough iCloud storage to make anything vaguely resembling a backup even feasible, because that 64GB iPhone is sure as shit not going to fit in what we include for the purchase price."
posted by flabdablet at 9:31 PM on April 15 [2 favorites]

this is fantastic, thank you.
posted by Busithoth at 6:18 AM on April 16

Louis Rossmann responds to the CBC News piece on Jessa Jones:

The #1 reason Apple pisses me off.

Jessa Jones has some thoughts about what might be motivating Apple to lie about dead iPhones being irrecoverable:

The Real Reason Apple Says Wet iPhone Data Recovery is Impossible

tl;dw: Apple Marketing has never grasped the essential difference between security and security theatre and is fully invested in trying to ensure that the public never does either.
posted by flabdablet at 8:17 AM on April 16 [1 favorite]

Welp, you should have paid us every month to rent enough iCloud storage

I wonder how long it will take Apple to come around to the Google/Android business model, where the phone is practically a loss-leader for the revenue you earn them as a user over time. In the Android ecosystem this is mainly via Google's advertising arm, which gets a cut of all the in-app advertising revenue (which is the dominant model for Android apps), plus a cut of most mobile-web ads by virtue of being the biggest ad network around.

Apple gets a cut of app sales and subscriptions, of course, but doesn't have the "long tail" of ad revenue. Holding user data effectively hostage unless you pay monthly for an iCloud subscription could be one method of wringing money out of users on an ongoing basis.

For now, you can still back up an iPhone locally using iTunes, although they seem to be making it harder and harder. At least mine seems to no longer do the automatic backup via WiFi thing anymore. (This made backing up to your local machine almost as robust a solution as the iCloud backup, assuming you're at home every day so it could do the WiFi backup.) I'm not sure why, and it's a pain to debug. So I just try to plug it into my desktop periodically, but of course that's not a great solution.

But as they seem more and more interested in moving towards the iPhone as delivery mechanism for subscription services, I wonder if they'll close this "loophole" somehow, and make it impossible to do a backup/restore onto your own computer.
posted by Kadin2048 at 1:17 PM on April 17
