Apple has finally taken several steps in recent weeks to fix its lax security practices.
First the company updated the iCloud website to prevent brute-force attacks, patching a vulnerability that should never have been there in the first place. Now it plans to add more security features to iCloud, allowing it to message people when the service is backed up, passwords are changed, or a new device is used to access the service for the first time, according to a Wall Street Journal report.
It’s heartening to see Apple taking security more seriously than it has in the past. Though the iCloud website’s vulnerability is no longer thought to have contributed to the systematic theft and release of nude photographs, updating a website with basic security features is never a bad thing. Adding notifications to iCloud that could warn its users when their data is at risk is also a good move — so long as people understand the threat that those messages represent, of course.
But the most interesting thing about these updates is the clarity with which Apple is explaining them to the public. The company has previously attempted to obfuscate its security problems by using difficult language to describe problems and their fixes — or by just putting relevant updates at the bottom of a long list of changes that most consumers probably weren’t reading anyway. As I wrote when the company released a critical security update for its mobile software in February:
Terms like “privileged network position,” “sessions protected by SSL/TLS,” and “restoring missing validation steps” are gobbledygook to most consumers. Apple might as well have said that its magic portal may have been vulnerable to demonic infiltration, because its doohickey wasn’t properly communicating with the gizmo or the who’s-a-what’s-it.
Communication broke down the same way when the company fixed a similar vulnerability in its desktop operating system:
Considering the extent to which this vulnerability has been identified as a prime concern for consumers, Apple’s unwillingness to clearly explain the issue to its customers is irresponsible. Its attempt to assuage concerns among its business customers by releasing a document describing its mobile operating system’s security measures, which must protect financial information, digital communications, and fingerprints from prying eyes, is laughable.
Now it seems that Apple is at least attempting to make its efforts to fix obvious security problems with its service a little easier to understand. I’m sure that has more to do with the allegations that it was responsible for the reprehensible leak of stolen nude photographs than with a new sense of responsibility to consumers, but we’ll have to take what we can get. Maybe the lesson will stick and the company will decide to be a little more forthcoming in the future.
There is no reasonable expectation of perfect security in modern society, but we can at least strive for transparency from companies like Apple when our privacy is threatened. Better to know that something can’t be kept secure than to think it’s safe and remain ignorant of any threats.