The Cupertino technology giant released the new Mac operating system at the unveiling of its latest iPads in San Francisco last Thursday, but it quickly transpired that Yosemite, which is the successor to Mavericks (Mac OS 10.9), had one feature that fell short of privacy expectations.
Yosemite has generally been well received by tech journalists, from its flatter user name, the Handover iOS sync feature, dark mode and the ability to manage extensions to the new ‘Spotlight’ feature which collects search results from Mac, iTunes, the App Store and the web.
However, Spotlight has since come under scrutiny following a close examination of Apple's terms and conditions. The application collects search terms for applications or files by default – and then passes this and location data on to Apple and third parties including Microsoft. This led renowned privacy researcher Ashkan Soltani to call it “probably the worst example of ‘privacy by design’ I've seen yet.”
He added later that simply opening Spotlight results in “your precise location” being sent to Apple by default.
“When you use Spotlight, your search queries, the Spotlight Suggestions you select, and related usage data will be sent to Apple,” reads the company's terms and conditions page.
“Search results found on your Mac will not be sent. If you have Location Services on your Mac turned on, when you make a search query to Spotlight the location of your Mac at that time will be sent to Apple. Searches for common words and phrases will be forwarded from Apple to Microsoft's Bing search engine. These searches are not stored by Microsoft. Location, search queries, and usage information sent to Apple will be used by Apple only to make Spotlight Suggestions more relevant and to improve other Apple products and services,” the disclaimer adds.
Web developer Landon Fuller has since built the https://fix-macosx.com/ website, which says that users of the newest Mac OS can ‘restore privacy’ by disabling Spotlight Suggestions and Bing Web Searches under System Preferences > Spotlight > Search Results.
Users are also advised to un-check “Include Spotlight Suggestions” under Safari > Preferences > Search, as Apple's own browser is set by default to send a copy of all search queries back to the company. Spotlight is also believed to collect this data on iOS 8 – the mobile operating system for iPhones and iPads – although it isn't turned on by default.
The same website goes on to detail how researchers are now working to alert Apple to other as-yet-unreported privacy and security flaws.
“Spotlight isn't the only Mac OS X Yosemite feature that unnecessarily phones home; a myriad of system and user processes are sending data to Apple in a default configuration, and we want to fix those, too,” reads the web page.
As a result, the group behind the website has built Yosemite Phone Home – a collaborative project on GitHub to ‘identify additional data that is collected by Apple and other third parties.’
“Mac OS X has always respected user privacy by default, and Mac OS X Yosemite should too. Since it doesn't, you can use the code to the left to disable the parts of Mac OS X which are invasive to your privacy.”
Forensics researcher Jonathan Zdziarski told SCMagazineUK.com that Apple has been transparent by disclosing the full details of the data collection in the ‘About spotlight privacy’ button at the bottom of the page.
“Apple discloses that they sent your spotlight searches to them. You can also turn it off in Spotlight settings. I'm not sure it's news.”
“I really don't understand why people are bent out of shape. Apple did a good job disclosing it. I think it even pops up the first time.”
He later added on Twitter: “I wouldn't call going into Settings and un-checking a very visible box to be an "obscure setting". Especially when a disclosure pops up.”
Scott MacKenzie, CISO at cyber security solutions provider Logical Step, went on to tell SC that this news potentially undermines earlier good work from Apple when it introduced encryption by default on Mac OS X.
“Many users and privacy campaigners, who had previously applauded Mac OS X for its use of encryption by default, saw Apple performing a U-turn when it comes to privacy, following this weekend's update to OS X Yosemite,” he said in an email.
“Under Yosemite, Spotlight by default sends all your search queries, suggestions and usage data to both Apple and more surprisingly forwards some of this to Bing.
“Furthermore, if location services are enabled, then location information will also be sent to Apple in real time. Whilst you can disable these settings, because it is the default, most users will probably leave it enabled thus allowing Apple to track the majority of its users' current locations and search habits in real time.”
Apple - which yesterday issued fixes for more than 40 vulnerabilities in the OS, including one to correct the Poodle flaw - has been praised for adopting more privacy and security-friendly features in Yosemite, such as default FileVault full disk encryption and the inclusion of the DuckDuckGo search engine, which doesn't send data to third parties.