Filed under: Software, Internet Tools, Apple, Security
Apple responds to privacy concerns over Dashboard phoning home
One only needs to brush up on the Windows Genuine Advantage debacle over at Download Squad (a sister blog) to get a recent example of the trouble a company can get into for making their software phone home (let alone adding an alleged 'kill switch' for the OS, but that's a different story). You can probably imagine, then, the uproar that has been caused when Mac users discovered that, after updating to 10.4.7, a little utility called 'dashboardadvisoryd' started calling home to Apple every eight hours or so. Immediately (of course), allegations of privacy invasion and Apple going the way of the devil began appearing, when (Gruber hit it on the head) Apple could have simply pre-publicized this as nothing more than the security feature that it is. CNET News has an article quoting an Apple statement as saying: "Apple takes protecting user privacy very seriously. The Dashboard Advisory feature is a security tool that ensures that the correct version of a widget has been downloaded from a third-party site and no personal information is transmitted back to Apple". The daemon is simply helping Apple check to make sure that you're running the same widget that is advertised in the Dashboard section of their downloads site.Sounds like the crisis has been averted; nothing more to see here kids. Move along.
Get a WordPress.com Blog
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 2)
Dave Jeffery said 2:57PM on 7-09-2006
Regardless of the reasons, there should still be an option to disable it.
Reply
JTA said 3:02PM on 7-09-2006
Couldn't Apple have added a button in the Dashboard Preferences that did this function on command, rather than automatically? It seems you would only really need to run this every time you installed a widget from a third-party site. How many people install a widget every eight hours? I barely use the ones I already have.
Reply
George said 3:05PM on 7-09-2006
I have a modified Apple Weather widget because they haven't translated it to Spanish yet. What is supposed to happen then?
Reply
dombi said 3:57PM on 7-09-2006
JTA: honestly, I don't care. It is only checking for new versions of my widgets... many other software do similar things.
They stated that no personal information is being trasmitted, so that is good enough for me.
Reply
Andy Lee said 4:34PM on 7-09-2006
Sounds like the crisis has been averted; nothing more to see here kids. Move along.
Sorry for my tone-deafness, but was that sarcastic? Nobody seriously suspected Apple of gathering personal information. The problem was not telling us and not giving us a way to turn it off.
And there's another problem, which is that the idea doesn't make any sense, as JTA pointed out.
Reply
Dave Zatz said 4:54PM on 7-09-2006
"Sounds like the crisis has been averted; nothing more to see here kids. Move along."
DC, you may want to give Apple a pass but I don't. The point isn't whether this is a security or privacy issue, the point is Apple abused our trust by not notifying us and/or giving us a choice in the matter. Where's the off switch?
Reply
Sam said 5:01PM on 7-09-2006
There never was a "crisis", but the issue is most definitely not resolved properly by Apple yet. Fortunately there are many on the internet who have found good ways to permanently disable this "feature". Hopefully all sysadmins at large schools and businesses with Macs read those sites instead of spending large sums of money independently tracking this down. It's still given a rather huge black eye to Apple for anyone with a large number of installed Macs.
Reply
alexander s. said 6:13PM on 7-09-2006
I would guess they threw this out simply as a test, to see the reaction on a possible privacy violation.. probably for some feature to come..
Reply
Douglas F Shearer said 6:33PM on 7-09-2006
I have to agree with number 7 here, it does seem like a bit of an experiement. But then, it would look like a u-turn to later turn the functionality off.
Why not integrate this with 'Software Updates'?
Reply
jason mark said 7:18PM on 7-09-2006
To me this sounds like some really smart pre-emptive security. If I *was* going to write a virus for the Mac, the place I'd hide it would be in a tool that you could download DIRECTLY from apple. So I'd write a dashboard widget everyone wanted, and piggyback my virus on it, with a 3 month delay, get 10,000 people to download it, and then trigger the damn thing.
With an automatic, non-escapable, Dashboard widget check, should this happen (and it will if Apple Market share continues to climb), Apple can instantly turn off the offending Widget on ALL users machines. It won't prevent all damage, but it can keep it from spreading, and can also act as a deterrent for someone thinking of writing a widget virus.
Now giving power users an easy way to turn it off isn't a bad idea, but it sounds like there are enough of those cirulating on the web, so those people who know enough to safely turn it off, and still recover from a dashboard virus can, and those than can't hack the system don't have the option to turn it off.
Because Dashboard widgets are downloaded from the Apple site (unlike most applications), but are not created by Apple employees, having a way to "recall" those automatically sounds like a good legal CYA, as well as a smart way to keep OSX more secure than Windows.
Reply
Michael Gray said 7:41PM on 7-09-2006
I don't actually mind! - I want the most up to date stable widgets ... of course it would be nice to be able to turn this off in dashboard prefs - however, i'm not too concerned. As long as it doesnt tell me I have to reboot every 5 mins because I am installing security updates!!!
Reply
Armaan said 7:51PM on 7-09-2006
What I don't understand is why it has to check so often? Can't it just do it once a day? Or even better, have the user specify how often it phones home.
Reply
darkphan said 8:00PM on 7-09-2006
Or better yet, check when a new dashboard component is being installed.
Reply
Yuri Walkiw said 8:35PM on 7-09-2006
Dasbord?
Reply
Reg said 8:54PM on 7-09-2006
> Regardless of the reasons, there should still be an option to disable it.
I suppose you mean a checkbox or something, and I agree. But it only takes the same amount of time to cut & paste the appropriate command into the Terminal.
Reply
Dave Barnes said 11:15PM on 7-09-2006
Why is this a problem?
Little Snitch says "it wants to phone home" and I check "deny forever. Problem solved.
Not running Little Snitch, then that is your problem.
In the Windows world everyone (who is paying attention) runs a firewall program that checks both in- and out-bound communications (e.g., ZoneAlarm).
Reply
Padriac said 1:13AM on 7-10-2006
a) So... why is everyone disabling a security feature? Out of principle? What kind of message is this sending to Apple? Even if they should have told us, in the end, this is a good thing. 3 request per day = no big deal to average user. (yeah, yeah: mythical sysadmins. Why does everybody suddenly administer a 10,000 strong mac computuer network now that this has been revealed?)
b) Do all of you have have software update disabled as well?
c) Enough with the Little Snitch already. Little Snitch only helps prevents the security feature (the security being a good thing) but does not change the fact that Apple did not disclose it (the bad thing). Why is everybody disabling the good thing to get revenge for the bad thing?
Reply
Jake said 1:48AM on 7-10-2006
Never has the phrase "drank the Kool-Aid" seemed to be a better description of a blog entry. War is peace. 4 legs good, 2 legs better.
I think all your readers expect you to apply critical thinking skills to Apple's press releases & other PR statements.
Reply
Robert said 2:00AM on 7-10-2006
just make it part of apple's software update, problem solved...
Reply
Antony said 2:01AM on 7-10-2006
Well...have you seen the code that actually does the whole phone thing ? If not, then you cannot say what is "good" and what is "bad" thing. Does it check to see if we have the proper widgets ? Yes. Does it do anything else beyond that ? Noone knows. And by the fact this was not mentioned and not given the option to disable it, I have every right to be suspicious and sceptical about this "good thing".
Reply