The author of the blog post makes a wild leap (from "A daemon connected to Apple's servers when I used QuickLook on a file" [paraphrased] to "Apple Has Begun Scanning Your Local Image Files Without Consent [...] Stock macOS now invades your privacy via the Internet when browsing local files [...] macOS now contains network-based spyware"), with the strong implication that information about those files is being sent to Apple while stopping just short of actually claiming that.
I've seen these kind of accusations of spying be made a lot based on misinterpretation of very scant evidence, and without something more concrete I think that's almost certainly what's happening here. A far more likely explanation IMO is that the daemon is doing something like checking for regional availability of the Live Text feature (still somewhat problematic but definitely nowhere near the same ballpark), as partially suggested by this commenter: https://infosec.exchange/@yProd/109698545121198396
Agree with gp that this is an astonishingly huge logical leap by the author. I would guess the author left the default “report metrics to Apple” on, and Apple is noting that “a user leveraged the photo preview feature for the first time in X days.” I do wish these metrics were opt-in but I somewhat get the decision from a PM standpoint, and to their credit Apple presents this choice to the user during the setup process in a really hard-to-miss way.
Incredibly lazy blog post IMO, if you’re going to write an article and video on an infosec site, take the time to MITM the connection so you can avoid purely tinfoil speculative reporting. Apple likely does not make this easy but it is possible to do anything when SIP is disabled.
The blog post reports it happening once, not every time. I'd agree that it would feel significantly worse/more suspicious if Apple's servers were contacted every time I previewed/opened a file.
There is no legitimate reason why quicklook should be hitting an API when I preview a bitmap in the Finder.
Analytics and Siri Suggestions are off. I don't use iCloud.
Text recognition models would likely be served from an Apple CDN, not api.smoot.apple.com.
I don't know what it's sending (an API hostname suggests some dynamic server code, not just a file download), but it should not be sending anything at all. I don't want it to, and I never consented to such transmission.
I didn't make the claim that file information is being sent because I didn't want to publish anything but facts. I have not done any RE on the binary itself as yet.
I'm responding to you in good faith in the hope that you will take this with an open mind, but now that I see the previous thread, I'm worried that you might not. I'm not sure if you saw this comment but I thought it was particularly constructive and deserves consideration: https://news.ycombinator.com/item?id=34403107
> I didn't make the claim that file information is being sent because I didn't want to publish anything but facts.
When you say "Apple Has Begun Scanning Your Local Image Files Without Consent" what 95% of people will hear is exactly the claim that scanned data is being sent to Apple. I don't think you can in good conscience say that you're only publishing facts if you are aware of the rate of misinterpretation and don't attempt to clarify.
Ironically you're doing exactly what you're accusing Apple of: saying technically truthful things that say one thing that cause people to believe a different thing (which is, as far as we know, not factual).
The post makes big accusations and extrapolations without proof or research, based on a web request whose contents this 'security researcher' didn't even see. A quick web search reveals mediaanalysisd has been a part of macOS since at least 2017.
It is disappointing to see Louis Rossmann blindly repeating any random claim from any random person. This is the same person who created a 'standard' (https://consoledonottrack.com) and spammed a bunch of popular projects with it with an entitled attitude.
I am not a fan of the Apple Tim Cook is leading, but let's be reasonable and put down the pitchforks for a moment. A single web request does not immediately equate to your files being scanned without consent. Louis should know better, and you should not believe any random crap just because he repeats it.
Anyone know how to actually examine the contents of the request? Everyone's tossing around their own theories as to what this request is for but it looks like nobody's doing any real investigation. I'm on macOS Ventura and I tried this method that was suggested in another HN post: https://lapcatsoftware.com/articles/logging-https.html
But it doesn't seem to work. According to the aforementioned post, Apple system binaries are using cert pinning so it's difficult to intercept the network requests that they make. The suggestion was setting an environment variable to politely ask them to log their requests. I don't think mediaanalysisd respects this variable, however.
This is why I avoid buying a macOS laptop: creepy surveillance of users, and the fact that they wanted to scan users' photos and denounce them to the police.
They wanted to be the friends of the Police State, and they are friends of China.
Is there a hosts entry I can add to block this behavior?
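Two practical questions in this thread are "which process actually opened the connection?" and "what hosts entry blocks it?". The following is an added example, not code from the blog post or from any commenter: it parses a snapshot of `sudo lsof -i -P +c 0` output (the `+c 0` flag stops lsof truncating command names) to list processes connected to a given hostname, and then produces an idempotent sinkhole entry for that host. The `lsof` lines and the hosts file below are constructed sample data, not captured from a real Mac; `api.smoot.apple.com` and `mediaanalysisd` are the names already mentioned in the thread.

```python
"""Triage which local processes talk to a host, and sinkhole it via /etc/hosts.

Added example for this thread, not Apple's or the blog author's code.
Assumes the reader has saved `sudo lsof -i -P +c 0` output to a file;
the SAMPLE_LSOF text below is constructed to look like that output.
"""
import re
from collections import defaultdict

# Constructed sample, not real lsof output from any machine.
SAMPLE_LSOF = """\
COMMAND          PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mediaanalysisd  4242 root   12u  IPv4 0x1abc      0t0  TCP mymac.local:52811->api.smoot.apple.com:443 (ESTABLISHED)
Safari           901 jane   55u  IPv4 0x2def      0t0  TCP mymac.local:52900->example.org:443 (ESTABLISHED)
rapportd         310 jane    4u  IPv4 0x3fed      0t0  TCP *:49152 (LISTEN)
"""

# Constructed sample hosts file, not a real /etc/hosts.
HOSTS_SAMPLE = """\
127.0.0.1 localhost
255.255.255.255 broadcasthost
"""

# One outbound connection line: command, pid, user, protocol, local->remote:port.
CONN_RE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?\s(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)->(?P<remote>[^:\s]+):(?P<port>\d+)"
)


def connections_to(host, lsof_text):
    """Return the processes in an lsof snapshot with a connection to `host`.

    Matches the exact hostname or any subdomain of it. Listening sockets and
    lines that lsof could not resolve to a name do not match.
    """
    host = host.lower()
    hits = []
    for line in lsof_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        remote = m["remote"].lower()
        if remote == host or remote.endswith("." + host):
            hits.append({
                "command": m["command"],
                "pid": int(m["pid"]),
                "user": m["user"],
                "proto": m["proto"],
                "remote": m["remote"],
                "port": int(m["port"]),
            })
    return hits


# Unroutable addresses used to sinkhole a name for IPv4 and IPv6 lookups.
BLOCK_ADDRS = ("0.0.0.0", "::")


def parse_hosts(hosts_text):
    """Map each hostname in a hosts file to the set of addresses it resolves to."""
    table = defaultdict(set)
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name.lower()].add(addr)
    return table


def is_blocked(hosts_text, host):
    """True if the hosts file already sinkholes `host` with a block address."""
    return bool(parse_hosts(hosts_text)[host.lower()] & set(BLOCK_ADDRS))


def ensure_hosts_block(hosts_text, host):
    """Append sinkhole entries for `host` unless they are already present."""
    if is_blocked(hosts_text, host):
        return hosts_text
    out = hosts_text if hosts_text.endswith("\n") else hosts_text + "\n"
    out += f"# sinkhole {host}\n"
    for addr in BLOCK_ADDRS:
        out += f"{addr} {host}\n"
    return out


if __name__ == "__main__":
    target = "api.smoot.apple.com"
    for hit in connections_to(target, SAMPLE_LSOF):
        print(f"{hit['command']} (pid {hit['pid']}, {hit['user']}) -> "
              f"{hit['remote']}:{hit['port']}/{hit['proto']}")
    print(ensure_hosts_block(HOSTS_SAMPLE, target))
```

Take the lsof snapshot while reproducing the QuickLook trigger, since the connection is reported as short-lived. A hosts sinkhole only stops name resolution; it tells you nothing about the request body, so it does not settle the thread's real question, and whether a given system daemon honours /etc/hosts at all is something to confirm by taking the same snapshot again after the change.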
https://sneak.berlin/20230115/macos-scans-your-local-files-n...
Not normal behaviour