I am certainly happy about the steady pro-privacy process. I personally consider Apple full of shit until two features are released:
1. Contact sharing needs a complete overhaul. Some apps need to have access to my contacts. I get this. But they only need the name and the phone number. They don’t need addresses, birthdays and additional notes I put in m contacts.
Sure, I could have a separate contacts app with "meta data", but this would break the integration of Contacts in other Apple products.
2. Photos. It is either full access or no access. For example, I don’t trust WhatsApp. I share photos through WhatsApp by opening the Photos app, tap share, share via WhatsApp. This works okay.
But generally speaking: why can’t Contacts and Photos have the same sophisticated access control system like Health? Heck, make it optional for iPhone users, but at least offer it.
Agree tighter control over contacts sharing would be nice but I don’t think it’s malicious on Apple’s part that this isn’t possible - they’ve quite clearly shown they are on the side of user privacy, but they do also tend to move at a fairly slow pace
This seems to increase the amount of work a user has to do in practice. I suspect most users will end up sharing the entire library. From the link above:
> There's also the entirely new option Select Photos..., which leads the user through to the Camera Roll to pick one or more images to share. It is specifically images that users can opt to share, rather than albums.
> Which then means there is an issue that the next time a user wants to post an image, they find their selection confined to solely the ones they specified before. To change that and allow all or just different images, the user has to go to Settings on their iPhone.
My wishlist for fixing photo privacy on iOS:
1) Applications don't need to ask for permission to write photos to iOS folders. These get written to a separate album ($appName or $appDeveloperName by default), e.g. if you save a photo from Twitter it gets saved to your Twitter folder.
2) Photos taken by the iPhone Camera (presumably your personal photos) get stored in a special 'Camera' folder. Apps can ask for read/write permissions specifically here. Eg a photo editing app like VSCO or Darkroom may only need read permissions to begin with, but if it also wants to in-place replace your photos with its edited photos, it'll need read+write permission as well.
3) What about apps that occasionally need access to photos (e.g. social media apps) but you don't want them to have access to everything? The solution is to implement a OS-level photo picker in iOS with a UI can't be over-ridden and which makes clear you're sharing your selected photos with $appName. And ensure apps which want access to photos have to make the user go through the OS-level photo picker.
> he solution is to implement a OS-level photo picker in iOS with a UI can't be over-ridden and which makes clear you're sharing your selected photos with $appName.
This has existed forever - in fact, for far longer than applications have had the option of requesting full access to your camera roll. Unfortunately most applications have decided they prefer to take over the experience, and provide absolutely no fallback option if you reject giving them access.
Apple really just needs to make it mandatory to present a UIImagePickerController instead of whatever "integrated experience" an app provides when permissions to the photo library are denied. That would have been a much saner solution than this abomination - I don't want Teams to have the ability to wander around my photo library just so I can share a quick snap of a whiteboard. But I don't get a choice, because denying permission just makes it throw an error message up saying it doesn't have access.
From using my app on iOS 14 it appears the way it works is based on you accessing the photos library. So it goes like this:
Initial launch - user chooses a few photos.
User switches apps, and returns - the same photos are selected.
User force quits app (or doesn't use app for a few days and it gets killed off)
User opens app, and is then prompted whether they want to "Keep Current Selection" or "Select More Photos" the first time the app accesses the photo library in some way (I think this is based on when you do a photo permissions check, but not positive.)
#3 has existed since the iPhone added apps - UIImagePickerViewController - if you use it, you don't need photo permissions and you only get access to the photo the user selected. Most social media apps probably just skip using this because they want photos permission everywhere to do things like "post latest photo" or to show their own photo picker UI.
Select photos seems reasonable and if it's implemented right then it should be no more work than I was about to do anyway (select specific photos to share).
That's a very good start. I hope the feedback during the beta causes those controls to evolve a little bit so that it's more straightforward to change which photos an app can access.
The choice of only allowing access to specific actual photos seems an unusual one.
I would have thought there was a big debate in Product Mgmt over this vs the more obvious allow an app access to a given album.
One presumes the sticking point came when someone took a photo out of an album. Does that mean they are explicitly removing access? I don't see it as a huge issue... maybe there is some kind of technical
hurdle involved as well, otherwise the choice seems unusual
Nailed it. Using albums is the engineer’s answer to what is technically best. In the real world it doesn’t work because nobody knows how to, much less actually uses albums. And even if you do, what are the chances you have an album with exactly the photos you want to share? So you’ve got to select the pics you want anyway, but now you’ve also got to create an album first to put them in. It just adds to the work and confused and irritates people.
Yes they do. People who value the curation of their photos will take the time to do it. I create an album for any event etc. which I expect I'll want to photograph. It's easier to share and re-share the same set of photos, and it acts like a log of cool stuff.
Also, I don't have to scroll through months of memes to get to that one good photo I took in July 2017... or was it August..... maybe it was 2016......... shit.
> People who value the curation of their photos will take the time to do it.
Sounds like only something people who aren’t stressed from their underpaid jobs can do? Most people are kept busy and don’t have time to fit into this dark (corporate app) pattern.
The argument is that many corporate apps upload things without the user's consent or prior knowledge (revealed here by iOS 14 [1]).
Your post was in my eyes saying this issue was up to individual users to tackle. I disagree with that. I think it is instead the governments' role to regulate and reel in predatory and parasitic corporations.
My wife is not in a tech related industry, so I consider her "normal," and yes, she does use albums.
She has albums for work stuff. She has albums for home decorating ideas. She has albums for the various screenshots she collects of things she wants to remember. She has albums for different places she's been.
I know that the people she's friends with use albums because I've heard it mentioned.
I think normal people use albums. Tech people don't. Which explains why a company like Apple, that tries hard to court normal people, not tech people, has them.
I've had an iPhone for years. I didn't even know albums existed. I've just noticed the tab in Photos when I went looking for it after reading your comment. And it turns out, I do have one other album already, with a couple of photos in it, though I have no idea why or whether I created the album or how the photos got there or what purpose it serves.
When it comes to security features, simple and obvious behaviour is good, pretty much always. The same is true of user interface design, and the lack of both documentation and natural discoverability on iOS has always been a pretty glaring weakness of the platform. Complexity creates edge cases, and edge cases create vulnerabilities, including due to misunderstandings and resulting human error.
Judging by the other replies to the parent comment, apparently I'm not alone here, so I'm guessing if Apple did any user research about this, that "big debate" probably lasted a few seconds...
I take a lot of photos and I use the album feature a lot. But when I am going to for example post a photo to Instagram I don’t at all want to have to put the photo in a dedicated Instagram album just so I can post it. That is to say, one mans “obvious solution” can be another mans annoyance.
Interesting that you "personally consider Apple full of shit until..." and then demand _they_ be more granular (It is either full access or no access.) Couldn't you consider Apple partially filled with shit?
Ok, if you take it literal: Apple is partially filled with shit, because they try to tackle privacy but seem to miss some very obvious design choices where users would benefit a lot if they were implemented properly.
As I said, I'm glad they tackled the Photos problem. But of course, I could ask what took them YEARS to do so. They even have a private album in Photos but didn't think that some apps shouldn't get access to these pictures?
There's totally a middle ground between 'full access and no access'. Apps can show UIImagePickerControllers and CNContactPickerViewControllers whenever they want, without any permissions. They then get the photo[s]/contact info the user picks.
Which is exactly what most apps actually need.
WhatsApp has no good reason to look at any image you aren't explicitly choosing to share right now. The only user-facing WhatsApp feature that requires Photo library access is the scrolling list of recent photos on top of the in-app camera.
WhatsApp has a better case for asking to continually scan your contacts to show you people with accounts. But instead of just falling back to asking for a phone number when you don't give permission, it could show the contact picker, and check the accounts you pick.
Unfortunately, in both cases, WhatsApp takes the all-or-nothing approach - it asks for the blanket permission, and has no fall-back if it is denied.
> There's totally a middle ground between 'full access and no access'. Apps can show UIImagePickerControllers and CNContactPickerViewControllers whenever they want, without any permissions. They then get the photo[s]/contact info the user picks.
If they don't use this control you can also inject whatever photos you want into most apps using the share sheet. It does mean you have to exit the app and go to photos, but as you point out, it's the app maker's fault for not supporting the extremely privacy friendly `UIImagePickerController`.
Roughly speaking, current OSs "stop" at tools for interacting with data, and the hardware behind it.
In this world where we expect internet access, I'm beginning to think OSs need to manage certain types of data more proactively. I'm trying to wrap a general point around your concerns about contacts. Contacts seem one of the data types that need something approaching OS level tooling. For me, another is "tags". I want to use the same set of tags I apply to "files" to apply to "contacts" too.
I keep hoping someone will make a rival OS that tackles this head-on. Start at Haiku, sprinkle some of Apple's "the UI isn't a virtualised office any more" UI paradigm, model a small handful of human-centric data types (like places, people, maybe individual health, too) and the access and interaction rules that support them safely and really run with it.
They had a People hub that collated all your contacts and had reasonable sharing mechanisms for the data. HERE was essentially that places concept. I'm sure if Windows Phone had kept traction, it would be integrating your smart device health data into live tiles and a hub interface for all the metrics.
My son and I were both long time Windows Phone users. It never gained the public acceptance required to survive, but I don't know anyone that used it for any length of time, that does not miss it. The UI was very intuitive and it just worked for me. My brother is still running it on his Nokia phone, that seems to be lasting forever. I am not sure which model it is, but the camera on it is fabulous. I wish I had picked one of those up.
Windows Phone’s hub concept was marvelous. As a user I don’t care if I’m messaging you though MSN Messenger* , Skype or XMPP; I just want to IM. Gaming hub integrating with Xbox Live was a nice touch, it felt like MS finally got the concept of an ecosystem.
Except when you realize all of those implementations needed to be coded by Microsoft. There was no way for a third party to plug in. I heard some things from MS people that the clients for IM services were driven server side which would have made it hard and inelegant to add additional protocols.
Nokia's maemo had this done with better execution. The SMS app had a plug-in for xmpp and I used it for Google talk. I think I used a third party one for Google voice. There was a Skype one that supported calling through the normal phone app but it didn't work very well. The clients were run on the phone and not in the cloud.
IIRC you had to do server side push as Windows Phone 7 didn't support local notifications and always-on Internet connection. Some IM clients used some tricks to run in background, such as masquerading as a streaming audio player (that had always-on capabilities enabled) but you lost the music player capabilities of your smartphone when running those apps.
WP8 relaxed some of those restrictions but it wasn't enough to truly develop a IM client.
It's true that only Microsoft could create such integrations, but it was a business decision. On Windows Phone 7 era, regular developers couldn't deploy native code and you couldn't call native APIs directly from the managed .NET/Silverlight runtime. Native SDK wasn't available at all, but it was a regular Windows CE at its core.
Maemo's was way superior to Windows Phone. It's a shame that Microsoft trojan-horsed Nokia.
Add Background App Refresh to this please - considering that apps exfiltrate 4G/WiFi connectivity info (helpful to triangulate your current location) regularly to tracker/analytics scum APIs with this feature - it should be exposed as a Privacy setting, not buried in Settings. I don’t understand what’s hard about this for Apple to be eerily silent on this.
Background App Refresh also has a significant battery life impact. I keep mine disabled and get a significant battery life increase with little downside.
The feature should be a per-app opt-in instead of being enabled by default and buried in settings.
1) a way for apps to display a view that shows the contact name for a phone number, with specified styling / sizing / etc, but without being able to determine what that contact name is.
2) an App Store rule that forbids apps from requiring contact access unless they can't function without it. WhatsApp forces you to provide contact access, giving Facebook your place in the social graph even if you don't use Facebook, even though WhatsApp should be usable (using phone numbers) without it.
WhatsApp works so well because it is tied into the same contacts that you already have on your phone. Without access to your phone’s contacts you would need to set up and manage an entirely separate set of contacts. Right now, Grandma could download WhatsApp and instantly start chatting with her granddaughter without having to remember what her phone number is because it’s already there. That’s a major selling point of WhatsApp.
I revoked Contacts access in WhatsApp a year ago. It works just fine. Problem is: WhatsApp only shows the phone numbers in the list and NOT the usernames of people. This is rather annoying, because I don't know any phone numbers by heart. Profile pics help a bit, but people change them and often don't have pictures of themselves.
Signal shows the nicknames next to the numbers which is a really nice feature and makes it pretty much perfectly usable without contacts permission, except that it constantly nags to grant the permission.
I understand that. I'm just saying that there should be a middle ground between "give Facebook full access to my entire contact list" and "cannot use the app at all". For example, WhatsApp should be able to trigger a contacts picker, without needing to have access to the full list of contacts. And it could even be able to show a styled view for "the contact name for this phone number" without needing to know what the name is.
WhatsApp does work if you revoke Contacts permission after setting it up, but IIRC you can't onboard when you first install the app if you don't grant it. Forcing the granting of the permission should be against App Store rules.
I use WhatsApp after revoking its contacts permission and it's pretty much fine. As an aside, same with Signal, and I really don't understand why a supposedly privacy-focused app like Signal nags hard to get contacts permission when it works perfectly fine without; it even shows people's chosen nicknames next to their numbers.
You can easily solve this with UX. Select new message, show the picker, select one or more contacts and then you have the identifier you need and you don’t need blanket permissions.
In fact, I'd much prefer to share with apps like WhatsApp (although I don't use it anymore) and Telegram only the contacts I manually select. There's no reason for them to know all barbershops I ever called too, and I don't even really need to know that an acquaintance of mine started using Telegram, I only contact those who I know to use Telegram beforehand anyway.
“Instead of sharing your entire Contacts list in third-party apps, you can now type individual names to automatically fill their corresponding phone numbers, addresses, or email addresses in fields that request it. The autofill happens on your device, and contacts are not shared with third-party developers without your consent.“
This is pretty clear to me, you type a name, it’s looked up in your contacts by the OS, data is retrieved if there is a match and placed in the form. This is not the same as sharing an individual contact and allowing the app to continue to read it later, but still gives you a means to give contact data to an app without giving it access to the entire list.
1. Contact sharing needs a complete overhaul. Some apps need to have access to my contacts. I get this. But they only need the name and the phone number. They don’t need addresses, birthdays and additional notes I put in m contacts.
Sure, I could have a separate contacts app with "meta data", but this would break the integration of Contacts in other Apple products.
2. Photos. It is either full access or no access. For example, I don’t trust WhatsApp. I share photos through WhatsApp by opening the Photos app, tap share, share via WhatsApp. This works okay.
But generally speaking: why can’t Contacts and Photos have the same sophisticated access control system like Health? Heck, make it optional for iPhone users, but at least offer it.