
You were wrong then and you're wrong now. It's not really possible to be cordial about this topic.

There should never be any process acting against the user's interests on a device that they own. Ever. Full stop. The only reasonable option is to do full encryption on the device without any system that allows inspection or identification of the material being encrypted. It didn't matter that vouchers enabled the decryption of the material after a threshold was hit. There would have been logic running on everyone's device acting as a snitch. At some point that functionality would be expanded and abused.

Your optimistic point of view does not align with the reality of how this kind of technical capability becomes misused over time. The ones that create these things are not the ones that control them 20 years later.



It only ran when iCloud was enabled for photos - this makes it essentially a cloud feature. If this wasn't the case I'd agree with you.

I think it's a better outcome if it leads to iCloud encryption.

A reasonable person could think it's better to just have iCloud remain unencrypted and keep that separation strict in a more pure kind of sense (scan of unencrypted photos on server vs. hash threshold test on upload), but I think that person would have to acknowledge that the policy as described (only being enabled with iCloud photos enabled) is not worse (and if it enabled iCloud encryption is better on net for privacy) than the default in terms of what is specifically happening. It's more of an ideological argument about separation of server/device than what the specific implementation was.


> this makes it essentially a cloud feature.

Wrong. Physically, the routines run on the device. It is not a cloud feature by definition. There are no wormholes here. The work happens on the device. When this work happens the device's battery gets drained so it's happening on the device. It's not a cloud feature. Both technically and physically you are wrong here. I hate that you have this wrong and continue to say it. Stop saying it because you are actually lying.

It's not a better outcome because other companies with the follower-like mentality that most product managers and execs have would attempt to copy and one-up Apple only to create a worse and more easily abusable implementation, just like the notch. Just like any socially acceptable, easily marketable act that can be hashtagged and spread. That idea would have been an infection of the worst kind.


You're kind of arguing a straw man, sure it technically runs it on the phone (I don't dispute that), but only when upload to iCloud is enabled and the photo is being uploaded to iCloud. The latter bit matters (and what I meant by 'essentially'). Running the check on the phone on upload with these constraints is what would enable iCloud to be encrypted.

I don't think there's much point in discussing further, the main disagreement is already visible in the thread.


> only when upload to iCloud is enabled and the photo is being uploaded to iCloud

You have to trust Apple that this will always be the case.

Your model should be to trust no one. Don't take anyone at their word as it's subject to change at any time. Especially not a corporation which is easily manipulated by governments (look how they bend to Russia and China).

It's entirely obtuse that this can be turned on with product use. Product use that might be triggered at a distance by simply using the "blessed path". Most people won't even be aware this is happening. And that's beyond shameful.

This puts one foot in the door. There will be more. They'll be ramming everything through that they can to spy on you.

Companies should not be trusted with liberty and privacy. Not even Apple.


> You have to trust Apple that this will always be the case.

You're right of course, but I'd argue this is true in either case. If you're using an iPhone you're trusting Apple is doing what they say they're doing and there's not much you can do about it.

> Your model should be to trust no one. Don't take anyone at their word as it's subject to change at any time. Especially not a corporation which is easily manipulated by governments (look how they bend to Russia and China).

I actually agree with this general idea (I work on urbit fwiw), I just think in this case you already have to trust anyway. If they're going to lie and do something differently that's bad - I just think that's independent of this policy and the policy specifics matter.

As it is, unencrypted iCloud is a worse state imo, but as I said elsewhere reasonable people can disagree with this. The specific policy as described though isn't worse - it's people's assumption that it increases risk of an abusive policy that is. My take is that that risk is there in either case and really independent of this policy.



