Opening TextEdit in your MacBook to jot down some notes may feel like the digital equivalent of scrawling on the back of an envelope. Unfortunately, those unsaved notes may not be as private as you think they are—and likely haven’t been for a while.
If you’re like the majority of Mac users, you may think your in-progress files—the ones you haven’t explicitly saved—are being stored directly on your hard drive. And with FileVault 2, a full-disk encryption feature included with your OS, Apple has made it easy to encrypt the contents of your entire drive, offering an additional layer of security if your laptop is stolen—especially if you store your own recovery key.
But security researcher Jeffrey Paul recently noticed that Apple’s default autosave is storing in-progress files—the ones you haven’t explicitly saved yet—in the cloud, not on your hard drive. (Surprise!) Unless you decided to hit save before you start typing, or manually changed the default settings, those meeting notes, passwords, and credit card numbers you jotted down in “Untitled 17” are living in iCloud.
Although this issue seems to be a recent phenomenon, it appears that it’s been happening since at least December of last year, according to Apple’s Knowledge Base, and it doesn’t just affect TextEdit, but also Preview, Pages, Numbers, and Keynote. Hopefully there wasn’t anything sensitive on those screenshots, spreadsheets, presentations, and documents you haven’t yet saved, or you were using other programs. (Luckily, Word for Mac isn’t affected—but it’s far too clunky to open on the fly.)
You can turn off this surreptitious feature in Documents & Data —> Apple —> System Preferences —> iCloud —> Documents & Data, or you can save your empty file before you even start typing. But that’s not really the point. The problem is that users intuitively expect their in-progress documents to be saved locally, but these files are being stored on the Cloud instead.
“It’s a behavior nobody expects,” says Matthew D. Green, a research professor teaching applied cryptography at Johns Hopkins University Information Security Institute.* “I’m fine with things that I haven’t saved being stored on the hard disk. I’m OK with that. I think it’s a nice feature. But things that I haven’t explicitly put on in the Cloud getting snuck onto the Cloud is a bizarre feature.”
Although it seems that the feature has been around for a while, Green says most people haven’t noticed: It’s not well-labeled in the operating system, and there’s no warning box to let the user know it has happened. And even though Apple’s documentation states that once you save a file locally, it will be removed from iCloud, Green points out that cloud storage doesn’t always support immediate deletion—so that information you typed in the file or those screenshots you previewed may still live in the Cloud for a while after you’ve saved them on your hard drive.
People were up in arms about a free U2 album being synced to their phones, but outside of the security community, there’s been little public outcry about these troubling autosave defaults. “I’m baffled as to why people don’t think it’s a big deal,” says Green. “It’s a big deal to me.”
There is always a tension between security and usability. That’s the reason so many people pick lousy iCloud passwords—they double up as Apple ID passwords and are used time and time again for iPhone app purchases for anyone who hasn’t enabled Touch ID. This makes accounts more vulnerable to being hacked. Even enabling two-factor authentication—which many users do not do—has many limitations and workarounds.
Some users may not care if their drafts and unsaved screenshots are traveling across the Internet and being uploaded to Apple cloud servers. That doesn’t mean that there shouldn’t be some kind of opt-in or a warning for all users—since so many are unaware that there’s some hidden feature buried somewhere in their settings that they need to selectively disable for any app they don’t want to be automatically synced to the cloud.
Silently uploading in-progress documents without user notification is troubling enough for people temporarily storing business notes, passwords, and credit card information. In other situations, it can be downright dangerous: journalists taking notes on sensitive topics, domestic violence shelters jotting down addresses and specific information about victims and perpetrators, or scientists working with personally identifiable research data.
As we move toward a digital future in which people become more and more reliant on cloud services, manufacturers need to offer sane defaults—or at least explicit opt-ins—rather than enabling sneaky default settings that are difficult to detect on a public that is largely unaware.
*Correction, Nov. 3, 2014: This post originally misspelled Johns Hopkins University.