Critics chafe as Macs send sensitive docs to iCloud without warning

Representing a potential privacy snare for some users, Mac OS X Yosemite uploads documents opened in TextEdit, Preview, and Keynote to iCloud servers by default, even if the files are later closed without ever having been saved.

The behavior, as noted in an article from Slate, is documented in a Knowledge Base article from December. But it nonetheless came as a surprise to researcher Jeffrey Paul, who said he was alarmed to recently discover a cache of in-progress files he intended to serve as "temporary Post-It notes" that had been silently uploaded to his iCloud account even though he never intended or wished them to be.

"Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers," Paul wrote in a recent blog post.

Once upon a time, in-progress files were stored locally on a Mac, a design that gave users more ability to prevent sensitive files—say, those created on the fly to store passwords, a Social Security Number, or confidential client-attorney work product—from being accessed via law enforcement or national security dragnets. Whereas locally stored files residing on a FileVault-protected Mac require the adversary to have physical access and possession of crypto key, the bar for accessing files stored in iCloud is lower, according to former National Security Administration contractor Edward Snowden.

The iCloud autosave provides a convenience that many users no doubt are happy to have. After all, the cloud copies allow users to pick up right where they left off when switching Macs or turning on an iPhone or iPad to resume work on an unfinished letter, presentation, or other type of document. But critics object to the behavior being turned on by default without a more explicit warning that it funnels potentially sensitive data to Apple servers.

"I think the iCloud thing is really nasty behavior (and it’s apparently in Mavericks too) so I’m surprised that it hasn’t been mentioned in the tech press," Matt Green a professor specializing in cryptography at Johns Hopkins University, told Ars. "I’m sure someone will twig to it soon."

As Paul noted, the autosave feature is turned on unless users take action to disable it. One way is to turn it off within the settings can be accessed in System Preferences > iCloud > Documents & Data. Another way is to save a blank file and then type notes afterward.