Apple security alert: Mind your language

While sending out spyware threat notices, big tech firms should avoid using terms like “state-sponsored” or “nation-state” unless they can back the same with evidence.

Written by Rishi Raj

April 16, 2024 06:00 IST

The first one is the October 2023 alert and the second one came on April 11. (Image source: Reuters)

Apple was in the news last week for two consecutive days. On April 10, it was reported that the company has achieved a major feat in India in FY24 by producing smartphones worth $14 billion, which was double of what it manufactured in the previous fiscal. The achievement is by no means small, since the India production story started only some three years back and today, one in seven iPhones in the world are being assembled in the country.

The very next day — on April 11 — came the news that the company has warned its users in over 100 countries including India against mercenary spyware attacks such as Pegasus in their devices. A similar alert was received by users on October 30, 2023. While all hell had broken loose in October, this time no such thing happened, though the country is in the midst of a sharp and polarised election.

What changed between October and April? Trivial as it may sound, the answer is the language or, to be more precise, the wording.

Sample this: “Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID.”

And this: “Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID.”

The first one is the October 2023 alert and the second one came on April 11. Both are the same, barring that in the former, the supposed attackers have been named as “state-sponsored” and in the latter, “mercenary spyware”, and therein lies a tale and a lesson.

The usage of the term “state-sponsored”, followed by Opposition leaders, activists, and journalists flashing screenshots of their iPhones, indicated that the government was behind the move. Put simply, the phones of the Opposition leaders were under surveillance.

Free press, a fearless Opposition, and an independent judiciary need to be protected at all times. So, any attack on their freedom, especially through “sophisticated” spyware, is not something to be taken lightly. It needs serious examination and investigation since stakeholders’ privacy and security — sometimes their lives — can be at threat.

Since there is no brouhaha this time, one can safely come to a set of conclusions. First, it seems that there was no surveillance by the government. Had that been the case, questions should have been raised this time too, as Opposition leaders and activists are not likely to be convinced by a mere change in the wording of the security alert.

Second, Apple, the maker of iconic brands, should have known all along that “mercenary spyware” is the right terminology rather than “state-sponsored” — the former encompasses governments, non-state actors, and even private companies.

Third, the ruling party, which ordered an investigation in the matter, in which Apple was asked to cooperate and explain the vulnerabilities in its security system, should also have known better. It never clarified whether any of its members possessing iPhones received such alerts. If they had shown the screenshots of their phones, the matter would not have become politically acrimonious.

Fourth, while Apple could obviously have done better by using more accurate and transparent language in the notifications, it’s hilarious that the company was under attack. This is because the fact is that 94% of India’s smartphone users are on non-Apple devices.

Did anybody, at any stage, bother to ask why we are not seeking an explanation from Xiaomi, Oppo, and Vivo, the three Chinese companies that occupy 80% of India’s mobile phone market, and Samsung, which occupies approximately 12%, for not alerting their customers of any such spyware attacks?