
Apple Opens up parts swapping between devices

hishnash
5 minutes ago, Kisai said:

That's not small potatoes, that's 18% of the phones sent to be recycled being diverted.

but none of this is related to people's phones being stolen.. which is the point i'm trying to make, and you're not getting.

 

none of this is related to your phone getting stolen. it's about apple's bottom line, and they're spinning it as if it benefits you.. and you've clearly taken the bait.

 

so.. to reiterate..

my point is that none of this is "protecting the user" against their phone being stolen. it's protecting apple's ability to deem your phone "dead" and have you buy a new phone instead of visiting unauthorized repair shops.

yes.. these repair shops often use parts of questionable origins... why? because apple makes darn sure that they cant get any parts from official sources.

 

to put an example behind this.. i work for a battery repair shop.. the majority of our work is stuff with a proprietary BMS that has some sort of communication, so we have to replace broken ones with another BMS from that manufacturer..

now, we cant buy those.. so what do we do? we buy 'recycled' batteries by the truckload, dismantle them, dispose of the cells through a recycler, and test the BMS'es to stock up on working ones.

now.. it *is* theoretically possible these truckloads of batteries contain *some* batteries that would have come off stolen bikes at some point.. but it would make no sense to steal E-bike batteries to sell to a recycler.. we pay so little per battery that a potential thief would have to steal potentially hundreds of batteries each day to make an actual living for themselves. i'm gonna assume that 'for recycling' iphones dont pay that much more.. so by extension the idea that phones would be stolen *from users* *for parts* simply does not make financial sense. the value of these refurbished parts comes from the refurbishing job, not the device they came out of.

 

also.. i want to say this;

if 18% of the phones destined to end up in a blender is pulled aside for harvesting parts for refurbishment.. i'd see that as a good thing, reduce, reuse, recycle, in that order. if we can reuse, we should not recycle. the only reason why this is "a bad thing" is because apple does not want this to happen, any potentially repaired or refurbished iphone is a potential for one less iphone sale. this is apple's problem, not your problem. you should not defend apple's position in this regard, because apple's position is directly opposed to iphone users' position in this regard. it is unrelated to whether or not you like having an iphone, it is something you should be against no matter the rest of your preferences. you should be pressuring apple to allow more reuse before they can start marketing about how much they recycle.


21 hours ago, manikyath said:

but none of this is related to people's phones being stolen.. which is the point i'm trying to make, and you're not getting.

Nope, you're not getting it. Apple wants to ensure that only Apple parts that Apple made go into Apple devices.

 

21 hours ago, manikyath said:

 

also.. i want to say this;

if 18% of the phones destined to end up in a blender is pulled aside for harvesting parts for refurbishment.. i'd see that as a good thing

Did the recycler test all these parts? No. What if some of those parts contained customer data, or was damaged in being removed and caused customer devices to catch fire?

 

You're not getting it. The correct answer here is "Apple must buy back devices, take them apart themselves and reuse parts that are qualified to be reused." Clearly sending the parts to a third party results in diversion and no quality checks, otherwise they would not end up in the supply chain at all. Having the recycler steal parts under the guise of "saving the environment" is not the right answer. They were paid to do a thing, and didn't do a thing. If they were not willing to do the thing, then they should not have bid on the contract to do the thing.

 

The right thing here would have been for NOBODY to bid on destroying iPhones, only dismantling, testing and refurbishing phones from parts they are permitted to use. That should be in the contract signed with Apple. But this may require government arm-twisting of Apple to do this. Alas it's cheaper to send things to the landfill than it is to recycle, and many "recycling" is little more than sending an item to Asia to be burned in their incinerators.

 

 


2 hours ago, Kisai said:

 

Nope, you're not getting it. Apple wants to ensure that only Apple parts that Apple made go into Apple devices.

which is exactly the point i'm making.. none of this is related to theft of people's phones, but that wont stop apple from fearmongering that your precious device might be stolen if you are able to feel just a bit of freedom.

2 hours ago, Kisai said:

Did the recycler test all these parts? No. What if some of those parts contained customer data, or was damaged in being removed and caused customer devices to catch fire?

what if you buy fruit at the store and it happens to have a bug in it?

besides, the only part that *can* contain customer data is the motherboard.. and i'm fine with the concept of locking those down, for that very reason.

 

also - things catching fire isnt NEARLY as big of a problem as you make it out to be here.. you essentially have the same chance at a fire spontaneously happening with an apple refurbished phone as you have with a third party refurbished one.

because.. surprise surprise.. apple isnt the only company in the world capable of doing quality control. sellers of harvested parts dont *want* to sell a damaged part, because it harms their reputation.

on that note.. louis rossmann has some great examples of apple refurbished macbooks looking like absolute garbage inside.

 

all of this is also beside the point.. because you appear to be arguing a point i havent made, and you're still missing it.

my frustration with this kind of stuff is that apple insists it's to "protect the user", while all it does is limit consumer choice to be only what options apple blesses them with. there is no industry in existence where allowing third party / user repair is inherently problematic. yes.. there are idiots and shady mechanics who bodge up their car, but to argue that these limited idiots have to mean that you should only ever be allowed to visit a dealer garage for repairs is exceptionally shallow.

 

and in case it is unclear to you.. i dont consider "for the resource blender" phones getting scavenged for parts by recyclers as "stolen", i see it as recyclers doing the job apple should be doing if they want to advertise their recycling efforts. and any efforts that apple is doing to prevent this should NEVER affect the choice an end user gets.

 

and to clear up some more details..

2 hours ago, Kisai said:

The correct answer here is "Apple must buy back devices, take them apart themselves and reuse parts that are qualified to be reused." Clearly sending the parts to a third party results in diversion and no quality checks, otherwise they would not end up in the supply chain at all.

news flash.. apple doesnt even *make* their own phones. no one does. the supply chain is all "third party" front to back.

it makes no sense for apple to build an "apple recycling corp" if they can just contract "Shenzhen recycling co.ltd." to do the work for them, since they already have the infrastructure and experience to do so. and i assure you that they are doing quite a lot of quality checks, because otherwise they wouldnt be finding working parts in the piles of phones arriving by the literal truckload. "for recycling" phones are essentially a bulk good handled by the gallon.

you seem to be confusing "verifying the quality of harvested parts" with "verifying no parts are getting saved from the blender". they're both a form of QC, but they are a very different form of QC.

 

2 hours ago, Kisai said:

The right thing here would have been for NOBODY to bid on destroying iPhones, only dismantling, testing and refurbishing phones from parts they are permitted to use.

that's the problem.. people want to refurb iphones, but apple doesnt permit them to use parts. that's why "permitting parts" doesnt work.

 

2 hours ago, Kisai said:

Alas it's cheaper to send things to the landfill than it is to recycle, and many "recycling" is little more than sending an item to Asia to be burned in their incinerators.

yes. ever looked into just how little apple's "recycling" efforts return? we're in the singular percentage territory. it should be a crime to ban recyclers from harvesting working parts from your "for the blender" pile, but instead it's apparently a crime for recyclers to actually do the ecologically right thing.


6 hours ago, manikyath said:

but instead it's apparently a crime for recyclers to actually do the ecologically right thing.

It is a crime for them to break a contract, if they were paid to shred and then recycle raw materials then it is a crime if they break that contract and do not shred.

Why do lots of companies insist on used phones (and other tech) being shredded? Well the laws about data destruction are very badly written, while we can re-set the root encryption key making it impossible to retrieve existing data most laws about data retention do not consider this one explicit permitted method, many talk about full physical destruction. This is why most companies and schools etc will pay a recycling company to shred the phones, I have even seen companies pay to have perfectly working (just 2 year old OLED high end TVs) destroyed since the liability that someone gets them then someone (through burn in or other methods) extracts even a single line of text is not something your avg IT manager wants to take.

Those companies and schools would love to just sell these phones to a recycler but they would only ever dream of doing this if there was a clear legal easy pathway to absolve them of any legal responsibility for the inevitable data breach when someone forgets to properly wipe them. Many companies require the recycling firm to turn up on site with a shredder and then have a staff member witness the shredding as they no longer trust the recycling firms to properly destroy them and there have been multiple instances of company HW (including medical and even defence contractors data) ending up in devices being re-sold. As an IT manager for some of these companies you might even end up in jail if you did not take the needed steps to ensure the data was destroyed (the corporate protection does not apply to medical, child or defence data in most of the world).

Companies would be more than happy to click the single button in MDM to release the find my locks, (and get some payment from the recyclers or at least not need to pay them as they currently do) on all the recycled devices if this did not increase the chance that the recyclers just lie to them and sell them on as is without wiping the data.
 


4 minutes ago, hishnash said:


Why do lots of companies insist on used phones (and other tec) being threaded?

I assume you meant shredded.

 

Data privacy mainly, but to tell you a short story, the engineering company I was doing work for sent stacks and stacks of laptops to be recycled. These laptops still had mechanical drives in them. The company that sent me there didn't want me properly wiping the machines "That's the recycler's job"

With the SSDs, it's actually a lot easier to ensure they are wiped, you just go to the BIOS and tell it to wipe the SSD and it's done in 4 seconds. Whereas the mechanical drives it could take 6 hours to do.

But if it came down to it, it took two minutes to just unscrew the backs off all but the Precision 5520s, pull the M2 drive out and snap it in half through the NAND chip, or push it into the paper shredder.


10 minutes ago, Kisai said:

SSD and it's done in 4 seconds. Whereas the mechanical drives it could take 6 hours to do.

With SSDs unless there is a root encryption key that can be re-set to a new random value the BIOS SSD wipe does not destroy all the data and it can be recovered by a data recovery lab. (on PC many of the root keys can't be fully rotated you can change the user-portion but if someone has a backup of this then they can still decrypt the data, root keys need to be private and need to never leave the device sec enclave to be considered as a method for wiping the drive).

The reason lots of companies now insist on full device destruction is they do not trust the recyclers (or the sub-contractor that the recyclers will use) to bother even with un-screwing it and snapping or shredding the M.2... There have been too many cases of companies just not doing what they said they would do in the contract or sub-contracting to someone else to do this and not checking up on it. This is now considered so common that it would not be a legal defence in court if data leaked that was under a protected status. You need documented evidence of destruction and best to also have a witness who can testify that they were there when it was shredded.

The laws need to be updated such that if there is a cryptographically signed report of the root key being rotated then this is evidence. Then we could put pressure on vendors like apple to provide this feature to DFU reset mode such that the sec-enclave could sign this when it re-sets the key and provide it as a report or even upload it to apple's servers so that anyone with the SN can validate the time and date that the device was fully wiped. But currently in most of the world the laws around data destruction (think schools with child data) are such that this is considered a grey area by lawyers and you're advised to just destroy it.


 


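Added example, not part of any post in this thread and not Apple's or any vendor's code: a sketch of the signed wipe report proposed in the post above, where the enclave rotates its root key and signs a statement that a third party can check. `WipeReport`, `Enclave`, `VerifyWipe`, the report layout and the serial number are hypothetical, and the verifier is assumed to already trust the device's attestation public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// WipeReport is a hypothetical attestation format constructed for this example.
type WipeReport struct {
	Serial string
	Nonce  [16]byte // verifier's challenge; stops an old report being replayed
	Epoch  uint64   // root-key generation after the rotation
	Sig    []byte
}

// message is the byte string that gets signed; it binds every field of the report.
func (r WipeReport) message() []byte {
	return []byte(fmt.Sprintf("wipe-report-v1|%s|%x|%d", r.Serial, r.Nonce, r.Epoch))
}

// Enclave models the device side: neither key ever leaves it.
type Enclave struct {
	serial  string
	attest  ed25519.PrivateKey // attestation key, assumed provisioned by the vendor
	rootKey [32]byte           // root key that all stored data is encrypted under
	epoch   uint64
}

// NewEnclave returns the device and the public key a verifier would pin for it.
func NewEnclave(serial string) (*Enclave, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	e := &Enclave{serial: serial, attest: priv}
	rand.Read(e.rootKey[:])
	return e, pub
}

// WipeAndAttest overwrites the root key, then signs a report over the challenge.
func (e *Enclave) WipeAndAttest(nonce [16]byte) WipeReport {
	rand.Read(e.rootKey[:]) // data encrypted under the old key is now unreadable
	e.epoch++
	r := WipeReport{Serial: e.serial, Nonce: nonce, Epoch: e.epoch}
	r.Sig = ed25519.Sign(e.attest, r.message())
	return r
}

// VerifyWipe is the check a prior owner or auditor runs; lastEpoch is the epoch they last saw.
func VerifyWipe(pub ed25519.PublicKey, r WipeReport, serial string, nonce [16]byte, lastEpoch uint64) bool {
	return ed25519.Verify(pub, r.message(), r.Sig) &&
		r.Serial == serial && r.Nonce == nonce && r.Epoch > lastEpoch
}

func main() {
	dev, pub := NewEnclave("SN-EXAMPLE-0001") // constructed serial number
	nonce := [16]byte{0xA1, 0xB2}             // constructed challenge; draw from crypto/rand in practice
	rep := dev.WipeAndAttest(nonce)
	fmt.Println("fresh report accepted:", VerifyWipe(pub, rep, "SN-EXAMPLE-0001", nonce, 0))
	fmt.Println("replayed under new challenge:", VerifyWipe(pub, rep, "SN-EXAMPLE-0001", [16]byte{9}, 0))
}
```

The report only proves that the holder of the attestation key made the statement, so its evidential value rests on that key being bound to the serial number by the vendor and never being exportable.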
6 hours ago, hishnash said:

Those companies and schools would love to just sell these phones to a recycler but they would only ever dream of doing this if there was a clear legal easy pathway to absolve them of any legal responsibility for the inevitable data breach when someone forgets to properly wipe them.

Everything we send away must get a certificate of secure erase, pretty simple liability transfer. You don't need witnesses or anything, these are certified documents and 100% transfer the liability in full.

 

Sure contracts must be abided by but not everyone demands actual destruction. For example we demand destruction of our LTO backup tapes (data is software encrypted anyway) which we get a certificate of destruction however we don't demand our laptops even with on-board non-replicable NAND, just a secure wipe and certificate of wipe.

 

An e-waste/recycling company could of course fake these certificates but that would be pretty stupid, although likely happens to some degree. But as to your point you can demand destruction but that doesn't mean they are, you can demand secure erase but that doesn't mean they are. There is no benefit or legal benefit to defaulting to asking for physical destruction unless the data classification requires physical destruction only.

 

Anyone that really cares or is subjected to data laws that stipulate data erasure will do data wipes themselves first, we do. Everything that goes away for destruction or recycling (with secure erase) have already been wiped but they have to do it themselves and supply the evidence of doing it.

 

5 hours ago, hishnash said:

This is now considered so common that it would not be a legal defence in court if data leaked that was under a protected status.

Not true, that's not how laws or the court works. Commonality is not a factor. Neither is it actually that common in all places in the world, even within the same country. We can only pick from government accredited e-waste/recyclers who are audited and have security clearances, anyone can choose the same company do don't have to like we do. There isn't a shortage of companies that do it right and are known to do it right. 

 

5 hours ago, hishnash said:

Then we could put pressure on vendors like apple to provide this feature to DFU reset mode such that the sec-enclave could sign this when it re-sets the key and provide it as a report or even upload it to apple's servers so that anyone with the SN can validate the time and date that the device was fully wiped

This would actually be very useful, ideally with the device was MDM managed by Apple the prior owner would get a report in the portal verifying it has been wiped once it has and that status transmitted to Apple.

 

Of course you can send remote device wipes via all MDM solutions anyway and get completion reports of it being carried out.

Edited by leadeater

15 minutes ago, leadeater said:

There is no benefit or legal benefit to defaulting to asking for physical destruction unless the data classification requires physical destruction only.

In much of the world the laws have not been updated to consider the possibility of rotating root keys to do data destruction.  So if you are destroying it to comply with the law you commonly are looking at doing full physical destruction.   
 


15 hours ago, hishnash said:

In much of the world the laws have not been updated to consider the possibility of rotating root keys to do data destruction.  So if you are destroying it to comply with the law you commonly are looking at doing full physical destruction.   

In what places? A lot of countries have adopted very similar laws, very very few things require by law physical destruction. Medical information here doesn't for example. We are not required by law to have our LTO tapes destroyed but we do anyway by our own judgment.

 

So no you are not commonly looking at physical destruction, the vast global refurbished supply of IT equipment shows otherwise and that even includes server hardware that were once prior used for sensitive data.

 

And if you want examples of data that would be on our tapes, which again we are not required to under any law to physically destroy, would be: Medical data, personal information about minors, military data (low security), confidential industry data, research data published and unpublished, financial data, employee data, security incident data (digital and physical).

 

I think you are greatly overestimating who and what MUST be physically destroying data by law. Our relevant laws are current and last updated in 2022 and 2023.

FYI a lot of countries updated their laws so physical destruction is not required for a lot of things so they could utilize Azure/AWS/GCP etc. Prior to this, like here, those were off limits although for us sovereignty reasons not data security/destruction.
