Why you should not upgrade to MacOS Big Sur if you care about privacy

Updated November 14, 2020. By Dr. David Wild. MyDigitalResilience Blog

Many of you will have heard of the problems a couple of days ago that prevented people upgrading to Big Sur, and caused everyone's Macs to behave sluggishly, weirdly hanging when you tried to open apps. It turns out this was due to a background process called trustd that runs on your Mac, and whenever you open a 3rd party app it communicates with an Apple server at the address ocsp.apple.com (credit to Jeff Johnson for figuring this out and putting it out on Twitter). It turns out this is the tip of the iceberg. Apple is constantly making calls to its servers for all kinds of purposes - some known, some unknown - from your machine back to the mothership.

Many privacy-conscious people run firewall applications like Little Snitch and LuLu that can block these calls, along with other unwanted communications from third party apps back to other motherships, such as Adobe or Google. Little Snitch allows very fine-grained control over which calls are blocked and which are allowed, which is useful because some calls are necessary for your computer to operate properly - such as looking for operating system and security updates. The first time you run Little Snitch it is quite shocking to see just how many times your Mac is communicating with the outside world without telling you.

In Big Sur, Apple has removed an application program interface (API) called Network Kernel Extension (NKE), which was used by firewalls such as Little Snitch to block internet access according to rules that you set up. It is replaced by something called NetworkExtension, which appears on the surface to provide the same functionality. Little Snitch has addressed this problem by releasing a version that uses NetworkExtension instead of NKE (you can read about this on their blog).

However, it turns out that Apple has exempted its own services from the API, which means that firewalls running on your machine are no longer able to block calls to Apple servers. It also means Apple can bypass any VPN running on your machine, so Apple will see your true IP address even if you are using a VPN. This is discussed in This AppleTerm article based on work by Patrick Wardle.

What does this mean in practice? If being able to keep your IP address private from Apple, and being able to use a firewall to decide what your computer communicates to the outside world is important to you, then you probably want to hold off on upgrading to Big Sur. If you use a separate hardware firewall such as a PFSense box, this might not be such a problem for you.

I hope this was helpful for some of you. If you enjoyed this blog post, please check out The MyDigitalResilience website. All material is (C) Copyright 2020 by David Wild. This website is designed to be simple and accessible, and does not contain any trackers of any kind. Suggestions and corrections should be emailed to info@mydigitalresilience.com.