Complying with complex privacy laws is surprisingly orthogonal to making a product with good privacy.
In another regulatory area (not privacy, but something more historically regulated) we ran into strange situations where complying with the letter of the law would require us to walk back things that we had done in a better way. The laws are not simple and they're not written by engineers or even people who understand what future product needs look like.
Maybe it's more because the privacy is largely marketing and helps with continuously shutting out competitors under the guise of privacy?
If they really cared about privacy, they would end-to-end encrypt iCloud backups [1] by default and not just when ADP is enabled, which only a small subset of users do. In fact, many technical people I know don't even realize that iCloud backups are not end-to-end encrypted. At any rate, this large hole opens a lot of data (including iMesssage) open to Apple, law enforcement, etc.
https://support.apple.com/en-us/102651
[1] And iCloud Drive, and photos, and notes, and voice memos, and wallet passes, and contacts, and reminders, and...
Ironically the gaps you point to are things they have had to do to appease the European Union.
If regulators suck at understanding tech, they are making poorly thought out laws for corporations just as much as they are for you.
Tax laws are also quite easy, tax lawyers are only needed if you want to NOT pay what the country you're operating in is owed.
There's entire industries of experts who work on these tasks, and they don't just work for people trying to skirt the rules. I've hired people for both tasks and the reason was specifically to comply.
NIST, MS, and the security community all recommend against forcing people to change their passwords on fixed intervals. They should only be changed when there is an indication they have been compromised.
PCI requirements demand mandatory 30 day rotation intervals on user passwords for users with administrative privileges, IORC. Something like that.
They haven’t kept up. So until they change the rules you can either be PCI compliant or implement the current best practice. Not both.
The best practice was to rotate your passwords, but we discovered that this led users to picking less secure and easier to remember passwords and patterns.
Once technology offered up solutions to problems like password managers and breach notifications, that recommendation changed.
PCI used to mandate password changes for in-scope accounts (meaning they have access to credit card flows). Now that MFA is widely deployed that requirement only remains for accounts that do not have a second factor for authentication.
If you were ahead of the curve and implemented strong password policies that did not conform the the PCI baseline, all you had to do was explain to the auditor why. Assuming what you were doing genuinely increased your security posture it would be approved.
> They haven’t kept up.
Other standards all used to recommend password rotation. Most have amended it to deprecate or even prohibit password rotation.
> Once technology offered up solutions to problems like password managers and breach notifications, that recommendation changed
It wasn’t just that.
The original recommendation for password expiration failed to take into account the human practices that resulted.
Everyone has worked in an office with passwords on post-it notes, or seen passwords numbered with sequentially incremented integers at the end. Password rotation isn’t merely a baseline level of assurance, it has a negative impact on security because of the effect it has on password hygiene. In practice, passwords that expire can be easily guessed by appending something to the end of the prior password. And they are more likely to be written down in plaintext.
Permanent, non-expiring passwords without MFA are stronger in practice than expiring passwords.
Someone has to understand the codes and how they might be applied to a specific project, and direct a project such that the outcome will comply.
Codes dont provide a blueprint for a house or a bridge. They stipulate features and properties that it must have. Design resides with the firm.
Privacy isn’t complex, compliance is.
> Tax laws are also quite easy
Yet audits are still a pain.
> tax lawyers are only needed if you want to NOT pay
This is nonsense. Tax lawyers are sometimes used to skirt the law. They’re much more often there to help prove you followed it.