Widgets calling

As was reported elsewhere on Macworld.com, Apple quietly included a Widget update mechanism in 10.4.7, the most recent OS X 10.4 update. As some of you may recall, I was more than a little worried when Apple did something similar with the iTunes MiniStore during a supposedly-minor update to iTunes. So I must be going absolutely over the edge with this latest incident, right?

Well, yes and no, but more no than yes. There are only two things that really irk me about this new feature. The first is that it’s not user controllable. Most every other program I own that checks for updates does so through a mechanism I can disable (there are exceptions to that rule, of course). With the Dashboard update tool, I have to use it, unless I modify the system by moving a file, as detailed at the end of the news story.

The update mechanism should be controllable through the already-present Widgets widget—this is the widget that lets you delete third-party widgets, as well as jump to Apple’s site to download other third-party widgets. It would be most logical to have a Check for Updates button here, as well as a setting on the back of the widget for the update feature—a pop-up to set the updates to automatic, manual, or disabled. (If not on the Widgets widget, then how about in the Dashboard & Exposé System Preferences panel?)

The second thing that irked me is that Apple didn’t tell us about it. The rationale for confirming that a third-party widget is both current and what you think it is is a good one—widgets can do many things, since they’re really miniature programs. So I actually admire the fact that Apple is stepping in to try to make sure that the widgets I have really are the widgets I think I have. However, the fact that Apple added this feature “on the sly” makes my mind immediately suspicious. So instead of thinking of the benefits of this new feature, I’m trying to figure out to what ill use Apple might be putting the information it’s receiving—and wondering what information it is receiving (more on that later).

Imagine now, if instead of letting this new feature be discovered by those who monitor all their outbound internet connections (via, for example, tcpdump or Little Snitch), Apple had been proactive, and included this in their release notes:

OS X 10.4.7 includes a new feature, Dashboard Updater, which automatically ensures that your third-party widgets are the most current versions, and performs some security checks to ensure that you’re not using a widget disguised to present itself as something it’s not. This feature can be disabled, set to manual, or left in automatic mode, by visiting the Widgets widget. Note that Apple doesn’t collect any personal information as part of the update mechanism. Instead, we only see the names of the widgets and their version numbers.

I believe the response to something like the above would have been positive, not negative. And the last bit is true—those who have analyzed the data being sent confirm that it’s nothing more than the name of each widget and their version numbers. Contrast this with the iTunes MiniStore data, which included a cookie (which had, at least according to some analyses, your iTunes ID). The MiniStore data was also passed through servers belonging to a third party (Omniture). Clearly, there were opportunities for very bad things to happen, as the information being sent around included personally identifiable information, possibly including your iTunes account information. Apple listened to the public uproar, and quickly released an update that made it simple to disable the MiniStore.

Since the data being sent about my widget usage is completely innocuous and contains no personally identifiable information, I’m quite fine with this new feature (there’s the ‘more no than yes’ bit). I just wish Apple would learn from its mistakes and announce these new features ahead of time, rather than letting a firestorm erupt when they’re discovered. I think it’d be easier on Apple and easier on the users. Most important of all, it’s the right thing to do.
