Hacker News
iCloud Uploads Local Data Outside of iCloud Drive (datavibe.net)
199 points by sneak on Oct 26, 2014 | 116 comments



Last I looked, iCloud was not HIPAA¹-compliant. Health-care workers who previously could have iCloud enabled, as long as they did not use it for HIPAA-covered documents, may be in for a big and expensive surprise.

¹ http://www.hhs.gov/ocr/privacy/hipaa/understanding/


Although non-compliant activity with regards to e.g. spreadsheets containing patient data is extraordinarily widespread [+], you're correct, putting a spreadsheet with PHI on iCloud (whether you intended to or not) is a reportable breach.

(Not a lawyer, but I have to care about this, for professional reasons.)

[+] Say, emailing in the clear about PHI. This is extraordinarily common even among people who theoretically know better.


From what I can tell, I think a lot of people in healthcare view HIPAA as poorly written, and more or less a bureaucratic obstacle to doing their jobs effectively. Part of it also is that all the EMR solutions are so terrible that to try and do patient care entirely within a given EMR is so painful, people do the dropbox/email route to get around their limitations.


Are organizations that are caught emailing PHI in the clear not punished for this? Or are the damages insufficient to change the behavior?


Yes.

Odds of an enforcement action are minimal (940 complaints for Security Rule violations in 5 years divided by one sixth the economy), given that enforcement is complaint-driven and CSV files rarely complain. If you're big enough you budget for fines like retail budgets for employee theft -- sure, don't seek it out, but you won't be heartbroken when it happens.


My experiences on this suggest that any company that both produces something classifiable as PHI and is large enough to have dedicated IT / Legal staff has fairly draconian policies that include "every attachment that is mailed to a mail server that is not ours is stripped".

When individuals work around these policies, there tends to be some level of legal shielding for the larger business entity when it is investigated.


Very expensive. I'm flagging our security.


Clouds are almost universally antithetical to HIPAA, it's extremely rare to find a SaaS provider that will sign a HIPAA BAA.

And anyone working with data under HIPAA had better know this already!


Right, which is why I don't have any HIPAA-covered data in Dropbox, but my risk assessment does not include "I have Dropbox installed on my machine, ergo, I need to be careful to never access HIPAA-covered info from my machine", which is apparently the level of care I now need for Yosemite. (An upgrade which just got delayed indefinitely, for the obvious reason.)


You're a braver person than I then. I wouldn't download HIPAA data to a machine with Dropbox on it, any more than I would be downloading protected research data to such a machine. But then, I'm not a doctor so I don't deal with one-off patient info, so it's easy for me to maintain separation.

Though if this is actually a thing that many people want to do, perhaps the new Blackberry OS actually does something that people need...


What does the new BB do?


VMware's vCloud Air does: "To help customers comply with HIPAA and HITECH, VMware offers a Business Associate Agreement (BAA) to all interested customers using our US-based data centers."[1]

[Full disclosure: I work on vCloud Air]

[1] http://vcloud.vmware.com/service-offering/security-complianc...


As will AWS, Rackspace, Google, and a few other providers. (List as of "ones I knew of off the top of my head and could quickly verify via Googling.")


Fantastic, this appears to be changing then, because cloud services have been quite hesitant in the past about this.


> Clouds are almost universally antithetical to HIPAA, it's extremely rare to find a SaaS provider that will sign a HIPAA BAA.

That's true of small services, but less so of big enterprise vendor (and, given the size of the health IT market and the big enterprises to serve in that space, that shouldn't be surprising.)


Cloud is almost universally antithetical to any form of privacy, content security, or exfiltration protection.


Mavericks had the same behaviour as Yosemite iirc, except it was less obvious.


In Mavericks the default save location was iCloud for docs, but it didn't silently upload stuff afaik.


It actually did upload stuff silently. Here's what you can do to reproduce:

Have TextEdit enabled in the iCloud System Preferences panel. Open TextEdit, create a new document, type stuff in it. Now press cmd + O to display the iCloud document picker, and you'll see your new document got uploaded to iCloud, without you ever hitting Save or explicitly agreeing to save it on iCloud.

The only way on Mavericks to have 100% local data was to:

a) disable Documents in the Cloud for all apps or a specific app, or:

b) save documents to the local drive immediately after creating them, before typing anything.

I'm surprised this isn't more commonly known, and that everyone seemed totally fine with it. Doesn't seem like intuitive or expected behavior for an average user IMO.


Interesting, but:

There are two kinds of users in this scenario. Those who don't care (99%) and those who do.

If you count yourself among the latter group, as I do, then it's always solid advice to choose actions which clarify your intentions.

In this case:

  - don't use iCloud
  - don't use iCloud sync for the app you use for private data
  - do explicitly choose to save the file locally
  - don't enable new features like Continuity that clearly change the file
    persistence and availability model without considering your old patterns

The author is rightly sore that his bits got pushed to Apple due to his oversight. He's wrong to place the blame fully on Apple, but it's hard to be fair when you're angry. And I'm glad he wrote it up because it should encourage people to think carefully about where and to whom they trust their data. Though most people I know sync their private data to Dropbox, ffs, so... thinking != thinking, I guess.

My secure notes strategy is vim with encrypted files on an encrypted partition. It could still leak, and I'd be angry, but there are at least three vendors involved that would have to alter their products' behaviours before I was hugely surprised. TextEdit on HFS+ on OSX with iCloud enabled is just one vendor, who can't always cater to my 1% of 1% expectations.


> "There are two kinds of users in this scenario. Those who don't care (99%) and those who do." ... "The author is rightly sore that his bits got pushed to Apple due to his oversight" (emphasis mine)

This attitude is completely unhelpful. It throws those who are otherwise ignorant under the bus simply because they don't (can't?) understand how modern tech works. Is that really fair? Must we really divide the world up this way? Most of the public hasn't caught up to how modern systems work and what the trade-offs really are, and they certainly won't if this is the approach we choose to take.

It's almost reminiscent of Morlocks and Eloi from H. G. Wells's Time Machine.


Sadly this type of response seems to be common amongst those that do get it. "Whatever. Most people don't care anyway."

If you look at the reaction of those 99% to Apple planting a U2 album on their phone, you see an angry response when people are made aware...


If only users actually changed their buying behavior on the basis of security or privacy. Until that happens "users don't care about security or privacy" will continue to be the default since economically speaking it is absolutely true.

What users care about as revealed by buying behavior is: user experience, user experience, user experience, user experience, cost, user experience, and user experience.


Has there been a model of consumer behavior related to personal computing where security played a major part? Yes - anti-virus software on Windows.

That's not an entirely healthy example but it does show it is possible to make consumers take topics like security and privacy seriously.

The issue right now is there aren't enough voices telling them how serious these topics are.


The celebrity nude hack is a good case in point. "The cloud means some knucklehead from 4chan might steal all your data because they don't like your blog posts" has a certain ring to it.

It also might be helpful to drop "privacy." It's security. These are vulnerabilities. Apple could have encrypted this stuff with keys the customer controls, but that takes more engineering to make it friendly and usable. They won't until people care.


Well, it's like this.

When I know that I value a product or service for different reasons than the majority of other customers, I recognize that the product might change in a way that eliminates or reverses the value I derive.

When I think about the privacy of my personal information, I know that I would be greatly irritated to learn that a single shred of "my stuff" went anywhere outside of my control.

I care. I care a lot. The cloud is not made for me. Social technology is not made for me. The extent that social and cloud creeps into my operating system of choice is a clearly tense relationship that I have to think about and plan defensively around.

I don't think everyone should have to do that -- but they don't. They want universal sync and autotweeting, and I am not one to begrudge them.

When I say "most people don't care", I mean that they have decided that the benefits are greater than the risks, and on the whole would rather trust Apple than Google or some syncerrific.io sort of operation. Maybe they care that their friends, neighbors, and coworkers can't read MyFavoriteHentai.docx, but they do not care much about strangers.

So they get the product that they want. And I (and some of the rest of us, but really quite few) do not. And this is the way it should be.

So I'm not throwing anyone under the bus. I wish there was a way to make the product that people want without making it harder for me (and the OP) to get what I want out of it, but it's impossible to serve all cases. That becomes my problem, and I bear it willingly.


> "... they have decided that the benefits are greater than the risks ..."

My point is that they're not even aware of how things work and therefore are not at all in a position to comprehend what the risks really are, let alone make sensible decisions.

The flaw in your reasoning is linking behaviour to knowledge. Just because people are behaving in a certain way doesn't mean that they are fully aware of the consequences of those actions. When it's only a small part of your life, it has little impact but when you suddenly realise a large chunk of your life depends on those choices it can be a bit of a shock (consider all the celebrities who had private images leaked recently).


The low-information customer you're describing is a totally different animal than the person we're discussing here. I agree with you as far as it goes, but OP is a security-conscious developer.

Jennifer Lawrence has a different problem. Apple can't really help her either.


Per your original comment, we're only discussing two types of people.


Pithy, but incorrect.

I said there are two kinds of people. This is superficially true of any binary criterion.

I was only discussing the kind of which the OP is a member.

The existence of that other, much larger, group is a very different problem to solve. Important, but not relevant for OP.


I'm not angry, but it does violate the principle of least surprise and the document model that's been in use for text editors forever.

I opted in to iCloud Drive to synchronize files - files I chose to store in iCloud.

I did not opt in to synchronize my unsaved files in apps not currently supported by Continuity, nor was there any warning or indication that that would occur.

How would you feel if the OS, without warning, started syncing your vim temporary files (including your pre-encrypted versions) to the cloud? This is the same thing. Don't hate because it's TextEdit and iA Writer.


Right, well I agree with you almost entirely.

My only hesitation is that you and I have to recognize that we are on the fringes of the fringe, and be hyper-vigilant.

This behaviour is only surprising if you get lax (as I was, too) about evolving functionality.

My point about vim is that for me, it's a purposeful simplification. I do sometimes wish for a more flexible note taking app, but I know that it would take an earthquake of change for vim to sprout a file sync feature that tied into iCloud. And I value that, a lot.


This is OS functionality, so it would be akin to iCloud helpfully synchronizing your vim recovery files across your Macs (via a roundtrip to iCloud) without you ever asking it to - not a change in vim.

This is why this is worth sounding the alarm over - it's an OS-level change that affects all apps, not just Apple's.


That's a good point, and is part of the reason I have iCloud turned off completely -- so I don't have to think about individual cases.

Obviously, it's completely possible that mdsworker or any of the other dozens of Apple daemons is slowly leaking my unencrypted RAM or swap files out to 17.x.x.x or somewhere else I've allowed in my packet filter configuration.

But that is the line between enhancement for the majority and malice for the targeted. As long as I force Apple to cross that line before causing me any damage, I feel comfortable trusting them (their corporate policy, their auditing, their hiring, their systems administration, etc).


> I know that it would take an earthquake of change for vim to sprout a file sync feature

Well, you may know that, but don't worry, when it happens and surprises you and you post about it, there will definitely be someone here on Hacker News to scold you that you should have known better and that it's all your fault for not anticipating the unexpected and unannounced changes.


> my unsaved files

How would you feel if your unsaved files suddenly disappear? Would you blame apple for deleting files you explicitly chose to not save?

You were relying on a feature in an unusual and unintended way. Sooner or later, that may stop working.

The "unsaved files" being not synced to iCloud was never something that was meant to be guaranteed, it was just how it was.

What I'm suggesting is that by opting to explicitly save a file locally, you're giving more of a signal that you don't want it available remotely, compared to not saving a file at all.


I'm more interested in why the default behavior of internet users is so often to blame the victim.

Does it shift the danger of the world squarely onto those who couldn't ever possibly be you, as your internal narrative has you as perfectly informed at all times?

I'm a security-conscious engineer that's been using Apple hardware and software for two decades. Today, my computer took a bunch of private text and uploaded it without my knowledge or consent, completely contrary to my expectations.

Does it threaten your worldview to consider that perhaps I didn't do anything wrong?

(To answer your question directly: I would be annoyed but it wouldn't be the end of the world; I'd simply restore those files from backup as I knew where they were being autosaved previously. That's an entirely different ballgame than silently uploading them.)


I think if you had presented exactly the same data as the results of dispassionate research, you would have gotten a somewhat tepid, but appreciative response.

Because you presented it as a personal violation and unconscionable shock, many people are reacting with incredulity.

I don't think you did anything wrong, tactically, and I think this is an important discovery. I do think you need to rethink your strategy around private data though, because the course of user experience is at odds with your desires.


And you have the privilege of speaking of "the course of user experience" as if it's an undeniable course (or a user-driven movement, for that matter; which I daresay is not easily substantiated when we're on a topic of a decision of Apple engineering rolled out without warning) ... as a result of your dispassionate research?


We're talking about different things. Yes, I can say without hesitation that people want ("the course of user experience") document sync. Refutations welcome.

You might be trying to argue that people also want privacy or security in their document sync, but that has nothing to do with the matter at hand. iCloud is at least as secure as any other consumer sync service.


> There are two kinds of users in this scenario. Those who don't care (99%) and those who do.

Correct, and those of us that do should act on behalf of those who don't, because a good many of them are not technically inclined enough to know if they should care.


Totally agree. Which is why I mentioned that I'm glad the OP posted about it and brought it to our attention.

Apple is averse to asking users lots of questions in general, but especially difficult questions that most won't understand or know how to answer -- or the implications of their choice. Pretending for a sec that Apple will change their default setting here, to the detriment of 99% of their users but to satisfy the noisy us... I'd love to see suggestions on how to word this checkbox option.

iCloud has a lot of options already. It's a complicated concept for most people. I agree that this is borderline surprising behaviour, but I don't see how to avoid surprising someone.


Actually there are 4 kinds of users.

- Those who don't care and will never care

- Those who don't care but will care in the future

- Those who care now and will care in the future

- Those who care now and will not care in the future.

The first one is common. The second one does happen. The third one is more common than the fourth.

I think the amount of users this will affect is greater than you expect.


To be more precise: don't use OSX. You have no control over what is happening, syncing, uploading, shadow-copying etc. in the background.


> don't enable new features

most of the time, the default is to enable the new privacy invasive features unfortunately... (it should be opt-in, always)


I'm pretty sure that this has been happening at least as early as Mountain Lion. I felt really violated when I discovered it - I use TextEdit as a scratchpad, so it's always full of random notes (and a temporary copy-paste spot for private keys, double-plus-ungood!). Not to mention financial data into Numbers - those were being synced automatically, too.

Another gotcha I noticed around the same time - Notes from iPhone are automatically stored to the primary email account. So I had my private scratchpad phone notes stored on my corp account's Notes folder with no easy and obvious way to re-associate them to the correct account.

It's easy to disable, but as the writer notes, that's not the point - if you don't know it's happening, there's not much you can do, just feel your stomach drop, disable it, then get to work figuring out how much damage was caused (i.e., get to swapping keys, ugh...).
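For the damage assessment described in the comment above, an added example (not part of the thread and not Apple's tooling): a Python audit that walks the local mirror of the iCloud document containers, lists every file per app container, and flags files holding PEM private-key headers so the keys that need rotating can be scoped. The mirror location `~/Library/Mobile Documents`, the container folder names and the sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption (not stated on the page): macOS keeps the local copy of iCloud
# document containers under this directory, one sub-folder per app.
DEFAULT_ROOT = Path.home() / "Library" / "Mobile Documents"

# PEM headers for private key material (RSA, EC, OPENSSH, PKCS#8, ENCRYPTED ...).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
MAX_BYTES = 5 * 1024 * 1024  # read at most 5 MiB per file


def scan_icloud_mirror(root=DEFAULT_ROOT):
    """Return sorted (container, relative_path, key_headers) for every file.

    key_headers is the number of private-key PEM headers found, or -1 when
    the file could not be read (permissions, not-yet-downloaded placeholder).
    """
    root = Path(root)
    findings = []
    if not root.is_dir():
        return findings
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root)
            # The first path component is the per-app container folder.
            container = rel.parts[0] if len(rel.parts) > 1 else "(root)"
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
                hits = len(PEM_PRIVATE.findall(data))
            except OSError:
                hits = -1
            findings.append((container, str(rel), hits))
    return sorted(findings)


def keys_to_rotate(findings):
    """Files that contain at least one private-key header."""
    return [f for f in findings if f[2] > 0]


def build_sample_tree(base):
    """Create a constructed sample tree (fake data) for an offline demo."""
    base = Path(base)
    samples = {
        "com~apple~TextEdit/Documents/Untitled.txt":
            b"todo: call bank\n-----BEGIN RSA PRIVATE KEY-----\n"
            b"CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n"
            b"-----END RSA PRIVATE KEY-----\n",
        "com~apple~TextEdit/Documents/Untitled 2.txt": b"shopping list\n",
        "com~apple~Numbers/Documents/budget.csv": b"month,amount\njan,100\n",
    }
    for rel, body in samples.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    return base


if __name__ == "__main__":
    # Demo on the constructed tree; call scan_icloud_mirror() with no
    # argument to audit the assumed real location instead.
    with tempfile.TemporaryDirectory() as tmp:
        report = scan_icloud_mirror(build_sample_tree(tmp))
        for container, rel, n in report:
            flag = "KEY MATERIAL" if n > 0 else ("unreadable" if n < 0 else "")
            print(f"{container:22} {rel:48} {flag}")
        print(len(keys_to_rotate(report)), "file(s) hold private-key headers")
```

A file that appears here was at some point written to a synced container, so a flagged key should be treated as exposed even if the document is deleted afterwards.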



Good find. The fact that this is a KB article seems to confirm what a huge violation of customer trust this is - they know this violates the principle of least surprise.


Except that this does not violate the principle of least surprise at all.

I expect that files I edit are saved at some point, somewhere, iCloud makes perfect sense in that it allows me to pick up where I left off on any device. Not only that, but Mavericks had the same behaviour for unsaved files as far as I remember.


There are KB articles for everything. You are reading too much into it.


Guy is confused. New documents which are not explicitly saved to the local filesystem were already stored to iCloud on Mavericks.


Given this feature has been around for well over a year with eg. TextEdit, I'm amazed at the reaction.

This is exactly the behavior I want and expect from Apple as a user, it would surprise me if they DIDN'T do this.


> I'm amazed at the reaction

And I'm baffled by yours, and others' in the thread. With the PRISM/Snowden revelations, Apple still refusing to encrypt their data center links, not using perfect forward secrecy, etc, the cloud simply doesn't seem like a good default.

They could make this opt-in, as it's supposedly linked to Continuity, but it's very clearly unintuitive, as evidenced by others in this thread (https://news.ycombinator.com/item?id=8511115 for one). If even HN people (probably at least the 95th percentile in tech literacy compared to the general pop) didn't know this, then what about your typical PEBKAC user?

And, sorry to be incendiary, but I'm sure the NSA isn't displeased by Apple's UX choice here.


I love it when people get all "incendiary" about a privacy issue in the post-Snowden world. I really do not understand what your privacy world view was in 2009. Did you think governments did not have intelligence agencies? Did you think every government employee was an angel? Did you think F500 companies regarded personal privacy as sacrosanct?


Back then a reasonable person might have had faith in the rule of law, and in the oversight system and that targeted surveillance was the norm. It turns out there are secret courts, with secret interpretations of laws and indiscriminate mass data-collection. The tin-foil-hat brigade turned out to be right.


This behavior is completely intuitive to anyone that's used a Mac for the past 5+ years - iCloud has an option for syncing documents and data. Mac OS has been preserving unsaved files since at least Lion, and on iCloud since at least Mavericks. You can opt out of the latter if you like. Or not.

I (and I believe most people) honestly could care less about the NSA. If they want to get at you, they will. Period. There is no technical solution to what is fundamentally a political problem. Most Americans WANT to be spied on, because terror. I don't like it, don't support it, but I'm not losing sleep over it.


For continuity to work, it should be obvious that what you are working on must be stored somewhere other than the machine you have turned off. The obvious place is on iCloud. Just do not enable continuity if you do not want to enjoy its features.


Since the continuity feature requires Bluetooth 4, I figured the magic was done over Bluetooth and wifi.

I personally don't mind using iCloud, but I understand the author's reservations. But I feel the root problem is the NSA, not Apple. It's too bad that America has lost control of its government and is unable to fix this.


The sadder truth is that the root problem is not the NSA, it's the majority of Americans who don't understand the implications of their passivity. America by and large wants the NSA to spy on them. Given the number of protests swarming Washington about almost every issue under the sun, there has been a dearth about the NSA. America doesn't understand the problem and thus doesn't want to fix it.


Most countries have surveillance on their citizens. And most citizens 100% support it.


There is no text editor on iOS, so documents stored in TextEdit are not expected to be subject to Continuity. Additionally, I do not use iA Writer on iOS (nor do I know if there is even an iOS version), so it is reasonable to expect that unsaved drafts I have open in that program would not leave my computer.


I believe the intent is to sync state between Macs, e.g. a MacBook and an iMac.


It's worse:

It would appear that iCloud is synchronizing all of the email addresses of people you correspond with, even for non-iCloud accounts, to their recent addresses service. This means that names and email addresses that are not in iCloud contacts, not synchronized to your device, and only available in an IMAP-accessed inbox are now being sent to Apple, silently.


This fact — that your phone is silently syncing third-party email account inbox metadata (sender address lists) to a major US cloud provider — is being downvoted.

Welcome to HN, where blaming the user isn't just our profession, it's our hobby!


This may sound naive but it is just bizarre that if you own a computer it is just not really "YOUR" computer anymore. It's like you are "leasing it" but you pay the hardware company with your data.


Does that mean I get the four grand for this maxxed out 15" rMBP back?


Like Adobe streaming their Photoshop software from their servers, like Google trying to push Chrome OS so that you DO NOT need hard drives.

The big boys in the market, sooner or later, will move all software and hardware power to their side, leaving you with a screen, mouse and keyboard to interact with everything.

As soon as companies do not have control over whatever you are doing, they are losing benefit on it.

Get ready for this big move already; every big company will try to do this, in my opinion, which is sad.


As long as there are computer parts and open source software, you can still opt out if you want to.


Don't forget the importance of open hardware, e.g. bunnie's Novena project.


It's at odds with the name, but Creative Cloud runs independent of Adobe. "Cloud" refers to a harsher anti-piracy check under the guise of a Dropbox-like file storage that nobody uses.


I think the parent level poster was referring to the cloud-streaming capabilities Adobe is rolling out for Photoshop and presumably other programs, starting on the Chromebook.

http://chrome.blogspot.com/2014/09/adobe-joins-chromebook-pa...


Ah, I wasn't aware of that. Prior to this people were confused about what Creative Cloud meant, so I assumed the parent was a continuation of that.


While I agree that I definitely see this trend, this does not mean that this trend will end up winning. We have seen lots of horrible trends like this one and almost none of them survived.


I think you underestimate the momentum behind this trend: the vast majority of users want it.


That is the horrifying part, right!?


What's horrifying about it? Many people have been wanting to store their stuff on the cloud for decades. In fact, geeks HAVE done it for decades with Rsync. Now it's happening for the masses.

One may not like this, because Snowden, but I don't think most people really are worried about that.


Whoa. I'm going to have to flag our security folks about this.


Uh, wtf.

I guess if you don't opt in to iCloud Drive you're safe?


Hi, I'm Thomas from IDrive Online Backup. If you're concerned about the privacy of your data while using OS X Yosemite, you might want to consider IDrive as a cloud backup service. We offer 256-bit AES encryption with a private key option so the key to your data is not stored anywhere but locally on your computer. Hope that helps!


Number one, if you are using Apple products in a high-security environment (e.g. HIPAA compliance) you should enable 2-factor authentication.[1] This will provide good security for data stored in the cloud.

Number two, there is an easy way to prevent data from ever even touching the cloud. Just immediately save the new document to a local non-iCloud folder before you populate it.

In terms of whether defaulting unsaved docs to iCloud is a good/bad design decision:

Defaulting unsaved documents to the cloud means if someone steals your account login and you don't have 2-factor auth enabled, they can access your unsaved docs.

Defaulting unsaved documents to local storage means continuity doesn't work and kills a lot of value of iCloud.

I think it's a good decision.

[1] http://support.apple.com/kb/ht5570


Continuity is only designed to work within a few meter range for handoff (and indeed requires bluetooth), which could easily be achieved over local bluetooth-bootstrapped p2p wifi.

Red herring.


Continuity data sync happens via iCloud. From the developer docs: "Handoff passes only enough information between the devices to describe the activity itself, while larger-scale data synchronization is handled through iCloud."

Can't say for sure whether a p2p wifi connection would really be a good substitute but I'm skeptical and I bet Apple's thought it through. I know AirDrop works that way but it seems to take a few seconds to set up the connection. Handoff is super fast, in my experience. So since AirDrop is designed to connect with unknown devices that p2p setup performance hit makes sense, but since handoff is for trusted devices, going through iCloud might be faster.

https://developer.apple.com/library/ios/documentation/UserEx...


Yes, I am aware that that is how they chose to implement it.

It was not necessary to do it that way and the exact same user experience could be achieved without the data leaving the room. Continuity only needs to work within bluetooth (and therefore wifi) range.

If Continuity didn't require bluetooth (e.g. for picking up a document on your mac that was started on your phone left in the car in the parking garage) then this design decision could be defended, at least a little bit - but it doesn't work that way.


> the exact same user experience could be achieved without the data leaving the room

But you ignored what I noted about the performance of setting up p2p wifi vs. iCloud. Given that Apple does implement p2p wifi for AirDrop, it lends support to the theory that they had good reason to pass on it for Continuity.


TextEdit used to auto save things to iCloud on Mavericks for me. No one made a big deal out of that.


"those in-progress (not yet explicitly “saved”) documents live in iCloud Drive"

So, what is it? On the drive or outside of it?

Does it matter? I googled a bit, but couldn't determine whether Apple can decrypt that data. It is encrypted both in transit and in the cloud, but do they hold the keys?

I know I have to trust them to do what they say they do, anyways, but if they do not have the keys, they cannot change their mind (say in response to a visit from the NSA)


> I know I have to trust them to do what they say they do, anyways, but if they do not have the keys, they cannot change their mind (say in response to a visit from the NSA)

Apple absolutely holds the keys to everything stored on iCloud. See their iOS security whitepaper [1], in the iCloud section:

> iCloud

> iCloud stores music, photos, apps, calendars, documents, and more, and automatically pushes them to all of a user’s devices. iCloud can also be used by third-party apps to store and sync documents as well as key values for app data as defined by the developer. An iCloud account is configured via the Settings app by the user. iCloud features, including Photo Stream, Documents & Data, and Backup, can be disabled by IT administrators via a configuration profile.

> The service is agnostic about what is being stored and handles all files the same way. There are two components for each file. The first is the file’s metadata, which consists of its name, extension, and filesystem permission settings. The second component is the file’s contents, which are treated by iCloud simply as a collection of bytes.

> Each file is broken into chunks and encrypted by iCloud using AES-128 and a key derived from each chunk’s contents that utilizes SHA-256. The keys, and the file’s metadata, are stored by Apple in the user’s iCloud account. The encrypted chunks of the file are stored, without any user-identifying information, using third-party storage services, such as Amazon S3 and Windows Azure.

[1]: https://www.apple.com/ipad/business/docs/iOS_Security_Feb14....


Thanks. I scanned that, but mixed up the discussion of iCloud and iCloud KeyChain, of which Apple claims:

"iCloud Keychain allows users to securely sync their passwords between iOS devices and Mac computers without exposing that information to Apple."

So, I guess somebody should write a 'notepad' for iOS and Mac OS X that stores its data as secure notes in the KeyChain (assuming that secure notes get synced, too)


Could this all be related to continuity features? Not all apps support continuity APIs but I suspect we'll be seeing more and more Apple stuff working across devices and one way for this to work is by using iCloud. iCloud Drive is just an iCloud service.


No, not directly. If you're logged into iCloud, Documents and Data sync is enabled, the app uses iCloud documents, and you don't save the file locally, the file is saved in iCloud. As far as I recall this is how iCloud has always worked.


If you enable documents in the cloud (now iCloud Drive, I think) document based apps will pick that location as the default location to save to. Autosave has long been a feature, so that happens, too.

It all makes perfect sense and is perfectly logical. How is it even possible to be surprised by this?! I’m mystified. It’s also not data outside iCloud. It is very much inside iCloud. Obviously. Newly created documents have to be saved somewhere, and if iCloud is your default location that’s exactly where. Where else?!


No.. it happens if you enable iCloud at all, not just iCloud Drive. There is no "enable documents in the cloud" setting.

According to Apple's KB, just signing into iCloud makes iCloud the default location for all unsaved docs (for iCloud-enabled apps).[1] So even if you've just turned on iCloud for photo streams or syncing contacts or whatever, iCloud becomes the default location for all unsaved docs.

[1] http://support.apple.com/kb/TS4372


I do not see any proof in the form of IP addresses to the location where these documents are uploaded and that being part of PRISM.

What IP addresses?


They are uploaded to iCloud, which belongs to Apple. Apple — as a US corporation — has to comply with US laws and has to support ongoing US criminal investigations, including secret agencies.


[deleted]


They're showing up in the application's folder on iCloud Drive without my ever having saved them.


Sorry to break it to you but they've been in iCloud since you created them.


It is most probably because of the new Handoff feature, no? Application state is shared between computers.


The link is 404 now, anyone got a mirror?


Basically he says that files that were open but not explicitly saved by the user were temporarily saved locally in ~/Library/Saved Application State/ but since updating to Yosemite, these are now all saved/uploaded to iCloud. So all his temporary notes he opened in TextEdit have been uploaded.


Works fine for me. Here's a PNG of the page: http://i.imgur.com/cjuWYuc.png


IPv6 by any chance? Try http, that seems to be working better for some reason.


Apple is not a "PRISM" partner; I thought we all agreed that this was when the NSA discovered goto fail and/or some jailbreak exploits.


The Washington Post documents claim otherwise:

http://www.washingtonpost.com/wp-srv/special/politics/prism-...


That link doesn't contradict xenadu02's claim. Do you have a link that better spells out that Apple is a willing partner in PRISM?


I doubt any of the companies are willing partners in PRISM - it's terribly bad for business, as Americans are only 4% of humans and being forced on threat of personal imprisonment to spy for the American government is not a really wise customer acquisition strategy.

It is really quite likely that the access to Apple and Google and other large providers' systems is done at an operations level, without knowledge of their management and providing for complete plausible deniability. How many network admins and ops people at Apple have physical access to the machines where keys are generated, stored, and used?

https://en.wikipedia.org/wiki/Tailored_Access_Operations

The #1 realtime end-to-end encrypted messaging service on the planet (where the software development and cyphertext transmission are both physically present inside the legal jurisdiction of the US) would be your first choice, no?


> I doubt any of the companies are willing partners in PRISM

AFAICT that was xenadu02's point - that data from Apple et al are being collected by PRISM, but Apple is not a "partner" in the sense that "partner" implies cooperation. If intelligence agencies have to steer clear of management, that's not a partnership, that's espionage.


Nope. PRISM has to do with "direct access" to Apple's servers. This is according to NSA's own documents, and Apple may either be aware and forced by law to lie (Yahoo-style [0]) or unaware of this (i.e. they got hacked by NSA). Nothing to do with SSL being broken, especially as iCloud didn't run on Apple software but on Azure and AWS back then[1], and therefore iCloud wasn't itself vulnerable to goto fail.

[0]: https://finance.yahoo.com/news/how-the-government-could-have...

[1]: see iOS security white paper from Feb 2014, iCloud was the same back in 2012.


"Direct access" came from a Washington Post story and it has since been walked back. PRISM is a program operated by the FBI, through which they make FISA court requests of data companies (like Apple) and then share the results with the NSA.


Apple joined PRISM a few months after Steve Jobs' death.


I had already regretted upgrading to Yosemite (this thing is ugly), but this is the last drop: I'm going back to Mavericks.


If you're so concerned with privacy, why are you writing passwords in plain text documents?


A plain text file stored on an encrypted disk image is a pretty decent way to save passwords, as long as you can trust your text editor not to upload your data behind your back (which has generally been a reasonable assumption in the past).


Just FYI, are you aware that when you create an email the draft is also stored on the server unless you explicitly choose not to?

All of these things are just normal. It's not like an evil mastermind decided that there was the need to access your unsaved documents.

I mean, you can still get angry about it but it seems pointless since you (probably) already use all of the Google services that are available.

Also, a "security researcher" should know better :)


"Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers - across all applications, Apple and otherwise."

Presumably they actually did have permission through some ToS you have to agree to if you want to use OSX - which begs the question of what insane amount of permission they actually have here. Seems that it probably boils down to that they can make an argument for literally anything on the mac being useful for continuity, so they can probably upload anything they like by default using that claim?


How many hyperbolic, bad faith posts about Yosemite are going to be made and voted to the top at HN? (This is the third I've seen this week, and they all make extremely negative insinuations based on incorrect assumptions and the shallowest possible examination of the functionality being excoriated.)

It appears that the only new functionality in this case is increased visibility via iCloud Drive. Presumably these documents were always saved on iCloud, which has been default behavior when you don't save to the local file system for a while.

As usual, there's an unfounded insinuation that this is intentionally nefarious activity on Apple's part. Documents and Data sync is easily disabled -- what did anyone think it was doing previously?


It's both intentional, and nefarious - separately.

"Intentionally nefarious" implies bad faith - I think it's just wickedly reckless and violates the huge amount of trust that end users place in their OS vendor.

The synchronization of the email recents list across iCloud via recentsd is the big problem. If I add a third-party email account that I access via IMAP, it is not the job of my phone or workstation to send the metadata (sender list) to my OS vendor's servers, even if it does enable the feature of easy address autocomplete on my other devices.



