Apple has made great progress over the years in protecting its customers against two big risks: theft of their Apple devices, and exposure of their personal data.
Activation Lock was introduced in 2013 and made it impossible for a thief to restore an iPhone or iPad to factory settings without the Apple ID credentials of its owner, or proof of purchase. Apple’s T2 chip did the same job for Macs as of 2018.
But while that’s great for protecting data, and making Apple devices far less appealing targets to thieves, there is a big downside …
We quickly learned that the presence of the T2 chip could prevent some third-party repairs, but used computer companies are saying the far bigger problem is that the security chip can completely brick a machine which would otherwise be refurbished and resold.
Motherboard ran a detailed report on this yesterday, summarized by one quote from a tweet.
“I’d like to do the responsible thing and wipe user data from these machines, but Apple won’t let me,” John Bumstead, a MacBook refurbisher and owner of the RDKL INC repair store, said in a tweet with an attached picture of two “bricked” MacBook Pros. “Literally the only option is to destroy these beautiful $3,000 MacBooks and recover the $12/ea they are worth as scrap.”
This isn’t a case of Apple protecting Mac owners from theft or data compromise: this is the T2 chip preventing the legitimate resale of lawfully purchased machines.
“By default you can’t get to recovery mode and wipe the machine without a user password, and you can’t boot to an external drive and wipe that way because it’s prohibited by default,” Bumstead told Motherboard in an email. “Because T2 machines have no removable hard drive, and the drive is simply chips on the board, this default setting means that a recycler (or anyone) can’t wipe or reinstall a T2 machine that has default settings unless they have the user password.”
As we’ve seen with iPhones in the past, users often don’t reset their own devices before they recycle or donate them, so the only thing that can be done with these devices—some of which are less than two years old—is have them shredded for scrap.
If the T2 equipped laptop’s previous owner doesn’t factory reset their machine before selling it or turning it in, then it can’t be done at all. The laptop is effectively a brick. “Recyclers are obviously prohibited from selling computers with user data on them,” Bumstead said. “But now they literally have to scrap the boards because Apple is giving them no way to remove user data if they don’t have passwords, as they most often don’t.”
It’s not just private sellers who don’t reset their machines before sale – it’s also enterprise companies upgrading their kit.
Bumstead his biggest problem is with Apple’s Device Enrollment Program (DEP). DEP allows a company to purchase an Apple device, register its serial number with the company, and easily deliver software updates and proprietary company software.
DEP is a godsend for companies, but a nightmare for independent operations like Bumstead’s. If a company enrolled in the program doesn’t factory reset the machines before selling them off, then second-hand stores can’t sell them.
Wiping your information from a device you trade in is good data hygiene, but individuals aren’t the only people buying computers. Often, companies buy and sell computers in bulk. “When managed machines are decommissioned, the companies rarely de-register their computers,” Bumstead said.
Bumstead said that around a quarter of the Macs he sees are affected, and effectively reduced to scrap.
This is a problem for everyone. Resellers may end up buying machines they have to scrap; those who buy used Macs have a smaller pool to choose from, which is likely to drive up prices; and it’s a huge environmental issue to have machines which could easily have a useful life of 5-10 years reduced to scrap after as little as two years.
I fully support Apple’s desire to protect customers, and there can absolutely not be any backdoor into restoring data, for all the reasons we’ve discussed at length before and after the San Bernardino case.
But there can and should be some method for Apple to authorize the wiping of Macs in legitimate resale channels.
One possible approach would be for Apple to maintain a stolen device register, similar to the one used by British folding bike maker Brompton. Anyone whose bike has been stolen can add the serial number to the database, and anyone wanting to buy a used Brompton can check that it isn’t listed as stolen.
Apple could do the same thing. If your device is stolen, you log in to an Apple website using the Apple ID credentials associated with the device and flag it as stolen. Law enforcement agencies would also be able to do this with devices listed in theft reports.
Both private individuals and resellers would then be able to check this database before purchasing a machine. Resellers should be able to additionally request authorization to wipe machines. Apple checks the serial numbers against the database, and if they are not listed, it authorizes the request. Machines can then be wiped and resold.
The T2 chip would need to be upgraded to support the remote authorization process, connecting to an Apple server when it is booted and checking for permission to be restored.
What’s your view? Would you welcome an Apple stolen device register, to provide protection when buying a used Mac and to prevent working machines being unnecessarily scrapped? Please take our poll and share your thoughts in the comments.