Coincidentally, Little Snitch on macOS 13.6.7 recently caught photoanlysisd attempting to make a connection to bag.itunes.apple.com. This is unusual, because I hadn't created a photoanlysisd rule in Little Snitch before, which suggests that it wasn't attempting to phone home before.

The connection details say summary over 4 days, last denied May 19. This would put the first connection on May 15 or 14, soon after 13.6.7 and iOS 17.5 were released on May 13.

As the Reddit post linked in the article mentions, the photos that reappeared were manually saved as files by the user, e.g. via the share button.

In fact, I believe iOS uses hardlinks for this, as it is possible to save a 40GB video on a device with 64GB storage instantly - while logged out of iCloud and without an Internet connection.

Since hardlinks are used, there is likely no way to tell the original and copy apart except by their paths. The photo-rescuing algorithm that shipped in 17.5 probably wandered around the filesystem farther than intended, possibly via mds.

So Apple is probably not stealing your photos. If it is, this bug is not evidence of it.

Recent and related. Others?

Apple needs to explain that bug that resurfaced deleted photos - https://news.ycombinator.com/item?id=40433384 - May 2024 (60 comments)

Apple's photo bug exposes the myth of 'deleted' - https://news.ycombinator.com/item?id=40422136 - May 2024 (50 comments)

Apple Releases iOS 17.5.1 with Fix for Reappearing Photos Bug - https://news.ycombinator.com/item?id=40417703 - May 2024 (3 comments)

iOS 17.5 Bug May Also Resurface Deleted Photos on Wiped, Sold Devices - https://news.ycombinator.com/item?id=40393913 - May 2024 (31 comments)

iOS 17.5 is allegedly resurfacing pictures that were deleted years ago - https://news.ycombinator.com/item?id=40372867 - May 2024 (23 comments)

iPhone owners say the latest iOS update is resurfacing deleted nudes - https://news.ycombinator.com/item?id=40370078 - May 2024 (47 comments)

> Based on this code, we can say that the photos that reappeared were still lying around on the filesystems and that they were just found by the migration routine added in iOS 17.5. The reason why those files were there in the first place is unknown.

Good analysis!

Fyi, if you want to tell apple to not store the decryption keys for your iCloud Photos, you can go into iCloud settings and enable Advanced Data Protection.

You have to click through a number of warnings and set up recovery keys. We of course can’t prove that Apple isn’t still storing the keys, but imo they probably don’t even want to as it’s not their business model.

So, in short, all of this was user error (they double-saved pictures both in files and in the potos app), and we spent a week fear-mongering about privacy because too few people understand how filesystems work anymore?

I love how everyone talks about "deleted pictures". Those pictures were never deleted in the first place and just got marked as "don't show to user anymore".

That's all there is to it.

Apple, like all the other cloud companies does not delete anything.

It seems that Apple never truly deletes users' photos. Everything that has ever existed in our albums remains permanently stored in Apple's cloud. This so-called 'fix' merely prevents users from rediscovering this unsettling fact, rather than actually removing the deleted photos from their cloud storage. This raises important questions: Why is Apple retaining these photos? What is the purpose behind keeping this data indefinitely? Transparency and user trust are paramount, and users deserve clear answers regarding their data privacy.