Submitted a bug report ticket through Feedback application using an Apple Business Manager account.
Contacted professional points of contact within Apple.
Received a response from Apple enterprise support.
Received response from professional contacts within Apple.
July 30 —
Reported and updated with all points of contact and tickets that this exists in 10.13.6.
Received a response from enterprise support that this has been submitted to engineering.
July 31 —
Reported and updated all points of contact and tickets that this exists in 10.12.6.
Received response from enterprise support thanking me for testing but no update to report yet.
August 1 —
Received a response from product security that they are investigating the issue.
September 4 —
I sent an update to product security that the problem still exists in Catalina betas.
September 9 —
Received a response from product security that they are still investigating the issue.
October 9 —
Sent an update to product security that the public final release of Catalina still has the issue and that the Supplemental Updates to Mojave did not address it.
October 18 —
Contacted personal contacts within Apple about the issue.
October 31 —
Created a new product security ticket for the issue with Apple.
Followed up with Enterprise Support on the severity of the issue again.
Emailed Tim Cook.
November 5 —
Received information from Enterprise Support on disabling learning from Apple Mail through System Preferences → Siri.
In the 100 days since I alerted Apple, we’ve seen a security update to macOS Sierra 10.12, security updates to macOS High Sierra 10.13, Supplemental Updates to macOS Mojave 10.14, a security update to macOS Mojave 10.14, the release of macOS Catalina 10.15.0, a Supplemental Update to 10.15.0, and the 10.15.1 release.
For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely surprises me. It raises the question of what else is tracked and potentially improperly stored without you realizing it. For an operating system where you generally have to change controls to make it less secure, this is a setting you have to change to make it more secure and behave correctly. I also have to wonder why it took 99 days for someone to know how to prevent this. All parties at Apple were alerted multiple times before I wrote this post and were given ample time before I published it. The two main issues here are:
Disabling Siri doesn’t stop macOS from collecting data for Siri.
With Siri enabled or disabled, this process stores encrypted emails in a database completely unencrypted.
If these issues are a concern for you and your organization, consider creating an enterprise support ticket, filing feedback, or contacting your representative at Apple and letting them know.
Below are some screenshots showing an encrypted message being displayed UNENCRYPTED in DB Browser for SQLite, without requiring the private key. Apologies for all the blocked-out areas, but I had to hide identifying information.
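The check shown in the screenshots (opening the database in DB Browser for SQLite and looking for the body of an encrypted message) can be scripted so an administrator can verify the problem before and after applying the System Preferences → Siri change. The script below is an added example and is not code from the original post or from Apple: it sends no mail, it simply searches every table and column of a SQLite file for a canary phrase that you placed in an S/MIME-encrypted message to yourself. If the phrase is found, the encrypted body is being stored in the clear. The database path, the canary phrase and the sample schema are all assumptions supplied here for illustration; Apple's real schema is not reproduced.

```python
"""Audit a SQLite database for plaintext of a message that was sent encrypted.

Added example, not from the original blog post. Workflow:
  1. Send yourself an S/MIME-encrypted message whose body contains a unique
     canary phrase (e.g. "CANARY-7f3a2c").
  2. Run this script against the suspect database; the path is an assumption
     you supply on the command line.
  3. A hit means the decrypted body has been written to disk unencrypted.
  4. Apply the mitigation (System Preferences -> Siri, disable learning for
     Mail), send a fresh canary, and re-run to confirm nothing new is stored.
"""
import sqlite3
import sys
from typing import List, Tuple


def quote_ident(name: str) -> str:
    """Quote a SQLite identifier so odd table/column names cannot break the query."""
    return '"' + name.replace('"', '""') + '"'


def list_tables(conn: sqlite3.Connection) -> List[str]:
    """All user tables in the database, in creation order."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY rowid"
    ).fetchall()
    return [r[0] for r in rows]


def list_columns(conn: sqlite3.Connection, table: str) -> List[str]:
    """Column names from PRAGMA table_info: (cid, name, type, notnull, dflt, pk)."""
    rows = conn.execute(f"PRAGMA table_info({quote_ident(table)})").fetchall()
    return [r[1] for r in rows]


def find_canary(conn: sqlite3.Connection, canary: str) -> List[Tuple[str, str, int]]:
    """Return (table, column, match_count) for every column containing the canary.

    Every column is searched, not just TEXT ones: SQLite is dynamically typed
    and message bodies may be stored as BLOBs, so each value is CAST to TEXT.
    """
    hits: List[Tuple[str, str, int]] = []
    pattern = f"%{canary}%"
    for table in list_tables(conn):
        for col in list_columns(conn, table):
            query = (
                f"SELECT COUNT(*) FROM {quote_ident(table)} "
                f"WHERE CAST({quote_ident(col)} AS TEXT) LIKE ?"
            )
            (count,) = conn.execute(query, (pattern,)).fetchone()
            if count:
                hits.append((table, col, count))
    return hits


def audit_file(path: str, canary: str) -> List[Tuple[str, str, int]]:
    """Open the database read-only (so the audit cannot alter it) and search it."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return find_canary(conn, canary)
    finally:
        conn.close()


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample; the schema is invented for this example only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT, content TEXT);
        INSERT INTO messages (subject, content) VALUES
          ('Lunch', 'see you at noon'),
          ('Encrypted test', 'CANARY-7f3a2c this body was sent S/MIME encrypted');
        CREATE TABLE metadata (k TEXT, v TEXT);
        INSERT INTO metadata VALUES ('version', '1');
        """
    )
    return conn


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python audit_snippets.py /path/to/suspect.db CANARY-7f3a2c
        results = audit_file(sys.argv[1], sys.argv[2])
    else:
        # No arguments: demonstrate against the constructed sample database.
        results = find_canary(build_sample_db(), "CANARY-7f3a2c")
    if results:
        for table, col, count in results:
            print(f"PLAINTEXT FOUND: {table}.{col} ({count} row(s))")
        sys.exit(1)
    print("canary not found: no plaintext copy of the encrypted message")
```

Because the script enumerates tables and columns from `sqlite_master` and `PRAGMA table_info`, it needs no knowledge of the database schema, which is what you want when auditing an undocumented store; the exit code lets it run as a compliance check across a fleet.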