While the defaults are typically to use what the browser or OS has for storage and sync of the passkeys, you can use other things.

Like KeePassXC:

https://keepassxc.org/blog/2024-03-10-2.7.7-released/

As for attestation to how the key is stored securely (like in a hardware key), Apple’s implementation doesn’t support it for iCloud ones, so any site that tries to require it wouldn’t work for millions of people. That pretty much kills it except for managed environments (such as when a company provides a hardware key and wants to make sure that’s the only thing that’s used).

What separate auth operation is needed besides authenticating with the local device to unlock a passkey?

More usable for the average user and more supported by actual sites and services, so yes.

The problem is people you know may still have social media and they can tag you or include your info in the descriptions, even if you don’t have a profile. Companies collecting this info from social media can totally build a shadow profile if they want, especially if they’ve got like 5 photos that have a matching face and the description has the same tag or name in it.

Regarding the DMV thing, it looks like they don’t sell the photos but do sell other data that may be useful in cross-referencing things: https://www.vice.com/en/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars

Amassing a huge dataset to search through with all the metadata (usernames, names, etc) is the part than an individual would probably have trouble with doing, not the actual “is this a photo of the person in this other photo” part.

The lies you are able to generate will likely never outweigh all of the accurate data other people create and definitely won’t remove it, just add some noise.

It doesn’t even have to be your friends. It could just be you walking by in the background of a photo someone else took.

For this feature though they’ve tried to select the topics to be ones that “[do] not include sensitive categories (i.e. race, sexual orientation, religion, etc.)”. The list is also public and gambling is not on it:

https://github.com/patcg-individual-drafts/topics/blob/main/taxonomy_v2.md

While this won’t satisfy those who want no individualized ads or no ads at all, it would be an improvement over what we have now and put control over what topics are used (or even if it’s enabled at all) in the local browser instead of some server online.

Isn’t this client-side solution for analyzing the history and coming up with ad topics for sites better in your scenario than the server-side solutions currently in use though? A government would have a much harder time trying to get access to the data when it’s on each individual’s device, rather than a profile created through an online ad service.

That’s one of my main problems with Microsoft at this point. They can make improvements to the underlying technologies (WSL, better security sandboxing, FDE by default on supported hardware, etc) and develop actually decent software (Edge) but then they keep doing things to piss off the users like forced online account logins, the mess they made of the default app selection going from 10 to 11, pre-installed junk, and now this. They just need to get out of their own way and focus on making decent products: ones people want to use, instead of ones they’re coerced to use.

The least they could do is bring back the Office of Technology Assessment to help them understand things:

https://en.wikipedia.org/wiki/Office_of_Technology_Assessment

I’m not sure which thing you’re referring to.

If it’s between http and https, the s stands for secure and the connection to the server is authenticated and encrypted.

I don’t think a spanned volume is quite what they were after. I’m pretty sure macOS uses the SSD part as a cache and it’s used mainly for increasing the performance of the relatively slow but large capacity HDD. Nowadays though you might as well just go with all SSD in most cases if performance matters.