I really like Apples pro-privacy stance, in contrary to Google & Microsoft.
Hopefully sometime soon Apple will also encrypt iCloud contents so data from non-american people (europe in my case) is protected against the US government prying eyes.
Our data/privacy seems pretty well protected inside Europe, but in America we seem to have 0 privacy rights (America first...!)
I think that's not true, note this line in the doc you link to:
"...and never provides encryption keys to any third parties".
The data might be stored encrypted, but Apple seems to have access to the encryption keys.
I've read that they need to be able to decrypt data to be able to comply with government requests.
I'm not sure if this is still the case now in 2017, but i assume so, until i read otherwise :)
I can't tell if you're implying that they store iMessages unencrypted, but iMessage is encrypted end-to-end. Backups of your phone, which may or may not contain message histories, are only encrypted at rest.
^ I am implying that they are storing iMessages unencrypted. The iMessages on iPhones/iPads are part of the 'backup' for each device and they are not encrypted at rest on the iCloud server.
As far as I've read, the iCloud backups have always been encrypted at rest, and Apple is apparently working on improving it to the point where they do not hold any decryption keys to the backups [0].
That's why, when you set up a new device, up until now it would not have your message history - because the message history can only be decrypted on devices that are already-authorized. If you restore a backup in its entirety, that includes the message log and the encryption key, but if you set up the device as "new", you only get the newly received messages - since it needs your password to decrypt the backup, it had no way to decrypt the message history from backup on the cloud and only sync that down to the new device (which always bothered me in terms of convenience). I think they're working on improving the usability of it in upcoming releases though.
My source, while I wholly acknowledge this is anecdotal and not evidence, is someone in law enforcement tasked with retrieving message logs for investigations. I was pretty skeptical but I've yet found any proof or documentation from Apple's support docs disproving this.
I also recall from the San Bernadino case that the FBI/Apple had the ability to get historic message history from the iCloud backup but the FBI pushed for decrypting the device because of the most recent and not backed up messages.
As for your scenario -- doesn't that explicitly confirm that the messages are not encrypted safely at rest? You can restore to an entirely new device, using the same backup, and retrieve the messages.
Which includes a section about iCloud security, including the following section:
iCloud secures the content by encrypting it when sent
over the Internet, storing it in an encrypted format,
and using secure tokens for authentication.
I am no security expert, but I am pretty sure FBI wouldn't have a huge fight with Apple if they had any way to get to the data directly (and once they figured out they could use a vuln in the old iOS to break into the device, they did indeed drop the fight).
> FBI/Apple had the ability to get historic message history from the iCloud backup
Right, because they reset the shooter's Apple ID password. Not because the backup was in plaintext.
> As for your scenario -- doesn't that explicitly confirm that the messages are not encrypted safely at rest? You can restore to an entirely new device, using the same backup, and retrieve the messages.
How does that follow? You still need to supply your password to decrypt the backup before you can restore it. From the same security whitepaper:
When files are created in Data Protection classes that aren’t accessible
when the device is locked, their per-file keys are encrypted using the
class keys from the iCloud Backup keybag. Files are backed up to iCloud
in their original, encrypted state. Files in Data Protection class
No Protection are encrypted during transport.
The iCloud Backup keybag contains asymmetric (Curve25519) keys for each
Data Protection class, which are used to encrypt the per-file keys. For
more information about the contents of the backup keybag and the iCloud
Backup keybag, see “Keychain Data Protection” in the Encryption and Data
Protection section.
The backup set is stored in the user’s iCloud account and consists of a
copy of the user’s files, and the iCloud Backup keybag. The iCloud Backup
keybag is protected by a random key, which is also stored with the backup
set. (The user’s iCloud password isn’t utilized for encryption so that
changing the iCloud password won’t invalidate existing backups.)
While the user’s Keychain database is backed up to iCloud, it remains
protected by a UID-tangled key. This allows the Keychain to be restored
only to the same device from which it originated, and it means no one
else, including Apple, can read the user’s Keychain items.
On restore, the backed-up files, iCloud Backup keybag, and the key for
the keybag are retrieved from the user’s iCloud account. The iCloud Backup
keybag is decrypted using its key, then the per-file keys in the keybag
are used to decrypt the files in the backup set, which are written as new
files to the file system, thus re-encrypting them as per their
Data Protection class.
I think its a great differentiator for Apple. It'll help them sell products like the HomePod and other products in the privacy sensitive "smart home" space.
Don't feel bad, most Americans don't have privacy rights either. :)
I've been saying this for awhile, that I trust Apple a lot more since they aren't directly incentivized to sell out their users for advertising. I LOVE iOS as a platform, as a user of both Android and Windows Phone there is simply no comparison, iOS blows both away.
>...since they aren't directly incentivized to sell out their users for advertising...
Is that due to Apple being pro consumer privacy or because they have $250 billion in cash? When the cache of cash drops does Apple start adding ads and tracking its users?
It's because they sell their hardware, software and services to consumers, not to ad buyers. It has nothing to do with their cash hoard (Apple is perfectly happy to maximize their profits regardless of cash on hand).
It is nice that Tim Cook is pro consumer privacy and that gets baked into the company culture, but Apple is also financially motivated to continue this stance (it's a major differentiating factor and marketing point).
>Hopefully sometime soon Apple will also encrypt iCloud contents so data from non-american people (europe in my case) is protected against the US government prying eyes.
Also not American myself, but I think legally it should be quite the opposite: NSA and CIA can "legally" spy non-US citizens. It is illegal for them to spy US citizens.
"Spying on citizens of other countries" is pretty much the job description of every spy agency in every government around the world (and many add "spying on their own citizens" as well). We may not like it, but it's not exactly a surprising state of affairs.
I'm not sure what the job description and constitutional limits of all spy agencies around the world are. What can Swiss authorities look into without a court order for instance? I don't know.
But in any event, there is only one country with a significant globally active IT industry and a capable globally active spy agency. That combination is becoming more problematic, which is unsurprising as well.
Why do you make it personal? I'm just mentioning current US law. The Snowden scandal wasn't because the NSA was spying people, it was because it was spying US citizens without a warrant. The NSA and CIA purpose is to spy the rest of the world in order to "keep Americans safe".
I'm leaning towards picking up an iPhone next, just to show some support for the solid pro-privacy stance Apple has taken in recent times. Uber isn't going to be happy with this at all, and that's a great thing.
I've been an Android user since my first smartphone, but Apple's privacy and human-hand-sized phones really had me considering an iPhone for my next purchase. I ended up with a Pixel anyway, since I can't use iTunes and I like having a filesystem and using Firefox, but it was a near thing.
I thought 3rd party browsers have to use the system HTML renderer, which means Firefox can't support extensions like uBlock, Toggle Animated Gifs, etc.
My Chinese girlfriend disputes this. Even the iPhone SE is a bit big for her, and it's just there to consume left-over parts rather than to be a living branch of their design space. No touch-screen phone maker is really serving the Asian market at this point, as far as "idiomatic" one-handed usage goes; they're seemingly expecting everyone with small hands to just treat their phones like phablets, juggling them around in both hands every time they want to tap anything.
A few months ago they changed their app so that iOS users no longer had the "only while using" option for location access, and announced plans to stalk users even after their rides had ended.
We could try to build a network to deliver applications, which would stop when you close them. We only need a system to map names to ips and some standards for protocols. We could even run them in a sandbox for security. Would be awesome.
It's not necessary to uninstall the app after each use to prevent tracking - in Settings...Privacy...Location Services, you can disable location on a per-app basis.
(this is admittedly a pain, and Apple enforcing in-use-only option availability is a welcome change)
That's what the "Only While Using" option is all about. In iOS 10 (and earlier), apps could choose to request location tracking "Only While Using" or to request it "Always". Uber switched from the former to the latter. And the article you're commenting on is all about how iOS 11 will add "Only While Using" back as an option for all apps, so you can set it that way even though Uber doesn't want you to.
It is not allowed for apps to refuse to run without location permissions. If you do that the app will be rejected. So no, 'usually' apps do not do that. iOS is not Android.
Screw any app that really thinks it needs my precise coordinates in the foreground, let alone the background. Turn-by-turn directions in maps is the only exception I've found in 10 years of iPhone use.
Off the top of my head, any app involving directions – public transport, say – can reasonably use precise coordinates. Uber is also a reasonable use-case (when you want it to use that data) given the density of some city streets. Then there are location-sharing apps generally, or apps where you want to check in to locations (maybe a bit fuzzier, but there could be a lot of taggable locations within say 500m), or camera applications, or geocaching, or…
It's great to have control, and it would be even better if we were able to specify the accuracy an app is able to achieve. But there are obviously some reasonable use-cases for both foreground and background tracking.
For an app like that, I'd like to see a "approve every request" option. I don't always need my transit app requesting my position (even if only when in the foreground) when I really only need to look up the nearest stop occasionally.
I want to be tracked by Google. I went out of my way to turn it on in iPhone. My location is leaked to cell towers and by what wifi network I'm connecting through anyway, and I'd rather be able to figure out which cool restaurant I went to months after my visit to Vilnius is over.
Plus my memory of my personal life is so unreliable, especially if I don't have any context, so if I'm ever in court I'd like to be able to share exactly where I was when I was there.
I've stopped thinking that real privacy is attainable. That being said, I refuse to share it with scummy companies like Uber.
A car dealership who botched a warranty repair on my vehicle is stonewalling me - once they realized the error was likely to cost them $2k - $3k, their service department deleted my file and began claiming no evidence exists that I had ever been to their location. I got the scheduling department to confirm my appointment and just found my location history for that day showing that I was at the dealership right on time during the appointment. Going to send this to the manufacturer's corporate complaints departments. Thanks for the heads up.
Google's location history is excellent and I'd gladly pay for an equivalent application which I could self-host and set up with the minimum of hassle, but having them do it creeps me out too much. I've not managed to work out how to get OwnTracks to substitute fully for it.
Awesome, thanks for the link. I had been using Moves by ProtoGeo
https://appsto.re/us/PNDwE.i and it's not very accurate. Still good for going back and remembering that awesome random place you found on vacation after the fact so you can recommend it.
I also wish the NSA had something like a personal data explore, but I know that will never happen.
Unfortunately I've not found WHIB to be enormously accurate either, but it does well enough. The main nuisance is interpreting having paused whilst walking past an establishment has having gone in it.
Even Google's version couldn't get this right, at least in my case.
Explicitly decided to keep Google Maps' location history activated on my device for precisely the same reasons. I'm yet to use it in court or something like that, but the argument about human memory resonates with me strongly - I've used location history many times to review e.g. on which day I was in some place or other few years ago. (Or once, years ago, to check how exactly did I get home after one party.)
RE people saying "just take a photo and use EXIF", that won't work because I don't know in advance what locations I will be interested in in the future.
Apple's API don't discriminate with regards to precision. An app that shows nearby stores with a 1km radius precision requires the same level of permissions as an app that's trying to do 1m precision.
Apple's API allow very fine-grained control of both the accuracy and frequency of location updates, depending on, among other things, running in the foreground/background, the user's location etc.: https://developer.apple.com/library/content/documentation/Pe...
There's currently no explicit penalty for requesting too much information, but the battery power indication could probably get users to uninstall apps wasting energy, and it can even get you app terminated.
Unlike Android which have precise and coarse location. If Google wanted, they could limit precise to GPS and similar apps and force everyone else to use coarse location or geo fencing.
Unfortunately Google doesn't care about your privacy. In fact, it's only a matter of time before they remove coarse locations and/or give every app full access to location data (the same way they did with internet access).
That's a good point. Maybe app developers should be able to request the level of access they want, like precise location, neighborhood (postal code), city, state or country.
If an app never needs more precise information than the country (say Spotify trying to decide whether they operate in your country), they don't need to request it. That also guards against bugs or security breaches in apps that try to do the right thing.
Right. An application can ask for what it wants (low accuracy is much faster and burns less battery since it doesn't start GPS) but there's no way for the user to say that an app can ONLY get low accuracy data.
That's your personal choice and desired level of privacy. I like that my Lyft app knows where to set pick up and that my transit app knows the nearest street car location.
Agree with the OP that Uber can burn in hell for "always on"; I guess just in case I need an emergency Uber ride :-/
But feel free to just uninstall all those other apps that I love using.
Geotagging in photos it pretty useful. And find my iPhone. Then there's Pokemon Go - maybe not your cup of tea, but a lot of people love it. It's pretty useful to be able to share your location with someone in iMessage, I've done that a few times. Your mileage may vary.
I'm as willing as the next guy to dump on Uber, but in this case Apple didn't leave them many options.
If they chose "while in use" then a ton of functionality would never be possible for any user whatsoever... because the only options they had were, to coin some temporary terms:
Option A: "All or nothing with behavior 1 (while app is in use only)"
or
Option B: "All or nothing with behavior 2 (always use location whether app is in use or not)"
If they chose option A, their app would be a lot less useful.
If they chose option B, they piss off some people who think they should have offered option A. But Apple would not allow them to offer both option A and option B.
Now, with this upcoming change in iOS 11, Apple will allow them to offer both options, if they choose to.
Sorry, what functionality do I need from a ride sharing app while I'm not using it to hail a ride, wait for a ride, or while on a ride? Given Uber's infamous "hustle" and some of their other software hijinks, I very much doubt that their intentions in this decision were for the benefit of their users. I'd further wager that they use this info to e.g. Track when an Uber user takes a Lyft or competing ride service ride. I don't personally have evidence of this occurring, but given e.g. https://m.slashdot.org/story/324911 and that it's technically possible, I would assume that they're doing it.
While you're walking to where your ride will pick you up you can be, for example, checking your email, and your location will update as you move. Of course you could stand in a fixed position and keep perfect discipline about staying in the Uber app instead, but that's a very inflexible user experience.
This is not true. Apple has had the "only while using" option available to developers for some time. Now Apple is just allowing the user to have that option even when developers didn't explicitly enable it.
Turned location off for Uber for this reason. Makes the app less useable - but still worth it. Without that feature, I'd rather just wave a taxi in (depending on city). Makes me feel like Uber is hostile towards users instead of servicing them.
Waze uses that info to let you know when you have to leave for your appointment, including regular appointments you have but did not tell it about (if you drive to "5 Mcdonald Road" every day, around 4pm, then after a while, it will start suggesting it).
I dislike this feature intensely, so I actually have my location services turned off, and I only turn it on before using Waze or Maps.
(Oh, and it seems that the Apple "Use location to set timezone and GPS to set time" will use the GPS even if you turned that specific feature off - unless all location servies have been turned off. Or at least, that's my experience, but it might just mean my phone is bugged).
> Oh, and it seems that the Apple "Use location to set timezone and GPS to set time" will use the GPS even if you turned that specific feature off - unless all location servies have been turned off. Or at least, that's my experience, but it might just mean my phone is bugged
You sure it isn't just getting that info from the cell towers?
I am sure that the small triangle indicator comes up for a few seconds occasionally (I notice once in a couple of days) despite every single system service and app location permission being "off", and that the "time setting" is listed as "having used location services in the last 24 hours" (the indicator is never there long enough for me to get a "using it now" reading).
When the entire "location service" is off, it does not happen (it might use the services for all I know, but the indicator doesn't light up)
iOS currently has both "Aways" and "Only While Using" options, but the developer specifies which are available to the user. iOS 11 now forces the "Only While Using" option to be available for all location using apps.
> Keep in mind that some apps may not show all three options. This is most likely because the developer has not yet implemented the while using this app option.
Next battle: getting Apple to give users more granular Location controls. Almost NO App really needs precise GPS. "within a mile" or city or zip code or other fuzzier locations should be fine for most apps. Users should have a better trade-off than exact or nothing.
This is great. There are a lot of apps that are a hassle to use, because I have to enable/disable their location access before/after using them to protect my privacy and battery. Looking at you Waze et al.
I've uninstalled Waze multiple times, being reminded that it has been accessing my location in the background while sitting at home relaxing always upset me.
>There's no good reason it should do so when backgrounded.
Wrong, and it's especially irksome that just because you cannot think of a good reason, you leap to the unfounded conclusion that there is no good reason.
When you are driving and not using the app and not even thinking about the fact that you have the app, and not planning to use it, it can still be gathering useful traffic information to help route other users according to the current conditions on the route you are traveling. By the way this takes a super negligible amount of power because it can piggyback its use of system services (location, data transmission, etc.) on top of other already running services.
Then explain that to users and let them decide what they want to share instead of opting everyone in by default with no choice to opt out (this is really more "forcing" than "opting" if there is no option).
There is no opting everyone in by default for location on iOS. They have to explicitly opt themselves in, if they want to. Otherwise they are opted out by default. This goes for all apps and is enforced by Apple in order to maintain a good experience for the user.
I can't think of an example where it would gather useful location data while I'm sitting at my home that couldn't be inferred if it was only allowed to use geo while in-app.
Just because you can't come up with any examples doesn't mean that other people can't. You aren't the only person capable of thinking of examples.
Some examples:
It's useful to know when you have arrived home and are no longer moving.
It's useful to know when you have started moving and left home.
It's useful to know where your home is so that it can guide you home and for other traffic related reporting reasons listed above and below.
It's useful to know where other homes are or other places you spend time, where it may be significant that you are arriving and staying for a long time, as opposed to for just a minute or two (as at a traffic light).
It's useful to know that your non-motion is not an indication of traffic being stopped on your road.
It's useful to know that non-motion when you are away from your home may be an indication that traffic is stopped on the road you are on.
All of these are directly relevant to explicit, openly featured Waze use cases.
There is a specific option to let them do that. It's accessible both from your phone and web browser. It appears on the very first page of it, that you linked to, at the bottom, "pause location history", in a big box the same size as the other major points, it's even listed before the list of your known "common locations" such as home and work.
I'm not saying it shouldn't be opt in rather than opt out, it should, but that's still a far way away from hiding it from the user.
PS: I'm a very big user of permanent location history and it's a feature I enjoy, I would actually like to make it more granular / precise with more regular updating of my position if possible.
Yay! I almost always use lyft now because Uber only allowed the "always on/never" location options. Occasionally I'd be somewhere where Uber was the only option and it was annoying to go into location services and manually perform what should be a system function ...
Yes, turning Background App Refresh off goes a long way toward achieving this (and saving battery). Even with Background App Refresh turned off though, some activities may continue, particularly Location, audio, voice, and the like [https://developer.apple.com/library/content/documentation/iP...]. This is why it's Location "While Using" is important. It also looks from OP's comment [https://news.ycombinator.com/item?id=14502423] that (some of?) these features will be more prominently displayed to users. This is good, users should have complete knowledge and control of their devices, particularly as it affects privacy.
Exactly my question. Buried deep in location services is a frequently visited locations that apps have access to even if they only have access "only while using."
I didn't know of that, thanks a lot for sharing!. Reminds me of the Google Location history on Android devices that shows you scaringly accurate where you went during your day.
In iOS 10 Settings > Privacy > Location, under the "Location Services & Privacy link, it says: "Your iPhone will keep track of places you have recently been, as well as how often and when you visited them, in order to learn places that are significant to you. This data is kept solely on your device and will not be sent to Apple without your consent. It will be used to provide you with personalized services, such as predictive traffic routing." This is consistent with Apple's philosophy of keeping personal data processing on-device as much as possible to protect user privacy. You can always keep the frequent locations feature turned off, or use "Clear History..."
Awesome! I never ever turn on location, but this one app requires it, and there is no way to set it to 'only while using', got annoyed and now I toggle it, not ideal. This is great.
It is annoying. My kids play some games on their phones I downloaded back in 2009. Lemonade art and is one. The game doesn't even appear on the App Store anymore and only works with older versions of iOS, but if your phone is compatible you can still download it from the 'Purchased Apps' section.
All that will go away, but on the other hand I really don't expect them to support 32bit apps forever. You always have the option of simply not upgrading iOS. It's a trade off.
Apple doesn't force updates. You can simply ignore the OTA update. I believe you'll get prompted again every time a new update is released, but hitting "Ignore" occasionally is a small price to pay.
Constant popups _are_ the means to force updates. In addition they also throw up a nagware screen where they trick you to enter your pin to schedule updates. Apple employs several dark patterns, on iOS, and also on MacOS to trick the user and its rather sad to see them follow MS/FB/Google.
>I believe you'll get prompted again every time a new update is released,
That is not true. They do it multiple times for the same update. Look, I wouldn't care if they were simply security updates, but Apple updates bloat up and slow down the phone over time. On top of that, what makes it even more egregious is that they make it impossible for me to downgrade, and go back to a state where the phone was working just fine and I was happy with it.
>but hitting "Ignore" occasionally is a small price to pay.
You make it sound like its once in a year. Unfortunately, Apple constantly nags you to the point where, unless you're constantly looking out for it, its easy to accidentally hit the wrong button. Its sad that they have had to resort to tricking the user to drive their update stats.
They show an alert saying something like "A new version of the OS is available." [Update] [Ignore].
That's not a dark pattern. It's easy to just Ignore. I have a number of development devices using older versions of the OS and I've never had any problem avoiding updates.
> On top of that, what makes it even more egregious is that they make it impossible for me to downgrade
That's mostly the fault of the baseband.
> Apple constantly nags you to the point where, unless you're constantly looking out for it, its easy to accidentally hit the wrong button.
This is just flat-out wrong.
> Its sad that they have had to resort to tricking the user to drive their update stats.
Yes, it may, depending on the use case - so we will have to do a better job convincing users that there is value in allowing the use of location "at all times"...
I like all the new things coming in iOS11, including this. I recently got my first iPhone and it's on iOS10. Do users like me get to upgrade just the OS on the same handset when they release iOS11? I haven't found the answer to this on some of the apple articles I have browsed.
It's worth mentioning though that there's often not a 100% feature parity between iOS versions on different devices, typically because of hardware changes. These even applies to devices of the same generation, e.g. iPhone 7 and iPhone 7 Plus have different camera features since the latter has two cameras and the former just has one.
The differences between feature sets on different generations is less and less it seems though. If I recall correctly, the differences between the iPhone 3G and iPhone 4 was bigger than for instance iPhone 6 and iPhone 7. If I weren't such a sucker for new and shiny things, I'd probably buy an iPhone SE today.
And my Galaxy Nexus stopped receiving updates 2-3 years ago despite it being a Google device (mine was also straight from the Google store, so it wasn't the carrier's fault).
Cyanogenmod supported the Galaxy Nexus until 13.0 which is Android 6.0.1. So Google just dropped support after 4.3 (coincidentally the last unsupported version) even though it was absolutely possible to update to newer versions of Android. As a result the Galaxy Nexus doesn't receive security updates from Google and is thus not usable as an online device.
While iOS upgrades are usually free these days, it hasn't always been like this. According to wikipedia, iOS 1.1.3 was a paid upgrade on iPod Touches (while being a free upgrade for iPhones).
No they are right. Due to some sort of accounting thing once upon a time on some of the first iPod touches there would be a small fee to upgrade the OS.
Killing 32-bit-only-applications sucks for those apps that haven't been updated in years, but it speeds up the OS and should give you a bit of disk space back as well.
The difference in disk space is basically nonexistent (I could gain significantly more by removing the 32b apps applications, especially since most are games), and the OS speedup/memory gain should be limited and mostly applicable to when you're actually launching 32b applications.
In order to support 32-bit apps the OS needs to include 32-bit versions of all the system frameworks. So dropping support for 32-bit apps means cutting the size of all the system frameworks in half.
As for speedup/memory gain, merely launching a 32-bit app will cause the OS to get a bit slower / use more memory until such time as the app is actually killed by the system. Merely going back to the home screen isn't good enough, since apps stay suspended in the background until the OS decides it needs that memory back. And if you have any 32-bit apps that actually do background processing, you'll end up with 32-bit apps in the background frequently.
> In order to support 32-bit apps the OS needs to include 32-bit versions of all the system frameworks. So dropping support for 32-bit apps means cutting the size of all the system frameworks in half.
Less than half as 32b code objects will be smaller than 64b ones, but even if it's half how much storage is that exactly? I mean I probably have games bigger than the frameworks on my device.
> As for speedup/memory gain, merely launching a 32-bit app will cause the OS to get a bit slower / use more memory until such time as the app is actually killed by the system.
Well yeah so it's just pay for what you use aka who gives a shit.
> And if you have any 32-bit apps that actually do background processing
Which is unlikely given the vast majority of applications being killed by this move are games.
I mean let's be honest for once, the gain from removing 32b frameworks is pretty much entirely on Apple's side, there's little gain to be found for end users when they're not just plain losing value in this move.
> I mean let's be honest for once, the gain from removing 32b frameworks is pretty much entirely on Apple's side
I've given you multiple concrete benefits to end users. You may not personally care about the code size difference, and you seem to be completely discounting the speed / memory usage issues, but just because you personally don't think those are a big deal doesn't mean they don't actually exist.
Think carefully before upgrade. You can't downgrade after you upgraded and new upgrades are known to significantly slow down old devices. My iPhone 4S became unusable after iOS 7 and it's almost bricked with iOS 9. This is Apple way to force users to buy new phones.
That said, they force developers to discontinue support for old iOS versions, so if you don't upgrade, you'll stuck with old apps and some might stop work if they rely on remote servers with changed protocols. So if you want to use iPhones, be prepared to buy new phone every 3-4 years.
Apple doesn't "force" developers to discontinue support for older OS's. Apple does require that you at least have a build that supports both 32 and 64 bit versions.
Apple also will allow you to download an older version of an app if the newest version doesn't support your hardware. I can confirm that this works back to devices that only support iOS 5 - like my first generation iPad from 2010.
Apple occasionally release upgrades which the hardware really isn't capable of supporting. I think the worst example was the iPhone 4, which was given the iOS 7 upgrade. iOS 7 was basically only suitable for multi-core capable devices, and the iPhone 4 was the only device it was released on (the same generation iPod and iPad didn't get the update).
Apple tries really damn hard to make their stuff run well on all devices and it's very impressive how well they support them.
But if your device is a few years old… You're right that you may want to wait and see what the reviews say. Sometimes the updates actually make the phone feel faster, but sometimes (like iOS 7 with all the new transparency effects) it definitely can be a worse experience.
Hopefully sometime soon Apple will also encrypt iCloud contents so data from non-american people (europe in my case) is protected against the US government prying eyes.
Our data/privacy seems pretty well protected inside Europe, but in America we seem to have 0 privacy rights (America first...!)