Although Apple uses end-to-end encryption for both iMessage and FaceTime, it doesn’t do the same for iCloud backups. They are encrypted, but Apple holds the key, meaning that the company has access to a copy of almost everything on your phone – and that includes stored messages.
I’d long expected Apple to fix this, but a report today claims that the company has decided not to…
I’d expected Apple to switch to end-to-end encrypted iCloud backups for two reasons. One, it fixes a hole in Apple’s privacy claims. Two, it would make life much simpler when governments come knocking on Apple’s door demanding access to someone’s backup. Right now the company has to make often tricky decisions about whether or not to comply; with end-to-end encryption, it would be able to shrug and say that it has no means to decrypt them.
Apple referenced these sometimes difficult decisions in its latest transparency report.
Our legal team reviews requests received to ensure that the requests have a valid legal basis. If they do, we comply with the requests and provide data responsive to the request. If we determine a request does not have a valid legal basis, or if we consider it to be unclear, inappropriate and/or over-broad, we challenge or reject it […]
For example, Apple may reject a law enforcement request if it considers the scope of data requested as excessively broad for the case in question. We count each account-based request where we challenge it in part, or reject it in full, and report the total number of such instances by country/region.
Apple details the percentage of cases where it handed over the requested information. This ranges from 0% in countries like Qatar, Iran, and the United Arab Emirates to 100% in the case of a number of countries, including Finland, Malaysia, and South Africa. The figure for the USA was 84%.
Today’s report on iCloud backups
A Reuters report today claims that although Apple was working towards end-to-end encryption for iCloud backups, it has now abandoned the plan. Furthermore, it says that this was a result of pressure from the FBI.
Apple abandoned plans to release an end-to-end encrypted version of iCloud backups after facing complaints from the FBI who told Apple that it would hinder their investigations.
The report says that Apple was working on the feature more than two years ago, but it was cancelled after the FBI raised concerns. One employee said “legal killed it, for reasons you can imagine.”
I think Apple’s decision is wrong
On a point of principle, I do think that’s the wrong decision. Personal data has never been more at risk, and any weakness in privacy protections designed for use by the good guys is one that is at risk of exploitation by the bad guys. That’s why I’ve always been opposed to any backdoor into iOS.
It’s also my view that the most dangerous criminals and terrorists are the ones smart enough to protect their data and communications. There are readily-available forms of encryption that can disguise the fact that they are even using it.
Steganography is an example of this. An encrypted message is embedded into something like a JPEG file. To anyone examining it, it would appear to be a perfectly ordinary photograph, with no clue to suggest that it contains a message. But with the right software, and the encryption key, the message can be extracted. You can do the same with any file, from a spreadsheet to an app. Any smart terrorist will be using this kind of technique, not WhatsApp or iMessage.
Yes, dumb criminals will do dumb things, but they are mostly not the ones posing major risks.
But I think it’s understandable
By taking this route, Apple achieves three things.
First, it will be able to help law enforcement most of the time. Most criminals are not techies, and won’t realize that using iCloud backup means Apple can access all their data. So while law enforcement agencies will still attempt to pressure Apple, as the FBI has done in both the San Bernardino and Pensacola shootings, it’s nothing compared to the pressure that would be applied if the backups were unavailable.
Second, it keeps the risk of compromise extremely low for ordinary users. It would require a bad guy with a very special contact within Apple able to access the backups. My guess would be that Apple only makes that privilege available to a tiny number of employees – just enough to keep up with law enforcement demands – and vets them rigorously. The risk of abuse is close to zero for the average law-abiding iPhone owner.
Not quite zero. A corrupt employee is always a risk if enough cash is at stake, even at very senior levels. Plus, of course, innocent people do find themselves investigated by law enforcement and the subject of search warrants, physical and electronic. But personally I consider the risk sufficiently low that I happily use iCloud backups myself.
Third, it allows those who aren’t happy with even this tiny risk to opt-out. Simply decline the option to toggle on iCloud backups, and make encrypted backups locally, on a Mac. In this way, Apple has no access to them.
So while it isn’t the ideal approach by Apple, it is a pragmatic one with few downsides. And one that might, in the long-run, reduce the risk legislation forcing Apple to compromise iOS, which would create massively greater risks.
Were I Tim Cook, I couldn’t say for sure that I wouldn’t make the same decision, however reluctantly.
What’s your view? Has Apple made the right decision? The wrong-but-understandable one? Or just the wrong one, period? Please take our poll, and share your thoughts in the comments.
FTC: We use income earning auto affiliate links. More.