Doubt has been cast on the story that Apple gave in to FBI pressure on iCloud backups, and abandoned plans to switch to end-to-end encryption for these.
In particular, it appears that the timing behind the claim may not be right…
Current iCloud backups are encrypted, but Apple holds the key, so can access the data. When law enforcement agencies want to access a locked iPhone, Apple cannot help them directly, but it can provide them with a copy of any iCloud backup of the device. This will include almost all of the data stored on the phone.
Apple receives government requests relating to hundreds of thousands of devices. In the first half of last year, for example, the company revealed that it received requests for over 195,000 devices, and provided data for 82% of them — or around 160,000 devices.
Apple uses far stronger end-to-end encryption for its two messaging services, iMessage and FaceTime. Here, Apple does not hold the key, and cannot read intercepted messages. (Although iCloud backups may contain stored copies of messages, which can be read.) We’ve long expected Apple to eventually adopt end-to-end encryption for iCloud backups too, meaning that Apple would be unable to decrypt any of the data.
However, it was yesterday claimed that Apple abandoned this plan following pressure from the FBI. I expressed the view then that this was the wrong decision on Apple’s part, though it would be an understandable one. In our poll, 37% agreed with me, though 55% said it was wrong, period. Fewer than 6% felt it was the right thing to do.
Doubt cast on ‘FBI pressure on iCloud backups’ story
Admittedly pro-Apple pundit John Gruber had already questioned the story.
Menn is a solid reporter and I have no reason to doubt what he is reporting. What I suspect though, based on (a) everything we all know about Apple, and (b) my own private conversations over the last several years, with rank-and-file Apple sources who’ve been directly involved with the company’s security engineering, is that Menn’s sources for the ‘Apple told the FBI that it planned to offer users end-to-end encryption when storing their phone data on iCloud’ bit were the FBI sources, not the Apple sources, and that it is not accurate.
It simply is not in Apple’s nature to tell anyone outside the company about any of its future product plans. I’m not sure how I could make that more clear. It is not in Apple’s DNA to ask permission for anything. (Cf. the theory that a company’s culture is permanently shaped by the personality of its founders.)
Encrypting iCloud backups would be perfectly legal. There would be no legal requirement for Apple to brief the FBI ahead of time. Nor would there be any reason to brief the FBI ahead of time just to get the FBI’s opinion on the idea. We all know what the FBI thinks about strong encryption.
If Apple has indeed abandoned its plans, argued Gruber, that would be because it would then be unable to help customers who lost or broke their iPhone and couldn’t remember their iCloud password.
But he later noted that there seems to be some hard evidence that the report is inaccurate. Namely, the timing doesn’t seem to add up. The story claimed that Apple made the decision “about two years ago,” while CEO Tim Cook indicated in an interview with the German press a year later that these plans were still likely to come to fruition.
Our users have a key there, and we have one. We do this because some users lose or forget their key and then expect help from us to get their data back. It is difficult to estimate when we will change this practice. But I think that in the future it will be regulated like the devices. We will therefore no longer have a key for this in the future.
A native German speaker said that the word “regulated” was a poor Google translation, and that a better translation would be “handled” like the devices — that is, end-to-end encryption would be used.
FTC: We use income earning auto affiliate links. More.