One of the ironies of Apple’s long-running battle with the FBI over the agency’s desire for a security backdoor into iPhones is that it could have taken advantage of one which already existed: The fact that iCloud backups of iPhones didn’t use end-to-end encryption. Apple has now finally fixed this with Advanced Data Protection (ADP).
ADP not only closes a privacy hole which should have been closed a long time ago, but will also relieve Apple of the need to engage in any similar legal battles in future …
The security hole of iCloud backups
Apple built iOS with security and privacy as a very high priority. Today’s iPhones in particular are so hard to compromise that it takes nation state-level attacks to do it. These are sufficiently expensive that the vast majority of us are at no risk.
But there is one risk which potentially affects all of us: The fact that almost all of the personal data stored on our iPhones is backed-up to iCloud, and those backups do not currently use end-to-end encryption. This means that Apple holds the encryption key, and anyone with the necessary access within the company could download all of it.
The irony of the FBI battle
Apple famously engaged in an uncompromising battle over an iPhone used by the San Bernardino gunman. The FBI asked for a backdoor into the iPhone, Apple declined, a court ordered the iPhone maker to comply, and the Cupertino company again refused.
Even before the shooting, we’d outlined why Apple should resist pressure to weaken iPhone security even in terrorism cases, and reiterated the unacceptable risks of either of the two approaches which the FBI wanted.
The case led to a Congressional hearing at which then FBI Director James Comey spoke, as did Apple’s General Counsel Bruce Sewell. Things subsequently got very heated, but the irony is that if law enforcement had secured the iPhone and immediately approached Apple for assistance, the company would have been able to hand over a copy of the iCloud backup of the device.
Indeed, this is what happened in the Pensacola shooting.
No closed-door deal, but a long delay
Despite Apple’s high-profile battle with the FBI, there was a report back in 2020 which suggested that Apple had quietly given in to pressure from the agency not to close the iCloud backup hole.
According to a report from Reuters, Apple abandoned plans to release an end-to-end encrypted version of iCloud backups after facing complaints from the FBI who told Apple that it would hinder their investigations.
The report says that Apple was working on the feature more than two years ago, but it was cancelled after the FBI raised concerns. One employee said “legal killed it, for reasons you can imagine”.
That report was subsequently debunked, but there were still no signs of Apple actually proceeding with the plan. Until now.
Advanced Data Protection
Advanced Data Protection is Apple’s name for a series of privacy improvements, of which end-to-end encryption of iCloud backups is a major component.
I said almost three years ago that it surprised me then that Apple hadn’t yet done this.
I’d expected Apple to switch to end-to-end encrypted iCloud backups for two reasons. One, it fixes a hole in Apple’s privacy claims. Two, it would make life much simpler when governments come knocking on Apple’s door demanding access to someone’s backup. Right now the company has to make often tricky decisions about whether or not to comply; with end-to-end encryption, it would be able to shrug and say that it has no means to decrypt them.
It’s been a very long time coming, and If you’re not running the beta then the wait isn’t quite over yet – but it will be very soon.
This is good news for users, but also good news for Apple. No longer will the company have to determine whether or not to hand over data to law enforcement; it will simply be able to shrug and say that iCloud backups, just like iPhones themselves, use strong encryption, and that the company has no means to break it.
The FBI may not be happy about it, but Apple’s lawyers are going to be significantly less busy.
FTC: We use income earning auto affiliate links. More.
Comments