Published in News

iCloud finally gets end-to-end encryption

by on 08 December 2022


We didn't want to upset the Chinese

Fruity cargo cult Apple is finally getting its security act together to lock governments out of its iCloud.

Yesterday the outfit announced a suite of security and privacy improvements which it claims will help people protect their data from hackers. But the biggie, which will set Apple against governments, will be the ability to back up data to the iCloud using end-to-end encryption.

Apple says the changes will help users protect their digital lives from hackers in the exceptional case that an advanced state actor was able to breach the company servers.

Privacy advocates like Albert Fox Cahn, founder of the Surveillance Technology Oversight Project, said the changes “acknowledge the massive public backlash against expanded spying on our devices.”

Jobs' Mob found itself in the middle of a row when the US Supreme Court reversed federal abortion protections, enabling states to charge women who had abortions with murder. This opened up a new class of murderer and would mean that police would suddenly be very interested in what people put on their computers about having any terminations.

“This type of protection is most valuable in protecting against not cyber criminals, but people who are abusing government power to force the company to hand over data,” Cahn said.

“Apple has long been in the position where it’s had to be the long arm of the police for years. Their law enforcement manual shows dozens of ways that they can help with investigations and now for people who opt into the protection [feature], there will be a safeguard going forward.”

It could also cause problems for Apple where access to its cloud is crucial to an investigation into kiddie porn, real murder or terrorism. Apple appears to be saying, "look we have encrypted the lot, no one can have it."

That might be a cause of concern for government agencies looking to get a hold of user data to aid in their investigations. 

Apple, like a lot of big tech companies, has become a target for hackers due to the vast amounts of information they hold about people. Recent years have brought a spike in global cyber attacks and data breaches. In the first quarter of 2022, there were 404 publicly reported data breaches, up 14 per cent from the same quarter in the previous year, according to a report from the Identity Theft Resource Center (ITRC). There was a 68% total increase in data breaches between 2020 and 2021.

Apple might be hoping that a court might see that it is more important to protect people from crime, than it is to lock people up. 

The end-to-end encryption of user information stored on iCloud, which Apple is calling “advanced data protection for iCloud”, will first be rolled out to a small subset of test users before launching widely in the US before the end of the year and globally in 2023. The new offering will mean information such as messages that are backed up to iCloud, notes and photos would be fully encrypted.

Apple's new system is not as courageous as some cloud companies. The change will not cover all data, however – contacts, calendar information, and email will not be encrypted – and users will have to voluntarily opt into the feature. The encryption key, or the code used to gain access to that secure data, will be stored on the device. That means that if a user who opts into this protection loses access to their account, they will be responsible for using their key to regain that access – Apple will no longer store the encryption keys in iCloud.

Privacy advocates would prefer it if the system was switched on by default.

Apple says that it made these features opt-in because the system requires users to be responsible for the encryption keys and other means to regain and recover access to that information.

“If you lose access to your account, only you can recover this data, using your device passcode or password, recovery contact, or recovery key,” according to Apple’s website.

In addition to iCloud data protection, Apple plans to roll out a physical security key system for people signing into their iCloud account on any new device. It acts as a hardware-based two-factor authentication system. Those who opt to use this additional layer of security will be required to plug a physical security key into the charging port on their phones to verify their identity when they sign into their iCloud account on a new device.

However, users who choose to use this to protect their iCloud accounts will be responsible for holding onto those security keys – the main key and a backup.

Lastly, the company is rolling out a code system that allows people to verify that their messages are only going to the intended recipient and not being compromised by a hacker. The process may be familiar to users of the encrypted messaging app Signal.

In Apple’s case, two people who’ve enabled the system will be able to exchange their unique code and their devices will automatically detect whether someone with a different code has entered the conversation. Automatic alerts will pop up in conversations between users who have enabled this verification feature “if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications”, the company said in the news release announcing the products.

It is also unclear if the product will be available in countries like China which might not want its citizens to have encrypted messages and databases.

 

Last modified on 08 December 2022