Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Apple to Allow iCloud Backups to Be Fully Encrypted

December 15, 2022

I thought the day would never come. But it has.

The Washington Post reported (gift article) on December 7 that, after years of delay caused by pressure from the federal government, Apple will offer fully encrypted backups of photos, chat histories and most other sensitive user data in its cloud storage system worldwide, placing them out of the reach of most hackers, spies and (this was always a problem in the past) law enforcement.

Apple has benefited for more than a decade because it does more than other phone and computer companies to safeguard privacy, including using end-to-end encryption for iMessages between Apple devices. Those can only be read on the devices, not by Apple, a phone service provider or police with a warrant.

However, most iPhone and Mac computer owners back up their iMessages, photos and other content to Apple’s iCloud, where the company can retrieve it for locked-out users or, importantly, law enforcement. That has also left the material accessible to hackers who tricked customers out of their passwords, increasing the potential for embarrassment and, in some cases, extortion.

Apple representatives said those threats, and increasing attempts to breach cloud providers, made end-to-end encryption in the cloud the best option for those concerned about security.

The step will no doubt draw protests from multiple governments, some of which could take legislative or court action or deny Apple access to their markets. Top law enforcement officials in the United States, Britain and other democracies have argued forcefully against strong encryption, and some have passed laws they could attempt to use to compel companies to cooperate against their customers.

The FBI recently said it was “deeply concerned with the threat end-to-end and user-only-access encryption pose.”

“This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism,” the bureau said in an emailed statement. “In this age of cybersecurity and demands for ‘security by design,’ the FBI and law enforcement partners need ‘lawful access by design.’”

The encryption option will be available for public software testers immediately, for all U.S. customers by year’s end, and for other countries starting next year, Apple said. It added that it might not reach every country by the end of 2023.

Apple’s move follows moves by other companies and organizations that have caught up to Apple on privacy or gone further.

Facebook’s WhatsApp is the most-used fully encrypted messenger, and it began offering an encrypted backup a year ago. Signal, which develops the protocol used by WhatsApp and others, does not allow cloud backups to prevent improper access. Google offers encrypted backups, though it is unclear how popular the service is.

After hacks of cloud service providers, an increasing number of businesses are insisting on controlling decryption keys themselves. Apple will now provide that option to consumers as well.

Privacy experts were delighted by Apple’s announcement.

“This is great,” said Meredith Whittaker, president of Signal, an encrypted chat app. “There’s been enough pressure and enough narrative work that they see the side of history forming. It’s really incredible.”

The shift is likely to slow an especially effective law enforcement tool. In a six-month period covered in Apple’s most recent transparency report, the company said it had turned over users’ content for legal reasons 3,980 times, mostly in the United States and Brazil. It said legal requests for all types of account data, including just identifying information, had doubled in two years to more than 20,000.

In China, Apple has come under increasing criticism for not doing more to protect iPhone users who are already under heavy surveillance. During the recent wave of protests against harsh covid restrictions, Apple limited the use of AirDrop, which people were using to share videos and other large files at close range. The iCloud data in China is stored on servers under a local company’s control.

Apple intended to introduce fully encrypted iCloud storage many years ago, according to FBI agents and Apple employees at the time. The FBI objected, and Apple dropped the idea rather than face a public fight.

As an alternative, it picked specific categories of data that would be secure from outside prying, including passwords and payment and health data. Now, everything can be stored securely except for email, calendar and contacts functions that need to interoperate with multiple providers.

Apple will require that users set up a recovery key or name another person who can help them get access in the event that they are locked out. That person, the account holder and Apple would all have to be involved in the recovery.

In another victory for privacy advocates, Apple said it is eliminating a plan to scan user photos for child sex abuse images. The company had paused that plan shortly after its announcement last year, as security experts argued that it would intrude on user’s device privacy and be subject to abuse.

Apple also said that it was making iPhones compatible with physical security keys that would connect to the phone so that consumers can require them for access to their accounts from new devices. That way, phishing attackers who steal passwords and user names would still be unable to get in.

Thanks Apple – you may be late to the party, but I’m glad you’re on board.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology