FBI Is 'Deeply Concerned' With Apple's Encryption Upgrade For iCloud Backups

Yesterday, Apple announced a set of new security features coming soon to iPhones. Among these features is an option to enable end-to-end encryption (E2EE) for iCloud backups. US users are slated to be the first group for which this feature will be widely available, with Apple targeting the end of the year for its US release and early next year for the global rollout. However, the Federal Bureau of Investigation (FBI) is not happy with Apple’s plan to introduce E2EE for iCloud backups, calling it a “threat” to the American people.

Apple already stores fourteen categories of user iCloud data with end-to-end encryption by default. The company considers the data in these categories to be more sensitive than others, naming iCloud Keychain and Health data as examples. However, the upcoming Advanced Data Protection feature will give users the choice to expand E2EE to include a total of twenty-three iCloud data categories. This optional expansion will include iCloud Backup, Notes, and Photos data.

End-to-end encryption ensures that user data can be decrypted and accessed only on users’ own devices with their private keys. E2EE shifts the responsibility of data access onto the user, as the company hosting the data on its servers does not know the encryption key and is therefore unable to restore access to the data in the event that a user forgets his password. Apple’s Advanced Data Protection feature highlights this fact during the setup process and prompts users to set up an alternate recovery method to protect against data loss.

In practice, E2EE is both a privacy and security feature, as it protects user data in a way that prevents others from accessing information that users may want to keep private. Apple presents itself as a company that respects user privacy, going so far as to call privacy “a fundamental human right” and enshrine it as one of the company’s “core values.” However, Apple has a somewhat complicated history when it comes to privacy. Many of Apple’s own apps collect detailed user behavior data, even when analytics sharing is disabled. A recent report indicates that the company is also looking to expand its advertising business, which already targets ads with user data.

Figure: iMessage contact verification, hardware security key support, and extended iCloud E2EE coming soon (source: Apple)

In the past, Apple has presented iCloud backups as a way for law enforcement to access the contents of criminals’ phones without breaking into the phones themselves. Apple also planned to perform its own scans of iCloud Photos data to search for Child Sexual Abuse Material (CSAM) and report it to the National Center for Missing and Exploited Children (NCMEC). However, the company eventually put this plan on indefinite pause after significant backlash from privacy advocates. An incident this summer demonstrated the potential failings of a system like the one Apple originally planned to implement when Google’s CSAM scanning system led to a man being permanently locked out of his Google account after taking pictures of some swelling on his toddler’s genitals.

Safety, particularly child safety, sometimes conflicts with user privacy in public debate, with law enforcement often arguing that it needs access to user data in order to stop or prosecute assault, human trafficking, and other violent crimes. To this end, governments and law enforcement agencies occasionally request user data from end-to-end encrypted messaging services like Signal or ProtonMail, but the companies providing these services simply don’t have access to their users’ messaging content.

However, Apple, among many others, still collects a great deal of user information without storing it in an end-to-end encrypted manner, making Apple a target for various search warrants that force the company to hand this data over to law enforcement. Apple signaled earlier this year that it would rather not have to provide user data to law enforcement, joining other tech companies in supporting legislation that would ban geofence and keyword warrants in New York.

Now, with the introduction of Advanced Data Protection, Apple will lock iCloud Backup and Photos data behind end-to-end encryption, closing off iCloud as a method of access for both Apple and law enforcement. In response to this news, a spokeswoman for the FBI told The Wall Street Journal that law enforcement needs “lawful access by design.” She further stated that the FBI was “deeply concerned with the threat end-to-end and user-only-access encryption pose,” as it “hinders our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime and terrorism.”

Apple’s decision to offer E2EE for iCloud backups will likely also put Apple at odds with the Chinese government at a time of civil unrest within the country. Chinese citizens are currently protesting against the country’s authoritarian government and continued COVID-19 lockdowns, which have been exceptionally strict. The Chinese government likes to maintain strict control over its populace and does so in part through extensive technological surveillance and censorship.

Apple has complied with many of the Chinese government’s requests in this regard, opting to store Chinese users’ data in servers located within China where the government can access it. Apple also recently pushed out an update to iOS specifically within China that limits the AirDrop functionality, as protesters have been using it to share files and information. Nonetheless, the Advanced Data Protection feature is set to come to China sometime early next year, and the government likely won’t be happy that its access to Chinese user data will be significantly restricted by E2EE.

We’ll have to see whether Apple continues forward with its plan to introduce full end-to-end encryption for iCloud Backup and Photos data, or somehow limits this feature under pressure from law enforcement agencies and governments.