Apple Updates: Better iCloud Security

Posted on Dec 20, 2022 by Glyn Moody

Apple has made two important announcements that will enhance privacy for its users, and that could have important beneficial knock-on effects around the world:

  1. Wired reported that Apple has dropped plans to bring in client-side scanning of images stored in iCloud Photos, which it announced last year.
  2. Apple aims to bring end-to-end encryption to iCloud.

While the first would have been a terrible setback for individual privacy, the second… is the very opposite. Most notably, governments and official authorities around the world are pushing back against individual privacy in the name of law enforcement.

Strangely enough, tech giants are also pushing back against authorities being able to access individual communications whenever they deem necessary.

What Is Apple Planning?

First off, Apple scanning images stored in your iCloud would set a terrible precedent – it would mean that Apple can take control of people’s phones without asking permission. Client-side scanning was also being held up by governments as an example of technology that could be used to detect child sexual abuse material (CSAM).

Naturally, everyone agrees CSAM is an extremely serious problem that needs tackling urgently, but client-side scanning is not the way to do it because it suffers from serious drawbacks, as we previously reported. The fact that Apple has discontinued its plans to develop this technology will make it harder for governments to claim that it is a solution that already exists, and therefore should be implemented widely.

Second, Apple’s other major announcement concerns end-to-end encryption:

iCloud already protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos. The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.

The most important addition to the list of data categories using end-to-end encryption by default is iCloud Backup. This is essentially a copy of all the data on a user’s device, and therefore of great interest to law enforcement, since it potentially allows them to search through the contents of a device without needing the device itself.

In the wake of Apple’s latest move, even if the company agrees to share the iCloud data with the authorities, it will be encrypted in such a way that only the owner can decrypt it – Apple doesn’t hold the relevant key.

Governments Want Access to Your Individual Privacy

Governments around the world are fighting to undermine end-to-end encryption. They claim that law enforcement must have ready access to everything, if necessary, but end-to-end encryption makes that impossible.

One of nations in the vanguard of the attack against individual privacy is… the UK. The Online Safety Bill is in the final stages of the legislative process, and contains measures that would seriously undermine encryption. A legal analysis commissioned by Index on Censorship explains what the law says in this area:

Companies in scope will be forced to monitor and analyse private communications en masse to avoid the risk of facing fines of up to £18 million [around $22 million] or 10% of a company’s global annual turnover – whichever is higher. This inevitably will include the choice of whether to comply with back-door requests and give just UK users less protection for their private messages, or to pull out of the UK altogether if the requirements are incompatible with companies’ own red lines on encryption technology and the services they provide.

The UK Is Not The Only Country Against Individual Privacy

One of the most vocal critics of the proposed law is WhatsApp, owned by Meta. Its UK boss, Will Cathcart, has said: “The hard reality is we offer a global product. It would be a very hard decision for us to make a change where 100% of our users lower their security.” The only alternative would be to withdraw WhatsApp from the UK altogether. Although that is a drastic move, it reflects the fact that there are no magic solutions whereby governments can be given access while ensuring that users’ privacy is fully protected.

Unfortunately, the UK is far from alone is bringing in a new law that would effectively ban end-to-end encryption. As we reported in October, the European Union is well advanced with its own plans to require providers to search all private chats, messages, and emails for “suspicious content”. What has been dubbed “chat control” by its opponents would require companies to break end-to-end encryption in order to carry out those searches.

Abandoning the UK market is perhaps something that companies might contemplate, given its relatively small size, but leaving the much larger EU is probably not something they would be willing to do.

Another key market is India, not least for its future potential as a new economic superpower alongside the US, EU and China. It, too, is discussing a new law that would require Internet companies to make the contents of currently encrypted conversations available to the authorities. As the Hindustan Times explains, Section 24 of the draft law “empowers the government to be able to intercept messages, calls on platforms such as WhatsApp and Signal, which are encrypted — meaning that they are not stored and remain private between users, according to company policy.”

The US Might Lead the Fight For Individual Privacy

In the US, things are not quite so bad, but there is still a threat to end-to-end encryption in the form of the “Kids Online Safety Act” (KOSA), currently under discussion. At the end of November, a coalition of over 90 organizations sent a letter to Congress explaining why KOSA is likely to be harmful to children. It includes the following reason:

by creating strong incentives to filter and enable parental control over the content minors can access, KOSA could also jeopardize young people’s access to end-to-end encrypted technologies, which they depend on to access resources related to mental health and to keep their data safe from bad actors.

Against that background, Apple’s move to add end-to-end encryption to its iCloud Backup is significant. It will alert many people to the need for this feature – Google seems to have noticed – and make it harder for governments to call for its weakening or removal.

Quite how this epic battle between trillion-dollar companies and national law enforcement agencies will conclude is still unclear; but what is certain is its importance for the future of digital privacy.

Featured image created with Stable Diffusion.