back to article Egad, did Apple do something right? End-to-end encryption for (most) iCloud services

Apple says it will provide end-to-end encryption for most iCloud services, having abandoned its previously announced – and then quietly shelved – plan to check the legality of on-device photos prior to cloud synchronization. Cupertino announced three security enhancements on Wednesday, one of which it calls Advanced Data …

  1. DS999 Silver badge

    I have been wanting this for years

    I've been using iTunes for backups, but using iCloud would be a lot more convenient if they just addressed this glaring shortcoming.

    I had kind of given up hope of ever seeing it, I figured that Apple was too concerned about law enforcement backlash if they were no longer able to get an iPhone owner's data even with a warrant. This is opt-in, so probably the majority of people won't take advantage of it. But you have to think the ones who know they are a potential target of law enforcement and have at least three functioning brain cells will, and you have to know that the FBI will keep track of exactly how many cases they serve Apple with a warrant only to be told "sorry, we can't give anything because that customer's iCloud is encrypted". We'll be hearing a lot about this next year, especially with any case related to terrorism or pedophilia.

    So it will be interesting to see how much backlash Apple gets. I would say they must have given this a lot of thought and are prepared for the inevitable backlash from the FBI, and talk about the need for laws mandating magic technology that allows law enforcement access without compromising security. But they obviously weren't prepared for the backlash with the CSAM scheme they had to walk back, so who knows if they are ready for the shitstorm they're going to unleash!

    1. Fred Daggy Silver badge
      Holmes

      Re: I have been wanting this for years

      I think three functioning brain cells mean that you put NOTHING in writing. Not on a cell phone nor written down. Don't carry one with you when you undertake any activity related said event.

      Old fashioned plod just does not exist anymore. If one can't trawl through a mount of data using AI to spot you - well, you're practically invisible.

      (knock knock) - uh oh, i've said too much, bye.

    2. gnasher729 Silver badge

      Re: I have been wanting this for years

      Actually, the biggest treasure trove of data from criminals happened when the FBI (or whoever it was) set up a company that created it's own super secure messaging, and sold it to criminals. Including paying cash back to criminals who convinced their mates to use the software. And reportedly that software was actually very secure, except that it sent everything to law enforcement before encrypting it.

    3. DS999 Silver badge

      The backlash is already starting

      The FBI told the Washington Post they are "deeply concerned":

      https://www.washingtonpost.com/technology/2022/12/07/icloud-apple-encryption/

  2. ChoHag Silver badge
    Facepalm

    If anyone believes Apple permit themselves to lose access to the data then I have the deeds for a large number of bridges that I'm looking to offload.

    1. Alumoi Silver badge
      Coat

      They don't lose access to any data that's important.

      From the TFA: Some iCloud metadata and usage information will remain accessible to Apple – still encrypted, but with keys under Apple's control. That includes file modification timestamps and checksums for file and photo data – hashes that may have some utility for identifying known illegal images or other law enforcement inquiries... Data from iCloud Mail, Contacts, and Calendar apps will also not be fully protected.

      So it's all smoke and mirrors for the suckers.

      Cynical? Moi?

      1. Jan 0 Silver badge

        "From the the fine article"?

        1. Alumoi Silver badge

          Sorry, I was just back from a little trolling on /.

      2. Alumoi Silver badge

        OK, I'll bite so please don't stop the downvotes.

        It's not CSAM on your phone, it's on their cloud. As for the data from your e-mail, contacts and calendar, think for a minute about the PII you're giving them and the wonderful opportunities for more targeted ads.

        Mailing some friend about your next holiday? Bam, couple of ads for that.

        Upcoming birthday for one of your contacts? Hmm, a kind reminder about the best gift shops near you?

        Your next appointment with your dentist? Here's a new toothpaste that will make your appointment useless.

        The only good part about this is that, unlike the other dark side (Google, I'm looking at you), Apple will not sell your info.

      3. NoneSuch Silver badge
        Big Brother

        If it makes Apple money...

        ...they will do it. If encryption and secure privacy sells more iPhones then they'll do it.

    2. gnasher729 Silver badge

      Why on earth would Apple want to read my private emails or documents that I might store in iCloud? How much money would they make from that, compared to the money they would lose if that comes out? How much work would it be to turn my information into money, compared to the work in producing more iPhones to make significantly more money?

      1. DS999 Silver badge

        There's no point in arguing with Apple hating trolls. It is impossible to prove to 100% certainty that someone is NOT doing something, and no amount of reasonable arguments about why it would be a disaster for their business to do this and get caught will change his mind. Apple hatred is a religion with people like that, you might as well try to argue the Pope out of his beliefs.

  3. Anonymous Coward
    Anonymous Coward

    Relies On Persistent Keys And A Process Controlled By Apple........

    "Trust"........Yes......I've heard of it!

    Quote: "...the deletion of encryption keys..."

    Quote: "...and instead kept entirely within..."

    Quote: "...the encryption key gets stored..."

    So....

    (1) Like PGP and other encryption schemes, there are still persistent keys stored somewhere.

    (2) And the encryption mechanism is determined by the service provider.

    Why would a user not wonder if their private communications can still be read using "backdoors" built into the software? Perhaps designed in Fort Meade?

    In 1976 (yup....1976) a mechanism was published which allowed for encrypted peer-to-peer communication with these characteristics:

    (3) The heavy lifting is done on the peer device, not within the network

    (4) No persistent keys

    (5) No key exchange

    (6) A different key for every message

    (7) The key is calculated (not stored) by each peer, and thrown away after the message is processed

    Using this scheme, citizens can encrypt their messages BEFORE a message enters any public channel.

    So...even if service providers implement E2EE...it does not matter if there are "backdoors"...because all the snoops will extract is more encryption (see items #3 through #7 above).

    Note item #3. Citizens can implement an algorithm which they control, because the encryption/decryption is done on peer devices, and is not managed by "someone else", like Apple. This approach also makes services like Proton and Telegram redundant, since Gmail will do just as well!

    Ref A: Diffie/Hellman, see Applied Cryptography, Bruce Schneier, Section 22.1

    Ref B: Diffie/Hellman, see Cryptography Engineering, Ferguson/Schneier/Kohno, Chapter 11

    P.S. A prototype implementation of this approach in a custom application (using prime numbers much larger than 8192 bits) is written in 2500 lines of C, and takes less than a second to process at each end. So easily available to citizens with a clang compiler! (But your mileage may vary -- see all the warnings in Ref B above!)

  4. Phil Koenig Bronze badge

    Daddy fooled you again, iDweebs

    So Apple covers barely more than half dozen specific items with e2ee - making it sound like they're, like, toootally protecting everything on your device from the whole world. But not really.

    They predictably leave all sorts of other highly sensitive things open to exploitation and snooping, as per usual.

    What about browsing history?

    What about contacts?

    What about calendar events?

    What about the boatloads of stuff you gave permission by default for Siri to "learn" about everything you do, every day?

    What about location history/bookmarks/favorites?

    What about active/current email data?

    What about active/current SMS data?

    What about 3rd-party app data?

    What about all that juicy metadata everywhere?

    .

    And that only scratches the surface.

    .

    Last but not least, they quietly pretend to abandon so-called CSAM snooping, while keeping the one piece of metadata that makes that whole regime work: all your image checksums. They could turn that on again tomorrow and have the cops at your door the day after that for their latest fishing expedition.

    .

    .

    When will people ever learn.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like