What if Apple had given up full encryption on iCloud for strategic reasons?

Apple is said to have given up deploying end-to-end encryption on iCloud, on all data, allegedly under the influence of the FBI. But in reality, other considerations may have been weighing in the balance. Paradoxically, perhaps it is this abandonment that saved Apple from having to worry about end-to-end encryption on the iPhone.

Remember: in 2016, the press echoed Apple’s desire to raise the bar on IT security even higher. At the time, in the midst of a controversy with the FBI over access to encrypted data on the iPhone of a client involved in a shooting, sources reported plans to make data stored on the iCloud inaccessible to anyone, including Apple, using end-to-end encryption.

Four years later, it appears that this ambitious goal, which would have given its customers’ data in the cloud a very high degree of privacy and security, has been shelved without ever being implemented. Reuters reports in its January 21 edition that the plan was quietly abandoned two years ago To support its claims, the news agency says it has received feedback from six different sources close to the case, which gives the information a good degree of reliability.

The exact reasons that led Apple to stop digging in this direction are unclear.

Around 2018, Apple would have put aside its plan to encrypt everything from start to finish on iCloud. // Source : Zhang Kaiyv

A strategic choice to avoid the worst?

While Reuters notes that during this period, discussions between Apple and the FBI took place, including discussions on the ins and outs of end-to-end encryption on iCloud, the news agency does not establish a causal link between the two sequences. One of the sources suggests that Apple’s withdrawal is partly due to the risk of being accused in the media and the public of helping thugs, of being tried one trial after the other, or of being a convenient pretext for an anti-encryption law.

It’s not a theoretical threat. Already under the Obama administration, legislation was being considered to impose backdoors in encryption systems to access any data that may be required in the course of an investigation. With the controversy between the FBI and Apple, which has recently rebounded with yet another killing in the US, this threat could return to the forefront.

Under these conditions, Apple may have preferred not to jeopardize the building it had already built in terms of computer security by playing one too many tricks. Indeed, if Apple n’t make data backups on iCloud absolutely inaccessible, those on the iPhone are effectively out of reach for anyone who doesn’t have the code to unlock (and thus decipher) the device. So it’s all a question of what’s left on the iPhone and what is transferred to the iCloud as a backup.

L’EFF encourage Apple à faire aussi bien sur iCloud que ce qu’il fait sur l’iPhone en matière de chiffrement.

The EFF encourages Apple to do as well on iCloud as it does on the iPhone when it comes to encryption.

This is one of the points that has long frustrated the Electronic Frontier Foundation (EFF), a powerful American organization defending digital rights and freedoms. While she is pleased that Apple encrypts the data stored on the iPhone, she regrets that when the data is sent to the iCloud, the security mechanism means that Apple is also able to access it – which then allows it to respond to judicial or police requests, for example from the FBI.

“This makes these safeguards vulnerable to government requests, third-party hacking and disclosure by Apple employees. Apple should let users protect themselves and choose truly encrypted iCloud backups,” argues EFF. “It’s time to let users choose the security and encrypt their iCloud backups so that only they have the key. Alas for the NGO, this time will not come in the near future.

Another element that supports the idea of a strategic waiver, so as not to end up in a situation that would also undermine end-to-end encryption on the iPhone, a remark by Reuters, which explains that “instead of protecting iCloud entirely with end-to-end encryption, Apple has decided to focus on protecting some of the most sensitive user information, such as passwords and stored health data.

End-to-end encryption on a case-by-case basis

It should be noted that while iCloud does not offer end-to-end encryption for everything on its servers, this does not mean that its customers’ data is exposed to the four winds. On its page presenting the security of the service, the Cupertino firm reminds that there is a certain level of encryption for the data, whether it is circulating between the iPhone and iCloud, or whether it is already there. In addition, some data is more secure than others.

This is what you can understand by reading carefully Apple’s explanations. “iCloud protects your information by encrypting it as it is transmitted, storing it in the iCloud in an encrypted format and using secure filters for authentication,” writes the California group. But that doesn’t mean that they are unreadable from Apple, even if they are encrypted. Otherwise, Apple would not be able to provide information to the authorities and the judiciary, as evidenced by its transparency reports.

Les données de santé bénéficient d’une protection plus importante que d’autres informations. // Source : Createhealth.com

Health data enjoys greater protection than other information // Source: Createhealth.com

But, Apple continues, “for some sensitive information Apple uses end-to-end encryption. This means that you are the only person who has access to your information, and only on devices connected to your iCloud account. No one else, not even Apple, can access encrypted information from end to end. He goes on to add that it is the “highest level of security for data“, thanks to a key system that does not leave the iPhone.

This level of protection applies to data from the Home app, the Health app, the iCloud keychain (which contains all your registered accounts and passwords), payment information, the vocabulary stored by the QuickType keyboard, screen time, information associated with Siri and Wi-Fi passwords.

Impossible balance

And that’s just one of the other things to take into account: on an iPhone, it is possible to completely refuse any interaction with iCloud. This is just one more service that the American group offers. It is therefore entirely possible to ensure that fully encrypted data on the iPhone does not end up in a situation where it could be read thanks to iCloud backup, which does not enjoy the same degree of security.

By renouncing a device that was finally never implemented on the iCloud, Apple has in fact placed itself in a situation of cooperation with the authorities, by providing the information it has access to on the iCloud. But it may also be the only way not to further crystallize the positions on the end-to-end encryption, and cause too much backlash. It is a delicate balance, necessarily imperfect, which must both protect individuals from abuses of piracy and surveillance, and ensure that investigations move forward and thus allow justice to pass.

Who’s who?

You May Also Like