Apple reportedly dropped its plans to add end-to-end encryption to iCloud backups, raising both concerns and questions among users and privacy advocates.
Related:
That’s according to several sources within Apple who revealed those dropped plans to Reuters. Per the report, Apple was developing the technology for around two years before dropping it sometime in 2018.
And if you’re like many Apple users, you may be confused about end-to-end encryption or whether iCloud backups were ever encrypted at all.
Here’s what you should know.
End-to-end encryption background
iCloud backups are encrypted, but they’re not end-to-end encrypted.
If you aren’t familiar, end-to-end encryption is a system that allows two people (or computers) to communicate in a way that prevents anyone other than the sender and recipient from accessing the contents of their communications.
Normally, this is achieved by creating a decryption key that is only present on the devices of the sender and the recipient. According to Apple, its system is based on a key “derived from information unique to your device, combined with your device passcode, which only you know.”
In the case of iCloud backups, this would have meant that Apple wouldn’t have the decryption key on its servers.
Many of Apple’s systems and services use end-to-end encryption, the most notable of which is probably iMessage. Other end-to-end encrypted systems include iCloud Keychain data, Health data, Home data, and anything recorded by Siri.
But, contrary to what some users might think, Apple has never offered end-to-end encryption for its iCloud backups.
The Reuters report suggests that Apple was considering it as a future feature, but eventually dropped it due to law enforcement concerns.
It’s also worth noting that other iCloud-related features, such as mail and iCloud photos, are similarly not end-to-end encrypted. They never were. And if Apple was planning on adding end-to-end encryption down the line, it probably has stopped those plans now.
What this means for you
Apple appears to be strongly pro-privacy, but there are some exceptions to that policy.
The use of the terms encryption and end-to-end encryption is obviously where most of the confusion comes from.
All of the data stored in iCloud is encrypted on Apple’s servers, both during storage and when in transit. That offers some security benefits to breaches and potential attacks.
But that data isn’t end-to-end encrypted. If it were, Apple wouldn’t have the decryption key necessary to make sense of that data. It would not be readable for anyone other than the user.
As it turns out, since iCloud backups are not end-to-end encrypted, it means that Apple technically has the ability to decrypt them. (More specifically, it appears that iCloud backups can include the decryption key for iMessages.)
As a result, a law enforcement entity could theoretically produce a subpoena and get decrypted copies of your iCloud backups — and all of the information stored within them.
That has some worrying implications for privacy- and security-conscious users. While your iMessages may be end-to-end encrypted, government agencies could still read all of your messages if they are stored in iCloud and you use iCloud backups. They’d just need to pressure Apple to hand over your iCloud backups.
For most law-abiding citizens, this change isn’t going to mean much. Apple still protects your data from hackers and other prying eyes on its servers. Government agencies will still need a warrant to see your decrypted iCloud backups.
But, of course, the move plays into a larger encryption debate. There are some obvious concerns when it comes to government overreach, surveillance and the privacy rights of users.
Options for privacy- and security-conscious users
If you don’t want prying eyes snooping on your iCloud backup information, consider using local and encrypted iTunes backups.
As we mentioned, there are users who have serious concerns about privacy and security. To be clear, this report doesn’t change anything about Apple’s systems. But it does bring to light some of the inherent flaws in its security and privacy architecture.
For example, if you’re concerned about the data in your iCloud backups, you can simply disable that feature entirely. We still highly recommend backing up your device, but you can try encrypted iTunes backups as an alternative.
As for Apple’s other non-end-to-end services, you’ll have to research what works for you. ProtonMail may be a good option for iCloud mail users (or Gmail users, for that matter).
If you’d like to continue using iCloud backups and you have sensitive security needs, then we’d recommend disabling Messages in iCloud so that your texts aren’t stored in the cloud.
What are your thoughts around end-to-end encryption? Let us know using the comments below.
Mike is a freelance journalist from San Diego, California.
While he primarily covers Apple and consumer technology, he has past experience writing about public safety, local government, and education for a variety of publications.
He’s worn quite a few hats in the journalism field, including writer, editor, and news designer.
Comments