As part of an ongoing privacy push, Apple said Wednesday it will now offer full end-to-encryption for nearly all the data its users store in its global cloud-based storage system. That will make it more difficult for hackers, spies and law enforcement agencies to access sensitive user information.
The world’s most valuable company has long placed customer security and privacy at a premium. Its iMessage and Facetime communications services are fully encrypted end-to-end and it has sometimes locked horns with law enforcement agencies, including the FBI, over its refusal to unlock devices.
But nearly everything that customers backed up remotely using Apple’s iCloud service — including photos, videos and chats — has not been protected by encryption. That made it far easier for crooks, spies — and criminal investigators with court orders — to get at it.
No longer. The loophole that law enforcement had for getting at iPhone data will now be considerably narrowed.
Quantum computers threaten our whole cybersecurity infrastructure: here’s how scientists can bulletproof it
Apple, which is based in Cupertino, California, did not immediately respond to requests for comment on the timing of the announcement and other issues. Nor did the FBI immediately respond to an emailed request for comment.
Cybersecurity experts have long argued that attempts by law enforcement to weaken encryption with backdoors are ill-advised because they would inherently make the internet less reliable and more dangerous. Last year, Apple announced, then withdrew after a flood of objections, a plan to scan iPhones for photos of child sexual abuse.
“Where Apple was hesitant about deploying encryption features last year … it now feels like they’ve decided to put the gas pedal down,” noted Johns Hopkins cryptography professor Matthew Green on Twitter. Apple’s encryption announcement offers what the company calls Advanced Data Protection, to which users of its devices must opt in. It adds iCloud Backup, Notes and Photos to data categories that are already protected by end-to-end encryption in the cloud, including health data and passwords. Not included in the iCloud encryption scheme are email, contacts and calendar items because they must interoperate with products from other vendors, Apple said.
It said Advanced Data Protection for iCloud would be available to US users by the end of the year and start rolling out to the rest of the world in early 2023.
In a blog post, Apple said “enhanced security for users’ data in the cloud is more urgently needed than ever,” citing research that says data breaches have more than tripled over the past eight years. Other tech products that already offer end-to-end encryption include the world’s most popular messaging app, WhatsApp, and Signal, a communications app prized by journalists, dissidents, human rights activists and other dealers in sensitive data.
Apple announced a few other advanced security features on Wednesday, including one geared toward journalists, human rights activists and government officials who “face extraordinary digital threats” — such as from no-click spyware.
Called iMessage Contact Key Verification, it will automatically alert users to eavesdroppers who succeed in inserting a new device into their iCloud via a breach.
In July, Apple announced a new optional feature called Lockdown Mode that is designed to protect iPhones and its other products against intrusions from state-backed hackers and commercial spyware. Apple said at the time that it believed the extra layer of protection would be valuable to targets of hacking attacks launched by well-funded groups. Users are able to activate and deactivate lockdown mode at will.