Apple has added additional methods to help users recover their end-to-end encrypted data / Apple. In an interview with Wall Street Journal ,...
 |
| Apple has added additional methods to help users recover their end-to-end encrypted data / Apple. |
The expanded end-to-end encryption system, an optional feature called Advanced Data Protection, would keep most data secure that is stored in iCloud, an Apple service used by many of its users to store photos, back up their iPhones or save specific device data such as Notes and Messages. The data would be protected in the event that Apple is hacked, and it also wouldn’t be accessible to law enforcement, even with a warrant.
While Apple has drawn attention in the past for being unable to help agencies such as the Federal Bureau of Investigation access data on its encrypted iPhones, it has been able to provide much of the data stored in iCloud backups upon a valid legal request. Last year, it responded to thousands of such requests in the U.S., according to the company.
With these new security enhancements, Apple would no longer have the technical ability to comply with certain law-enforcement requests such as for iCloud backups—which could include iMessage chat logs and attachments and have been used in many investigations.
The company said the security enhancements, which were announced Wednesday, are designed to protect Apple customers from the most sophisticated attackers.
“As customers have put more and more of their personal information of their lives into their devices, these have become more and more the subject of attacks by advanced actors,” said Craig Federighi, Apple’s senior vice president of software engineering, in an interview. Some of these actors are going to great lengths to get their hands on the private information of people they have targeted, he said.
The FBI said it was “deeply concerned with the threat end-to-end and user-only-access encryption pose,” according to a statement provided by an agency spokeswoman. “This hinders our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime and terrorism,” the statement said. The FBI and law enforcement agencies need “lawful access by design,” it said. A spokesman for the Justice Department declined to comment.
Former Western law-enforcement and intelligence officials said they were surprised by Apple’s decision in part because the company had refrained in the past from rolling out such encryption settings for iCloud. The officials said Apple would sometimes point authorities to the iCloud as a possible means of collecting information that could be useful for criminal investigations.
Ciaran Martin, former chief of the U.K.’s National Cyber Security Centre, said the announcement by Apple could pose legal complications for the company in multiple democracies that in recent years have adopted or weighed restrictions on technology that can’t be responsive to law-enforcement demands.
“Things will only be clearer when further technical details are given,” Mr. Martin said. “But on the face of it, existing legislation in Australia and looming legislation in the U.K. would seem to give those governments the power to tell Apple in those countries effectively not to do this.”
Last year, Apple proposed software for the iPhone that would identify child sexual-abuse material on the iPhone. Apple now says it has stopped development of the system, following criticism from privacy and security researchers who worried that the software could be misused by governments or hackers to gain access to sensitive information on the phone.
Mr. Federighi said Apple’s focus related to protecting children has been on areas such as communication and giving parents tools to protect children in iMessage. “Child sexual abuse can be headed off before it occurs,” he said. “That’s where we’re putting our energy going forward.”
Apple released a feature in December 2021 called “Communication Safety” in Messages, which offers tools for parents that warn their children when they have received or attempt to send photos that contain nudity. The option is part of Apple’s “Screen Time” parental-controls software.
The new encryption system, to be tested by early users starting Wednesday, will roll out as an option in the U.S. by year’s end, and then worldwide including China in 2023, Mr. Federighi said.
“This development will prompt questions at home and abroad, including whether the government of China will really accept a loss of data access,” said Sumon Dantiki, a former senior FBI and Justice Department official who worked on cyber investigations and is now a partner at the King & Spalding law firm. U.S. officials have long pointed to China’s increasingly strict demands for access to data on companies that operate within its borders as a national-security concern.
In addition to Advanced Data Protection, Apple is also modifying its Messages app to make it harder for messages to be snooped on, and it will now allow users to log in to their Apple accounts with hardware-based security keys made by other companies such as Yubico.
Privacy groups have long called on Apple to strengthen encryption on its cloud servers. But because the Advanced Protection encryption keys will be controlled by users, the system will restrict Apple’s ability to restore lost data.