Advanced Data Protection for iCloud Expands Range of Protected Information
Apple will expand the range of data that users can protect with end-to-send encryption in iCloud. Currently, certain types of data – including health information, passwords, and payment card data – can be protected by end-to-end encryption. Apple plans to extend the protection to photos, notes, and iCloud backups. The feature is now available to users in the Apple Beta Software Program. It will be available to all US users by the end of this calendar year and will be rolled out worldwide early next year.
Interesting new features. But before you go ahead and require hardware tokens to access your account: Make sure you have a recovery plan for lost tokens. Apple should allow multiple tokens to be registered. Keep at least one backup in a safe place to protect yourself if your primary hardware token is lost. If implemented correctly, Apple will not be able to help you recover your content.
I’m placing the over/under at 6 months on how quickly a US intelligence or national law enforcement agency will brief the White House on how such end-to-end encryption is thwarting the investigation and apprehension of dangerous criminals. As a side bet, another over/under is 100TB – how much sensitive personally identifiable information will be compromised by then due to lack of use of end-to-end encryption. This is a debate that needs to happen, but we already know the negative impact of lack of use of encryption to protect stored data.
This is simply a continuation of Apple’s plan to protect user privacy by employing end to end encryption. At the end of the day, a good thing for user privacy. Now the debate begins on potential loss of government ability to find and thwart on-line criminal activity against its citizens.
The engineering effort to support taking existing data and running this type of encryption cannot be understated. Anything that goes wrong in the encryption/decryption process could mean tens of millions of backups that are no longer accessible. I want to put out there that this process must have taken a considerable effort and is a significant risk to the company. Kudos to Apple for attempting this at all.
This is device-to-device encryption, not true end-to-end, i.e, person-to-person. The data will likely be in the clear on one or both of the devices. It will resist pervasive surveillance. It will raise the cost of investigation but not defeat it.
William Hugh Murray
Read more in
Bleeping Computer: Apple rolls out end-to-end encryption for iCloud backups
Gov Infosecurity: Apple to Enable End-to-End Encryption of iCloud Backups