EFF pushes Apple to ‘fix’ iCloud encryption | Cult of Mac

Your iCloud data isn’t truly secure because Apple can always access it.
Photo: Jim Merithew/Cult of Mac

In a campaign called “Fix it Already!,” the Electronic Frontier Foundation (EFF) is urging tech giants to remedy nine security and privacy problems in their products. 

In Apple’s case, it wants the iPhone maker to encrypt iCloud backups so that only users can access them. 

iCloud encryption vs. iPhone encryption

Data that’s backed up to iCloud is encrypted, but Apple also has the key. “That makes those backups vulnerable to government requests, third-party hacking, and disclosure by Apple employees,” points out the EFF.

In contrast, data on a passcode-protected iPhone is encrypted so that only the user can access it. 

Consider two well-known criminal cases as examples of how that plays out in real life. Apple couldn’t reveal the contents of an iPhone owned by the San Bernardino shooter, despite an FBI request, because that data had been encrypted with a passcode known only to the owner of the device. However, Apple could give data from Roger Stone’s iCloud account to investigators because Apple has the keys to decrypt this data stored on its servers. Had the data been only on Stone’s iPhone, Apple wouldn’t have been able to do anything.

Apple grants law enforcement access to iCloud data on a daily basis; all it takes is a court order. The company never unlocks iPhones for police.

Tim Cook is apparently on board

Apple’s CEO explained last fall why Apple keeps an encryption key to iCloud backups. “Our users have a key and we have one. We do this because some users lose or forget their key and then expect help from us to get their data back,” Tim Cook told Der Spiegel in an interview translated from German.

But the executive also indicated that this practice might change soon. “It is difficult to estimate when we will change this practice. But I think that will be regulated in the future as with the devices. So we will not have a key for this in the future either.”

The Electronic Frontier Foundation is ready. “It’s time to let users choose security and encrypt their iCloud backups so only they have the key.”

More of the Fix it Already! requests

The EFF takes Facebook to task for re-using customers’ phone numbers to deliver targeted advertising, even if the customer only provided their number for security purposes.

The campaign demands that Google’s Android operating system allow users to deny and revoke network permissions for apps so the software can’t notify the developers of everything users do. This is already easily done in iOS.

Fix it Already! tells Twitter to end-to-end encrypt direct messages and demands that Verizon stop pre-installing spyware on phones.

It wants Microsoft to improve device encryption in Windows 10. The EFF requests that Slack give free users more control over message retention, and that Venmo allow users to keep their friends lists private. Last but not least, the organization thinks WhatsApp should get your permission before adding you to a group.