Apple has unveiled plans to let users opt in to end-to-end encryption of their iCloud backups, a move that will thwart hackers and also limits what Apple can hand over in response to law enforcement requests for user data.
The new feature, Advanced Data Protection for iCloud, will let users encrypt data on Apple's servers with keys that never leave their devices, preventing Apple itself from accessing a user's content. The content types newly covered by end-to-end encryption (E2EE) include iCloud backups, Notes, and Photos.
This extends the 14 data categories that are protected by E2EE by default, among them iCloud Keychain, Health data, Messages in iCloud, Maps and Safari history; with Advanced Data Protection enabled, the count rises to 23.
As Apple notes, with Advanced Data Protection only a user's trusted devices hold the keys for those categories, so the content stays protected even if attackers compromise iCloud servers: what the servers store is ciphertext they cannot decrypt.
Advanced Data Protection for iCloud will be available to US users by the end of the year and will start rolling out to the rest of the world in early 2023. The option will be available in the soon-to-be-released iOS 16.2, iPadOS 16.2 and macOS 13.1.
“Apple makes the most secure mobile devices on the market. And now, we are building on that powerful foundation,” Ivan Krstić, Apple’s head of security engineering and architecture, said in an announcement.
“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.”
Digital rights group the Electronic Frontier Foundation (EFF) welcomed E2EE iCloud backups, something it has long campaigned for. Apple chief Tim Cook previously explained that Apple hadn't encrypted iCloud backups because users sometimes lose their private key and then seek help from Apple to regain access to their data. That trade-off does not go away: with Advanced Data Protection enabled Apple cannot restore access to protected data, which is why users must set up a recovery contact or recovery key before turning it on.
“Encryption is one of the most important tools we have for maintaining privacy and security online,” said EFF’s Joe Mullin. “Apple’s on-device encryption is strong, but some especially sensitive iCloud data, such as photos and backups, has continued to be vulnerable to government demands and hackers.”
Categories that remain outside E2EE include iCloud Mail, Contacts, and Calendar, because they must interoperate with the global email, contacts and calendar systems, according to Apple. Those categories stay encrypted in transit and on Apple's servers, but with keys Apple holds, so they remain reachable by a server compromise or a lawful request.
“For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud,” Apple said.
Not everyone is happy though. According to The Washington Post, the FBI has said it is "deeply concerned" with the threat that end-to-end and user-only-access encryption pose, saying that it hinders the agency's ability to protect against criminal acts. Many governments and law enforcement agencies worry that the increasing use of end-to-end encryption will make it harder for them to gain access to information.
For the security conscious and at-risk public personalities, Apple is also introducing support for third-party hardware security keys as the second factor of two-factor authentication for Apple ID. The key replaces the verification code as the second factor and is required to sign in. Because a FIDO security key only answers for the site it was registered with, a phishing page cannot capture and relay the second factor the way it can a code the user types in.
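To make the phishing point concrete, here is an added toy model (not Apple's or any key vendor's code) of a relaying phishing site against both kinds of second factor. The relying-party id "account.example" and the look-alike "account-example.evil" are hypothetical, and the key's per-site credential is modelled as an HMAC secret; a real FIDO key holds a per-site asymmetric key pair and signs with it, but the origin binding that defeats the relay is the same.

```python
"""Why a hardware key resists phishing while a typed one-time code does not.

Illustrative model, not Apple's or any FIDO vendor's code. Assumptions:
"account.example" is a hypothetical relying-party id, and the security key's
per-site credential is modelled as an HMAC secret. A real FIDO key holds a
per-site asymmetric key pair and signs with it; what matters here is that the
signed message is bound to the origin the browser actually visited.
"""
import hashlib
import hmac
import secrets


def otp_code(seed: bytes, counter: int) -> str:
    """HOTP-style six-digit code: anyone holding the code can submit it anywhere."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class RelyingParty:
    """The genuine account service."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.key_secrets: dict[str, bytes] = {}  # user -> security-key credential
        self.otp_seeds: dict[str, bytes] = {}    # user -> shared seed for typed codes

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify_key_assertion(self, user: str, challenge: bytes, assertion: bytes) -> bool:
        expected = hmac.new(self.key_secrets[user],
                            self.rp_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)

    def verify_otp(self, user: str, counter: int, code: str) -> bool:
        return hmac.compare_digest(otp_code(self.otp_seeds[user], counter), code)


class SecurityKey:
    """Hardware key: one credential per rp_id. The browser fills in rp_id from the
    page's real origin, so a look-alike domain cannot request the genuine site's
    credential."""

    def __init__(self):
        self._creds: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._creds[rp_id] = secret
        return secret  # the relying party stores this at enrolment

    def assert_login(self, rp_id: str, challenge: bytes):
        secret = self._creds.get(rp_id)
        if secret is None:
            return None  # no credential for this origin: nothing to hand over
        return hmac.new(secret, rp_id.encode() + challenge, hashlib.sha256).digest()


def phishing_scenario() -> dict:
    rp = RelyingParty("account.example")  # hypothetical service
    user = "alice"
    key = SecurityKey()
    rp.key_secrets[user] = key.register(rp.rp_id)
    rp.otp_seeds[user] = secrets.token_bytes(20)

    # Attacker proxies the real login page from a look-alike origin and relays
    # a challenge fetched from the genuine service.
    phish_origin = "account-example.evil"
    challenge = rp.new_challenge()

    # Typed code: the user enters it on the phishing page, the attacker relays
    # it within the validity window, and the genuine service accepts it.
    counter = 1
    relayed_code = otp_code(rp.otp_seeds[user], counter)
    otp_phished = rp.verify_otp(user, counter, relayed_code)

    # Security key: the browser is on phish_origin, so that is the rp_id the key
    # sees. It holds no credential for it and produces nothing to relay.
    assertion = key.assert_login(phish_origin, challenge)
    key_phished = assertion is not None and rp.verify_key_assertion(user, challenge, assertion)

    # Even if the attacker had tricked the user into enrolling the key with the
    # evil origin, that credential is unknown to the genuine service.
    key.register(phish_origin)
    forged = key.assert_login(phish_origin, challenge)
    key_forged = rp.verify_key_assertion(user, challenge, forged)

    # A login from the genuine origin still succeeds.
    genuine_challenge = rp.new_challenge()
    genuine = key.assert_login(rp.rp_id, genuine_challenge)
    key_genuine = rp.verify_key_assertion(user, genuine_challenge, genuine)

    return {"otp_phished": otp_phished, "key_phished": key_phished,
            "key_forged": key_forged, "key_genuine": key_genuine}


if __name__ == "__main__":
    print(phishing_scenario())
```

The relayed code is accepted because nothing in it says where the user typed it; the key's assertion carries the origin inside the signed message, so the attacker either gets nothing (no credential for their domain) or gets an assertion the genuine service cannot verify.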
Another security enhancement for public personalities and others who may be targeted by advanced attackers is iMessage Contact Key Verification, which lets users confirm that they are messaging only the people they intend.
Once a user enables iMessage Contact Key Verification, they receive an automatic alert if an attacker who has breached Apple's servers inserts a device they control into a conversation in order to eavesdrop on the encrypted traffic; because iMessage encrypts each message to every device key the directory lists for a contact, a rogue device key is exactly what such an attacker needs. Users can also compare a Contact Verification Code in person, on FaceTime, or over another secure call, according to Apple.
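The mechanism above reduces to pinning the set of device keys a contact vouches for and alerting when the server serves a key outside that set. The following is an added illustration of that idea, not Apple's implementation: device "public keys" are random 32-byte stand-ins, the verification code is a truncated SHA-256 digest over a contact's id and device keys, and the hypothetical KeyDirectory plays the role of the server that tells clients which keys belong to which account.

```python
"""Contact key verification, reduced to its essentials.

Added illustration, not Apple's implementation. Assumptions: device "public
keys" are random 32-byte stand-ins (the standard library has no Ed25519), and
the verification code is a SHA-256 digest over a contact's id and device keys,
truncated to twelve digits. The hypothetical KeyDirectory plays the role of
the server that tells clients which device keys belong to which account.
"""
import hashlib
import secrets


def fingerprint(pub: bytes) -> str:
    return hashlib.sha256(pub).hexdigest()[:16]


def verification_code(user_id: str, pubkeys) -> str:
    """Short code both parties can read aloud. Any added or swapped device
    key changes it, so a code that matches pins the whole device set."""
    h = hashlib.sha256(user_id.encode())
    for pub in sorted(pubkeys):
        h.update(fingerprint(pub).encode())
    digits = f"{int.from_bytes(h.digest()[:8], 'big') % 10**12:012d}"
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


class KeyDirectory:
    """Server-side map account -> device keys. Whoever controls it can add keys."""

    def __init__(self):
        self._keys: dict[str, list[bytes]] = {}

    def register(self, user: str, pub: bytes) -> None:
        self._keys.setdefault(user, []).append(pub)

    def lookup(self, user: str) -> list[bytes]:
        return list(self._keys.get(user, []))


class Client:
    def __init__(self, user: str, directory: KeyDirectory):
        self.user = user
        self.directory = directory
        self.own_keys: list[bytes] = []          # keys of this user's real devices
        self.pinned: dict[str, set[bytes]] = {}  # contact -> keys confirmed out of band

    def add_device(self) -> bytes:
        pub = secrets.token_bytes(32)  # stand-in for a freshly generated public key
        self.own_keys.append(pub)
        self.directory.register(self.user, pub)
        return pub

    def own_code(self) -> str:
        """Computed from local knowledge of one's own devices, never from the directory."""
        return verification_code(self.user, self.own_keys)

    def verify_contact(self, contact: str, code_from_contact: str) -> bool:
        """In-person / FaceTime step: does what the directory serves for this
        contact match what the contact says their devices are?"""
        served = self.directory.lookup(contact)
        if verification_code(contact, served) != code_from_contact:
            return False
        self.pinned[contact] = set(served)
        return True

    def unverified_devices(self, contact: str) -> list[str]:
        """Run before encrypting a message: fingerprints of directory keys that
        were not part of the verified set. Non-empty means alert the user."""
        served = set(self.directory.lookup(contact))
        return sorted(fingerprint(k) for k in served - self.pinned.get(contact, set()))


def scenario() -> dict:
    directory = KeyDirectory()
    alice, bob = Client("alice", directory), Client("bob", directory)
    bob.add_device()  # phone
    bob.add_device()  # laptop

    verified = alice.verify_contact("bob", bob.own_code())  # codes compared on a call
    alerts_before = alice.unverified_devices("bob")

    # Attacker with control of the directory registers a device under Bob's account.
    directory.register("bob", secrets.token_bytes(32))
    alerts_after = alice.unverified_devices("bob")
    recheck = alice.verify_contact("bob", bob.own_code())   # the codes no longer match

    return {"verified": verified, "alerts_before": alerts_before,
            "alerts_after": alerts_after, "recheck": recheck}


if __name__ == "__main__":
    print(scenario())
```

The cost of the scheme is visible in `unverified_devices`: a device Bob legitimately adds looks exactly like an attacker's insertion until the two parties compare codes again, which is why the alert is a prompt to re-verify rather than proof of compromise.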