Apple plans new encryption system to ward off hackers and protect iCloud data
‘Advanced Data Protection’ will offer end-to-end encryption on iCloud backups, Notes, Photos and other services—a step that may draw ire from law enforcement
Apple Inc. is planning to significantly expand its data-encryption practices, a step that is likely to create tensions with law enforcement and governments around the world as the company continues to build new privacy protections for millions of iPhone users.
The expanded end-to-end encryption system, an optional feature called Advanced Data Protection, would keep most of the iCloud’s data secure, even in the event that Apple is hacked. It would also prevent Apple from being able to provide data from iCloud phone backups in response to law-enforcement requests.
While Apple has drawn attention in the past for being unable to help agencies such as the Federal Bureau of Investigation access data on its encrypted iPhones, it has been able to provide much of the data stored in iCloud backups upon a valid legal request. Last year, it responded to thousands of such requests in the U.S., according to the company.
With these new security enhancements, Apple would no longer have the technical ability to comply with certain law-enforcement requests such as for iCloud backups—which could include iMessage chat logs and attachments and have been used in many investigations.
APPLE SUED BY WOMEN WHO CLAIM AIRTAG DEVICES LET STALKERS TRACK VICTIMS
The company said the security enhancements, which were announced Wednesday, are designed to protect Apple customers from the most sophisticated attackers.
Ticker | Security | Last | Change | Change % |
---|---|---|---|---|
AAPL | APPLE INC. | 228.52 | -0.48 | -0.21% |
"As customers have put more and more of their personal information of their lives into their devices, these have become more and more the subject of attacks by advanced actors," said Craig Federighi, Apple’s senior vice president of software engineering, in an interview. Some of these actors are going to great lengths to get their hands on the private information of people they have targeted, he said.
The changes represent a new potential setback for law-enforcement officials. Last year, Apple proposed software for the iPhone that would identify child sexual-abuse material on the iPhone. Apple now says it has stopped development of the system, following criticism from privacy and security researchers who worried that the software could be misused by governments or hackers to gain access to sensitive information on the phone.
Mr. Federighi said Apple’s focus related to protecting children has been on areas such as communication and giving parents tools to protect children in iMessage. "Child sexual abuse can be headed off before it occurs," he said. "That’s where we’re putting our energy going forward."
Through its parental-controls software, Apple can notify parents who opt in if nude photos are sent or received on a child’s device.
The new encryption system, which will be tested by early users starting Wednesday, will roll out as an option in the U.S. by year’s end, and then worldwide including China in 2023, Mr. Federighi said.
TIM COOK SAYS APPLE WILL BUY U.S.-MADE CHIPS BUILT AT TSMC'S ARIZONA FACTORY
In addition to Advanced Data Protection, Apple is also modifying its Messages app to make it harder for messages to be snooped on, and it will now allow users to log in to their Apple accounts with hardware-based security keys made by other companies such as Yubico.
Privacy groups have long called on Apple to strengthen encryption on its cloud servers. But because the Advanced Protection encryption keys will be controlled by users, the system will restrict Apple’s ability to restore lost data.
To set up Advanced Data Protection, users will have to enable at least one data-recovery method. This could be a recovery key—a long list of numbers and characters that users could print out and store in a secure location—or the user could assign a friend or family member as a recovery contact.
Over the past two decades, businesses and consumers have moved much of their data off computer systems that they control and onto the cloud—data centers filled with servers that are operated by large technology companies. That trend has made these cloud systems an attractive target for cyber intruders.
APPLE RESTRICTS AIRDROP FILE-SHARING IN CHINA THAT PROTESTERS HAVE USED
Mr. Federighi said that Apple isn’t aware of any customer data being taken from iCloud by hackers but that the Advanced Protection system will make things harder for them. "All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems," he said. "We have to stay ahead of future attacks with new protections."
As Apple has locked down its systems, governments worldwide have become increasingly interested in the data stored on phones and cloud computers. That interest has led to friction between Apple and law-enforcement agencies, along with a growing market for iPhone hacking tools. In 2020, Attorney General William Barr pressured Apple for a way to crack the iPhone’s encryption to help with a terror investigation into a shooting that killed three people at a Florida Navy base.
Advanced Protection will reduce the amount of iCloud information that Apple can provide to law-enforcement agencies, who frequently request iPhone data from Apple as part of their investigations. Apple received requests for information on 7,122 Apple accounts from U.S. authorities in the first six months of 2021, the last period for which the company has provided information.
CLICK HERE TO GET THE FOX BUSINESS APP
Apple had already offered end-to-end encryption for some of its services, but the protection will now extend to 23 services, including iPhone backups and Photos. However, three services—Mail, Contacts and Calendar—won’t qualify for Advanced Protection because they use older technology protocols, Mr. Federighi said.
Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe. If sensitive information were to get in the hands of an attacker, a foreign adversary or some other bad actor, it could be disastrous, he said.
"We’re giving users the option to keep that key only on their devices, which means that even if an attacker were to successfully breach the cloud and access all that data, it would be nonsense to them," Mr. Federighi said. "They’d lack the key to decrypt it."