Apple on Wednesday announced a suite of security and privacy enhancements that the company is introducing as a way to help people protect their data from hackers, including one that civil libertarians and privacy advocates have long championed.
The tech giant will soon allow users to choose to protect more of the data backed up in their iCloud using end-to-end encryption, meaning no one but the user will be able to access that information.
Apple says the changes will help users protect their digital lives from hackers in the rare case that an advanced state actor could breach the company’s servers.
But privacy advocates like Albert Fox Cahn, founder of the Surveillance Technology Oversight Project, say these changes may have a more immediate effect on the types of user data government agencies and law enforcement can obtain from Apple.
These changes “recognize the massive public backlash against expanded spying on our devices,” particularly after the supreme court struck down federal anti-abortion protections, he said.
“This type of protection is most valuable in protecting not against cybercriminals, but against people who abuse the government’s power to force the company to hand over data,” Cahn said. “Apple has long been in the position where it has had to be the long arm of the police for years. Their law enforcement handbook lists dozens of ways they can help with investigations and now for people who opt for protection [feature] there will be a safeguard in the future.”
That could be a concern for government agencies looking to obtain user data to help with their investigations. Apple declined to comment on whether the company has discussed the changes with law enforcement or government agencies.
Companies like Apple have become increasingly attractive targets for hackers and law enforcement due to the vast amount of information they hold on individuals.
Recent years have brought an increase in global cyber attacks and data breaches. In the first quarter of 2022, there were 404 publicly reported data breaches, up 14% from the same quarter a year earlier, according to a report from the Identity Theft Resource Center (ITRC). There was a total increase of 68% in data breaches between 2020 and 2021.
The number of government and law enforcement data requests Apple has received has also increased, according to the company’s latest transparency report. Between January and July 2021, the company received more than 12,000 requests for various types of user information, up from more than 10,000 in the last six months of 2020.
The end-to-end encryption of user information stored in iCloud, which Apple calls “Advanced Data Protection for iCloud,” will first be rolled out to a small subset of test users before rolling out widely in the US before the end of the year and globally by 2023. The new offering will mean information like iCloud-backed messages, notes, and photos will be fully encrypted.
However, the change will not cover all data (contacts, calendar information, and email will not be encrypted) and users will have to opt in to the feature. The encryption key, or the code used to access that secure data, will be stored on the device. That means if a user who opts in for this protection loses access to their account, they’ll be responsible for using their key to regain that access: Apple will no longer store encryption keys in iCloud.
The feature not being turned on for all users by default remains a point of contention for privacy advocates.
“I am less critical of Apple for [not encrypting contacts, calendar information and email] given how difficult it would be to remove so many email programs and calendar tools,” Cahn said. “But I think having a transition to privacy by default for iCloud is the most important step.”
The company says it opted for these features because the system requires users to be responsible for encryption keys and other means of recovering and regaining access to that information. “If you lose access to your account, only you can recover this data, using your device’s passcode or password, recovery contact, or recovery key,” according to Apple’s website.
In addition to iCloud data protection, Apple plans to implement a physical security key system for people who sign in to their iCloud account on any new device. It acts as a hardware-based two-factor authentication system. Those who choose to use this added layer of security will need to plug a physical security key into the phone’s charging port to verify their identity when they sign in to their iCloud account on a new device.
However, users who choose to use this to protect their iCloud accounts will be responsible for keeping those security keys: the primary key and a backup.
Lastly, the company is implementing a code system that allows people to verify that their messages are only being sent to the intended recipient and are not being compromised by a hacker. The process may be familiar to users of the Signal encrypted messaging app. In the case of Apple, two people who have enabled the system will be able to exchange their unique code and their devices will automatically detect if someone with a different code has entered the conversation. Automatic alerts will appear in conversations between users who have enabled this verification feature “if an exceptionally advanced adversary, such as a state-sponsored attacker, ever manages to breach cloud servers and insert their own device to eavesdrop on these encrypted communications,” the company said in the press release announcing the products.