Apple will let users choose whether or not to encrypt their iCloud backups in order to thwart hacker attacks. But also to limit requests for user data by law enforcement.
The new Data Protection feature for iCloud will allow users to encrypt data on Apple’s servers. This is enough to prevent Apple from accessing a user’s content. New content types that will support end-to-end encryption (E2EE) include iCloud backups, Notes, and Photos.
Until then, 14 categories of data were protected by E2EE (end-to-end encryption) by default, such as iCloud Keychain, Health data, Messages in iCloud, Maps, and Safari history. Now the categories are expanded to 23.
The option will be available in future versions iOS 16.2, iPadOS 16.2 and macOS 13.1
As Apple points out, with this data protection, only a user’s trusted devices have access to these categories of data. This will protect user content, even if attackers compromise iCloud servers.
This encryption extension will be available to US users by the end of the year and will begin rolling out to the rest of the world in early 2023. The option will be available in future versions of iOS 16.2, iPadOS 16.2 and macOS 13.1.
“This is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so it can’t be be decrypted only on their trusted devices,” said Ivan Krstić, head of engineering and security architecture at Apple, in an announcement.
The EFF congratulates, the FBI laments
Digital rights group Electronic Frontiers Foundation (EFF) has welcomed iCloud E2EE backups, a measure it has long campaigned for. Tim Cook previously explained that Apple did not encrypt iCloud backups because users sometimes lose their private key and then ask Apple for help regaining access to their data.
“Encryption is one of the most important tools we have to maintain online privacy and security,” said EFF’s Joe Mullin. “Apple’s encryption on devices is strong, but some particularly sensitive iCloud data, like photos and backups, continues to be vulnerable to government demands and hackers. »
Categories that remain unprotected by E2EE include iCloud Mail, Contacts and Calendar, due to the need to interoperate with global mail, contacts and calendar systems, according to Apple.
“For users who choose this option, Advanced Data Protection keeps most iCloud data protected, even in the event of a cloud data breach,” Apple notes.
But not everyone is satisfied. According The Washington Post, the FBI said it was “deeply concerned” about the threat posed by end-to-end encryption and one-time encryption, saying they hinder their investigative work. Many governments and law enforcement agencies are concerned that the increasing use of end-to-end encryption will make it more difficult for them to access information.
Additional security measures for risky accounts
For security-conscious and risky public figures, Apple is also introducing support for third-party hardware security keys, along with two-factor authentication for Apple ID. The security key becomes one of two factors and is required to access the account. It helps prevent phishing attacks that compromise the second factor.
Another security enhancement for public figures and others who may be targeted by attackers is iMessage ignition key verification. This feature allows users to verify that they are only sending messages to the people they want to contact.
Once a user has enabled iMessage’s Ignition Key Verification feature, they receive automatic alerts if an attacker manages to break into Apple’s servers, insert their own device, and listen in on communications encrypted. According to Apple, users of iMessage’s Ignition Key Verification feature can also compare a contact verification code, over FaceTime or through another secure call.
Source: ZDNet.com