Apple announced Wednesday a suite of data security improvements it plans to roll out in the coming months that aim to protect consumer data and ward off hackers.
The three data security features include iMessage Contact Key Verification, Security Keys for Apple ID and Advanced Data Protection for iCloud. In a company announcement, Apple Senior Vice President of Software Engineering Craig Federighi said the new features will provide users with "three powerful new tools to further protect their most sensitive data and communications."
Of the three improvements, however, the feature making most waves is the company's expansion of end-to-end encryption in its iCloud backups, a move that is drawing concerns from law enforcement.
Data security in its cloud service is not new, as the company has employed encryption to protect 14 "sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data." The new Advanced Data Protection feature expands the number of categories to 23 and includes E2E encryption for iCloud Backup, Notes and Photos, the release states. The protection will not cover iCloud Mail, Contacts and Calendar so they can continue to interoperate with other non-Apple, global systems.
Apple has long provided robust encryption protections on its devices, including iPhone, iPad and Mac computers. The device protections drew heated criticism from law enforcement, particularly the U.S. Federal Bureau of Investigation, after the San Bernardino terrorists attacks in 2015.
'Apple vs. FBI'
The so-called "Apple vs. FBI" debates lasted several months as the agency sought a backdoor into iPhones to conduct its high-profile investigation. At the 2016 IAPP Global Privacy Summit, then FBI General Counsel Jim Baker described the "going dark problem" that encryption allows. He said as encryption "spread throughout the world, as it's become easier to use, and become the default, more people will use it." But, he added, "With terrorism, we have a zero failure rate."
The FBI eventually did get access to the San Bernardino terrorist's phone, though at the time it did not share with Apple how it did so. "We love encryption," Baker said in 2016. "I've been a victim of privacy crimes several times, including at the (U.S. Office of Personnel Management). I wish that data had been encrypted."
With Apple's new expansion of encryption to iCloud, a service that users must enable, the FBI is once again expressing its concerns. The FBI told The Wall Street Journal this week that it was "deeply concerned with the threat end-to-end and user-only-access encryption pose. ... This hinders our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime and terrorism," adding that law enforcement needs "lawful access by design."
In a keynote speech at the 2022 IAPP Global Privacy Summit, Apple CEO Tim Cook said protecting privacy is not easy, but "it is one of the most essential battles of our time." He also reiterated that Apple continues to "stand up for encryption without backdoors — because we know that if you install a backdoor, anyone can use it."
In its announcement this week, Apple said, "Enhanced security for users' data in the cloud is more urgently needed than ever before." In conjunction with the announcement, the company released a white paper written by professor Stuart Madnick. "The Rising Threat to Consumer Data in the Cloud" found that the number of data breaches worldwide has more than tripled between 2013 and 2021. Additionally, more than 60% of the 1,000 largest companies in the U.S. have been breached, and in 2021, more than half of organizations surveyed experienced a ransomware attack.
Cybercrime is a multi-billion dollar business as more and more customers and businesses conduct their business online.
CSAM plans halted
According to Wired, Apple has also ceased plans to scan user photos for child sexual abuse material that are stored in iCloud. Last year, the company drew criticism from privacy advocates on the plan, and in September 2021 said it would pause the rollout "to collect input and make improvements before" the release. In response to the feedback it has received, "the CSAM-detection tool for iCloud photos is dead," the report states.
Apple will now focus its anti-CSAM work on its "Communication Safety" features. In a statement provided to Wired, the company said, "Children can be protected without companies combing through personal data, and we will continue working with governments, child advocates, and other companies to help protect young people, preserve their right to privacy, and make the internet a safer place for children and for us all."
Additional security measures
Apple is also rolling out iMessage Contact Key Verification and Security Keys. Though helpful for the average user, these robust protections are aimed at "users who face extraordinary digital threats - such as journalists, human rights activists, and members of government," the report states.
Users who enabled into the iMessage service will "receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications."
Finally, Security Keys will allow users to leverage third-party hardware security keys to enhance data security protections in iCloud. "This takes our two-factor authentication even further," the Apple release states, "preventing even an advanced attacker from obtaining a user's second factor in a phishing scam."
In a thread on Twitter, Matthew Green, a cryptography professor at Johns Hopkins University, characterized the roll out as a "big deal."
"Why is this a big deal?" he asked. "Because Apple sets the standard on what secure (consumer) cloud backup looks like. Even as an opt-in feature, this move will have repercussions all over the industry as competitors chase them."