Apple Plans New Encryption System to Deter Hackers and Protect iCloud Data

Apple Inc. plans to significantly expand its data encryption practices, a move likely to create tension with law enforcement and governments around the world as the company continues to develop new privacy protections for millions of iPhone users.

The advanced end-to-end encryption system, an optional feature called Advanced Data Protection, would keep secure most of the data stored in iCloud, an Apple service used by many of its users to store photos, back up their iPhones or store specific device data such as notes and messages. The data would be protected should Apple be hacked, and it would also not be accessible to law enforcement, even with a warrant.

While Apple has pointed out in the past that it couldn’t help authorities like the Federal Bureau of Investigation access data on its encrypted iPhones, it was able to provide much of the data stored in iCloud backups in response to a valid legal request. Over the past year, it has responded to thousands of such requests across the United States, according to the company.

With these new security enhancements, Apple would not be technically able to honor certain law enforcement requests, such as requests for iCloud backups, which could contain chat logs and attachments from iMessage and were used in many investigations.

Apple added additional methods to help users recover their end-to-end encrypted data.

The company said the security improvements, announced Wednesday, are designed to protect Apple customers from the most sophisticated attackers.

“As customers have poured more and more of the personal information from their lives into their devices, they are increasingly subject to attacks by advanced actors,” Craig Federighi, Apple’s senior vice president of software engineering, said in an interview. Some of these actors go to great lengths to obtain the private information of people they target, he said.

The FBI said it was “deeply concerned by the threat of end-to-end and user-only access encryption,” according to a statement from an agency spokeswoman. “This hampers our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime and terrorism,” the statement said. The FBI and law enforcement need “lawful access by design,” it said.

A spokesman for the Justice Department declined to comment.

Former Western law enforcement and intelligence officials said they were surprised by Apple’s decision in part because the company has historically refrained from rolling out such encryption settings for iCloud. Officials said Apple would sometimes point authorities to iCloud as a possible means of gathering information that could be useful in criminal investigations.

Ciaran Martin, former head of Britain’s National Cyber Security Centre, said Apple’s announcement could bring legal complications for the company in several democracies that in recent years have introduced or weighed restrictions on technologies that cannot respond to law enforcement requests.

“Things will only become clearer when more technical details are given,” said Mr. Martin. “But on the face of it, existing legislation in Australia and threatened legislation in the UK appears to give those governments the power to effectively tell Apple in those countries not to do it.”

Last year, Apple proposed software for the iPhone that would identify child sexual abuse material on the iPhone. Apple now says it has halted development of the system after facing criticism from privacy and security researchers who feared the software could be misused by governments or hackers to gain access to sensitive information on the phone.

Mr. Federighi said Apple’s focus on protecting children is in areas such as communication and providing tools for parents to protect children in iMessage. “Child sexual abuse can be prevented before it occurs,” he said. “This is where we use our energy for the future.”

Apple released a feature called “Communication Safety” in Messages in December 2021, which provides tools for parents to warn their children if they receive or attempt to send photos containing nudity. The option is part of Apple’s Screen Time parental control software.

The new encryption system, which is due to be tested by early adopters from Wednesday, will be rolled out as an option in the US by the end of the year and then globally, including China, in 2023, Mr Federighi said.

“This development will raise questions at home and abroad, including whether the Chinese government will truly accept a loss of data access,” said Sumon Dantiki, a former senior FBI and Justice Department official who has worked on cyber investigations and is now a partner at the law firm King & Spalding. US officials have long pointed to China’s increasingly stringent demands for access to data on companies operating within its borders amid national security concerns.

In addition to Advanced Data Protection, Apple is also modifying its Messages app to make it harder to spy on messages, and now allows users to log in with hardware-based security keys from other companies such as Yubico.

Privacy groups have long urged Apple to increase encryption on its cloud servers. However, because Advanced Protection’s encryption keys are controlled by users, the system limits Apple’s ability to recover lost data.

To set up Advanced Data Protection, users must enable at least one data recovery method. This could be a recovery key – a long list of numbers and characters that users can print out and save in a safe place – or the user could assign a friend or family member as a recovery contact.

Over the past two decades, businesses and consumers have moved much of their data from the computer systems they control to the cloud — data centers full of servers operated by big tech companies. This trend has made these cloud systems an attractive target for cyber intruders.

Mr Federighi said Apple is not aware of hackers stealing customer data from iCloud, but that the advanced protection system will make things more difficult for them. “All of us in the industry that manage customer data are under constant attack from companies trying to break into our systems,” he said. “We need to be one step ahead of future attacks with new defenses.”

With Apple locking down its systems, governments worldwide are becoming increasingly interested in the data stored on phones and cloud computers. This interest has created friction between Apple and law enforcement, along with a growing market for iPhone hacking tools. In 2020, Attorney General William Barr urged Apple to crack iPhone encryption to help a terrorist investigation into a shooting that killed three people at a Florida naval base.

Advanced Protection reduces the amount of iCloud information Apple can provide to law enforcement agencies, who frequently request iPhone data from Apple as part of their investigations. Apple received requests for information about 7,122 Apple accounts from US government agencies in the first six months of 2021, the most recent period for which the company provided information.

Apple had already offered end-to-end encryption for some of its services, but protection will now extend to 23 services, including iPhone backups and photos. However, three services – Mail, Contacts and Calendar – do not qualify for the extended protection because they use older technology protocols, Mr Federighi said.

Mr Federighi said Apple believes it has the same mission as law enforcement and governments: to keep people safe. If confidential information gets into the hands of an attacker, a foreign adversary, or another bad actor, it could be catastrophic, he said.

“We’re giving users the option to keep that key only on their devices, which means that even if an attacker were to successfully break into the cloud and access all that data, it would be nonsense for them,” said Mr. Federighi. “You would lack the key to decrypt it.”

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.