Apple will introduce end-to-end encryption for iCloud backups, resolving longstanding criticism over the absence of the safeguard for a key way users store data. The “Advanced Data Protection” mode will be available for all iCloud data including backups, photos and notes, the company announced Wednesday.
Apple already offers end-to-end encryption for iMessage and other iCloud data such as health data. The expanded protections, expected to be rolled out in early 2023, will help users safeguard all iCloud data from unwanted access such as data breaches.
“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices,” said Ivan Krstić, Apple’s head of Security Engineering and Architecture.
Apple has drawn sharp criticism in the past for its failure to encrypt all iCloud data, leaving it vulnerable to hackers and law enforcement requests. To enable encrypted back-ups, users will have to opt-in, meaning that some unencrypted back-up data may still be available to law enforcement requests.
The expanded features have been hailed by privacy groups as welcome but long overdue.
“Much of the data users store on iCloud is just a court order away from becoming a policing tool. With these changes, Apple will keep up with the privacy best practices that other companies have followed for years,” Surveillance Technology Oversight Project Executive Director Albert Fox Cahn said in a statement. “But it’s disappointing that users have to opt-in to many of these new protections, leaving the vast majority at risk.”
The changes heighten conflict between Apple and law enforcement agencies, who argue that the embrace of encryption technologies has made it more difficult for police to secure digital evidence. By enabling the encryption of back-ups, Apple will have less data available to hand over.
The FBI criticized the move, saying in a statement that the bureau wants to see technology companies embrace “responsibly managed encryption — encryption that providers can decrypt when served with a legal order and provide that information to law enforcement.” The spread of increasingly sophisticated encryption will hamper investigations, and “the FBI and law enforcement partners need ‘lawful access by design’ to keep pace with adversary tradecraft,” the bureau said.
Technologists and civil society groups maintain that building so-called “lawful access” tools into encryption systems fatally undermines them, exposing them to attack and putting user data at risk.
“The ability to opt-in to encrypted iCloud backups is a really big win for users and bad news for law enforcement, who loved to request iCloud backups to save them the trouble of breaking into a phone,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, wrote on Mastodon.
Apple will also introduce a “Contact Key Verification” for journalists, government officials, human rights activists and other groups potentially vulnerable to state-sponsored cyberattacks. The tool allows users to verify the identity of the individual they are chatting with. The encrypted messaging app Signal offers a similar service.
The feature also alerts users if an “exceptionally advanced adversary” succeeded in breaching servers to eavesdrop on the conversation. Apple said that it wasn’t aware of any attack of that level of sophistication occurring.
Updated Dec. 8, 2022: This article has been updated with a statement from the FBI.