Advanced Data Protection for iCloud
Apple (MacRumors, Hacker News):
Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data.
[…]
“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.” For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud.
It’s off by default, primarily, I believe, for customer support reasons. With standard iCloud data protection, customer data is encrypted in transit and in storage on iCloud’s servers, but Apple holds keys that can be used for recovery in case a customer loses access to their account.
I’m guessing it also can’t be enabled if your account has devices with older OS versions, though I haven’t seen any documentation about this.
Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, you can choose to enable Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud.
With Advanced Data Protection, the number of data categories that use end-to-end encryption rises to 23 and includes your iCloud Backup, Photos, Notes, and more.
This also finally makes iMessage meaningfully end-to-end encrypted. The messages were always end-to-end encrypted in transit, but iCloud Backup, which Apple could decrypt, held a copy of the key protecting Messages in iCloud, so anyone with access to the backup could read them anyway. With Advanced Data Protection the backup is end-to-end encrypted too. Of course, your messages are only actually protected if everyone you message with opts in, since a single unprotected backup on the other end still exposes the whole conversation.
If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it — you’ll need to use your device passcode or password, a recovery contact, or a personal recovery key.
It seems not great that it’s all protected by the device passcode. Mine is shorter than I’d like because I have to thumb-tap it in frequently when Face ID fails. Presumably there’s a key stored in the cloud in case I lose all my devices, and I wish that could be encrypted with a longer password. [Update (2022-12-08): Apple doesn’t quite say this in writing, but the video with Federighi strongly implies that a passcode is not enough; if you lose your trusted device you need a recovery contact or recovery key.]
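As an added illustration (not Apple's code, and not a description of Apple's actual key hierarchy, which this post does not document), here is a toy model of the two custody modes the quoted text contrasts: under standard protection the service holds a key that can unwrap the user's data key, so it can do account recovery on its own; under Advanced Data Protection the service stores only copies of the data key wrapped under secrets derived from the device passcode and the personal recovery key (the recovery-contact path is not modeled). Everything in it is an assumption of the model: HMAC-SHA256 in counter mode plus an HMAC tag stands in for a real AEAD or AES key wrap, the scrypt cost is deliberately low so the demo runs quickly, and the passcode-wrapped blob is assumed to be obtainable offline, which is the worst case behind the worry above (the update notes that Apple's video implies a passcode alone does not recover an account).

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

NONCE_LEN = 16
TAG_LEN = 32
# Reduced scrypt cost so the offline-guessing demo finishes in well under a second.
# Real parameters would be far higher; this is the model's assumption, not Apple's setting.
SCRYPT_N = 2 ** 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stdlib stand-in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(kek: bytes) -> tuple:
    """Separate encryption and MAC keys derived from one key-encryption key."""
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())


def wrap(kek: bytes, data_key: bytes) -> bytes:
    """Encrypt-then-MAC the data key under kek; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(enc_key, nonce, len(data_key))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Inverse of wrap(); None if kek is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Stretch a passcode or recovery key into a 256-bit key-encryption key."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=SCRYPT_N, r=8, p=1, dklen=32)


def standard_escrow(data_key: bytes, service_kek: bytes) -> dict:
    """Standard protection: the service wraps the data key under a key it holds itself."""
    return {"wrapped_key": wrap(service_kek, data_key)}


def service_recover(escrow: dict, service_kek: bytes) -> Optional[bytes]:
    """Account recovery needs no user secret: the service unwraps with its own key."""
    return unwrap(service_kek, escrow["wrapped_key"])


def advanced_escrow(data_key: bytes, passcode: str, recovery_key: str) -> dict:
    """ADP model: the service stores only blobs wrapped under secrets it never sees."""
    pass_salt, rk_salt = os.urandom(16), os.urandom(16)
    return {
        "by_passcode": (pass_salt, wrap(derive_kek(passcode, pass_salt), data_key)),
        "by_recovery_key": (rk_salt, wrap(derive_kek(recovery_key, rk_salt), data_key)),
    }


def user_recover(escrow: dict, secret: str, slot: str) -> Optional[bytes]:
    """Recovery with the passcode or the personal recovery key; the service only relays the blob."""
    salt, blob = escrow[slot]
    return unwrap(derive_kek(secret, salt), blob)


def offline_guess(escrow: dict, candidates: Iterable[str]) -> Optional[str]:
    """What someone holding the escrow blobs can do: try passcodes offline, with no rate limit.
    Returns the candidate that unwrapped the key, or None."""
    salt, blob = escrow["by_passcode"]
    for guess in candidates:
        if unwrap(derive_kek(guess, salt), blob) is not None:
            return guess
    return None


def exhaustive_search_seconds(space_size: int) -> float:
    """Cost of enumerating a whole secret space at this KDF setting, from one timed derivation."""
    start = time.perf_counter()
    derive_kek("probe", b"\x00" * 16)
    return (time.perf_counter() - start) * space_size


if __name__ == "__main__":
    data_key, service_kek = os.urandom(32), os.urandom(32)
    std = standard_escrow(data_key, service_kek)
    print("standard: service recovers data key:", service_recover(std, service_kek) == data_key)
    recovery_key = "C7XQ-R2JH-M9TL-4KZP-W3AV-8BNE-YD6G"  # constructed sample, not a real key format
    adp = advanced_escrow(data_key, "1234", recovery_key)
    print("ADP: user recovers with passcode:", user_recover(adp, "1234", "by_passcode") == data_key)
    print("ADP: user recovers with recovery key:", user_recover(adp, recovery_key, "by_recovery_key") == data_key)
    print("ADP: offline guess over 1200-1299:", offline_guess(adp, (f"{i:04d}" for i in range(1200, 1300))))
    print("seconds to exhaust a 4-digit passcode:", round(exhaustive_search_seconds(10 ** 4), 1))
    print("seconds to exhaust a 6-digit passcode:", round(exhaustive_search_seconds(10 ** 6), 1))
    print("seconds to exhaust 28 symbols over a 32-symbol alphabet:", exhaustive_search_seconds(32 ** 28))
```

The model makes the tradeoff concrete: in standard mode a single service-held key turns account recovery into a plain unwrap, which is exactly what makes a server-side breach dangerous; in the ADP model the service holds nothing it can use, and what remains to attack is the entropy of the user secrets. A short passcode is enumerable in seconds if its wrapped blob ever leaks offline, while a long random recovery key is not, which is why a design that leans on the passcode must also keep the blob out of attackers' hands and rate-limit guesses.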
Some metadata and usage information stored in iCloud remains under standard data protection, even when Advanced Data Protection is enabled. For example, dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data are used to help Apple de-duplicate and optimize your iCloud and device storage — all without having access to the files and photos themselves.
[…]
iWork collaboration, the Shared Albums feature in Photos, and sharing content with “anyone with a link,” do not support Advanced Data Protection. When you use these features, the encryption keys for the shared content are securely uploaded to Apple data centers so that iCloud can facilitate real-time collaboration or web sharing. This means the shared content is not end-to-end encrypted, even when Advanced Data Protection is enabled.
[…]
When Advanced Data Protection is enabled, access to your data via iCloud.com is disabled by default. You have the option to turn on data access on iCloud.com, which allows the web browser that you’re using and Apple to have temporary access to data-specific encryption keys provided by your device to decrypt and view your information.
Robert McMillan and Joanna Stern:
Mr. Federighi said that Apple isn’t aware of any customer data being taken from iCloud by hackers but that the Advanced Protection system will make things harder for them. “All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems,” he said. “We have to stay ahead of future attacks with new protections.”
[…]
Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe. If sensitive information were to get in the hands of an attacker, a foreign adversary or some other bad actor, it could be disastrous, he said.
Possible next steps:
- Support for third-party cloud backups.
- A way to fully turn off pushed OS updates, as these potentially offer a backdoor in the event that Apple ever does consent to making a special OS version that weakens security.
Previously:
- Security Keys for Apple ID
- FBI Guide to Getting Messaging Data
- Safari Bookmarks [Not Actually] End-To-End Encrypted
- Data Privacy Day at Apple
- Data Security on Mobile Devices
- Reminder: iMessage Not Meaningfully E2E
- Where Is End-to-End Encryption for iCloud?
- Apple Dropped Plans for End-to-End Encrypted iCloud Backups After FBI Objected
- iCloud in China and on Google’s Cloud
- Apple’s iMessage Metadata Logs
- Apple Working on Removing iOS Backdoor
- FBI Asks Apple for Secure Golden Key
- Secure Golden Key
- Can Apple Read Your iMessages?
Update (2022-12-14): Rosyna Keller:
The new optional end-to-end encryption features require that you have all devices using an iCloud account be on iOS 16.2/macOS 13.1/watchOS 9.2/audioOS 16.2/iCloud for Windows vNext/et fam or later. If a device doesn’t comply, you must de-iCloud it.
While every single one of these is exciting, one announcement stands above the others. This is Apple’s decision to roll out (opt-in) end-to-end encryption for iCloud backups. While this is only one partial step in the right direction, it’s still a huge and decisive step — one that I think will substantially raise the bar for cloud security across the whole industry.
[…]
I am struggling to try to find an analogy for how crazy this is. Imagine your country held a national referendum to decide whether most citizens should be compelled to photocopy their private photos and store them in a centralized library — one that was available to both police and motivated criminals alike. Would anyone vote in favor of that, even if there was technically an annoying way to opt out? As ridiculous as this sounds, it’s effectively what we’ve done to ourselves over the past ten years: but of course we didn’t choose any of it. A handful of Silicon Valley executives made the choice for us, in pursuit of adoption metrics and a “magical” user experience.
[…]
I wish I could tell you that Apple’s announcement today is the end of the story, and now all of your private data will be magically protected — from hackers, abusive partners and the government. But that is not how things work.
But as good as those protections are, there are still a few more places where the company could enact additional security and privacy measures to help make sure that your data stays in your control.
While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it’s “deeply concerned with the threat end-to-end and user-only-access encryption pose.” Speaking generally about end-to-end encryption like Apple’s Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests “lawful access by design.”
See also: MacRumors, Slashdot, TidBITS.
Update (2023-05-29): Jesse Squires:
Both iOS and macOS prompt me to do this “Security Settings Verification” like every 2-4 weeks or so. This started after enabling iCloud E2EE.
On every device you have to give your password / pincode multiple times a month. It sucks.
Update (2023-06-01): Ezekiel Elin:
Wonder if the advanced data protection is more related to people also setting up a recovery key - that’s not required though for ADP but many people did both at the same time
I say because I’ve not seen these prompts and I did NOT set up a recovery key.