Archive for December 7, 2022

Wednesday, December 7, 2022

Advanced Data Protection for iCloud

Apple (MacRumors, Hacker News):

Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data.

[…]

“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.” For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud.

John Gruber:

It’s off by default, primarily, I believe, for customer support reasons. With standard iCloud data protection, customer data is encrypted in transit and in storage on iCloud’s servers, but Apple holds keys that can be used for recovery in case a customer loses access to their account.

I’m guessing it also can’t be enabled if your account has devices with older OS versions, though I haven’t seen any documentation about this.

Apple:

Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, you can choose to enable Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud.

With Advanced Data Protection, the number of data categories that use end-to-end encryption rises to 23 and includes your iCloud Backup, Photos, Notes, and more.

This also finally makes iMessage actually end-to-end encrypted because the cloud backup that stores the key is now end-to-end encrypted, too. Of course, your messages are only actually protected if everyone that you message with opts in.

If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it — you’ll need to use your device passcode or password, a recovery contact, or a personal recovery key.

It seems not great that it’s all protected by the device passcode. Mine is shorter than I’d like because I have to thumb-tap it in frequently when Face ID fails. Presumably there’s a key stored in the cloud in case I lose all my devices, and I wish that could be encrypted with a longer password. [Update (2022-12-08): Apple doesn’t quite say this in writing, but the video with Federighi strongly implies that a passcode is not enough; if you lose your trusted device you need a recovery contact or recovery key.]

Some metadata and usage information stored in iCloud remains under standard data protection, even when Advanced Data Protection is enabled. For example, dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data are used to help Apple de-duplicate and optimize your iCloud and device storage — all without having access to the files and photos themselves.

[…]

iWork collaboration, the Shared Albums feature in Photos, and sharing content with “anyone with a link,” do not support Advanced Data Protection. When you use these features, the encryption keys for the shared content are securely uploaded to Apple data centers so that iCloud can facilitate real-time collaboration or web sharing. This means the shared content is not end-to-end encrypted, even when Advanced Data Protection is enabled.

[…]

When Advanced Data Protection is enabled, access to your data via iCloud.com is disabled by default. You have the option to turn on data access on iCloud.com, which allows the web browser that you're using and Apple to have temporary access to data-specific encryption keys provided by your device to decrypt and view your information.

Robert McMillan and Joanna Stern:

Mr. Federighi said that Apple isn’t aware of any customer data being taken from iCloud by hackers but that the Advanced Protection system will make things harder for them. “All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems,” he said. “We have to stay ahead of future attacks with new protections.”

[…]

Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe. If sensitive information were to get in the hands of an attacker, a foreign adversary or some other bad actor, it could be disastrous, he said.


Update (2022-12-14): Rosyna Keller:

The new optional end-to-end encryption features require that you have all devices using an iCloud account be on iOS 16.2/macOS 13.1/watchOS 9.2/audioOS 16.2/iCloud for Windows vNext/et fam or later. If a device doesn’t comply, you must de-iCloud it.

Matthew Green (tweet):

While every single one of these is exciting, one announcement stands above the others. This is Apple’s decision to roll out (opt-in) end-to-end encryption for iCloud backups. While this is only one partial step in the right direction, it’s still a huge and decisive step — one that I think will substantially raise the bar for cloud security across the whole industry.

[…]

I am struggling to try to find an analogy for how crazy this is. Imagine your country held a national referendum to decide whether most citizens should be compelled to photocopy their private photos and store them in a centralized library — one that was available to both police and motivated criminals alike. Would anyone vote in favor of that, even if there was technically an annoying way to opt out? As ridiculous as this sounds, it’s effectively what we’ve done to ourselves over the past ten years: but of course we didn’t choose any of it. A handful of Silicon Valley executives made the choice for us, in pursuit of adoption metrics and a “magical” user experience.

[…]

I wish I could tell you that Apple’s announcement today is the end of the story, and now all of your private data will be magically protected — from hackers, abusive partners and the government. But that is not how things work.

Dan Moren:

But as good as those protections are, there are still a few more places where the company could enact additional security and privacy measures to help make sure that your data stays in your control.

Sami Fathi:

While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it’s “deeply concerned with the threat end-to-end and user-only-access encryption pose.” Speaking generally about end-to-end encryption like Apple’s Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests “lawful access by design.”

See also: MacRumors, Slashdot, TidBITS.

Update (2023-05-29): Jesse Squires:

Both iOS and macOS prompt me to do this “Security Settings Verification” like every 2-4 weeks or so. This started after enabling iCloud E2EE.

Kevin Renskers:

On every device you have to give your password / pincode multiple times a month. It sucks.

Update (2023-06-01): Ezekiel Elin:

Wonder if the advanced data protection is more related to people also setting up a recovery key - that’s not required though for ADP but many people did both at the same time

I say because I’ve not seen these prompts and I did NOT set up a recovery key.

Security Keys for Apple ID

Apple (MacRumors):

Apple introduced two-factor authentication for Apple ID in 2015. Today, with more than 95 percent of active iCloud accounts using this protection, it is the most widely used two-factor account security system in the world that we’re aware of. Now with Security Keys, users will have the choice to make use of third-party hardware security keys to enhance this protection. This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government. For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors. This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam.

Apple (via Maxwell Swadling):

A recovery key is a randomly generated 28-character code that you can use to help reset your password or regain access to your Apple ID. While it’s not required, using a recovery key improves the security of your account by putting you in control of resetting your password. Creating a recovery key turns off account recovery. Account recovery is a process that would otherwise help you get back into your Apple ID account when you don’t have enough information to reset your password.


Apple Abandons CSAM Scanning

Apple (via MacRumors):

After extensive consultation with experts to gather feedback on child protection initiatives we proposed last year, we are deepening our investment in the Communication Safety feature that we first made available in December 2021. We have further decided to not move forward with our previously proposed CSAM detection tool for iCloud Photos. Children can be protected without companies combing through personal data, and we will continue working with governments, child advocates, and other companies to help protect young people, preserve their right to privacy, and make the internet a safer place for children and for us all.

This is kind of surprising because it seemed designed to work on-device, alongside the end-to-end encrypted iCloud Photo Library that just arrived.

Lily Hay Newman:

The company told WIRED that while it is not ready to announce a specific timeline for expanding its Communication Safety features, the company is working on adding the ability to detect nudity in videos sent through Messages when the protection is enabled. The company also plans to expand the offering beyond Messages to its other communication applications. Ultimately, the goal is to make it possible for third-party developers to incorporate the Communication Safety tools into their own applications.


Update (2022-12-14): See also: Slashdot.

Update (2023-09-01): Tim Hardwick (Hacker News):

Apple on Thursday provided its fullest explanation yet for last year abandoning its controversial plan to detect known Child Sexual Abuse Material (CSAM) stored in iCloud Photos.

Apple’s statement, shared with Wired and reproduced below, came in response to child safety group Heat Initiative’s demand that the company “detect, report, and remove” CSAM from iCloud and offer more tools for users to report such content to the company.

Ben Lovejoy:

There was no realistic way for Apple to promise that it will not comply with future requirements to process government-supplied databases of “CSAM images” that also include matches for materials used by critics and protestors.

Jeff Johnson:

Apple’s letter is good, but it basically just repeats the reasons that we were all screaming at Apple when they announced on-device scanning. You have to wonder why they decided to ship it in the first place.


Update (2023-09-04): Nick Heer:

What is a little bit surprising is that Apple gave to Wired a copy of the email (PDF) Gardner sent — apparently to Tim Cook — and the response from Apple’s Erik Neuenschwander. In that letter, Neuenschwander notes that scanning tools can be repurposed on demand for wider surveillance, something it earlier denied it would comply with but nevertheless remains a concern; Neuenschwander also notes the risk of false positives.

[…]

One of the stories on Heat Initiative’s website concerns a man who abused his then-fiancé’s daughter in photo and video recordings, some of which were stored in his personal iCloud account. It is not clear to me how this case and others like it would have been discovered by Apple even if it did proceed with its proposed local CSAM detection solution as it would only alert on media already known to reporting authorities like NCMEC.

[…]

I simply think my own files are private regardless of where they are stored. Public iCloud photo albums are visible to the world and should be subject to greater scrutiny. Apple could do at least one thing differently: it is surprising to me that shared public iCloud albums do not have any button to report misuse.

MarsEdit 5

Daniel Jalkut (tweet):

MarsEdit 5 features a beautiful new icon, a “Microposting” feature for streamlined short-form blogging, enhanced plain-text editing with built-in Markdown syntax highlighting, a completely rebuilt rich text editor based on Apple’s latest WebKit2 technologies, and a variety of nuanced improvements to make your blogging workflow smoother, and more enjoyable than ever.

It costs $59.95 for new users or $29.95 to upgrade.

I like the new find bar and the smaller font for the metadata at the top of the window, as this lets me see more tags before they get clipped.

The new New Micropost command has a default shortcut of Command-Control-P, which overrides my longstanding shortcut for formatting with <p> tags. I was able to change that in System Settings, and then my shortcut worked again.

The Edit with BBEdit feature seems to be broken—MarsEdit doesn’t detect when I close the BBEdit window—but hopefully can be fixed soon. (I think it’s an interaction between BBEdit’s sandboxing and MarsEdit’s new bundle identifier.)


Update (2022-12-14): Daniel Jalkut:

It’s been an exhilarating week releasing @MarsEdit 5. The last thing I expected was that I’d be facing the end of the week still wondering why the app is stuck in Mac App Store app review. Unfortunately I don’t know when or if it will be approved. The opacity is very frustrating.

Daniel Jalkut:

MarsEdit 5.0.1 is now available on the MarsEdit site and on the Mac App Store.

BBEdit 14.6.2:

Added MarsEdit 5’s bundle ID to the sandboxing entitlements, so that its “Edit in BBEdit” support works correctly.