Apple Dropped iCloud Encryption Plan After FBI Pressure – Report

AuthentificationJusticeLegalMobilityRegulationSecuritySmartphonesSurveillance-IT
icloud

Privacy versus security. FBI complaint two years ago halted Apple’s plans to fully encrypt iCloud backups, it is alleged in a new report

Apple allegedly dropped its plans to fully encrypt iCloud backups after a complaint from the US Federal Bureau of Investigation (FBI).

The FBI were concerned the move would harm investigations, according to an exclusive report by Reuters, which cited six sources familiar with the matter.

Apple and the FBI (and US Justice Department) are currently locked in another argument over a locked iPhone belonging to a dead terrorist. Last week US President Donald Trump rounded on Apple, saying the iPad maker “refuse to unlock phones used by killers, drug dealers and other violent criminal elements.”

Pensacola terrorist

That came after after US Attorney General William Barr in a press conference on the issue, had accused Apple of refusing to provide ‘substantive assistance’.

That case centres over a mass shooting at a US Naval Air Station in Pensacola (Florida) on 6 December 2019.

Saudi military trainee Mohammed Alshamrani opened fire in a classroom and killed three American sailors and wounded eight others. Alshamrani was later killed in a shoot out with police.

The FBI is seeking Apple’s assistance in unlocking two iPhones (an iPhone 7 and an iPhone 5) that belonged to Alshamrani. The FBI has obtained court authorisation to search the phones but failed to gain access by guessing the passwords.

Both phones are locked and encrypted. One of the phones was shot when Alshamrani was killed, but authorities believe data is still recoverable from it.

The FBI wants to see who Alshamrani was communicating with, before he went on his rampage.

The US attorney general indicated that he intends to use the Alshamrani case to push for a solution to the DoJ’s struggle to bypass Apple security features.

Apple for its part has said that it had in fact turned over the shooter’s iCloud backups in the Pensacola case, and it rejected the characterisation that it “has not provided substantive assistance.”

End-to-end encryption

Into this mix Reuters has reported that Apple dropped the end-to-end encryption plan for iCloud Backup after a FBI complaint.

Apple’s decision was apparently made two years ago, after the iPad maker told the FBI that it planned to offer users end-to-end encryption when storing their phone data on iCloud.

This is according to one current and three former FBI officials and one current and one former Apple employee, Reuters reported.

“Under that plan, primarily designed to thwart hackers, Apple would no longer have a key to unlock the encrypted data, meaning it would not be able to turn material over to authorities in a readable form even under court order,” the Reuters report stated.

“Legal killed it, for reasons you can imagine,” another former Apple employee was reported as saying. He was not told of any specific mention of why the plan was dropped or if the FBI was a factor in the decision.

That person told Reuters the company did not want to risk being attacked by public officials for protecting criminals, sued for moving previously accessible data out of reach of government agencies or used as an excuse for new legislation against encryption.

“They decided they weren’t going to poke the bear anymore,” the person said, referring to Apple’s court battle with the FBI in 2016 over access to an iPhone used by one of the suspects in a mass shooting in San Bernardino, California.

Encrypted or not?

It should be noted that nearly all types of iCloud data are encrypted, both in transit and on Apple’s servers.

That said, only certain Apple services (iCloud Keychain password manager, Wi-Fi passwords etc) get the extra protection of end-to-end encryption.

When end-to-end encryption is applied, Apple doesn’t have a key to unlock the data and therefore cannot hand over a decrypted version to law enforcement.

And it seems that Messages is a special case, as while Messages itself has end-to-end encryption, the iCloud Backup apparently includes a copy of the key protecting a person’s Messages.

Therefore, if a person wants to fully protect their Messages, they should disable iCloud Backup and back their iOS device onto their computer instead.

This is a point recognised by cybersecurity expert Jake Moore at ESET.

“Encrypting data is essential and companies usually offer help and support when protecting data, so this news comes as a shock to me,” said Moore. “However, it doesn’t mean your back-up and data can’t be encrypted. You will still be able to make an encrypted back-up on your home computer and store it there. As always, users should also be reminded that their data needs to be protected with a strong and complex password.”

“The balance between law enforcement and tech companies protecting data comes into question quite often,” said Moore. “However, this balance is extremely difficult to fine-tune. Typically, users want the easiest route if they care about their data security, so encryption should be handed to them on a plate.”

San Bernardino

For a bit of context, Apple has clashed with the US DoJ previously over its refusal to unlock an encrypted iPhone protected by a passcode.

In 2016, the FBI tried to force Apple to help it unlock an iPhone that had been used by a terrorist in San Bernardino, California.

Apple refused, with CEO Tim Cook saying the implications of the demand were “chilling”.

Cook also said that the FBI’s request at the time to create a new operating system, was the “software equivalent to cancer” – a privacy stance that was backed by tech rivals at the time.

This led to a prolonged clash with the FBI and US government, and in the end FBI paid an undisclosed group more than $1 million (£750,000) to help it access the phone.

It should be noted that ALL American firms can be compelled on ‘national security grounds’ to hand over data on their servers when requested by US officials.

Apple says it cannot unlocked a “permanently inaccessible” iPhone when there has been ten failed attempts to guess the passcode.

Another point to note is that Apple, like other US tech firms, are not allowed to disclose the specific number of unlocking requests it receives from US authorities.

Quiz: How well do you know Apple?

Read also :
Author: Tom Jowitt
Click to read the authors bio  Click to hide the authors bio