A twelve year journey to get Apple’s end-to-end encrypted iCloud services for global users
Apple’s end-to-end encrypted iCloud services are becoming available for global users. This was something that was until now reserved to US users. We have been calling for this for twelve years.
On 18th January, it was announced that end-to-end encrypted iCloud services, Advanced Data Protection, would be offered to Apple users globally.
The offer of such level of security globally, while overdue, is a key step to ensuring trust and confidence in today’s world. There are too many threats to our data and our rights. Twelve years ago, we called on Apple to encrypt iCloud storage for users all around the world.
Why this is important
While privacy and security is often portrayed as opposite to each other, they are two sides of the same coin. Privacy is security and security is privacy: we cannot have the one without the other. Without security we cannot protect our privacy, we cannot protect our digital devices that hold today our photos, financial information, medical records and so many other sensitive information. And without privacy our security is not guaranteed.
This is why end-to-end encryption (or E2EE) is key to protecting our data and personal lives from unwarranted intrusions. E2EE ensures that only the sender and the receiver have access to the communications. E2EE cloud security that is relevant here ensures that only ourselves have access to our files and nobody else. That means that companies cannot exploit our data for profit, not even the company whose services we are using. It also protects us from abusive surveillance powers of governments. For example, they would not be able to read our messages if they intercepted our data while in transit.
What is the difference?
Prior to this, Apple was offering what they call “Standard data protection”, which means iCloud data is encrypted but the encryption keys are secured in Apple. This means that the company retains the possibility to access your data and not only the company. For instance, state authorities with a warrant could potentially force Apple to hand over whatever data is stored in the cloud. This also opens opportunities for malicious actors to target this data. Earlier in 2022, it was reported that hackers had forged warrants and got access to data held by Apple.
The “Advanced Data Protection iCloud” offers additional layers of protection, with Apple stating that “your trusted devices will retain sole access to the encryption keys for the majority of your iCloud data”. Data that are additionally protected include messages, iCloud Backup, Photos, Notes and more. This data cannot even be accessed by Apple, as a result, also governments and other state authorities cannot request to access them (not even with a warrant).
Of course we can never forget that it remains possible that someone can still have access to your data if they gain access to your trusted devices in some way. However, Apple’s advanced protection is a key piece to digital security.
What is still to be done
Yet this advanced security is not the default. Apple users need to opt-in, and it remains to be seen. We would love to see E2EE by design.
Also, there is still data that is not protected by end-to-end encryption. Emails and calendar data contain a detailed picture of our personal lives, but are not covered by this advanced protection at the moment.
This is a huge win, and will improve privacy and security for millions around the world but it remains to be seen how this will be facilitated in countries with a very strict attitude toward encryption.
Apple aren’t the first company to offer end-to-end cloud encryption. Other smaller companies such as Proton Drive, Mega, Sync.com also do. However, it is a step in the right direction that a big tech company offers this level of protection for their services, given how many users they have around the world.
We want a world where privacy doesn’t depend on an industry filled with companies that exploit our data for profit. And a world where governments can’t abuse their vast powers to get our data that companies hold.
With verifiable security under our control, we’re getting closer.