On Wednesday Apple announced several major security initiatives that it will roll out between now and later in 2023. The biggest is extending end-to-end encryption to nine more categories of iCloud data, so that the decryption keys exist only on the user's trusted devices and Apple cannot read the data even when a government demands it:
iCloud already protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos. The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.
iCloud Backup is the centerpiece. A standard iCloud Backup is encrypted, but with keys Apple holds, and it also contains the key for Messages in iCloud, so the backup has been the practical way to obtain conversations that are otherwise end-to-end encrypted. The other eight categories that can now be end-to-end encrypted are iCloud Drive, Notes, Photos, Reminders, Safari Bookmarks, Siri Shortcuts, Voice Memos, and Wallet passes.
It has certainly been convenient for Apple to be able to hand law-enforcement agencies readable data under a warrant or other legal process, but another reason Apple has resisted encrypting everything is that doing so has serious side effects for users, most notably that Apple cannot recover your data if you lose access to your Apple ID. To address this, the nine new categories are gathered into an opt-in feature called Advanced Data Protection that is off by default and, according to Joanna Stern of the Wall Street Journal, requires users to set up at least one recovery method before it can be enabled: a recovery key (a long string you print out and store somewhere secure) or a recovery contact (a trusted person with their own Apple ID who can help you regain access to your account).
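To make that trade-off concrete, here is an added Python example (written for this page, not Apple's code or a description of its implementation) of the key-management pattern that end-to-end encryption with a recovery key implies: the service stores the user's data key only in wrapped form, once under a key derived from the user's secret and once under a printed recovery key, so it cannot produce plaintext on its own, and if both secrets are lost the data is gone. The password-derived wrapping stands in for the device-held key Apple actually relies on; the record layout, the recovery-key format and the stand-in cipher are my assumptions.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Demonstration-grade authenticated wrapping built only from the standard
# library: SHA-256 in counter mode supplies the keystream and HMAC-SHA256 the
# integrity tag (encrypt-then-MAC). A production system would use an AEAD such
# as AES-GCM; this construction exists only so the example runs offline.
def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(kek + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, payload: bytes) -> bytes:
    """Encrypt and authenticate payload under kek; output is nonce || ct || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(kek, nonce, len(payload))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; raises ValueError when kek is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def kek_from_secret(secret: str, salt: bytes) -> bytes:
    """Slow derivation so that a stolen record cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


@dataclass
class StoredAccount:
    """Everything the service keeps for one user (assumed layout). No unwrapped key is here."""
    salt_password: bytes
    wrapped_by_password: bytes
    salt_recovery: bytes
    wrapped_by_recovery_key: bytes
    ciphertext: bytes  # user data encrypted under the per-account data key


def new_recovery_key() -> str:
    """Printable recovery key the user writes down (format is an assumption): 32 base32 characters."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def enroll(password: str, plaintext: bytes) -> tuple[StoredAccount, str, bytes]:
    """Set up an account. Returns the service-side record, the recovery key the user
    must store, and the raw data key (returned here only so the caller can inspect it;
    in a real design it never leaves the trusted device)."""
    data_key = secrets.token_bytes(32)
    recovery_key = new_recovery_key()
    salt_pw, salt_rk = os.urandom(16), os.urandom(16)
    record = StoredAccount(
        salt_password=salt_pw,
        wrapped_by_password=wrap(kek_from_secret(password, salt_pw), data_key),
        salt_recovery=salt_rk,
        wrapped_by_recovery_key=wrap(kek_from_secret(recovery_key, salt_rk), data_key),
        ciphertext=wrap(data_key, plaintext),
    )
    return record, recovery_key, data_key


def decrypt_with(record: StoredAccount, secret: str, via_recovery_key: bool = False) -> bytes:
    """Recover the data from the record using either the password or the recovery key."""
    if via_recovery_key:
        data_key = unwrap(kek_from_secret(secret, record.salt_recovery), record.wrapped_by_recovery_key)
    else:
        data_key = unwrap(kek_from_secret(secret, record.salt_password), record.wrapped_by_password)
    return unwrap(data_key, record.ciphertext)


def record_contains_key(record: StoredAccount, data_key: bytes) -> bool:
    """Server-side view: does the raw data key appear anywhere in what is stored?"""
    stored = (record.salt_password + record.wrapped_by_password + record.salt_recovery
              + record.wrapped_by_recovery_key + record.ciphertext)
    return data_key in stored


if __name__ == "__main__":
    record, recovery_key, key = enroll("correct horse battery staple", b"Messages backup")
    print(decrypt_with(record, "correct horse battery staple"))
    print(decrypt_with(record, recovery_key, via_recovery_key=True))
    print("service can see the raw key:", record_contains_key(record, key))
    try:
        decrypt_with(record, "wrong password")
    except ValueError as err:
        print("lost password and recovery key:", err)
```

The point of the last two calls is the one the paragraph makes: the service holds nothing but wrapped keys and ciphertext, so a legal demand gets it nothing it can read, and a user who loses every secret is in exactly the same position.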
Stern's interview with Apple's Craig Federighi also suggests that the company has entirely abandoned its 2021 plan to scan iCloud Photos for child sexual abuse material (CSAM).
According to Apple, Advanced Data Protection is available today to US users running Apple's beta software, will reach all US users by the end of the year, and will roll out to the rest of the world (including China, according to Stern) in early 2023. This is a big step with potentially huge ramifications for Apple's relationship with governments around the world that expect Apple to be able to hand over the data its users keep in iCloud. (A slight mitigating factor is that the feature is opt-in and off by default, so most accounts will remain readable to Apple.)
Finally, let's not gloss over the two other security additions Apple plans to ship in 2023, which, like Lockdown Mode, are aimed at high-risk targets such as journalists, human-rights activists, and diplomats. iMessage Contact Key Verification alerts users who opt in if an unknown device is ever added to the other party's Apple ID, the sign that someone who had breached Apple's key servers was inserting a device to eavesdrop on the conversation; participants can also compare a verification code in person or over FaceTime. And Security Keys adds support for FIDO-certified hardware security keys, such as a YubiKey, as the second factor for Apple ID two-factor authentication in place of the six-digit codes sent to trusted devices.
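The two properties that sentence describes, noticing when a contact's advertised key set gains a device you have never seen, and comparing a short code out of band that only matches when both sides see the same keys, can be sketched in a few dozen lines. The example below is added for this page and is not Apple's design: the pinned key store, the trust-on-first-use rule, and the code construction are my assumptions, and the device keys are constructed placeholder byte strings.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class ContactRecord:
    """What a verifying client remembers locally about one contact (assumed store)."""
    pinned_keys: set[bytes] = field(default_factory=set)


def check_directory(contact: ContactRecord, directory_keys: list[bytes]) -> tuple[set[bytes], set[bytes]]:
    """Compare the key directory's answer with the pinned set.

    Returns (keys currently advertised, keys never seen before). The first lookup
    pins whatever the directory returns (trust on first use); afterwards any key
    missing from the pinned set is reported so the client can raise an alert.
    """
    current = set(directory_keys)
    if not contact.pinned_keys:
        contact.pinned_keys = set(current)
        return current, set()
    return current, current - contact.pinned_keys


def accept_new_keys(contact: ContactRecord, keys: set[bytes]) -> None:
    """Only after the user has confirmed a genuinely new device out of band."""
    contact.pinned_keys |= keys


def party_fingerprint(keys: set[bytes]) -> bytes:
    return hashlib.sha256(b"".join(sorted(keys))).digest()


def verification_code(my_keys: set[bytes], their_keys: set[bytes]) -> str:
    """Each side fingerprints its own (authentic) key set and the set it believes the
    other side has, then combines the two fingerprints in sorted order so both ends
    get the same code. Fingerprinting per party first matters: a plain union of all
    keys would still match if an attacker inserted the same key into both views."""
    combined = b"".join(sorted([party_fingerprint(my_keys), party_fingerprint(their_keys)]))
    digest = hashlib.sha256(combined).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


# Constructed sample data: identity public keys stand in as short byte strings.
ALICE_KEYS = {b"alice-iphone", b"alice-mac"}
BOB_KEYS = {b"bob-iphone"}
ATTACKER_KEY = b"attacker-device"


def scenario(attacker_inserts_key: bool) -> dict:
    """Alice and Bob message each other. Optionally a compromised key server adds
    the attacker's device to what each party is told about the other."""
    alice_view_of_bob, bob_view_of_alice = ContactRecord(), ContactRecord()
    check_directory(alice_view_of_bob, sorted(BOB_KEYS))      # earlier lookups pinned the real keys
    check_directory(bob_view_of_alice, sorted(ALICE_KEYS))
    extra = {ATTACKER_KEY} if attacker_inserts_key else set()
    bob_now, unknown_to_alice = check_directory(alice_view_of_bob, sorted(BOB_KEYS | extra))
    alice_now, unknown_to_bob = check_directory(bob_view_of_alice, sorted(ALICE_KEYS | extra))
    code_alice = verification_code(ALICE_KEYS, bob_now)   # Alice knows her own keys authentically
    code_bob = verification_code(BOB_KEYS, alice_now)
    return {
        "alice_alert": bool(unknown_to_alice),
        "bob_alert": bool(unknown_to_bob),
        "code_alice": code_alice,
        "code_bob": code_bob,
        "codes_match": code_alice == code_bob,
    }


if __name__ == "__main__":
    for attacked in (False, True):
        r = scenario(attacked)
        print("attack" if attacked else "honest", r)
```

In the honest run neither side alerts and the codes match; in the attacked run both clients flag an unknown device and the codes read out in person differ, which is the signal the feature is meant to give a targeted user.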