22 Jan. 2020
Following the Reuters’s report of Apple dropping plans to encrypt iCloud backups, apparently following pressure from the FBI, John Gruber has published a good analysis on Daring Fireball:
The proof of the pudding is in the eating — let’s see what Apple actually does. Reuters’s report notwithstanding, I would not be surprised if end-to-end encrypted iCloud backups are forthcoming. This should be at the top of our list of hoped-for-features at WWDC 2020.
This isn’t about Apple foiling law enforcement. It isn’t about Apple helping criminals. It’s about Apple enabling its customers to own and control their own data. As things stand, if you use iCloud backup, you do not own and control the data therein.
A highly recommended read to get an overview of the situation.
Two things bother me with this report:
Apple, both from the way it brags about privacy and from this poorly — or greatly, depending which side you’re on — edited page, implies privacy is at the center of what they do. I believe privacy is one of their top priorities, but operating within the law is obviously a higher priority. The lack of clear indicators whether your data is end-to-end encrypted or not has most people assume it is — even people that you would consider tech-savvy — while apparently that is not exactly the case. Apple has to explain itself here.
If the FBI really doesn’t like to see end-to-end encryption implemented for online backups, then why is Google encrypting backups for Android since the end of 2018? It would be a strange double standard.
Considering these: Apple’s stance on privacy and the fact that Google seems to allow end-to-end encrypted online backups, I fully agree with Gruber when he says :
I would not be surprised if end-to-end encrypted iCloud backups are forthcoming.
It is after all possible that they dropped previous plans (on which the Reuters article’s sources worked), while working on a new, different plan to encrypt backups, with a different team.
Either way, I expect much better from Apple in terms of transparency, communication, and encryption. I don’t like learning things about products I use in a news report.
Update: Gruber summarized it well in a following post:
Let me emphasize that with the sole exception of email — which is expected — all iCloud data is encrypted both in transit and in storage on Apple’s servers. […] The difference is whether Apple also has a key to the data. End-to-end encryption is when only the user controls the keys. Just plain “encryption” is when Apple also has a key.