After years of delay, caused to no small degree by pushback from the FBI and other law enforcement agencies, Apple is bringing end-to-end encryption to iCloud backups. The move brings parity with competing messaging services, but it is likely to face greater legal challenge than usual as government forces scramble to protect their one convenient path into otherwise secure devices.
iCloud end-to-end encryption secures automatic backups sometimes overlooked by users
While it positions itself as the premium security and privacy device brand in the mobile marketplace, Apple nevertheless has a few holes remaining in these areas. Patching up iCloud backups addresses arguably the largest of them, and for the average user this end-to-end encryption covers the primary means by which hackers compromise information from individual devices.
The end-to-end encryption was the biggest news, but Apple has announced it is rolling out several other new data protection elements: a new contact authenticity verification for users at particular risk of espionage (such as activists and journalists) who are exchanging messages, the ability to use offline hardware security keys to access iCloud backups and other encrypted device elements, and the gradual relocation of all of its device manufacturing from China to other countries such as Thailand and India.
However, the iCloud backups element is already facing legal threats from the FBI and other entities, which have long complained that end-to-end encryption and other elements of Apple device security make it too hard to crack devices seized from suspects. This battle has raged for nearly a decade, as Apple has habitually refused orders issued by US district courts to unlock user phones and subsequent demands that backdoors for government agencies be placed in its software.
Law enforcement agencies insist on access to iCloud backups
Apple faces likely court challenges from the FBI, and potentially additional law enforcement agencies in other countries. For now the new program is rolling out rapidly, with end-to-end encryption being tested at the moment and promised for US device users by the end of 2022. The rest of the world will gradually have access to encrypted iCloud backups through 2023.
The new system does not offer end-to-end encryption for every facet of Apple’s devices, however. The company says that certain elements cannot be included due to interoperability issues: email, contacts and calendars will not be eligible. Apple will also retain internal access to checksum information that is used to identify child abuse material, though the company has dropped its controversial plan to actively scan user devices for it.
Apple device owners should also consider that their recovery options will now necessarily be more limited due to the inherent restrictions of end-to-end encryption. Apple will no longer be able to directly recover iCloud backups, and users will need to keep hold of their own decryption keys. If they lose their keys, the options are to create a backup recovery key or to authorize a trusted second party to approve account access. Users must also set up a two-factor authentication login to use the new system, which can require its own account recovery preparations.