By John Gruber
Daisuke Wakabayashi, reporting for The Wall Street Journal four years ago:
Apple Inc. has refused federal requests to help unlock the phone of San Bernardino gunman Syed Rizwan Farook. But the company turned over data from his phone that Mr. Farook had backed up on its iCloud service.
Soon, that may not be so simple. Apple is working to bolster its encryption so that it won’t be able to decode user information stored in iCloud, according to people familiar with the matter.
But Apple executives are wrestling with how to strengthen iCloud encryption without inconveniencing users. Apple prides itself on creating intuitive, easy-to-use software, and some in the company worry about adding complexity.
If a user forgets a password, for example, and Apple doesn’t have the keys, the user might lose access to photos and other important data. If Apple keeps a copy of the key, the copy “can be compromised or the service can be compelled to turn it over,” said Window Snyder, a former Apple security and privacy manager who is now chief security officer at Fastly, a content-delivery network.
If Apple were to implement E2E encryption for iCloud backups, there’s no “might” about it — if the customer forgets their password, they would lose access to the data. That’s the entire point of this debate.
Given that this was four years ago, something clearly interrupted this plan. I’ve heard from a few additional sources at Apple (or very recently at Apple), and all believe that Apple’s reluctance to use end-to-end encryption for iCloud backups is about how frequently customers don’t know their password but need to access their backups. My idea is to make it optional, but every additional option makes a feature more complicated. No one expects to forget their password — even if this were only an option, some number of iCloud users would turn it on because it’s more secure, forget their password, and be forever locked out of their backups. If it weren’t optional — if backups were E2E encrypted with the keys solely in the hands of users — thousands of iCloud users would be forever locked out of their data each year.
Also, let me emphasize that with the sole exception of email — which is expected — all iCloud data is encrypted both in transit and in storage on Apple’s servers. (Email is encrypted in transit, of course, just not in storage.) The difference is whether Apple also has a key to the data. End-to-end encryption is when only the user controls the keys. Just plain “encryption” is when Apple also has a key.
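The key-custody distinction described above, as an added example that is not Apple's or this post's own code: a backup stored under a provider-held key beside one stored under a key that exists only as a derivation of the user's password. The PBKDF2 derivation and the HMAC-based stream cipher are assumptions chosen so the script runs on the Python standard library alone; they stand in for whatever Apple actually uses.

```python
import hashlib
import hmac
import secrets

def derive_user_key(password: str, salt: bytes) -> bytes:
    # E2E model: the key exists only on the device, derived from the password.
    # PBKDF2 is an assumption here, chosen because it ships in the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in for a real AEAD such as AES-GCM.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()  # authenticates nonce + ciphertext
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None  # wrong key: nothing is recoverable
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ProviderKeyedBackups:
    """'Just plain encryption': the provider holds a key, so it can restore
    a backup without the user's password, and can be compelled to do so."""
    def __init__(self):
        self.server_key = secrets.token_bytes(32)
        self.blobs = {}
    def upload(self, user: str, backup: bytes) -> None:
        self.blobs[user] = encrypt(self.server_key, backup)
    def restore(self, user: str):
        return decrypt(self.server_key, self.blobs[user])  # no password involved

class EndToEndBackups:
    """E2E: the provider stores only ciphertext; the only key is derived from
    the user's password, so a forgotten password means permanent loss."""
    def __init__(self):
        self.blobs = {}
    def upload(self, user: str, password: str, backup: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.blobs[user] = (salt, encrypt(derive_user_key(password, salt), backup))
    def restore(self, user: str, password: str):
        salt, blob = self.blobs[user]
        return decrypt(derive_user_key(password, salt), blob)
```

With the E2E store, a wrong password yields `None` rather than the backup, which is exactly the lockout the post describes; with the provider-keyed store, no password is needed at all.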
★ Wednesday, 22 January 2020