WSJ: Apple working to strengthen iCloud encryption without inconveniencing users


In the wake of the high-stakes fight between Apple and the United States government over encryption and the right to create products with nearly unbreakable security measures, Apple is now working hard to make it impossible for law enforcement to gain access to data inside device backups on iCloud.

As reported today by The Wall Street Journal, Apple executives are “wrestling with how to strengthen iCloud encryption without inconveniencing users.”

Crash course on iCloud security

Although Apple does encrypt iCloud backups along with the rest of iCloud-based data, the company also has the encryption keys in its possession, which means it is legally obliged to abide by any court-served data access request by law enforcement.

Apple has complied with thousands of such orders in the past.

“Apple is working to bolster its encryption so that it won’t be able to decode user information stored in iCloud,” wrote author Daisuke Wakabayashi.

But if Apple doesn’t have a copy of the encryption key, there’s nothing government agencies can do to break into encrypted iCloud device backups and other data.

Your iCloud Keychain passwords are safe

It should be noted that Apple does not have the encryption keys that protect some iCloud data, like passwords and credit-card information stored in iCloud Keychain, putting that data out of both Apple’s and the government’s reach.

“Any steps Apple takes to close off access to iCloud backups are likely to further antagonize law-enforcement authorities, for which the backups can be a trove of useful data,” cautions the article.

The New York Times first reported back in February that Apple is said to be trying to make it harder to hack iPhones by not storing encryption keys for users’ iCloud backups on its servers.

As for the iPhone, iPod touch and iPad, data on these devices is encrypted and protected by the user’s passcode. In fact, the user’s iPhone passcode is entangled with a device-specific key and some sauce to create the encryption key.

The key is stored securely inside the Secure Enclave within the main application processor. It is not stored on Apple’s servers, and the operating system and applications cannot read it.

By contrast, iCloud backups are encrypted but not entangled with your passcode, making it easier for law enforcement to access data without user consent.

Increasing security without inconveniencing users

The problem is that if Apple doesn’t have access to the encryption keys for deciphering the data in iCloud device backups, there’s theoretically nothing the company could do to let users who lose their password easily retrieve and recover photos and other information stored in their iCloud backups.

“Telling a member of the public that they’re going to lose all the family photos they’ve ever taken because they forgot their password is a really tough sell,” Chris Soghoian, a technology analyst with the American Civil Liberties Union, told the paper.

The NYT story was corroborated by The Financial Times, which reported that Apple is in fact working on new ways to strengthen the encryption of customers’ iCloud backups in a way “that would make it impossible for the company to comply with valid requests for data from law enforcement.”

Source: The Wall Street Journal