Security

Report: FBI Got Apple to Roll Over on iCloud Encryption

Apple shelved plans to give iPhone users control over encrypted backups stored on the company’s iCloud service over concerns raised by the FBI and internal sources, Reuters reported Tuesday.

The company made the decision to retain control over iCloud encryption around two years ago, but it came to light just recently, the news service noted, citing six sources familiar with the matter.

The plan would have removed Apple’s ability to decrypt users’ backups. The company dropped it after representatives of the FBI complained that taking that action would deny the agency one of the most effective means of gaining evidence against iPhone-using suspects, Reuters reported.

Government authorities in the United States requested data for 3,619 accounts and received data for 90 percent of them, according to Apple’s latest transparency report, for the first half of 2019. Much of the information used to satisfy those requests wouldn’t have been available if Apple had implemented its end-to-end encryption plan.

Another concern could have played a role in scrapping the plan, Reuters also reported. It would have prevented Apple from assisting customers locked out of their backups.

The FBI declined to comment for this story. Apple did not respond to our request for comment.

Setback for Freedom and Privacy

Because Apple refused to break into iPhones despite intense pressure from the U.S. Justice Department in several high-profile cases, the news of the company’s apparent capitulation on the backup encryption issue puzzled some privacy advocates.

“I’m not sure why Apple did this,” said Roger Grimes, data-driven defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Florida.

“It’s an unfortunate setback for Apple, Apple’s customers, and freedom and privacy in general,” he told the E-Commerce Times.

Law enforcement and governments don’t like default encryption because it makes their jobs harder, Grimes continued.

“I also don’t know of a single case where information learned from breaking encryption was the only lead to the information gained by law enforcement. When encryption is broken, it usually leads to a confirmation and additional evidence, but it is rarely the only evidence,” he said.

“Requiring or allowing a government to always be able to see private conversations is a bad thing for freedom and privacy,” maintained Grimes. “I get that some very bad people will not be arrested or convicted because of encryption, but that’s the same for all our rights.”

Avoiding Diatribes

To some privacy experts, Apple’s actions reflect a consistent policy toward law enforcement.

“Apple generally responds to subpoenas, warrants and legal processes, so this doesn’t surprise me,” said Timothy Toohey, head of the cybersecurity practice at Greenberg Glusker, a law firm in Los Angeles.

“They’re trying to strike a balance between privacy and national security, and so is everyone else. It’s a difficult balance to strike,” he told the E-Commerce Times. “They also don’t want to be on the receiving end of diatribes by Bill Barr and Trump.”

Just how much influence the FBI had over Apple’s decision to forgo user-controlled iCloud encryption isn’t clear, said Tim Erlin, vice president of product management and strategy at Tripwire, a cybersecurity threat detection and prevention company in Portland, Oregon.

“Apple made a decision after they had a conversation with the FBI, but not necessarily because the FBI requested them to do so,” he told the E-Commerce Times. “I have a hard time saying this hurts Apple’s credibility when we don’t have the full story on the decision, and we’re probably not likely to get it either.”

Support problems created by encrypting backups could have been a real problem for Apple, too, Erlin added. “When Apple considered how much they’d have to deal with unhappy customers who couldn’t get access to their data, and how much they’d have to deal with unhappy law enforcement who couldn’t get access to a criminal’s data, that combination may have influenced their decision.”

User Choice Alternative

While support could be a problem with encrypted backups, there are ways to build multiple backups and access protected data, KnowBe4’s Grimes pointed out.

“Microsoft has done it with BitLocker across billions of computers,” he said.

“There are times when Microsoft support has to tell panicked users that the data they encrypted and lost the keys to is lost forever. That’s the potential reality anytime you do encryption,” Grimes continued.

“I think people understand it will happen, and when it happens, it just reinforces that it’s good encryption. It actually builds trust. It doesn’t diminish trust,” he maintained.

Users could have been given the option to encrypt their backups or not, said Kurt Opsahl, general counsel for the Electronic Frontier Foundation, an online rights advocacy group based in San Francisco.

“That gives users the choice of running the risk of losing their data if they lose their key or choosing not to and trusting Apple with access,” he told the E-Commerce Times.

The EFF has been after Apple for some time to give users control over encrypting data in iCloud.

“Apple has a reputation for providing strong security, but backups are a hole in that security,” Opsahl said.

Making the World a Better Place

For Apple, which has been trumpeting its leadership in protecting the data of its users, this latest development could be a sour note in that riff.

“For a long time people have been looking up to Apple as standing for privacy, noted Liz Miller, principal analyst at Constellation Research, a technology research and advisory firm in Cupertino, California.

“To walk that back is going to get people to scratch their heads and ask, ‘Are you going to protect my data or not?’ With all this back and forth, what’s shaken is the trust between the buyer and the brand that is Apple,” she told the E-Commerce Times.

“From the start, the brand of Apple has always set out to positively change the world,” Miller observed, “so the question becomes, is chipping away at the definition of privacy really leaving the world a better place?”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Security

E-Commerce Times Channels