Apple Brings End-to-End Encryption to iCloud Backups, Photos, and More


On Wednesday, Apple announced it is in the process of giving users the much-awaited end-to-end encryption for iCloud backups. The company released three security features, including Advanced Data Protection for encryption of cloud backups, Notes, Photos, and more.

Apple already allows users to secure 14 data categories with end-to-end encryption, including passwords, financial and payment information such as credit cards, WiFi passwords, health data, etc. The iPhone maker is now expanding its scope to include 23 data categories, including iCloud backups, photos and more, that can be safeguarded using end-to-end encryption.

Apple is also rolling out iMessage Contact Key Verification, which enables users to verify that they are conversing with the person they intended, and Security Keys for Apple ID, which is meant to strengthen Apple’s two-factor authentication with an extra verification step using a physical key.

Apple prides itself on being a privacy-centric maker of consumer electronics, so Advanced Data Protection, which prevents anyone (including Apple) from accessing user data stored on Apple’s servers, certainly seems like the right step.

Under Advanced Data Protection, users can encrypt device backups, iCloud Drive, Messages backups, Photos, Notes, Safari bookmarks, Siri Shortcuts, Reminders, Voice Memos, and more.

Only iCloud Mail, Contacts, and Calendar remain outside the purview of end-to-end encryption because they require interoperability with the email, contacts, and calendar systems of other global vendors.

A spate of cloud breaches necessitating the use of end-to-end encryption

Cloud breaches are becoming increasingly common as the technology’s use becomes more expansive. A recent study by Apple revealed that data breaches surged by 381% between 2013 and 2021 and that 1.1 billion data records were exposed in 5,212 known data breaches globally in 2021.

“The reality is that a person can do everything right and their cloud data can still be just as vulnerable,” Apple noted. End-to-end encryption reduces the risk significantly, even in the event of a data breach.

Basically, end-to-end encrypted data will be accessible only on “trusted devices,” i.e., those where users are signed in with their Apple IDs. For the data that isn’t end-to-end encrypted, Apple can help with recovery since the company retains an encryption key.

“We have never been more reliant on technology than we are today; much of it storing and processing a monumental amount of sensitive data. This data can and has been utilised in improving our everyday lives, but in the wrong hands, can be catastrophic,” Jamie Akhtar, CEO and co-founder of CyberSmart, told Spiceworks.

“It is critical that companies do right by their customers by taking all the necessary precautions to protect data privacy. Indeed, with increased cybersecurity awareness among the general public, cultivating digital trust is imperative to business survival,” Akhtar added. “Unfortunately, the downside of Apple’s latest measures is the requirement for users to ‘opt-in,’ which will likely leave many unprotected as the onus is on them to take action.”

Currently available for the U.S. members of the Apple Beta Software Program and slated to be available for all U.S. users by the end of 2022, the much sought-after Advanced Data Protection can inconvenience law enforcement, which may not be able to access said data for investigations if the feature is turned on.

“This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism. End-to-end and user-only-access encryption erodes law enforcement’s ability to combat these threats and administer justice for the American public,” the FBI stated, calling for manufacturers to implement “lawful access by design.”

New: FBI responds to Apple’s encryption announcement today, says it needs “lawful access by design” in tech to do its job effectively

— Dustin Volz (@dnvolz) December 8, 2022

Apple previously found itself at odds with law enforcement when it refused to help the FBI access the phone data of Syed Farook, the shooter in the December 2015 San Bernardino attack. Apple fought the request, which it considered would set a bad precedent and open up its users to snooping by the FBI, and the dispute became one of the most important privacy-centric debates in the country.

“Any steps that protect the privacy of individuals and give them the option to protect their data in transit and in storage is a good move,” Javvad Malik, lead security awareness advocate at KnowBe4, told Spiceworks.

“While many will claim that this will impede law enforcement, there are many ways to pursue criminals without compromising everyone’s privacy. [This is] something that many privacy rights activists have been promoting for a long time, which was likely a major contributing factor to Apple making this decision.”

Cryptographer and Johns Hopkins professor Matthew Green speculated that Apple expanding end-to-end encryption to iCloud backups and other data indicates the company might have resolved its differences with the FBI and taken care of the risks associated with user data under Advanced Data Protection.

I can’t tell what’s going on internally, but it looks like Apple has gotten over these concerns sufficiently to (soon) enable full encryption for iCloud backups. This will require users to opt in, and it will include a “social backup” feature in case you lose your passcode. 6/

— Matthew Green (@matthew_d_green) December 7, 2022

Apple recently launched Lockdown Mode to counter spyware threats to users. However, Lockdown Mode focuses on the security of the data available on the device, while Advanced Data Protection helps users keep cloud data safe from hackers, the government, and even Apple itself.

The Cupertino, CA-based tech giant also decided not to install neuralMatch, a cryptography tool released in August 2021 to detect child sexual abuse material (CSAM). Apple shelved the plans this week after more than a year of delaying its rollout because of pushback from privacy advocacy groups such as the Electronic Frontier Foundation and technical issues detailed here.

Advanced Data Protection will be available for users outside the U.S. in early 2023, while the global release (including the U.S.) of iMessage Contact Key Verification and Security Keys for Apple ID is also slated for early 2023.
