{"id":945,"date":"2016-06-07T05:47:02","date_gmt":"2016-06-07T05:47:02","guid":{"rendered":"http:\/\/www.dogoodsoft.com\/blog\/?p=945"},"modified":"2024-12-23T07:57:11","modified_gmt":"2024-12-23T07:57:11","slug":"customer-headaches-could-curtail-apples-encryption-push","status":"publish","type":"post","link":"https:\/\/www.dogoodsoft.com\/blog\/customer-headaches-could-curtail-apples-encryption-push-945\/","title":{"rendered":"Customer Headaches Could Curtail Apple\u2019s Encryption Push"},"content":{"rendered":"<p><a href=\"https:\/\/www.dogoodsoft.com\/blog\/wp-content\/uploads\/2016\/06\/encryption.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-946 size-full\" src=\"https:\/\/www.dogoodsoft.com\/blog\/wp-content\/uploads\/2016\/06\/encryption.jpg\" alt=\"Customer Headaches Could Curtail Apple\u2019s Encryption Push\" width=\"280\" height=\"280\" srcset=\"https:\/\/www.dogoodsoft.com\/blog\/wp-content\/uploads\/2016\/06\/encryption.jpg 280w, https:\/\/www.dogoodsoft.com\/blog\/wp-content\/uploads\/2016\/06\/encryption-150x150.jpg 150w, https:\/\/www.dogoodsoft.com\/blog\/wp-content\/uploads\/2016\/06\/encryption-1x1.jpg 1w\" sizes=\"auto, (max-width: 280px) 100vw, 280px\" \/><\/a><\/p>\n<p>At an event held during Apple\u2019s fight with the FBI over whether it should help unlock a dead terrorist\u2019s iPhone, CEO Tim Cook promised \u201cWe will not shrink\u201d from the responsibility of protecting customer data\u2014including from government overreach.<\/p>\n<p>Yet the obvious next step for the company could be hard to take without inconveniencing customers.<\/p>\n<p>Apple is currently able to read the contents of data stored in its iCloud backup service, something at odds with Cook\u2019s claims that he doesn\u2019t want his company to be capable of accessing customer data such as mobile messages.<\/p>\n<p>Apple has not denied reports it is working to change that.
And the company is expected to make some mention of its security technology at its World Wide Developers Conference next week, as it did at its iPhone event in March.<\/p>\n<p>But redesigning iCloud so that only a customer can unlock his data would increase the risk of people irrevocably losing access to precious photos and messages when they lose their passwords. Apple would not be able to reset a customer\u2019s password for them.<\/p>\n<p>\u201cThat\u2019s a really tough call for a company that says its products \u2018Just work,\u2019\u201d says Chris Soghoian, a principal technologist with the American Civil Liberties Union\u2014referring to a favorite line of Apple\u2019s founder, Steve Jobs.<\/p>\n<p>Cook has boasted of how the encryption built into Apple\u2019s iPhones and iMessage system keeps people safe by ensuring that only they can access their data. FBI director James Comey has complained about it.<\/p>\n<p>But the design of iCloud means that Apple can read much of its customers\u2019 data, and help the government do so, too. The service is enabled by default (although you can opt out), and automatically backs up messages, photos, and more to the company\u2019s servers. There the data is protected by encryption, which Apple has the key to unlock. The company\u2019s standoff with the FBI happened only because the backups Apple handed the agency from San Bernardino shooter Syed Farook\u2019s iPhone ended six weeks before the shooting, because he had turned them off.<\/p>\n<p>Apple could lock itself and law enforcement out of iCloud data by encrypting each person\u2019s iCloud backups using a password under his control, perhaps the same one that locks his iPhone.<\/p>\n<p>The company has not denied reports from the Financial Times and Wall Street Journal that it is working on such a design. Passwords and credit card details stored using an iCloud feature called Keychain are already protected in this way.
But taking this approach would prevent Apple from being able to reset a person\u2019s password if he forgets it. The data would be effectively gone forever.<br \/>\nIt is probably impractical for Apple to roll out that approach for everyone\u2019s data, as the company did for the security protections built into the iPhone, says Vic Hyder, chief strategy officer with Silent Circle, which offers secure messaging, calls, and data sharing for corporations.<\/p>\n<p>\u201cIt puts control on the customer but also responsibility on the customer,\u201d he says. \u201cThis will likely be an option, not the default.\u201d<\/p>\n<p>Soghoian of the ACLU agrees. \u201cI think they will probably offer it as an option, but be reluctant to advertise that feature much,\u201d he says. \u201cMore people forget their passwords than get investigated by the FBI.\u201d<\/p>\n<p>Bryan Ford, an associate professor at the Swiss Federal Institute of Technology in Lausanne, says Apple could take steps to reduce the risk of accidental data loss.<\/p>\n<p>The company\u2019s FileVault disk encryption feature for PCs offers the option to print out a recovery key. A similar process could be used for iCloud encryption, says Ford.<\/p>\n<p>Apple could also implement other safeguards, he says. For example, people could have the option of distributing extra encryption keys or passwords to several \u201ctrustees,\u201d who could help recover data if the original password was lost. To prevent abuse it could be required that a certain number of trustees, say, three of five, came forward to unlock the data.<\/p>\n<p>The cryptography needed for such a design is well understood, says Ford. 
He recently designed a similar but more complex system intended to help companies such as Apple prevent their software updates from being abused (see \u201cHow Apple Could Fed-Proof Its Software Update System\u201d).<\/p>\n<p>Alan Fairless, cofounder and CEO of SpiderOak, which offers companies fully encrypted data storage, says he thinks companies like Apple will eventually make truly secure cloud storage accessible to consumers.<\/p>\n<p>Encrypted messaging was clunky and hard to use until recently, but is now widespread thanks to Apple and WhatsApp, he points out. Encrypting stored data is more challenging, but Apple has shown itself willing to spend significantly on encryption technology, for example by adding new chips to the iPhone, says Fairless.<br \/>\nHowever, he also thinks Apple and its customers aren\u2019t yet ready for encrypted iCloud backups to be the default. \u201cIt\u2019ll take consumer technology a while to catch up,\u201d says Fairless.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At an event held during Apple\u2019s fight with the FBI over whether it should help unlock a dead terrorist\u2019s iPhone, CEO Tim Cook promised \u201cWe will not shrink\u201d from the responsibility of protecting customer data\u2014including from government overreach. Yet the obvious next step for the company could be hard to take without inconveniencing customers.
&hellip; <a href=\"https:\/\/www.dogoodsoft.com\/blog\/customer-headaches-could-curtail-apples-encryption-push-945\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Customer Headaches Could Curtail Apple\u2019s Encryption Push<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[60,52,175],"class_list":["post-945","post","type-post","status-publish","format-standard","hentry","category-news","tag-apple","tag-encryption","tag-iphone"],"_links":{"self":[{"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/posts\/945","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/comments?post=945"}],"version-history":[{"count":1,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/posts\/945\/revisions"}],"predecessor-version":[{"id":947,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/posts\/945\/revisions\/947"}],"wp:attachment":[{"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/media?parent=945"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/categories?post=945"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/tags?post=945"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}