I've been trying to point this out to people but YouTube personalities have a louder voice than anyone else so you end up with bad information.
Props to Apple for offering an (albeit low entropy) onion router on their own infrastructure. I can't imagine this is going to win them any friends in government circles but it's definitely a step in the right direction.
I'd also really like to see Apple come clean about the iCloud backup encryption debacle. A lot of people are trusting it to be something it's not and it should really be clarified on-device what it is and is not before opting in.
It's why I only use my Apple ID for grabbing apps from the app store. I have disabled all the `cloud storage` features of iCloud. iCloud is a privacy nightmare.
I utterly agree that other direct-to-consumer options are in the same boat - but Apple is quite heavy-handed in its messaging about, well, messaging being encrypted and private and no one (including Apple) being able to read your messages. That's only true if you don't back up to iCloud.
I would expect most people on HN to be aware of all of this of course but when you're so strongly selling your privacy protections as part of your brand, it's a pretty glaring window to leave wide open.
By that logic though, Google Drive, OneDrive, Amazon S3, they are all privacy nightmares. And you might agree, but Apple is hardly alone.
And like the article says, they didn’t want to poke the bear anymore. Of course the FBI has congressional friends. It is possible that Apple saw the risk of it backfiring and making things worse as too great.
Google does end-to-end encryption of Android backups. And Apple knows how to do it too, but they intentionally restricted their implementation to only cover backups of Keychain passwords and a few other things, apparently because they don't have the courage to stand up to the FBI, according to Reuters. Strange considering their public stance against the FBI in the San Bernardino case and on privacy issues in general. Especially since iCloud backup totally defeats the highly touted end-to-end encryption in iMessage.
Yes, backups, and Apple should get on that. However, your photos in Google Photos, your location data, your uploads in Google Drive (equivalent to the iCloud Drive OP is talking about) are not end-to-end encrypted, and there is no option for it.
I think market share is another sign. Does anyone use actual Android Backup, or do they use the unencrypted “backups” in G Photos and elsewhere? For that reason should the FBI care? Maybe I’m wrong but I believe actual Android Backup is much less used than iCloud and confusingly named alternative “backups” within Google apps.
Let's be really frank about it - no large company is going to offer end-to-end encryption of photos because of what kind of photos might end up on their infrastructure if they do. And honestly I don't blame them at all.
I'd just like to see Apple be more transparent with this one particular issue because it undermines so much of what they're advertising to the consumer.
A transparency label for iCloud backup showing what is and is not E2E before enabling would do. Most people (myself included) would be quite happy with photos being encrypted by an Apple-held key (I'm not worried about the police seeing my boring lunch pics, I just don't want photos of my kids being readily accessible to everyone else).
It should be made clear if they're offering E2E for some features that other settings will render it pointless is all I'm saying.
Are you really arguing that because child pornography exists, no large company should offer ETE photos?
Despite there being reasonable solutions like bloom filters and client-side hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?
And that photos present some of the most sensitive materials on your device:
- geo-IP location showing basically everywhere you have taken a photo in, ever since the dawn of time
- people's consensual sex tapes
- photos of passwords, account recovery codes, private keys, seed words
In the bloom filter example, what device calculates the hash inputs for the bloom filters? If it's the server, then the server needs a copy of the image to check. So is it the client? If so, how can you prevent a malicious client from forging their hashes to be those of known-safe images?
Not saying it's not possible to build an E2E image storage service that also has the protections society tends to demand. Just saying that I haven't seen anyone do it yet, because these problems are subtle.
Apple has direct-from-bootloader control over all of their hardware, unless you boot Linux on a Mac (in which case you don't get iCloud).
So a 'malicious client' doesn't need to be part of the threat model here. And also, if you really stretch your argument, that's like saying we need to outlaw Linux and open source software because malicious actors can modify the code.
The whole idea that society demands content providers compromise ETE just because of child pornography isn't something I've heard of being 'accepted as common truth' outside of this post.
Some politicians demand it, but I thought at least amongst tech, there's the recognition that strong, *unbreakable* encryption is important.
There's an implicit obligation to build services and technology that is resistant to abuse, but that isn't an argument to not implement ETE.
Thanks for the "how" - I guess if you fully control the client and server, there's some extra checks you could implement client-side based on the cryptographic root of trust.
FWIW, I wasn't really trying to make a prescriptive statement about how the world ought to be, I was more trying to describe what (I think) the perspective of these corporations has been on the matter.
In the past, I've been an encryption advocate with the knowledge that we (tech) must sacrifice some ability to appease politicians in implementing it. What you're describing sounds like an innovative way to preserve privacy and provide security for at-risk people, which is a perspective I haven't heard before.
> Despite there being reasonable solutions like bloom filters and client-side hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?
This is not a good argument. “Known child abuse material” is the tip of the iceberg. There’s nothing stopping people from creating new “child abuse material”, and the people who are doing that sort of thing are the ones who are more important to catch.
I’m arguing that because it exists no company of Apple’s size is going to risk unknowingly hosting it, and I wouldn’t either if I were in their shoes.
I agree with you in terms of photos being some of the most private information we have, but the E2E argument doesn’t ever get won by the tech community without a guarantee of blocking/catching/preventing CP and being able to make that evidence available for prosecution.
To the arguments above: Any processing server side implies no real E2E. Any processing client side is by definition under the control of the client and subject to forgery/hacking/spoofing/tampering.
Absolutely every large company hosts an incredible amount of child pornography and abuse material.
Facebook is the largest platform for child trafficking, and Google is the world's largest resource for finding out how to commit criminal acts.
Crime always exists. We shouldn't build a techno-totalitarian surveillance state just because crime exists.
"It is better that ten guilty persons escape than that one innocent suffer".
Chinese Communists employed similar but opposite reasoning during the uprisings in Jiangxi, China in the 1930s: "Better to kill a hundred innocent people than let one truly guilty person go free".
I don't understand this line of reasoning. Why should photo libraries not be end-to-end encrypted?
Are you suggesting that Apple or the government should be able to search your personal photo library stored in the cloud at any time because maybe you might have child porn in there?
I understand that companies need to scan groups and social features that are used for trafficking underage porn. But do we really need to snoop into the private libraries of innocent people just because they might have illegal material?
Having access to millions of people's photos is such a huge privacy risk that I can't think giving it up is worthwhile to make it slightly easier to catch a handful of criminals.
Any large company can offer E2E encryption, as long as they don't have extenuating interests that could make them liable for the way I use their services. Unless Apple is harvesting my data on the regular, they should have no problem with me being the sole keyholder for my iCloud account.
I think Apple would need to ship a different OS in China.
Cloud services offered there must store data in the country and be operated by Chinese companies. (Apple is complying with this)
But Chinese companies HAVE TO assist the authorities in obtaining systematic access to private sector data. (This is not possible with E2E for backups and photos)
Apple already does this. All Chinese iCloud data is stored in a mainland datacenter, completely owned and operated by their government. Similar setups exist in Russia and France, where Apple kowtows to local governments at any cost to turn a buck in their hometown.
Look at the Reuters article they linked. iCloud backup is the issue. Usage of iCloud backup and Android backup are probably very similar (in percentage terms), why would you expect that Android backup is used less? They are pretty much equivalent features, except that one is end-to-end encrypted and the other is not. In both cases, photos are handled separately.
iCloud E2E would be great, even if they offer it at double their current Storage price.
But I would be happy with iOS Time Capsule. Or even sell E2E Backup solution only with an iOS Time Capsule. Great way to increase their Services Revenue.
Nowhere in the linked site that I’ve been able to find does it explain clearly that iCloud backup undermines on-device encryption.
The point is that the deep compromises made inside iCloud Backup are hidden from the user and (at best) buried deep in technical documentation. So deep in fact that I can’t find any mention of it on that site at all.
Storing an essentially plain text copy of your entire phone on an Apple server is the default setting. You have to actively find the setting to enable the security feature (not having Apple give your data to any gov they want) by disabling another feature that makes no mention of security (backups). iOS is not safe.
OP is talking about the security of iCloud backups and that using this feature cancels out a lot of the end-to-end encryption that Apple talk about heavily in their marketing.
I have very little respect for YouTube personalities (thinking of LTT in particular) when it comes to talking about Apple in particular. They are so wedded to their "everyone, except us, is evil" perspective that their knee-jerk reaction to almost anything from Apple, privacy or otherwise, is negative. (LTT spent the first bit trashing Apple for making marketing claims about the M1, instead of letting them do, then refused to back off when numbers backed up their claims, continue to trash anything with Apple and privacy, etc.)
Apple is not without sin. If we get out of this entire epic lawsuit (another company not without sin) with consumers winning the ability to side-load, it's a win. But for the most part, Apple has a multi-decade history of usually working for customers in above-board ways, as opposed to Facebook, Googles and other(s).
I am running Apple's betas for iOS, iPadOS, and macOS right now - I really appreciate their implementing yet more privacy.
re: non-encrypted iCloud storage: I agree with you. I keep medical and financial data encrypted (e.g., their Pages app supports encrypting documents, and you can encrypt PDFs, etc.) but I would rather they did this for me. That said, for the 90% of my files that I would post on a street corner, I find iCloud storage across my devices is handy.
But how secure are encrypted Pages documents and PDFs? My understanding was that it is not useful against a determined attacker, and anyone able to access your iCloud will be in this category.
Apple won't come clean until they can sweep it under the rug like they did with the other debacles (see: keyboards). Being honest about those things undermines their "Apple knows best" image attempt.
> I can't imagine this is going to win them any friends in government circles but it's definitely a step in the right direction.
Apple already has all the friends they need in the "government circles". They're fully enrolled in PRISM and are well-known to kowtow to the demands of corrupt leadership (see: Russian iPhones, Chinese iCloud hosting)
Apple is “fully enrolled” in PRISM just like any other company with U.S. operations, because PRISM is the internal NSA source designation for material acquired via FISA warrants, and complying with FISA warrants is not optional.
You can't not comply with the government of a country unless you are a country. And the citizens of Russia and China would not appreciate that, because they actually like their governments, and don't care what you think.
> I can't imagine this is going to win them any friends in government circles but it's definitely a step in the right direction.
Quite the opposite. Governments probably already have taps to decrypted traffic.
Otherwise how come that would even be legal to run?
If someone commits a crime and government cannot find evidence, because Apple gives shielding, then isn't that making them hypothetically an accomplice?
> Otherwise how come that would even be legal to run?
Why wouldn’t it be? I was under the impression that what isn’t forbidden by law was legal by default. AFAIK, running a VPN platform isn’t illegal.
> If someone commits a crime and government cannot find evidence, because Apple gives shielding, then isn't that making them hypothetically an accomplice?
I hate this argument. It’s lazy and can be used to accuse anybody in any context, and shut down discussions that we should be having. By that standard we are all accomplices for some crimes.
>I was under the impression that what isn’t forbidden by law was legal by default.
Even beyond that, personal privacy from the government is enshrined in the 4th Amendment. Just because there were some executive actions and illegal laws made does not mean the 4th Amendment suddenly disappears. No person or entity has the right to dragnet all communications.
I'm doing the opposite. Saying that the fed is actively engaging in illegal search and seizure is not ignoring the whistleblowers that brought the scope of the issue to light, it's acknowledging the issue.
The point is that the Constitution is largely meaningless, feel-good fluffery that has no actual bearing on which of our so-called rights are actually available to us.
It's an aspirational document in a largely lawless land, more a historical oddity than the supreme anything. If you wait for legislators and law enforcement to fix personal privacy, you've already lost... the US law enforcement culture is actively hostile towards individual rights because it makes their jobs harder. The only real difference to, say, China, is that we like to pretend otherwise. But the reality on the ground is that nobody on the grid has had meaningful privacy for decades now.
>The point is that the Constitution is largely meaningless, feel-good fluffery that has no actual bearing on which of our so-called rights are actually available to us.
IANAL but this sounds fundamentally wrong in every way I interpret it. The Constitution is a set of laws that cannot be contradicted by any other law, executive action, or judicial action, with the exception of an amendment.
> No person or entity has the right to dragnet all communications.
Indeed. And the fact that this is not recognised as a fundamental human right is a serious limitation of the charter and universal declaration. And yet, it comes up regularly.
By the same logic, I’m the taxpayer who paid to help build the highway that the drug kingpin used to get away during a high speed chase. I’m an accomplice now.
I’m the scientist who purified the water that the criminal used to get enough strength to run away. I’m an accomplice now.
> If someone commits a crime and government cannot find evidence, because Apple gives shielding, then isn't that making them hypothetically an accomplice?
We have recent and specific case law around this. The cherry on top is it was Apple on the other side.
No, this is not how being an accomplice works in the U.S. It’s not how it works anywhere with the rule of law.