
> I'd also really like to see Apple come clean about the iCloud backup encryption debacle

Are you referring to this article?:

https://www.reuters.com/article/us-apple-fbi-icloud-exclusiv...

It's why I only use my Apple ID for grabbing apps from the app store. I have disabled all the `cloud storage` features of iCloud. iCloud is a privacy nightmare.



Yep, exactly that.

I utterly agree that other direct-to-consumer options are in the same boat - but Apple is quite heavy-handed in its messaging about, well, messaging being encrypted and private and no-one (including Apple) being able to read your messages. That's only true if you don't back up to iCloud.

I would expect most people on HN to be aware of all of this of course but when you're so strongly selling your privacy protections as part of your brand, it's a pretty glaring window to leave wide open.


By that logic though, Google Drive, OneDrive, Amazon S3, they are all privacy nightmares. And you might agree, but Apple is hardly alone.

And like the article says, they didn’t want to poke the bear anymore. Of course the FBI has congressional friends. It is possible that Apple saw the risk of it backfiring and making things worse as too great.


Google does end-to-end encryption of Android backups. And Apple knows how to do it too, but they intentionally restricted their implementation to only cover backups of Keychain passwords and a few other things, apparently because they don't have the courage to stand up to the FBI, according to Reuters. Strange considering their public stance against the FBI in the San Bernardino case and on privacy issues in general. Especially since iCloud backup totally defeats the highly touted end-to-end encryption in iMessage.


Yes, backups, and Apple should get on that. However, your photos in Google Photos, your location data, your uploads in Google Drive (equivalent to the iCloud Drive OP is talking about) are not end-to-end encrypted, and there is no option for it.

I think market share is another sign. Does anyone use actual Android Backup, or do they use the unencrypted “backups” in G Photos and elsewhere? For that reason should the FBI care? Maybe I’m wrong but I believe actual Android Backup is much less used than iCloud and confusingly named alternative “backups” within Google apps.


Let's be really frank about it - no large company is going to offer end-to-end encryption of photos because of what kind of photos might end up on their infrastructure if they do. And honestly I don't blame them at all.

I'd just like to see Apple be more transparent with this one particular issue because it undermines so much of what they're advertising to the consumer.

A transparency label for iCloud backup showing what is and is not E2E before enabling would do. Most people (myself included) would be quite happy with photos being encrypted by an Apple-held key (I'm not worried about the police seeing my boring lunch pics, I just don't want photos of my kids being readily accessible to everyone else).

It should be made clear, if they're offering E2E for some features, that other settings will render it pointless, is all I'm saying.


Are you really arguing that because child pornography exists, no large company should offer ETE photos?

Despite there being reasonable solutions like bloom filters and client-side hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?

And that photos present some of the most sensitive materials on your device:

- geo-IP location showing basically everywhere you have taken a photo in, ever since the dawn of time

- people's consensual sex tapes

- photos of passwords, account recovery codes, private keys, seed words


In the bloom filter example, what device calculates the hash inputs for the bloom filters? If it's the server, then the server needs a copy of the image to check. So is it the client? If so, how can you prevent a malicious client from forging their hashes to be those of known-safe images?

Not saying it's not possible to build an E2E image storage service that also has the protections society tends to demand. Just saying that I haven't seen anyone do it yet, because these problems are subtle.
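An added example (not code from the thread) of the client-side hash check the two comments above debate: a Bloom filter of known-content digests that answers "possibly listed" or "definitely not". All hashes are constructed from sample byte strings; SHA-256 of the bytes stands in for whatever content hash a real system would use, and whoever calls `check_image` must hold the plaintext, which is exactly the server-vs-client question raised above.

```python
"""Bloom filter membership check over content digests (illustrative, constructed data)."""
import hashlib
import math


class BloomFilter:
    """Standard Bloom filter: k bit positions per item, derived from SHA-256."""

    def __init__(self, n_items: int, fp_rate: float) -> None:
        # Size the bit array and hash count for the requested false-positive rate.
        self.m = max(8, math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray(math.ceil(self.m / 8))

    def _positions(self, digest: bytes):
        for i in range(self.k):
            h = hashlib.sha256(i.to_bytes(2, "big") + digest).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, digest: bytes) -> None:
        for p in self._positions(digest):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, digest: bytes) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(digest))


def image_digest(image_bytes: bytes) -> bytes:
    """Exact-match digest of the plaintext. Whoever computes this must hold the image bytes."""
    return hashlib.sha256(image_bytes).digest()


def build_known_filter(known_images, fp_rate: float = 1e-6) -> BloomFilter:
    """Build the filter from a list of known items; only the filter needs to be shipped."""
    bf = BloomFilter(len(known_images), fp_rate)
    for img in known_images:
        bf.add(image_digest(img))
    return bf


def check_image(bf: BloomFilter, image_bytes: bytes) -> bool:
    """True means 'possibly on the list'; Bloom filters have no false negatives, only false positives."""
    return bf.might_contain(image_digest(image_bytes))


# Constructed sample "images" (plain byte strings) standing in for a hash list.
KNOWN = [b"constructed-sample-%d" % i for i in range(1000)]
KNOWN_FILTER = build_known_filter(KNOWN)
```

A match from the filter is only a "maybe", so a real deployment would still need a second, exact comparison before acting on it.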


Apple has direct-from-bootloader control over all of their hardware, unless you boot Linux on a Mac (in which case you don't get iCloud).

So a 'malicious client' doesn't need to be part of the threat model here. And also, if you really stretch your argument, that's like saying we need to outlaw Linux and open source software because malicious actors can modify the code.

The whole idea that society demands content providers compromise ETE just because of child pornography isn't something I've heard of being 'accepted as common truth' outside of this post.

Some politicians demand it, but I thought at least amongst tech, there's the recognition that strong, *unbreakable* encryption is important.

There's an implicit obligation to build services and technology that is resistant to abuse, but that isn't an argument to not implement ETE.


Thanks for the "how" - I guess if you fully control the client and server, there's some extra checks you could implement client-side based on the cryptographic root of trust.

FWIW, I wasn't really trying to make a prescriptive statement about how the world ought to be, I was more trying to describe what (I think) the perspective of these corporations has been on the matter.

In the past, I've been an encryption advocate with the knowledge that we (tech) must sacrifice some ability to appease politicians in implementing it. What you're describing sounds like an innovative way to preserve privacy and provide security for at-risk people, which is a perspective I haven't heard before.


> Despite there being reasonable solutions like bloom filters and client-side hash detection, so that known child abuse material can be detected, without it needing to compromise the privacy of 99.99999% of users?

This is not a good argument. “Known child abuse material” is the tip of the iceberg. There’s nothing stopping people from creating new “child abuse material”, and the people who are doing that sort of thing are the ones who are more important to catch.


So because there are pedophiles, we should build backdoors in all cloud image hosting services?

Should we build backdoors in AES because there are terrorists in the world?


> So because there are pedophiles, we should build backdoors in all cloud image hosting services?

That’s not what I’m saying and I can’t possibly imagine how you could infer that in good faith.


I’m arguing that because it exists no company of Apple’s size is going to risk unknowingly hosting it, and I wouldn’t either if I were in their shoes.

I agree with you in terms of photos being some of the most private information we have, but the E2E argument doesn’t ever get won by the tech community without a guarantee of blocking/catching/preventing CP and being able to make that evidence available for prosecution.

To the arguments above: Any processing server side implies no real E2E. Any processing client side is by definition under the control of the client and subject to forgery/hacking/spoofing/tampering.


Absolutely every large company hosts an incredible amount of child pornography and abuse material.

Facebook is the largest platform for child trafficking, and Google is the world's largest resource for finding out how to commit criminal acts.

Crime always exists. We shouldn't build a techno-totalitarian surveillance state just because crime exists.

"It is better that ten guilty persons escape than that one innocent suffer".

Chinese Communists employed similar but opposite reasoning during the uprisings in Jiangxi, China in the 1930s: "Better to kill a hundred innocent people than let one truly guilty person go free".


> geo-IP location showing basically everywhere you have taken a photo in, ever since the dawn of time

Geo-IP is the process of taking an IP address and attributing a location to that IP address.

I think you meant GPS location?


I don't understand this line of reasoning. Why should photo libraries not be end-to-end encrypted?

Are you suggesting that Apple or the government should be able to search your personal photo library stored in the cloud at any time because maybe you might have child porn in there?

I understand that companies need to scan groups and social features that are used for trafficking underage porn. But do we really need to snoop into the private libraries of innocent people just because they might have illegal material?

Having access to millions of people's photos is such a huge privacy risk that I can't think giving it up is worthwhile to make it slightly easier to catch a handful of criminals.


Any large company can offer E2E encryption, as long as they don't have extenuating interests that could make them liable for the way I use their services. Unless Apple is harvesting my data on the regular, they should have no problem with me being the sole keyholder for my iCloud account.


I think Apple would need to ship a different OS in China.

Cloud services offered there must store data in the country and be operated by Chinese companies. (Apple is complying with this)

But Chinese companies HAVE TO assist the authorities in obtaining systematic access to private sector data. (This is not possible with E2E for backups and photos)


Apple already does this. All Chinese iCloud data is stored in a mainland datacenter, completely owned and operated by their government. Similar setups exist in Russia and France, where Apple kowtows to local governments at any cost to turn a buck in their hometown.


Apple (and every large company in the world) already ship different features to different regions.


Look at the Reuters article they linked. iCloud backup is the issue. Usage of iCloud backup and Android backup are probably very similar (in percentage terms), why would you expect that Android backup is used less? They are pretty much equivalent features, except that one is end-to-end encrypted and the other is not. In both cases, photos are handled separately.


There are encryption options, just not with the software provided by the storage providers.


iCloud E2E would be great, even if they offer it at double their current storage price.

But I would be happy with an iOS Time Capsule. Or even sell an E2E backup solution only with an iOS Time Capsule. Great way to increase their Services revenue.



