According to Reuters sources, Apple abandoned plans to offer iCloud backup encryption, out of fear of government retaliation or even spawning new anti-encryption legislation.
On the other hand, GP is responding to:
> Nobody who is at risk for this is doing iCloud backups. That's something you can already turn off.
And indeed, if you turn off iCloud backups, there is no "backdoor" into iMessage. You can also set up your phone to do encrypted backups locally to your laptop, if you want that instead.
And look at all the other potentially sensitive data that is not end-to-end encrypted in the backups. Photos, notes, reminders, calendars, the list goes on.
Yes, that really does mean that Apple can decrypt your messages.
I don’t think so:
Apple doesn’t log the contents of
messages or attachments, which are protected
by end-to-end encryption so no one but
the sender and receiver can access them.
Apple can’t decrypt the data.
When a user turns on iMessage on a device,
the device generates encryption and signing
pairs of keys for use with the service. For
encryption, there is an encryption RSA
1280-bit key as well as an encryption EC
256-bit key on the NIST P-256 curve. For
signatures, Elliptic Curve Digital Signature
Algorithm (ECDSA) 256-bit signing keys are
used. The private keys are saved in the
device’s keychain and only available after
first unlock. The public keys are sent to
Apple Identity Service (IDS), where they are
associated with the user’s phone number or
email address, along with the device’s APNs
address.
It's not something that has evidence - what they mean is that even if you have iCloud backups disabled, everyone you talk to might not. The point of e2ee is that both ends must have it encrypted - not just you and the server, but more abstractly, the communication partners.
That is a novel and quite broad interpretation of E2EE. In typical E2EE only endpoints of a (logical) communication channel can decrypt messages on that channel. But E2EE does not say anything about what an endpoint can do with those messages once they decrypted them -- they could print them at the public library and leave them there, they can forward them to the FBI, they can post them on reddit, etc.
If you do not trust your communication partner to safeguard your messages, E2EE will not help you at all.
The point is that many people have iCloud Backups enabled without any awareness whatsoever of the implications, as iCloud Backups are opt-out and there is zero disclosure within the OS (only an Apple Support webpage nobody will visit).
It leads to E2E being systemically weakened, since most of your iMessage conversations will get immediately scooped up by Apple and alpbabet agencies, dragnet-style.
I understand that, I didn't mean the concept of e2ee requires the endpoints to never share it at all. What I meant was, commonly people will disable iCloud backups hoping to regain some privacy, but it does nothing because most of your communication partners use iCloud backups. Just like people who switch to eg. Protonmail - if you only ever talk to GMail users, it doesn't really give you much extra privacy.
