The more charitable interpretation is that for most people losing their photos and messages is a bigger threat than the government spying on them. For those who might have a different tradeoff there is Advanced Data Protection.
I'm glad ADP exists now, but you have to make sure everyone you message has it enabled too, or your messages are still Apple's to read whenever they choose. Meanwhile Google's equivalent backup feature (whatever other faults it may have) has been end-to-end encrypted by default for everyone since long before ADP was even available at all. The risk of losing access is practically nonexistent because the password is your screen lock code, the same one you enter on your lock screen literally every day.
Also, is government spying the only reason Apple decrypts messages? We don't know. They don't disclose that they do it for the government, but we know they do from other sources. What other purposes might they not be disclosing?
The concern is if you lose your devices with E2EE enabled then you are locked out permanently. Grandma won't know how to use a Yubikey (which is the alternative Apple provides for this eventuality with ADP enabled) and will be out of luck.
This is not a requirement with Google's solution. After losing all your devices you only need your lock screen code to decrypt your backup, as I said. This is achieved using a secure element on the datacenter side to protect against brute-force attacks on the screen lock code.
You mean the one that by default is a 4 digit number and therefore trivially brute forcable?
And neither android hardware nor the google servers have any kind of secure element enforcing brute force protections like '3 tries then we wipe the keys'.
I'm not sure how different devices implement it, but the security chip can simply count the time it was powered on, it doesn't have to rely on wall clock time.
(Relying on wall clock time caused a bug in an early iOS version of this feature, where it would show a really long delay when the clock was reset, and there was no way to set the clock correctly)
So now you just need to fake a cell tower and a GPS constellation so that the phone gets a new time on power cycle. Which would be about 60s minimum, to boot and acquire.
And that’s with a power cycle, so 14,000 a day? I’ll not going to assume the button will last more than 100,000 presses, so I don’t see many combinations being tried.
> ADP is a total joke if it doesn't also disable plaintext backups for the people you're talking to
Do you consider all security to be a joke then? If you send me a message, how will you actually guarantee that I do not make a copy of it once it's on my own computer?
There's no guarantee, but some apps intended for security actually make at least a minimal effort to be excluded from plaintext backups, rather than intentionally sending their encryption keys to the backup service that just happens to be run by the same company...
Ok. So you concede that there is no way for you to ensure that messages you send me, that I can decrypt, are left unreadable by anyone but me.
So what secure communication system should we be using given that none of them can guarantee that the recipient doesn't leak information to another country by choosing to use a compromised version of the client?
My complaint is not about guarantees, it's about defaults. Default non-e2e-encrypted backups of message encryption keys are the problem here. No system can guarantee absolute security, but that doesn't mean they're all equivalently bad. Some are definitely more secure than others, and defaults have a lot to do with it!
You are attacking a straw man. The risk is the your correspondent does not have ADP enabled, as it is not on by default, and not even offered in some authoritarian countries like the U.K., so even without their cooperation they can still get their key. I don’t know if iMessage implements Perfect Forward Secrecy, but at the very least they will be able to read all your messages moving forward.
Yes, your backup is e2e encrypted after you enable the off-by-default ADP. But some of your friends probably didn't enable ADP, and the keys to decrypt your messages to them are stored in their backups which Apple can read at will.
There are some fundamental different between two ecosystems.
On Google, the Google Drive and Photo are encrypted to a key owned by google.
On iCloud, the iCloud Drive and Photo are encrypted to your account key. In which, without ADP, this key is shared with Apple. When ADP is enabled, Apple does not store this key. iCloud Backup is stored with the same technology as iCloud Drive.
When it comes to lost password account recovery:
- Google can just reset your password, and your drive and photo are still accessible. All barrier are procedural, not technical.
- iCloud (with ADP), they can still reset your password, but then your icloud drive and icloud photo are loss forever.
There are some trade off ..:
- Lost password recovery experience. _Some_ user will lost their password anyway. How high should the bar be?
- Cloud first? or local device first with cloud backup?
- Are you giving the cloud data same protection as local device?
In google's solution, they put the google drive data at risk...
In apple's solution, it need extra steps to ensure you have proper account recovery flow covered.
That's all fine, but tangential to my complaint, which is about iMessage specifically. iMessage, as a system that strongly promotes e2ee as a core feature, should not be backing up its encryption keys to non-e2ee iCloud backup in any scenario. Messages should fall in the same category as keychain passwords and (yes!) Memoji, backups of which are always end-to-end encrypted even when ADP is not enabled.
In fact I would say calling iMessage an e2ee system is false advertising until this is corrected. Reasonable people would assume that an Apple system advertised as e2ee would make an effort to prevent Apple servers from having the keys to decrypt most iMessages, while the reality is with these defaults it's likely that a large majority of iMessages can be decrypted by Apple servers at will.
You aren't understanding the point being made in OP. Everyone here understands the crypto for ADP vs non-ADP, there's no need to explain it.
The simple fact of the matter is that if I have ADP enabled, my chats should be excluded from the backups of those I'm communicating with (it should be as an opt-in basis at the very least).
Not having this renders ADP useless for the purpose of its stated threat model.
Why does your desire for complete privacy and _control_ outweigh mine to keep a complete history of my communications?
Why can you reach into my phone and wipe data you sent to me?
Why are _you_ the final arbiter?
Once you send a message it is _out of your hands_. You do not own that message. You do not have the right to dictate to others what they can do with what you send to them. That’s life, that’s reality.
If you want to be able to delete your sent messages from other’s devices, there are many apps out there that can provide it to you and both you and the person you are talking to can go in “eyes wide open” to what you agreeing to (I can delete messages I sent to you and you have no record).
The potential for abuse of this is high and the vast majority of users would _not_ want this feature. The same way that mostly people probably shouldn’t use ADP due to the risks, this type of feature will cause way more issues IMHO. It doesn’t take much imagination to get to “Grandpa pressed the wrong button and deleted years (decades) of conversation from everyone’s phone”.
I am not interesting my normal conversations potentially disappearing. That was not the agreement that we had and changing the rules later on that is gross to me. If you want disappearing chats or the ability to wipe all the messages you’ve sent there are other apps (with their own pitfalls, what if I keep my phone offline and never get the update to clear out your conversations?).
