Since the end of 2022, Apple has offered all its users an advanced security feature that encrypts the majority of iCloud data on the manufacturer's servers. The option, called Advanced Data Protection, is not enabled by default because it requires the configuration of a recovery method (recovery key or "recovery contact") that the user must always have in their possession.
Unlike classic iCloud backup, Apple does not hold the encryption and decryption keys for backups made with Advanced Data Protection. In exchange, the majority of data saved in Apple's cloud is encrypted end-to-end: no one can access it, except of course the user.
This advance in data security does not suit police forces around the world. Apple is able to hand over iCloud data to authorities who formally request it, through a court order for example. But this is no longer possible with Advanced Data Protection, since the company no longer has any means of accessing a backup.
The British government has, however, found a way around it: last month, it asked Apple to create a backdoor giving it access to all data stored in iCloud, for any user. Not just British citizens, but anyone, anywhere in the world!
As reported by the Washington Post, this is an unprecedented requirement for a Western democracy. The British authorities are relying on the Investigatory Powers Act of 2016 to demand this backdoor. Rather than responding favorably to this request, which would amount to weakening encryption for all of its users, Apple is reportedly considering simply removing the Advanced Data Protection option in the United Kingdom.
That would not fundamentally change things, as the UK government wants access to iCloud backups everywhere in the world! The manufacturer can nevertheless challenge this decision (before a secret court…), but the appeal procedure does not suspend the application of the measure. A judge can also intervene to assess whether the request is proportionate to the needs of the authorities.
The 2016 Act criminalises the simple fact of revealing the existence of a request for a backdoor. Publicising it is a way of bringing the matter before the general public and putting pressure on the English authorities to reconsider their position.
If London were to obtain such access, nothing would stop other countries from requesting a backdoor in turn, turning end-to-end encryption into real Swiss cheese. That would hold at Apple as well as at other providers of online backup solutions, such as Google or Meta. Hackers could then exploit this flaw to steal data.
Source: Washington Post
