The Electronic Frontier Foundation is one of the best known champions of user privacy and civil liberties in the modern era, having run the gamut from promoting user awareness to actually launching lawsuits against the government and corporations to defend the rights of online users.
Now the non-profit activist organization is setting its sights on pressuring big tech companies like Apple, Facebook, and Google to address what it considers to be serious and long-standing security issues in their products and platforms.
The campaign, dubbed “Fix It Already,” calls out nine tech companies and platforms in total: Android (Google), Apple, Facebook, Slack, Twitter, Venmo, Verizon, WhatsApp, and Windows 10 (Microsoft). It focuses on a single major, well-known issue on each platform that has a significant impact on user privacy and for which the EFF considers the fix “attainable.”
For example, in Apple’s case, the EFF calls out the lack of encryption for iCloud backups, noting that while data is strongly encrypted on-device, and famously inaccessible even to Apple’s own engineers without knowing the device passcode, backups stored in iCloud don’t have nearly the same level of protection. Since they can be read by Apple, they’re vulnerable to government requests, third-party hacking, and even disclosure by Apple employees.
“Apple should let users protect themselves and choose truly encrypted iCloud backups.” (Electronic Frontier Foundation)
The EFF does give Apple some credit in this area, noting that Apple CEO Tim Cook has already gone on record as saying that encrypting iCloud backups is a good idea. It cites an interview with Der Spiegel (Google Translate) in which Cook explains that Apple has avoided encrypting iCloud Backups up to this point “because some users lose or forget their key” and need Apple’s help recovering their data. Cook expects that this will change in the future, although he stopped short of providing an estimate for when this might happen.
“It’s time to let users choose security and encrypt their iCloud backups so only they have the key.” (Electronic Frontier Foundation)
The EFF is pressuring Apple to fix this problem sooner rather than later, suggesting that users could simply be given a choice as to whether they want to store their backups with secure encryption, accepting the risks that data could not be recovered if the key was lost.
In fact, Apple already offers this option for backups made locally to a user’s own Mac or PC via iTunes, where users can choose to encrypt the backups that are stored on their own hard drives. This makes the lack of the same security for iCloud backups all the more puzzling, and while Apple does provide an option for security-conscious users who want full encryption of their backups, it’s a cumbersome workaround in an era where tethered connections to iTunes are slowly becoming an anachronism.
To be clear, Apple does encrypt some of the information that is stored in iCloud Backups, a point which the EFF campaign fails to acknowledge. The information that Apple identifies as “End-to-End Encrypted Data”, which includes extremely sensitive items like HomeKit keys, health data, passwords, and payment information, is stored in such a way that the passcode of the user’s original device is also required to gain access to this information from an iCloud Backup, and that passcode is information that would not be available to Apple.
For example, while forensic companies like Elcomsoft have advertised their ability to access health data and text messages from iCloud Backups, additional credentials are needed to extract and access this information. In both cases, Elcomsoft stated that to access health and messages data from an iOS 12 device not only was the user’s Apple ID and password needed, but “access to the secondary authentication factor as well as the user’s screen lock password” was also required. Even fully encrypted iCloud Backups will be vulnerable if hackers and forensics experts can gain access to a user’s private security keys.
Still, the EFF’s point is very valid, as a lot of information can still be gleaned from iCloud Backups, particularly from the wide range of third-party apps that also store sensitive personal data, in many cases by developers who don’t take privacy and security nearly as seriously as Apple does. As laudable as it is for Apple to ensure that HealthKit data uses fully secure end-to-end encryption, it does end users little good if they’re also entering personal health information into third-party apps that don’t protect this data in any meaningful way.
Of course, Apple wasn’t the only company castigated by the EFF for needing to address privacy and security issues, and arguably not even the most egregious violation; Android was called out for not allowing users to deny and revoke internet permissions from apps, Facebook for misusing users’ phone numbers for targeted advertising and other purposes, Twitter for being able to read users’ private direct messages, and Verizon for installing spyware on users’ phones.
“It’s 2019. We have the technology to fix these problems, and companies are running out of excuses to neglect security and privacy best practices. We hope that with a little more attention, these companies will take these issues seriously and fix them already.” (Electronic Frontier Foundation)
As the EFF notes, there’s little excuse for companies to be leaving these issues unresolved, and in Apple’s case it certainly seems like offering proper encryption of iCloud Backups would not be a complicated thing to implement, particularly considering that the code already exists to do so in iTunes. The EFF is also seeking feedback from the public at large, asking users to tell their stories via Twitter or Facebook about how these problems have affected them by using the hashtag #FixItAlready.