Apple has long promised that what’s on your iPhone stays on your iPhone. But that promise came with the caveat that if the police had a warrant for someone’s iCloud account, Apple could provide a file of unencrypted messages, photos, and notes.
Now the company plans to close that loophole.
On Wednesday, Apple said it was expanding its end-to-end encryption system to keep most iCloud data unreadable, even if it’s stored in data centers. The heightened protections, which are optional, aim to make the sensitive data inaccessible to hackers and governments. Previously, encryption only covered certain information, such as passwords, payment and health data.
The change creates a potential conflict with the US government and other governments that have clashed with Apple over access to data on criminals’ iPhones. While Apple has refused to help law enforcement unlock iPhones over the years, it has granted thousands of requests each year for iCloud backups of unencrypted messages and photos.
Law enforcement has been able to obtain confidential communications in high-profile cases, including the 2016 prosecution of former President Donald J. Trump’s campaign chairman Paul Manafort. In the first six months of last year, the company received applications for 7,122 iCloud accounts in the United States. These security upgrades would close that access.
“It’s great to see companies prioritizing security, but we have to keep in mind that there are trade-offs, and one that’s often not considered is the impact it has on reducing law enforcement access to digital evidence ,” Sasha O’Connell, an executive in residence at American University and a former department chief at the Federal Bureau of Investigation. “The big question is: who decides on that consideration? It remains in the hands of Apple.”
Apple had not fully encrypted iCloud data because it wanted to make it easier for customers to retrieve information for users who had been locked out or lost access to their accounts. But the number of data breaches has tripled in the past seven years as more data has migrated to the cloud, prompting Apple to improve security.
Apple’s new protections are part of a broader effort by tech companies to improve customer security. Google recently introduced end-to-end encryption for group chats in its Messages app, and Facebook’s WhatsApp started offering encrypted backups a year ago.
Users who opt for enhanced encryption for iCloud, which Apple calls Advanced Data Protection, can also separately increase the security of their account by getting a hardware security key, Apple said. The added protection can be used by anyone, but is designed to protect the data of public figures who could be targeted by hackers, including celebrities, journalists, and government officials.
Only three categories aren’t covered — Apple’s Mail, Contacts and Calendar systems — because they’re tied to outdated technology, the company said.
The program will roll out in the United States later this year and worldwide starting next year, Apple said. It will be available to customers in China, where a Chinese company manages the storage of their iCloud accounts.
A separate plan to scan iPhones for images of child sexual abuse has been abandoned, Apple said. That proposal, introduced last year, faced backlash from privacy activists.
Instead, Apple said, it will update its messaging system in the future to hide nudity in videos. It will also make the technology behind those protections available to other messaging apps.
