
It's mostly marketing bullshit.

Apple and Microsoft both tried to build ad businesses, but when they weren't as successful as Google, they turned lemons into lemonade by launching data privacy PR campaigns against Google.

Meanwhile, Apple and Microsoft quietly censor their products in China, surrender data to Chinese authorities, and now we find Apple is intentionally leaving iCloud data insecure.

Presumably Google was under the same pressure from US law enforcement, but somehow Google delivered end-to-end encrypted Android backups in October, 2018. And Google did it without all of Apple's self-congratulatory media hoopla.

e2ee: https://security.googleblog.com/2018/10/google-and-android-h...

Third party security audit: https://www.nccgroup.trust/us/our-research/android-cloud-bac...




Just a reminder, Apple ceded control of its iCloud management in China to a state-controlled company, and in addition began storing its encryption keys in China in order to "comply with local regulations". So whether or not your backups are encrypted is almost a moot point, given that the government can submit a lawful demand for your data at any time.

Apple will store some iCloud encryption keys in China, raising security concerns https://www.theverge.com/2018/2/26/17052802/apple-icloud-enc...


That’s only for devices where the region is set as China. Why would it be a moot point elsewhere for that reason?


"It's not happening in my country" is a naive argument. You might not care if human rights activists and HK protesters are affected. But Apple's actions in China set a precedent for other countries to follow. If a country demands that Apple "comply with local laws" by providing encryption keys or else risk losing access to that marketplace, Apple will comply, regardless of its effect on user privacy.


There was no need to misinterpret the comment and write things like '"It's not happening in my country" is a naive argument.'

I didn't say that Apple is right to do it in China or elsewhere. I merely pointed out that it's happening in one place and asked why that would make it moot elsewhere. I agree with everything you said except for the phrasing of your first sentence.


Injustice anywhere is a threat to justice everywhere.


Don't know why downvoted. Even if someone doesn't care for individuals in other legal zones (sad), the extra injustice Apple is accepting in other legal zones is a clear display of what they are willing to do to you eventually.

> Injustice anywhere is a threat to justice everywhere.

So I 100% agree.


Well, it's based on incorrect information, based on the parent's citation....


Different places define (in)justice differently.


But isn’t morality universal?


Morality is defined by culture, so there is no "universal" morality as such. However, there are certain specific things that are included in almost all moral frameworks.


‘There is no absolute’ (except for this statement) always amuses me.


From the linked Reuters article...

Apple says the joint venture does not mean that China has any kind of “backdoor” into user data and that Apple alone – not its Chinese partner – will control the encryption keys.


Incorrect. Please see the official Apple Support page [1] that debunks this. It specifically states:

"iCloud services and all the data you store with iCloud, including photos, videos, documents, and backups, will be subject to the new terms and conditions of iCloud operated by GCBD."

And since all Chinese companies are bound by local laws, you can be assured that your data is readily available for access by the government.

[1] https://support.apple.com/en-us/HT208351


That still doesn’t make the original statement that “encryption keys are given to China” correct.

The data that is available in China is not encrypted and would also be available to US authorities.

Can you quote the part of the article that states that Apple must give China private keys? Can you find a citation where a third party has found proof that Apple changed the iMessage architecture?


Apple may still be controlling the encryption keys but this says nothing about sharing the keys if compelled to do so.

> Can you quote the part of the article that states that Apple must give China private keys? Can you find a citation where a third party has found proof that Apple changed the iMessage architecture?

Apple is smarter than to put some text on their official website saying that the Chinese government has access to all your data. The key here is that their Terms and Conditions state that they operate "...in accordance to local laws". This is a cop-out legalese way of saying "We abide by whatever the Chinese government tells us to do".


How can Apple share private keys it doesn’t have access to?

Apple doesn’t control “private keys” you use to encrypt data. The keys wouldn’t be very private if that were the case.

The entire idea behind public/private keys is that you keep access to your private key.


You need to take a step back, take off your engineering hat, and realize that the issue is not about private keys. This is about a company (Apple) needing to follow the laws of the country that it operates in or else it is banned. It doesn't matter if Apple was selling bread or handbags, they MUST provide the government with data about their customers when compelled. This is the case with all companies operating in China, foreign or domestic.


The only way it could follow the laws of the country would be to rearchitect its entire system and somehow send the private keys to its servers and save them.

While technically they could do that, do you realize how much legal trouble they would be in in the US if they did so without disclosing it?

Alternatively, they would have to have a special build of iOS for China.

Also, none of the “citations” make mention that the Chinese law forces Apple to give private keys to China.


The questions you are posing make it clear that you don't understand the issue at hand, much less the broader context behind these data laws. Companies have invested much more $$$ and resources for much less reward. Also, everything is legal as long as your lawyers sign off.


I perfectly understand how public/private key encryption works. Can you find any citations to support your specific claims that Apple is sending users’ private keys from their devices and giving those keys to China?


Tell me how you think public/private keys helps Apple from skirting Chinese law that stipulates that they must provide access to user data.


It doesn’t by itself - but you have neither shown that Apple has surreptitiously uploaded users’ private keys in China nor that it was required to do so.


I think the overlooked answer in this conversation is that Apple doesn't need to modify their service for China at all. In all countries, they hold the encryption keys for most user data. Only these things are E2E encrypted[1]:

    Home data
    Health data (requires iOS 12 or later) 
    iCloud Keychain (includes all of your saved accounts and passwords)
    Payment information
    QuickType Keyboard learned vocabulary (requires iOS 11 or later)
    Screen Time
    Siri information
    Wi-Fi passwords

You might say "what about iMessage". The link has that answer, too:

> Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices.

This means Apple can produce the data a government is looking for in virtually all cases, and that's probably good enough for China.

[1] https://support.apple.com/en-us/HT202303
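
An added illustration of the point in the comment above (not Apple's implementation and not code from the thread): a simplified model showing that a provider-readable backup holding the message key lets the provider decrypt otherwise end-to-end encrypted messages. The toy stdlib cipher, all key names and the storage layout are assumptions made for the example.

```python
import hashlib, hmac, json, os

def _sub(key, label):
    # Derive separate encryption/MAC subkeys from one key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Toy authenticated encryption, a stdlib stand-in for AES-GCM."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(_sub(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

def server_side_state(backup_enabled):
    """Constructed scenario: what the provider holds for one account."""
    device_secret = os.urandom(32)  # known only to the user's devices
    provider_key = os.urandom(32)   # known to the provider
    message_key = os.urandom(32)    # protects the synced messages
    stored = {
        "messages": seal(message_key, b"constructed sample message"),
        "keychain": seal(device_secret, message_key),  # end-to-end: provider cannot unwrap
    }
    if backup_enabled:
        # The backup is encrypted under a provider-held key and carries the message key.
        payload = json.dumps({"message_key": message_key.hex()}).encode()
        stored["backup"] = seal(provider_key, payload)
    return provider_key, stored

def provider_recovers_messages(provider_key, stored):
    """Return the message plaintext if server-side material suffices, else None."""
    try:
        backup = json.loads(unseal(provider_key, stored.get("backup", b"")))
    except ValueError:
        return None
    return unseal(bytes.fromhex(backup["message_key"]), stored["messages"])
```
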


Or you can specifically turn off iCloud for iMessages in settings....


Maybe the fraction of users who do that is small enough that China won't push them on it. Or (this would be relatively easy to check) they could just hide that option in settings when the device region is China.

Another factor to consider is that SMS and iMessage are rarely used in China due to SMS historically being more expensive than email/data over there.


That brings up another point. How important is iMessage in China? The iPhone’s market share in China is small and statistically when you’re using iMessage you would probably be sending a message to a non-Apple device over unencrypted SMS.

Email is the least secure method of sending data and always has been.

I’ve never paid attention to it until now, but you can selectively disable iCloud backups for any of the built-in apps and third party apps in settings.


> Or (this would be relatively easy to check) they could just hide that option in settings when the device region is China.

A placebo toggle is also an option.


A good way to figure out whether this kind of claim is marketing bullshit, is to look for a PR claim that goes the other way: that Apple or whoever helps the FBI find uploaded images of child sexual abuse. If they are matching on your data, they can’t be encrypting it; if they’re encrypting it, they can’t be matching on it. It’s one or the other.

And, well, Apple have confirmed that they’re matching on your data[1]. So, guess what?

[1] https://www.scmagazine.com/home/security-news/apple-scans-ic...


This was clarified to be iCloud Mail attachments.


"Apple is intentionally leaving iCloud data insecure" ... if you'd done some research you would know that iCloud backups are not end-to-end encrypted. That means you have a choice: back up to iCloud for the convenience and give up some privacy, or turn off the iCloud backup.

It would be nice if Apple was more forthcoming with that fact but there is some onus on the customer these days to understand what's private and what is not.

https://support.apple.com/en-us/HT202303

iCloud backups are not on the list of end-to-end encrypted.


Please see "iCloud security overview", it clearly states which iCloud data is encrypted in transit, on server, and end-to-end:

https://support.apple.com/en-us/HT202303


This is from your own link:

“For certain sensitive information, Apple uses end-to-end encryption.”

“These features and their data are transmitted and stored in iCloud using end-to-end encryption:”

* Home data

* Health data (requires iOS 12 or later)

* iCloud Keychain (includes all of your saved accounts and passwords)

* Payment information

* QuickType Keyboard learned vocabulary (requires iOS 11 or later)

* Screen Time

* Siri information

* Wi-Fi passwords


Yes, I wasn't debating a point, just providing a list of exactly how Apple encrypts user data.


And please mind that e2e means next to nothing when the data is stored and retrieved with a closed source (and usually auto-updating) client app.


Doesn’t that page show everything as end-to-end encrypted, except email messages on the server?

If “backup”, photos, messages, contacts, calendars, iCloud Drive, notes, and Safari data (and a few more) are end-to-end encrypted, what else is there?


I don't think you are reading the list right. That is all the stuff that is encrypted both at-rest and in-transit (with keys known to Apple).

The list of E2E is further down, separate from the table, and includes: Home data, Health data (requires iOS 12 or later), iCloud Keychain (includes all of your saved accounts and passwords), payment information, QuickType Keyboard learned vocabulary (requires iOS 11 or later), Screen Time, Siri information, and Wi-Fi passwords. So virtually nothing, by comparison.

Messages, probably the most personal and relevant for legal cases, are end-to-end-encrypted as well, but if you have iCloud Backup enabled, the key is stored in the backup, making this useless.


I mean if you scroll down a little more you'll see what data is actually end-to-end encrypted.


Yeah, the current privacy dystopia is obviously just evil Apple and Microsoft sticking it to noble Google.


Certainly not.

But distinguishing PR bullshit from actual practice is essential when navigating the dystopia.


I totally disagree. I work for Apple, and I can tell you that for everything you do privacy is involved. It’s not just marketing.


Involved isn’t the same as guaranteed. I think commenters here are arguing that Apple isn’t being honest about what is available to law enforcement. My guess would be silent updates targeted at individual users who they have search warrants against.


The list of E2E above is quite transparent. The notion of building a special version of the OS to target an individual is just not how the infrastructure works, and totally goes against the entire spirit of privacy that pervades everything you do internally.


Sorry to be blunt (and I am a big fan of Apple's pro-privacy shift of late) but nobody outside Apple can know that with any certainty.

Even the 2016 Black Hat talk on YouTube, which describes an elaborate signing mechanism for updates, doesn't preclude shipping targeted OS updates to individual users. Maybe I missed something though, and in that case I'd appreciate you pointing it out.


I can tell you that most people inside of Apple would be shocked if such a thing occurred. I doubt the code pathway / infrastructure even exists to do such a thing. There’s always the possibility of strange things happening that only the right 1-2 people know about.... although it’d probably have to be many more given the number of changes that would need to be made to propagate a special one-off code-signed OS OTA. That would likely have a whistleblower somewhere.

The reality is it’s way easier to just exploit a weakness that you can text someone [1].

But if you’re dressed in tin foil hat to toe, then there’s nothing that I can say to convince you. At that point I’d suggest not using any computing technology that you don’t personally build yourself and watch 24/7.

[1] https://www.nytimes.com/2020/01/21/technology/bezos-phone-ha...


I think I would have once considered this acceptable, that it agrees with the spirit of the law, except that warrants have lost their meaning thanks to FISA rubber stamps.

Edit: Also, it's compelled speech though.



