I have not changed the subject. Apple clearly delineates which data is e2e encrypted and which data is not. Those same standards apply in the US and China - unless you have evidence otherwise.
I no more trust my privacy to the US government than a Chinese citizen should trust China.
You started this thread by responding to somebody discussing the Chinese government's access to all iCloud data, but you changed the subject to talk about systems where the private key is on device, which does not apply to iCloud. You absolutely did change the subject.
> Those same standards apply in the US and China - unless you have evidence otherwise.
Those same standards don't actually protect your data from whoever controls the iCloud server or whoever controls the iMessage key server. In the US, that is Apple, so Apple has access to that data. In China, that is the Chinese government. Therefore, the Chinese government has access to all Chinese iCloud and iMessage data.
> I no more trust my privacy to the US government than a Chinese citizen should trust China.
Then you are unfamiliar with the laws of both countries.
The laws of the US say a lot of things. But the facts are that all the government has to do is scream “terrorism”, “drugs”, “or think about the children” and they can easily get a warrant. The law states that one branch of government has to ask another branch of government for a warrant. You have to believe that the judicial branch actually would safe guard privacy and keep law enforcement from overreaching.
> You have to believe that the judicial branch actually would safe guard privacy and keep law enforcement from overreaching.
These warrants become public record. I don't have to blindly believe it. I can look at the records and see that the US is not even close to China as far as government access to user data.
You started this thread by responding to somebody discussing the Chinese government's access to all iCloud data
If some of the data is e2e encrypted using private keys,China doesn’t have access to “all data”
Those same standards don't actually protect your data from whoever controls the iCloud server or whoever controls the iMessage key server.
If the private key is generated by the same entity or “key server” that generates the public key, and then transmitted to the client. That kind of defeats the entire purpose of public/private key encryption.
I’ve never seen an implementation of public/private key encryption where the client device doesn’t create the key pair and send only the public key to encrypt data.
> If some of the data is e2e encrypted using private keys,China doesn’t have access to “all data”
You have two mistakes in this sentence.
1. None of the iCloud data (mail, docs, drive, etc.) is E2E encrypted. Some of the data stored in iCloud (like keychain backups) is encrypted prior to being sent to iCloud (using symmetric encryption, not with asymmetric key pairs). China has access to the data that was ultimately sent to iCloud.
2. The way Apple implements E2E encryption for services like iMessage that are E2E encrypted allows China access to that data.
> If the private key is generated by the same entity or “key server” that generates the public key, and then transmitted to the client.
That's the point. Since Apple's implementation relies on a key server to distribute public keys, it is straightforward for the key server to generate its own key pair and serve a fraudulent public key to the recipient, decrypting and re-encrypting messages that the iMessage servers relay. Apple relies on the technical illiteracy of its users to get away with its deceptive and often plain false marketing claims. Now you know better.
The “key server” does not in fact “generate public keys”. It distributes public keys. But you can’t decrypt a message with public keys - that’s kind of the point...
But after reading research from security experts you have found a citation where Apple is generating a key pair from its servers and sending the private key to the client?
> The “key server” does not in fact “generate public keys”.
That's the point. It should not, but the security model of iMessage allows the key server to get away with it, which is almost certainly happening in China right now. Try reading the article and following the example.
> But after reading research from security experts you have found a citation where Apple is generating a key pair from its servers and sending the private key to the client?
No, it sends the public key. Encrypting messages is done with the recipient's public key. Go read the Wikipedia article on asymmetric encryption. Because the owner of the keyserver can send its own public key, it can decrypt messages with its own private key before re-encrypting with the intended recipient's public key.
Again, if it Apple were in fact creating their own key pairs on their server and sending users the key pair, don’t you think someone would have discovered.
But since it’s in a Wikipedia article, I guess that kind of closes the case.
> [If] Apple were in fact creating their own key pairs on their server and sending users the key pair, don’t you think someone would have discovered.
You once again misunderstand the vulnerability. The vulnerability is that China does this because China controls the keyservers in China.
As far as anybody discovering this, that would be very difficult because Apple does not let you install your own apps on the device and would not approve an app designed to detect this.
But even more, why would they bother? People who care about their privacy will simply avoid closed source software and especially closed systems like Apple's instead of trying to use a known compromisable system safely.
>But since it’s in a Wikipedia article, I guess that kind of closes the case.
I was pointing you to a place where you could learn about cryptography because you seem not to understand the basic concepts. The Wikipedia article does not describe this particular vulnerability.
> Those same standards don't actually protect your data from whoever controls the iCloud server or whoever controls the iMessage key server. In the US, that is Apple, so Apple has access to that data. In China, that is the Chinese government. Therefore, the Chinese government has access to all Chinese iCloud and iMessage data.
Seeing as how Apple complies with FBI and law enforcement requests to get iCloud data, that is definitely not the case in the US.
