Apple introduces its new “Advanced Data Protection.”
Overview
This article discusses Apple’s new Advanced Data Protection, which provides an improved level of encryption and security for stored items. In general, privacy groups applaud Apple’s end-to-end encryption in iCloud. Privacy groups are “disappointed” that users have to opt-in rather than set it up as a default. The F. B. I. said it is “deeply concerned” with the threat it poses to law enforcement. Apple says Advanced Data Protection will be available to all U.S. users by the end of this year.
Advanced-Data Protection
Advanced-Data Protection for iCloud is an optional setting that offers Apple’s highest level of cloud data security. When a user turns on Advanced Data Protection, their trusted devices retain sole access to the encryption keys for the majority of their iCloud data, thereby protecting it with end-to-end encryption. For users who turn on Advanced Data Protection, Apple reports that the total number of data categories protected using end-to-end encryption rises from 14 to 23 and includes iCloud Backup, Photos, Notes, and other categories. Apple also notes that Advanced Data Protection for iCloud will be available to U.S. users by the end of 2022 and will be available to the rest of the world in early 2023.
CloudKit
Advanced Data Protection involves CloudKit, which provides end-to-end encryption for the user. CloudKit is an Apple framework that lets app developers store key-value data, structured data, and assets (large data stored separately from the database, such as images or videos) in iCloud using a hierarchy of keys that match the data. CloudKit supports both public and private databases grouped in containers and is rooted in an asymmetric key called a CloudKit Service Key. All CloudKit Service keys that were generated on device and later uploaded to the available-after-authentication iCloud Hardware Security Modules (HSMs) in Apple data centers are deleted from those HSMs and instead kept entirely within the account’s iCloud Keychain protection domain, offering robust security management. From a deeper technical overview, CloudKit uses a hierarchy of keys that match the structure data, layering encryption that matches the data structure. When data is written to CloudKit, the records are generated on the user’s trusted device and then are wrapped with the appropriate key hierarchy before the data is uploaded to the cloud, as indicated in the figure below. This type of encryption requires the use of the trusted device to decrypt.
The service keys are handled in an end-to-end encrypted, which means Apple nor other outside agencies (e.g., law enforcement) can no longer read or access these keys, as the trusted device is necessary to decrypt the data, thus securing data in the cloud. Advanced-Data-Protection is currently an optional setting and offers Apple’s highest level of cloud data security. When a user turns on Advanced Data Protection, their trusted devices retain sole access to the encryption keys for most of their iCloud data, thereby protecting the data with end-to-end encryption.
Essential End-to-End Encryption
While Apple is planning to expand its data-encryption practices to ward off hackers and protect iCloud Data, there are concerns from law enforcement and governments about the privacy protections for millions of iPhone users. The Advanced Data Protection will keep most user data secure in iCloud, however, it is drawing attention from investigative agencies, such as the FBI, due to Apple’s past for being unable to assist law enforcement with encrypted data.
Cybersecurity experts and cryptographers have argued that attempts by law enforcement to weaken encryption by using backdoors would inherently make the internet less reliable and hurt more vulnerable populations. The “Surveillance Technology Oversight Project (S.T.O.P.), “ is a non-profit advocacy organization and legal services provider that advocates for vulnerable populations weighed in on Apple’s new end-to-end encryption. S.T.O.P.’s primary mission is to litigate and advocate for privacy, working to abolish local governments’ systems of mass surveillance. S.T.O.P. recently called Apple’s Advanced Data Protection both essential and overdue. However, the group indicates that they are concerned that end-to-end encryption requires users to opt in rather than it being set up as a default.
While Apple has touted its privacy record while leaving its users vulnerable to investigations, particularly to law enforcement surveillance, as user data stored on iCloud is a court order away from becoming investigated. With Apple’s end-to-end encryption change, this approach will keep up with the privacy best practices other companies have followed for years.
Catching up
Apple will soon offer end-to-end data protection for its users. Other tech products already offer end-to-end encryption, including WhatsApp, the world’s most popular messaging app, and Signal (a communications app prized by others who work with sensitive data. To this end, Apple announced other advanced security features, including one feature focused on those who “face extraordinary digital threats” — such as from no-click spyware. Apple’s Contact iMessage Contact Key Verification will automatically alert users to eavesdroppers who have succeeded in introducing a new device into the user’s iCloud through a breach.
Law Enforcement Concerns
While privacy groups and apps applaud Apple for expanding end-to-end encryption in iCloud, governments have reacted differently. In a recent US News article (Associated Press), the FBI inferred some discontent and said that while the FBI remains a strong advocate of encryption schemes, however, supported the concept that “lawful access by design” so tech companies “served with a legal order” can decrypt data and give it to law enforcement. The agency said it “continues to be deeply concerned with the threat end-to-end and user-only-access encryption pose,” insisting they hinder the FBI’s ability to protect Americans from crimes ranging from cyberattacks to violence against children, and terrorism.
Johns Hopkins cryptography professor Matthew Green reported on Twitter that “Where Apple was hesitant about deploying encryption features last year — maybe even backsliding a bit with CSAM scanning proposals — it now feels like they’ve decided to put the gas pedal down.”
Summary
While privacy groups applaud Apple’s end-to-end encryption in iCloud, they remain somewhat disappointed in Apple’s opt-in end-to-end encryption setting rather than having it set as a default. In addition, law enforcement has inferred the new encryption method poses a threat to law enforcement’s investigation. Apple says Advanced Data Protection will be available to all U.S. users by the end of this year, with plans to launch globally in early 2023.
References
Apple. (n.d.). Advanced Data Protection for icloud. Apple Platform Security. Retrieved December 8, 2022, from https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web
Apple. (n.d.). ICloud encryption. Apple Platform Security — iCloud encryption. Retrieved December 8, 2022, from https://support.apple.com/guide/security/icloud-encryption-sec3cac31735/web
Associated Press. (n.d.). Apple: Most icloud data can now be end-to-end encrypted. US News. Retrieved December 8, 2022, from https://www.usnews.com/news/business/articles/2022-12-07/apple-most-icloud-data-can-now-be-end-to-end-encrypted
STOP. (n.d.). STOP — Our vision. S.T.O.P. — The Surveillance Technology Oversight Project. Retrieved December 8, 2022, from https://www.stopspying.org/our-vision
WSJ. (2022, December 8). WSJ News Exclusive | Apple plans new encryption system to Ward Off Hackers and protect iCloud Data. Apple Plans New Encryption System to Ward Off Hackers and Protect iCloud Data. Retrieved December 8, 2022, from https://www.wsj.com/articles/apple-plans-new-encryption-system-to-ward-off-hackers-and-protect-icloud-data-11670435635
About the Author
Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.
CONTACT Dr. Ron McFarland, PhD, MSc, CDNA, CISSP
· CMTC Email: rmcfarland@cmtc.com
· Email: highervista@gmail.com
· LinkedIn: https://www.linkedin.com/in/highervista/
· Website: https://www.highervista.com
· YouTube Channel: https://www.youtube.com/@RonMcFarland/featured
