Two Thumbs Up and One Thumb Down on Apple’s Data Protection Announcements
Apple’s surprise move yesterday to get the rest of iCloud data1, including, critically, iCloud Backups, end-to-end encrypted is an unequivocal win for user privacy. But there were a few loose ends that weren’t clear to me from the announcement. Luckily, the corresponding support document offers answers.
For one, there was this stipulation, quoted by many publications, that gave me pause about turning on Advanced Data Protection myself: “iWork collaboration and the Shared Albums feature in Photos don’t support Advanced Data Protection.” Losing access to my Shared Albums would be a non-starter. It’s how I share photos with a bunch of family members after leaving Facebook. But the knowledge base article offers good news here:
When users collaborate on an iWork document, or open an iWork document from a shared folder in iCloud Drive, the encryption keys for the document are securely uploaded to iWork servers in Apple data centers. This is because real-time collaboration in iWork requires server-side mediation to coordinate document changes between participants. Photos added to Shared Albums are stored with standard data protection, as the feature permits albums to be publicly shared on the web.
I take that to mean you can still use Shared Albums and iWork collaboration, but with the understanding that those features will use the old protection model — that is, encryption in transit but not end-to-end. Likewise with “anyone with a link” sharing:
Selecting the “anyone with a link” option when enabling collaboration will make the content available to Apple servers under standard data protection, as the servers need to be able to provide access to anyone who opens the URL.
And then there’s iCloud.com. It would have been a shame if the fancy new iCloud.com design was useless to folks with the additional protection turned on. But that doesn’t seem to be the case:
When a user first turns on Advanced Data Protection, web access to their data at iCloud.com is automatically turned off. This is because iCloud web servers no longer have access to the keys required to decrypt and display the user’s data. The user can choose to turn on web access again, and use the participation of their trusted device to access their encrypted iCloud data on the web.
After turning on web access, the user must authorize the web sign-in on one of their trusted devices each time they visit iCloud.com. The authorization “arms” the device for web access. For the next hour, this device accepts requests from specific Apple servers to upload individual service keys, but only those corresponding to an allow list of services normally accessible on iCloud.com. In other words, even after the user authorizes a web sign-in, a server request is unable to induce the user’s device to upload service keys for data that isn’t intended to be viewed on iCloud.com, (such as Health data or passwords in iCloud Keychain).
I’m glad Apple built this temporary access for getting at your data on iCloud.com. They could have — with much less effort — just said web access was a feature you lose when turning on Advanced Data Protection. Apple wasn’t shy about the fact that you lose a fair bit of convenience when running your device in Lockdown Mode, including blocking most message attachments entirely, for example.
I do wonder what the authentication process will be like. It could be similar to the current two-factor authentication PIN, or maybe something more exotic like a passkey. Perhaps passkeys were one of the final pieces to this puzzle.
On the Abandonment of CSAM Detection
It’s a complex and sticky subject, that people, rightfully, have strong opinions about. I understand the reluctance to having the device you own scanning your photos for images matching known child sexual abuse material, and I appreciate the slippery slope nature of introducing any kind of scanning system like this. But, personally, I thought Apple had proposed a worthy compromise: scan only as part of the transit of photos from your device to Apple’s servers for syncing/backup, and alert authorities only if the number of matches (to a database provided by NCMEC, the globally-respect authority on CSAM) cross a threshold, signifying a very high degree of confidence.
That, plus the fact that Apple would offer users the ability to opt out by turning off iCloud Photos was enough for me to give the feature a thumbs up. I felt it balanced protection and privacy, and prevented Apple from resorting to scanning unencrypted photos on it’s own servers — which, honestly, feels creepier to me.
But Apple has closed the door to on-device detection. And when Advanced Data Protection is turned on, server-side scanning those end-to-end encrypted photos for known CSAM won’t be an option.
Except for iCloud Mail, Contacts, and Calendars which, understandably, can’t be end-to-end encrypted and still work with other global email, contacts, and calendar systems.↩︎