Here’s the Truth About Your iCloud Security

Your iCloud is encrypted. That doesn’t mean the FBI can’t access it

 Getty Images

Security and privacy are not two sides of the same coin. They’re sometimes opposing forces, pitting your desire for privacy against the security of, sometimes, a nation.

That’s often how we view stories about our personal data privacy and law enforcement’s ongoing desire to access it in times of trouble. When a Saudi Air Force officer shot and killed three Americans on a Florida Naval base, law enforcement was desperate to unlock the killer’s iPhones and, when they were unable, demanded Apple do it for them.

Apple reportedly refused but, in the meantime, had already turned over iCloud backups related to one of the phones. Apple was probably able to do this because it already helps consumers regain access to locked accounts when they forget their passwords, as long as they're using two-factor-authentication (2FA).

This ability to recover your iCloud account is a safety measure, designed to ensure Apple customers who forget their iCloud passwords don't permanently lose access to potentially years of data.

It's essentially a failsafe (or loophole) and one that a Reuters report on Tuesday appeared to indicate Apple was considering closing by offering “end-to-end encryption," which would mean not Apple or anyone else without the username and password could ever access encrypted accounts.

Reuters also reported that Apple approached the FBI two years ago to give them a heads up that it planned to close this loophole and the FBI asked them not to. As the Reuters story depicts it, Apple soon after decided to leave iCloud just as it is.

It was a startling story on many counts, but, as a long time Apple watcher and someone who has reported on, spoken to and interacted with Apple over the last 20 years, none of it rang entirely true.

Look, I don’t doubt Reuter’s reporting. I’m certain sources told them these things, but the report has led to a lot of unfounded consumer concerns, which I plan to break down.

So, our iClouds are not encrypted?

They most certainly are. As I read this story I remembered the whole iCloud “breach” mess of 2014, where someone gained access to a bunch of celebrity iCloud accounts and posted nude photos from those accounts all over the Internet. Many assumed a direct iCloud hack, but I can almost guarantee you that it was a bunch of bad security on the users’ side (or people who managed accounts for them). Still, that incident prompted a closer look at iCloud security.

Here’s my problem with this narrative. Apple does not sit down with people and map out specific feature and product updates years (or even months) in advance.

Even six years ago, your iCloud accounts were fully encrypted on Apple’s servers and while the data is in transit between your iPhone and your iCloud account with at least 128-bit AES encryption. The only thing that’s not encrypted on Apple’s servers is some IMAP email.

Sometimes encryption isn’t enough, right?

True, because if you have someone’s username and password, you can still access all that iCloud data as if you were the original user. Well, you could before iOS 9.

After the iCloud Breach Incident, Apple raised its security game in one crucial way: It enabled two factor authentication (2FA) in iOS 9 and macOS El Capitan. This means that if a new device tries to log into your iCloud account, they need a special 4-digit code that is sent to the original device, which Apple knows you own and should be in your hand. It’s effectively foolproof and has been adopted by 75% of iOS users.

Apple iCloud Security
Apple's current iCloud Encryption Table.  Apple

But Apple thought about changing this to protect us more and then didn’t

Here’s my problem with this narrative. Apple does not sit down with people and map out specific feature and product updates years (or even months) in advance. The idea that Apple would walk into the FBI and say, “Hey, we’re thinking about doing something you’ll hate,” does not ring accurate. Apple has leaks, just like every other major tech company, but it does not shout its plans from the rooftop or reveal strategic changes like this to anyone until either they happen or under embargo usually days or just hours before launch.

So, our data is less safe than before

I would say no. Your iCloud is still encrypted but if you lose your password, Apple can still help you recover your account. On the other hand, all signs point to Apple only increasing local device security in the near future (we’ll hear more at WWDC 2020 in June) and in the long term.

In particular, Apple’s focus on healthcare and developing technologies on devices you carry and wear, like your Apple Watch, that can monitor your health and catch health issues early means that protecting your data and privacy is only going to become more important as more health data moves onto our devices.

So, we’re all good and safe

As Apple says on its Privacy Page, it “has never created a backdoor or master key to any of our products or services. We have also never allowed any government direct access to Apple servers. And we never will.”

Law enforcement’s concern about the black box of encryption which as former FBI Director James Comey put it in a 2016 speech, “Child predators love it, organized criminals love it, terrorists love it,” isn’t going anywhere.

Even though the FBI hasn’t commented on the Reuters story, an article that describes their efforts to maintain access to this data when they need it probably helps their cause. The goal is securing our safety and that need inevitably comes at some expense to our privacy. That tension is unlikely to go away.

Overall, I think your iCloud data is, assuming you have a good password and use 2FA, as secure as ever, but if the FBI has a warrant access for access to your iCloud backup data (in the first six months of 2019, they received 3,619 account requests), Apple may supply it.