Skip to main content

Mossberg: The iCloud loophole

Mossberg: The iCloud loophole

/

Your iPhone may be nearly impermeable, but its online backup isn’t

Share this story

Photo by Bryan Thomas/Getty Images

Welcome to Mossberg, a weekly commentary and reviews column on The Verge and Re/code by veteran tech journalist Walt Mossberg, now an Executive Editor at The Verge and Editor at Large of Re/code.

Apple has drawn a line in the sand over keeping its customers’ iPhones encrypted and secure. It’s fighting the FBI in a California court over the Bureau’s demand that it create a special, weaker version of iOS that would make it easier for government computers to crack the passcode on a phone and thus reveal its contents. This week, the company won a big victory when a federal judge in New York strongly upheld its objections in a similar case. But the battle is far from over and is likely to be settled in either the Supreme Court or Congress.

The special software sought by the FBI — which Apple, with its marketing flair, is calling "GovtOS" — is, in essence, a backdoor to the encrypted phone, because the passcode is the user’s encryption key, and Apple has deliberately designed the iPhone so the company itself lacks any other key to decrypt it.

the battle is far from over

Even before the court order in California ignited the current fight, I opposed the idea of any encryption backdoor on grounds that it could also help criminals and repressive foreign governments. And I stand with Apple in its dispute with the FBI over the demand for special passcode-cracking software, for the same reasons.

The iCloud loophole

But there’s an exception, a loophole, in Apple’s unyielding stance on privacy and encryption: its iCloud service, and, specifically, iCloud Backup — the convenient and comforting automatic way in which iPhones and iPads back themselves up to the cloud daily.

Unlike the iPhone hardware itself, Apple retains the ability to decrypt most of what’s in an iCloud backup. And the company on occasion turns the contents of iCloud backups over to the FBI and other law enforcement agencies when a proper legal warrant or court order is presented.

Apple says a fresh iCloud backup would have given the FBI what it needed

In fact, in the California case, which involved an iPhone used by a terrorist in a horrific mass shooting, Apple gave the FBI the last iCloud backup it had for the phone, which was made about six weeks before the attack. It has said that a fresh iCloud backup would have given the FBI what it needed (it turned out that, due to a password change by local authorities, a fresh backup wasn’t possible. The FBI disputes that the backup would have been sufficient.)

Not only that, but if you use other companies’ cloud services on your Apple device, anything you store on most of them as well may either be unencrypted or subject to decryption by keys the provider holds.

And all cloud services are potentially vulnerable to things like phishing attacks, password-reset tricks, and of course major hacks and attacks. For instance, celebrity nude photos stored on iCloud were leaked via a targeted attack on user credentials in 2014, even though Apple denied the attack involved a "breach" of iCloud. And too few people use two-factor authentication, offered by Apple and many others, which adds an extra layer of security.

One solution to maximizing your security: back up your iPhone locally.

Two different approaches

Why does Apple treat iCloud differently from the phone itself?

According to an Apple official familiar with the company’s philosophy on privacy, Apple sees the privacy and security issues with the phone itself as being different from those surrounding iCloud.

a key purpose of iCloud is restoring data

The company says its security policies for the phone are based on the fact that it’s a physical object that can be lost or stolen, so the need to protect the mass of personal data a typical iPhone contains compels the strongest possible measures.

However, in the case of iCloud, while security must also be strong, Apple says it must leave itself the ability to help the user restore their data, since that’s a key purpose of the service. This difference also helps dictate Apple’s response to law enforcement requests. The company’s position is that it will provide whatever relevant information it has to government agencies with proper, legal requests. However, it says, it doesn’t have the information needed to open a passcode-protected iPhone, so it has nothing to give. In the case of iCloud backups, however, it can access the information, so it can comply.

It’s not just Apple

This isn’t so different from the position of some other companies. I asked a Google spokesman, Aaron Stein, if Google can turn over a user’s data from Gmail, Google Drive, Google Docs, and Google Calendar. He emailed: "We are able to comply with valid legal requests [for] data in Gmail, Drive, Docs [and] Calendar." In a further email, he elaborated: "If we get a valid legal request from law enforcement (for example, a warrant), we're able to decrypt this data and provide it. In other words, Google retains a 'key.'" But, he added, echoing Apple: "That's to be distinguished from a full-device encrypted Android phone, for example. Even if we get a valid legal request in that case, we're not able to remove data that is stored locally on that device and provide it. Only the device owner has a key; Google doesn't."

And Dropbox states: "Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that's the rare exception, not the rule."

What’s in a backup?

What exactly is in an iCloud backup? In an interview with ABC News, Apple CEO Tim Cook said "you can think of it as making a picture of almost everything on the phone — not everything, but almost everything."

According to the company, some things aren’t included in iCloud backups because it’s assumed the user can easily restore them via other means. These things include email stored on servers and cached content that can be easily restored, like books stored by the Amazon Kindle app.

any iMessages and texts stored on the device are backed up and can be decrypted

In a few other cases, information in iCloud backups is considered so sensitive that, like information on the phone itself, Apple includes it but can’t decrypt it. Such things include Wi-Fi passwords, Apple Keychains (encrypted collections of passwords) and passwords for third-party services.

But, in general, an iCloud backup is, as Mr. Cook says, a good picture of what the phone contains. For instance, any iMessages and texts stored on the device are backed up and can be decrypted. (This only refers to messages you save on the phone, not those in transit or "at rest" on the end server. Apple can’t get your texts if you delete them before a backup.)

I don’t want to give the impression that Apple turns over iCloud backup data to governments frequently or casually. Apple’s published explainer on government data requests says only 6 percent of them were related to account information, versus stolen phones. It adds that "Not only are a minuscule number of accounts actually affected by information requests, but our stringent review meant Apple only disclosed content in response to 27 percent of the total US account requests we received during the period from July 1st, 2014 to June 30th, 2015."

Solution: go old-school

But what if you’d rather not trust Apple with your backup, for any reason? You can take your iPhone’s backup out of Apple’s hands, by doing it the old-fashioned way, via a cable and a Mac or PC.

As most of you know, you can back up an iPhone or iPad locally, to your own computer, using Apple’s iTunes program. In fact, that was the only way to back up your iPhone before Apple introduced iCloud Backup in iOS 5 in 2011. It was originally introduced with the iPod many years before.

using a local backup won’t totally shield your data from a legitimate law enforcement request

This method is clumsy, slow, and requires you to remember to use it. But it still works. You can even opt to encrypt this local backup. And it keeps the contents of your phone available for restoring, but out of the cloud and out of Apple’s control.

Of course, using a local backup won’t and shouldn’t shield your data from a legitimate US law enforcement request. The government would just have to serve its papers on you, instead of Apple. And I am in no way advocating any solution that would evade a properly executed court order.

But there’s no doubt that iCloud backups, and other cloud services, while convenient, aren’t as secure as the latest iPhones are. So this might be a good time to review your use of iCloud and other cloud services, and reconsider your own balance of convenience, security and privacy. And you should definitely turn on two-factor authentication.