"Apple Inc. is planning to significantly expand its data-encryption practices, a step that is likely to create tensions with law enforcement and governments around the world as the company continues to build new privacy protections for millions of iPhone users.
The expanded end-to-end encryption system, an optional feature called Advanced Data Protection, would keep most data secure that is stored in iCloud, an Apple service used by many of its users to store photos, back up their iPhones or save specific device data such as Notes and Messages. The data would be protected in the event that Apple is hacked, and it also wouldn't be accessible to law enforcement, even with a warrant.
While Apple has drawn attention in the past for being unable to help agencies such as the Federal Bureau of Investigation access data on its encrypted iPhones, it has been able to provide much of the data stored in iCloud backups upon a valid legal request. Last year, it responded to thousands of such requests in the U.S., according to the company.
With these new security enhancements, Apple would no longer have the technical ability to comply with certain law-enforcement requests such as for iCloud backups -- which could include iMessage chat logs and attachments and have been used in many investigations.
The company said the security enhancements, which were announced Wednesday, are designed to protect Apple customers from the most sophisticated attackers.
"As customers have put more and more of their personal information of their lives into their devices, these have become more and more the subject of attacks by advanced actors," Craig Federighi, Apple's senior vice president of software engineering, said in an interview.
Some of these actors are going to great lengths to get their hands on the private information of people they have targeted, he said.
The FBI said it was "deeply concerned with the threat end-to-end and user-only-access encryption pose," according to a statement provided by an agency spokeswoman. "This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism," the statement said. The FBI and law enforcement agencies need "lawful access by design," the statement said.
A spokesman for the Justice Department declined to comment.
Former Western law-enforcement and intelligence officials said they were surprised by Apple's decision in part because the company had refrained in the past from rolling out such encryption settings for iCloud. The officials said Apple would sometimes point authorities to the iCloud as a possible means of collecting information that could be useful for criminal investigations.
Ciaran Martin, former chief of the U.K.'s National Cyber Security Center, said the announcement by Apple could pose legal complications for the company in multiple democracies that in recent years have adopted or weighed restrictions on technology that can't be responsive to law-enforcement demands.
"Things will only be clearer when further technical details are given," Mr. Martin said. "But on the face of it, existing legislation in Australia and looming legislation in the U.K. would seem to give those governments the power to tell Apple in those countries effectively not to do this."
Last year, Apple proposed software for the iPhone that would identify child sexual-abuse material on the iPhone. Apple now says it has stopped development of the system, following criticism from privacy and security researchers who worried that the software could be misused by governments or hackers to gain access to sensitive information on the phone.
The new encryption system, which early users began testing Wednesday, will roll out as an option in the U.S. by year-end, and then worldwide including China in 2023, Mr. Federighi said.
"This development will prompt questions at home and abroad, including whether the government of China will really accept a loss of data access," said Sumon Dantiki, a former senior FBI and Justice Department official who worked on cyber investigations and is now a partner at the King & Spalding law firm. U.S. officials have long pointed to China's increasingly strict demands for access to data on companies that operate within its borders as a national-security concern.
In addition to Advanced Data Protection, Apple also is modifying its Messages app to make it harder for messages to be snooped on, and it will now allow users to log in to their Apple accounts with hardware-based security keys made by other companies such as Yubico.
Privacy groups have long called on Apple to strengthen encryption on its cloud servers. But because the Advanced Data Protection encryption keys will be controlled by users, the system will restrict Apple's ability to restore lost data.
To set up Advanced Data Protection, users will have to enable at least one data-recovery method. This could be a recovery key -- a long list of numbers and characters that users could print out and store in a secure location -- or the user could assign a friend or family member as a recovery contact.
Over the past two decades, businesses and consumers have moved much of their data off computer systems that they control and onto the cloud. That trend has made these cloud systems an attractive target for cyber intruders.
Mr. Federighi said that Apple isn't aware of any customer data being taken from iCloud by hackers but that the Advanced Data Protection system will make things harder for them. "All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems," he said. "We have to stay ahead of future attacks with new protections."
As Apple has locked down its systems, governments worldwide have become increasingly interested in the data stored on phones and cloud computers. That interest has led to friction between Apple and law-enforcement agencies, along with a growing market for iPhone hacking tools. In 2020, then-Attorney General William Barr pressured Apple for a way to crack the iPhone's encryption to help with a terror investigation into a shooting that killed three people at a Florida Navy base.
Advanced Data Protection will reduce the amount of iCloud information that Apple can provide to law-enforcement agencies, which frequently request iPhone data from Apple as part of their investigations. Apple received requests for information on 7,122 Apple accounts from U.S. authorities in the first six months of 2021, the last period for which the company has provided information.
Apple had already offered end-to-end encryption for some of its services, but the protection will now extend to 23 services, including iPhone backups and Photos. However, three services -- Mail, Contacts and Calendar -- won't qualify for Advanced Data Protection because they use older technology protocols, Mr. Federighi said.
Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe." [1]
1. Apple Beefs Up User Security, Risking Law Enforcement Ire
McMillan, Robert; Stern, Joanna; Volz, Dustin. Wall Street Journal, Eastern edition; New York, N.Y. [New York, N.Y]. 08 Dec 2022: A.1.