E2E encrypted communication can be used for nefarious things, that’s a fact. But it’s something that needs to be standardized because the accessibility of any and all private communication or information to so few individuals can be used so much more nefariously. Really wish people were more concerned about data privacy. It’s not about how your data will be use against you… It’s about how OUR data is used against US.
Good. Despite all the mistakes they make, at least Apple seems to be willing to learn from some of ‘em and stand up for their users (even if only a little).
deleted by creator
Are the icloud messages stored in plain text?
deleted by creator
No, they’re encrypted. But Apple stores a copy of your key because most people forget their Apple password at some point (usually after they’ve wiped their phone and are setting up a new one) and need Apple to reset their password/re-enable their encryption key on the new device.
Huh the more you know…
Also know that if you still want iCloud backups but want everything stored encrypted you can enable “Advanced data protection” which means that Apple doesn’t store the encryption key, you do need to setup a recovery method such as a recovery key or recovery contact however if you lose your device and recovery method your data is forever lost and Apple can’t help you like it can in standard data protection mode.
Also note certain sensitive categories such a health and passwords are always encrypted as it’s determined it’s worse for someone else to get access to that data then it is for the user to lose it meanwhile generally a user losing their photos and messages if they forget their password is worse then if a hacker resets the password and gets access.
Isn’t e2ee messaging intended to encrypt data transfer between devices, not provide global security? The default iCloud backups are still encrypted, but the key is stored/recoverable by Apple. This is the ideal sort of encryption for 99%* of the population. For the 1%, an option to forego the Apple stored key is an option.
* yes, I made that number up. I will stand by it.
If you did a random survey of users if they want a secure backup, e2ee encrypted, they will say yes. Overwhelmingly. But if you ask the question based on the outcome of a forgotten password: “If you lose or damage your phone and have forgotten your Apple account password, would you like all of your iCloud photos, messages, emails, contacts, and documents to be instantly destroyed and unrecoverable or should Apple be able to restore everything if you can prove it’s your account?” they will almost certainly choose the latter.
If a user wants more protections there is “Advanced Data Protection” which fully encrypts all iCloud data however Apple knows you might lose your password or something so they require a recovery method before turning it on and make sure you know Apple won’t be able to help you if you lose your password and recovery method.
Also for certain sensitive data such as health data or passwords full end to end encryption is enabled even in standard mode as it’s determined it’s worse for someone else to get access to that data then it is for you to lose it where as generally losing your photos are worse then someone else getting access to them.
deleted by creator
Well yeah, even if they aren’t good at it and are of hypocritical about it, appearing to believe the “what happens on iPhone stays on iPhone” philosophy is important to them.
I wouldn’t say they’re hypocritical. I was in complete shock that they actually scrapped their iPhone scanning plans and now offer E2E for most of iCloud. They aren’t perfect but they definitely are better than most companies
Yeaaaaah maybe read up on some of the E2E stuff. Someone else at the top of this post posted a link to how it works.
It’s generally a question about what’s best for the user, your general user would likely be more mad losing all their messages because they forgot their password then they are calmed by the fact that no one else can read the data. Same for photos and files, however for sensitive categories such as health and passwords they are always end to end encrypted as it’s determined it’s worse for anyone else to get that data then it is for the user to lose it.
For anyone that truly cares to have complete encryption there is advanced data protection but for the general users the defaults are a good balance between security and ease of use.
Yeah, all of that is true. But people who buy iPhones and assume, because the marketing said so, that they’re perfectly secure are worryingly ignorant.
Yeah but his point stands. Here’s the summary:
- If you’re syncing iMessages via iCloud but don’t use iCloud backup without Advanced Data Protection, it’s E2E
- If you have iCloud backup enabled without Advanced Data Protection enabled, iMessage isn’t E2E encrypted
- If you have Advanced Data Protection turned on for iCloud and you’re using iCloud backup, iMessage is E2E encrypted however you look at it.
It’s generally good practice to not use iCloud backups but rather back it up yourself, however, most people don’t care enough.
Cool. Now explain that to the average user.
I think law enforcement should be able to intercept messages on services like WhatsApp, if someone is suspected of criminal activity.
Is it right for criminals to be able to share child abuse material, or plans for terrorism, over something like WhatsApp? Without law enforcement being able to intercept these messages?
I think law enforcement can break into your home if they have a court warrant, right? So why not allow the same thing with electronic communications?
It’s simple.
If it’s possible for WhatsApp to intercept the communications of “bad people” for law enforcement, it’s fundamentally impossible for any communication to be private. The existence of a back door is automatically a gaping security flaw.
There’s no such thing as “securely intercepting” messages. Either they’re secure against all actors or they’re not secure.
Maybe it’s worth having that security hole then. I think it’s a bit crazy that terrorists or child abusers can plan their crimes using WhatsApp without the police being able to intercept their messages.
Also, if we’re able to contact our banks over the internet securely (and obviously the bank can still see everything about our accounts if they want, while criminals hopefully won’t be able to), then surely an equivalent should be possible for things like WhatsApp.
Ok so basic question you should be able to answer then how do you stop a foreign government from spying on other countries citizens? WhatsApp is not just a western world app. For example it’s used in Russia and the US and the UK so if Putin went to Meta and said “I want everything you have on Ex prime minister of the United Kingdom Boris Johnson and you can’t tell them” what reason would meta have to deny his request if the precedent by the UK is that this data needs to have a back door and if you say then the user should be notified then anyone under investigation is just not going to say anything incriminating and if it includes old messages then you risk the political espionage if anything is shared under the assumption everything is end to end encrypted. What about trade secrets, a corrupt government official could get a companies trade secrets for a business friend from anywhere in the world.
There is a great video by Tom Scott that talks about this exact situation when the UK tried to break encryption 5 years ago but that failed because it wasn’t feasible from a security standpoint. There is also a great episode from Last Week Tonight talking about encryption and government attempts to get around it. We’ve seen from things like the Pegasus malware that repressive governments will use this little break in encryption to jail protestors and journalists and spy on their political rivals, having an official way will just make it easier.
I think law enforcement can break into your home if they have a court warrant, right? So why not allow the same thing with electronic communications?
For me, the reason to disallow it is the potential for abuse. There were 864 search warrant applications across all federal agencies in 2022. In 2020, the FBI, specifically, issued 11504 warrants to Google, specifically, for geofencing data, specifically. Across all agencies there are probably millions of such “warrants” for data.
It’s far easier to access your data than your house, so comparing physical and cybersecurity doesn’t really make sense.
In general, criminals can easily just move to an uncompromised platform to do illegal stuff. But giving the govt easy access to messaging data allows for all kinds of dystopic suppression for regular people.
Generally tech companies now have agreements with law enforcement so they don’t have to deal with all the legal mumbo jumbo. Some data does still require a warrant such as if there is any protection laws(such as HIPAA protected data) or if the company considers it highly sensitive data but for a lot of data it’s easier to just hand it over then get legal involved.
