iMessage Contact Key Verification, Security Keys for Apple ID, and Advanced Data Protection for iCloud provide users with important new tools to protect their most sensitive data and communications

Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data. With iMessage Contact Key Verification, users can verify they are communicating only with whom they intend. With Security Keys for Apple ID, users have the choice to require a physical security key to sign in to their Apple ID account. And with Advanced Data Protection for iCloud, which uses end-to-end encryption to provide Apple’s highest level of cloud data security, users have the choice to further protect important iCloud data, including iCloud Backup, Photos, Notes, and more.

As threats to user data become increasingly sophisticated and complex, these new features join a suite of other protections that make Apple products the most secure on the market: from the security built directly into our custom chips with best-in-class device encryption and data protections, to features like Lockdown Mode, which offers an extreme, optional level of security for users such as journalists, human rights activists, and diplomats. Apple is committed to strengthening both device and cloud security, and to adding new protections over time.

“At Apple, we are unwavering in our commitment to provide our users with the best data security in the world. We constantly identify and mitigate emerging threats to their personal data on device and in the cloud,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “Our security teams work tirelessly to keep users’ data safe, and with iMessage Contact Key Verification, Security Keys, and Advanced Data Protection for iCloud, users will have three powerful new tools to further protect their most sensitive data and communications.”

iMessage Contact Key Verification

Apple pioneered the use of end-to-end encryption in consumer communication services with the launch of iMessage, so that messages could only be read by the sender and recipients. FaceTime has also used encryption since launch to keep conversations private and secure. Now with iMessage Contact Key Verification, users who face extraordinary digital threats — such as journalists, human rights activists, and members of government — can choose to further verify that they are messaging only with the people they intend. The vast majority of users will never be targeted by highly sophisticated cyberattacks, but the feature provides an important additional layer of security for those who might be. Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed in breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications. And for even higher security, iMessage Contact Key Verification users can compare a Contact Verification Code in person, on FaceTime, or through another secure call.

iMessage Contact Key Verification on iPhone 14 Pro.

Security Keys

Apple introduced two-factor authentication for Apple ID in 2015. Today, with more than 95 percent of active iCloud accounts using this protection, it is the most widely used two-factor account security system in the world that we’re aware of. Now with Security Keys, users will have the choice to make use of third-party hardware security keys to enhance this protection. This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government. For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors. This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam.

Two-factor authentication using Security Keys for Apple ID on iPhone 14 Pro.

Advanced Data Protection for iCloud

For years, Apple has offered industry-leading data security on its devices with Data Protection, the sophisticated file encryption system built into iPhone, iPad, and Mac. “Apple makes the most secure mobile devices on the market. And now, we are building on that powerful foundation,” said Ivan Krstić, Apple’s head of Security Engineering and Architecture. “Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.” For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud.

iCloud already protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos. The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.

Enhanced security for users’ data in the cloud is more urgently needed than ever before, as demonstrated in a new summary of data breach research, “The Rising Threat to Consumer Data in the Cloud,” published today. Experts say the total number of data breaches more than tripled between 2013 and 2021, exposing 1.1 billion personal records across the globe in 2021 alone. Increasingly, companies across the technology industry are addressing this growing threat by implementing end-to-end encryption in their offerings.

Advanced Data Protection for iCloud on iPhone 14 Pro.

Availability

  • iMessage Contact Key Verification will be available globally in 2023.
  • Security Keys for Apple ID will be available globally in early 2023.
  • Advanced Data Protection for iCloud is available in the US today for members of the Apple Beta Software Program, and will be available to US users by the end of the year. The feature will start rolling out to the rest of the world in early 2023.
  • A complete technical overview of the optional security enhancements offered by Advanced Data Protection can be found in our Platform Security Guide, along with the data breach research “The Rising Threat to Consumer Data in the Cloud” by Dr. Stuart Madnick, professor emeritus at MIT Sloan School of Management.
Apple advances user security with powerful new data protections

FBI Calls End-to-End Encryption 'Deeply Concerning' as Privacy Groups Hail Apple's Advanced Data Protection as a Victory for Users

Apple yesterday announced that end-to-end encryption is coming to even more sensitive types of iCloud data, including device backups, messages, photos, and more, meeting the longstanding demand of both users and privacy groups who have rallied for the company to take the significant step forward in user privacy.



iCloud end-to-end encryption, or what Apple calls "Advanced Data Protection," encrypts users' data stored in iCloud, meaning only a trusted device can decrypt and read the data. iCloud data in accounts with Advanced Data Protection can only be read by a trusted device, not Apple, law enforcement, or government entities.

Following Apple's announcement, the Electronic Frontier Foundation (EFF), a group that has long called for Apple to enable end-to-end encryption and take more steps to safeguard user privacy, put out a statement applauding the new feature and Apple's renewed commitment to privacy.

We applaud Apple for listening to experts, child advocates, and users who want to protect their most sensitive data. Encryption is one of the most important tools we have for maintaining privacy and security online. That's why we included the demand that Apple let users encrypt iCloud backups in the Fix It Already campaign that we launched in 2019.

Meredith Whittaker, CEO of the popular encrypted messaging app Signal, said the decision by Apple to offer end-to-end encryption "is great." "There's been enough pressure and enough narrative work that they see the side of history forming. It's really incredible," Whittaker told The Washington Post.

The Surveillance Technology Oversight Project, or S.T.O.P., called Advanced Data Protection "essential and overdue." Despite the announcement, the group is "disappointed" that end-to-end encryption will require users to opt in and will not be enabled by default. Fox Cahn, the group's executive director, said, "it's good to see Apple's privacy protections catching up with its sales pitch, but making these protections opt-in will leave most users vulnerable."

For years, Apple has touted its privacy record while leaving its users vulnerable, particularly to police surveillance. Much of the data users store on iCloud is just a court order away from becoming a policing tool. With these changes, Apple will keep up with the privacy best practices that other companies have followed for years. But it's disappointing that users have to opt-in to many of these new protections, leaving the vast majority at risk.

Fight for the Future, another privacy-focused advocacy group, said on Twitter that Apple's announcement of end-to-end encryption makes the company's privacy-focused marketing a reality. "Apple's reputation as the pro-privacy tech company has long been at odds with the reality that iCloud backups aren't secured by end-to-end encryption. This news means people's personal messages, documents, and data will be secure from law enforcement, hackers, and Apple itself." The group is now calling upon Apple to implement RCS messaging on iPhone, a move the group says is a "non-negotiable next step."



While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it's "deeply concerned with the threat end-to-end and user-only-access encryption pose." Speaking generally about end-to-end encryption like Apple's Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests "lawful access by design."

"This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime, and terrorism," the bureau said in an emailed statement. "In this age of cybersecurity and demands for 'security by design,' the FBI and law enforcement partners need 'lawful access by design.'"

Former FBI official Sasha O'Connell also weighed in, telling The New York Times "it's great to see companies prioritizing security, but we have to keep in mind that there are trade-offs, and one that is often not considered is the impact it has on decreasing law enforcement access to digital evidence."

In January 2020, Reuters reported that Apple dropped plans to encrypt user data in iCloud at the behest of the FBI, which was concerned such a move would hinder investigations and its intelligence efforts. In an interview yesterday with The Wall Street Journal's Joanna Stern, Apple's vice president of software engineering, Craig Federighi, labeled the report as inaccurate. "I've heard that rumor, but I don't know where it came from."

In that same interview, Federighi said Apple "deeply appreciates the work of law enforcement and supports the work of law enforcement. We view that we really have the same mission at heart which is to keep people safe." Apple says that Advanced Data Protection will be available to all US users by the end of this year, with plans to launch globally in early 2023.
