The Privacy Problems With iCloud

Jan 21, 2020 | Privacy

I recently went all-in on the Apple ecosystem, replacing my laptop with a MacBook and my primary computer with an iMac. As such, it made sense for me to switch from Chrome to Safari, but more importantly, I switched from Google Drive to iCloud Drive because the latter is much better integrated into the OS.

The transition was painless and much simpler than I expected; I simply downloaded a few folders from my Google Drive and copied them over to my iCloud Drive, which has its own option built right into Finder. All of my Google Documents were converted to .docx files, which Pages can open without any problems, although I still ended up installing LibreOffice and using that instead. Regardless of which word processor I decide to use, however, I still face the same problem: I’m relying on Apple to keep all of the data in my documents confidential, which I have a problem with.

Apple’s Pro-privacy View Starts And Ends With Your Device

I trust all of my physical Apple products, such as my iPhone and Macs, with keeping the data stored on them secure. I can trust those because Apple can’t access the data stored on them even if they wanted to, which means no one else can coerce Apple into giving them the data. iOS devices are encrypted by default, but you’ll need to enable FileVault on macOS if you want your data to be encrypted with a password. This encryption prevents anyone who doesn’t have the password from accessing your data, or at least easily accessing it; despite Apple’s best efforts, security bugs are still a thing.

iCloud, however, is a different story. Here, they don’t even try, and only a few of their services offer end-to-end encryption:

  • Home data
  • Health data
  • iCloud keychain
  • Payment information
  • QuickType Keyboard learned vocabulary
  • Screen time
  • Siri information
  • Wi-Fi passwords

End-to-end encryption is important because it means that only you can decrypt the information, regardless of where it’s being stored. So, even though your keychain, for example, is stored on Apple’s servers, they can’t read it because they don’t have the key; only you do. What Apple does use end-to-end encryption for, they do extremely well and seamlessly, which really makes me wonder why they don’t use it for more services, such as your photos and iCloud Drive.

Backups

One of the more concerning things Apple doesn’t use end-to-end encryption for is backups. It doesn’t matter how well Apple encrypts everything on your iPhone if someone could just hack into iCloud and get all of the data themselves. In fact, I think it’s more important for backups to be encrypted than your actual phone, since a hacker would at least need physical access to your phone to extract whatever they wanted.

On the cloud, however, hackers don’t even need that; all they need is to find out how to pretend they’re you well enough to get into iCloud, and all of your data is now theirs. In all fairness to Apple, having things this way ensures that their users can still access their data if they need to reset their password, but I don’t see why there isn’t at least an option to enable end-to-end encryption for those of us that understand the risks.

The most annoying thing about the current situation is that Apple did intend to fix it in 2018, but didn’t end up doing so due to concerns by the FBI that it would hinder their ability to carry out certain investigations. While this is a valid point, and a large part of the encryption backdoor debate, it’s more than a little unnerving that Apple complied with more than 90% of requests to thousands of accounts in the first half of 2019 alone.

Photos

This I really don’t get, as it’s just asking for trouble. All of the nude celebrity leaks that happened could have easily been prevented if Apple had implemented end-to-end encryption for photos stored in iCloud. There’s no good reason I can think of for Apple to have access to all of your photos. In fact, they already have a system for securely storing photos with end-to-end encryption: it’s called iMessage.

When you send someone a photo via iMessage, it’s sent using end-to-end encryption, so only you and the recipient can read it (although, once again, Apple keeps the keys if you use iCloud Backup). The reason they don’t just apply the same end-to-end encryption technique to all photos you take is either Apple being lazy, or a “convenience” feature in the event that you happen to break your iPhone, have no other backups, and forget your iCloud password all in the same day.

iCloud Drive

This is what annoys me most; Apple has access to everything you put on iCloud Drive, unless you’ve encrypted it yourself prior to saving it. While this probably isn’t too problematic for you, unless you’re storing your passwords in a Pages document or something, it would be nice to at least have an option to enable end-to-end encryption. Doing so with cloud storage is possible, and has already been implemented by self-hosted solutions (e.g. Nextcloud and Seafile) as well as a few other services (e.g. Tresorit).
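
Encrypting a file yourself before it lands in iCloud Drive can be done with a short shell wrapper around OpenSSL. This is an added example, not part of the original post; it assumes OpenSSL 1.1.1 or later, and `seal`, `unseal` and `SEAL_PASSPHRASE` are hypothetical names.

```shell
#!/bin/sh
# Added example: encrypt locally so only ciphertext reaches the synced folder.
# Assumes OpenSSL 1.1.1+ on PATH. seal, unseal and SEAL_PASSPHRASE are
# hypothetical names; SEAL_PASSPHRASE must be exported so openssl can read it.
# Typical iCloud Drive folder on macOS:
#   "$HOME/Library/Mobile Documents/com~apple~CloudDocs"

SEAL_ITER=600000   # PBKDF2-HMAC-SHA256 rounds used to stretch the passphrase

# seal <plaintext-file> <sync-dir>
# Writes <sync-dir>/<name>.enc and prints its path. The plaintext stays put.
seal() {
    [ -n "${SEAL_PASSPHRASE:-}" ] || { echo "SEAL_PASSPHRASE not set" >&2; return 2; }
    dest="$2/$(basename "$1").enc"
    # -salt picks a fresh random salt per file and stores it in the header.
    openssl enc -aes-256-cbc -pbkdf2 -iter "$SEAL_ITER" -md sha256 -salt \
        -pass env:SEAL_PASSPHRASE -in "$1" -out "$dest" \
        || { rm -f "$dest"; return 1; }
    printf '%s\n' "$dest"
}

# unseal <encrypted-file> <output-file>
# Decrypts with the same parameters; removes the output if decryption fails.
unseal() {
    [ -n "${SEAL_PASSPHRASE:-}" ] || { echo "SEAL_PASSPHRASE not set" >&2; return 2; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$SEAL_ITER" -md sha256 \
        -pass env:SEAL_PASSPHRASE -in "$1" -out "$2" 2>/dev/null \
        || { rm -f "$2"; return 1; }
}

# Note: openssl enc gives confidentiality only (AES-256-CBC, no MAC), so it
# hides content from the storage provider but does not detect tampering.
```

The storage provider only ever sees the `.enc` file; the passphrase never leaves the machine, so losing it means losing the file.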

The biggest problem with Apple not using end-to-end encryption for things like backups, photos, and iCloud Drive is that in many cases, iCloud is either the only option or the only good option. Sure, you could use another service that does use end-to-end encryption for your photos and possibly even to replace iCloud Drive, but none of them are as seamless as iCloud. Additionally, the only way to create a complete backup of your phone is either through iCloud or iTunes, the latter of which likely hasn’t been used by anyone for a long, long time.
