Apple expands end-to-end encryption to iCloud backup, Photos

Apple has announced new security features that would enhance user privacy and protect most iCloud data from cyberattackers and the prying eyes of law enforcement agencies. Apple said late on Wednesday that it is expanding the end-to-end encryption capability of iCloud to 23 sensitive data categories from the current 14. The new additions include iCloud backup, Photos, and Notes, which have a lot of sensitive personal user data.  

Apple also announced a new iMessage Contact key verification feature. Though communication in iMessage is already protected by end-to-end encryption, this new feature will allow users to verify a contact before starting a chat. Apple claims that if advanced spywaremanages to breach cloud servers and eavesdrop on these encrypted communications, users at both ends will be alerted. This is aimed at journalists and human rights activists who are frequently targeted by states with spyware. This feature will roll out globally sometime in 2023. 

Apple is also expanding its two-factor authentication capability and will now allow users to use third-party hardware security keys to provide an extra layer of security to their Apple accounts. It will be available globally early next year. 

“Our security teams work tirelessly to keep users’ data safe, and with iMessage Contact Key Verification, Security Keys, and Advanced Data Protection for iCloud, users will have three powerful new tools to further protect their most sensitive data and communications,” Craig Federighi, senior vice president of Software Engineering at Apple, said in a blog post.  

The end-to-end encryption for iCloud is an optional feature and can be enabled by turning on iCloud’s Advanced Data Protection button, which is currently available only in the US to those users who have signed up for Apple’s Beta Software Program. Apple said it is planning a rollout to all users in the US by the end of the year and in other countries by early next year.  

“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices,” added Ivan Krstić, head of Security Engineering and Architecture at Apple.  

This means that Apple also cannot access the encrypted data even if it is asked to furnish it by law enforcement agencies. In India, the government has assured companies last year they do not want them to break end-to-end encryption but some of the new rules require them to comply with information requests by law enforcement agencies.  

Apple isn’t the only cloud storage provider that allows users to encrypt data. Google also claims that all files uploaded to Drive or created in Docs are encrypted in transit and in storage with AES256-bit encryption. 

The growing need to protect the cloud data of users with end-to-end encryption stems from the growing cyberattacks targeting user data on cloud platforms. A case in point is the recent phishing attack on Dropbox. In a blog post, published last month, Dropbox said that it was hit by a phishing attack that compromised some of the code stored in GitHub, but its impact on customers was minimal. 

According to an October report by Surfshark, 108.9 million accounts were breached globally in the September quarter, which was 70% more than the June quarter. Around 14 accounts were leaked every second as compared to 8 per second in the June quarter.