> But I agree with Ben Thompson's point in that blog post, that it's OK to not have strong, unbreakable encryption be the default, and that it's still possible to use an iPhone without iCloud and get full E2E.
I disagree completely on this. For one, users aren't aware that using iCloud means that Apple has your decryption key and can thereby read and share all of your phone's data.
And two, opt-out is a dark pattern. Particularly if you surround it with other hurdles, like long click-wrap and confusing UI, it's no longer a fair choice, but psychological manipulation to have users concede and accept.
Third, as it's hinted, smarter criminals, the ones the FBI should actually worry about, will know to opt-out. So instead the vast majority of innocent users have their privacy violated in order to help authorities catch "dumb" criminals who could have very well been caught through countless other avenues.
disclaimer: I just read Bruce Schneier's "Click Here To Kill Everybody" after the pipeline ransomware attack, and these points come straight from it.
I agree. If Apple wants to go this route, they should abstain from pushing the user towards using iCloud as they currently do, and instead just present a clear opt-in choice.
"Do you want to enable iCloud photos? Your private photos will be uploaded encrypted to Apple's servers, so that only you can access them. Before uploading, your photos will be locally scanned on your device for any illegal content. Apple will only be notified once a sufficient volume of illegal content is detected."
They moved away from the TimeCapsule model. If they were really committed to privacy there would be a small box you can put in your closet that provides iCloud storage functionality.
> Your private photos will be uploaded encrypted to Apple's servers, so that only you can access them.
This would be a large change from the way it works today, where Apple can view your iCloud photos. They’ve not made any statements indicating that is going to change.
I don't see any reason to implement CSAM scanning on-device as opposed to doing it on the server if it wasn't to switch to a model where the server doesn't have access to the data.
Indeed, up until reading these comments I had no idea that iCloud wasn’t encrypted.
Everything about Apple's messaging makes you believe otherwise. That seems pretty disingenuous.
Then again, 99% of consumers have very little choice that doesn't include hurdles and complicated setup. We all get the same moon goo, under different brands.
> Indeed, up until reading these comments I had no idea that iCloud wasn’t encrypted.
iCloud data is encrypted at rest (edit: except for Mail apparently). The type of encryption (service or end-to-end [E2E]) is specified here: https://support.apple.com/en-us/HT202303
It can be argued that from a user's viewpoint not having E2E encryption is tantamount to not having encryption at all, but from a technical standpoint the data is encrypted.
It's encrypted at rest, but Apple has the decryption keys, and will give up your customer data when asked to by the government[1]. Also, iCloud photos are not encrypted[2].
They are encrypted at rest. This protects from someone hacking in to Apple, getting the data on disk but somehow not getting the keys, which Apple also possesses.
Apple (and thus, LEO) absolutely can look at your photos on iCloud. What you are missing is that "encrypted at rest" is essentially "not encrypted in any meaningful way".
This is more from Schneier's book, but I would say the most important reason E2E encryption should be the default is that in the event of a data breach, nothing would be lost. If a company's servers are hacked, they'd have access to the symmetrical encryption keys, and therefore all of the data. It also ensures that the company can't be selling/sharing your data, as they don't have access to it in the first place.
Edit: I also meant iCloud backups in my original post and how Apple can decrypt your E2E encrypted iMessages with the key the backups contain. But I posted it last night and couldn't edit it once I caught the error. It would be amazing for other iCloud services to have E2E encryption so long as the implications of iCloud backups having your encryption keys is stated front and center when choosing to opt-in.
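The breach scenario described in this comment, as an added example that is not from the thread or from Apple: a constructed comparison of "encrypted at rest with a provider-held key" against E2E with a key derived on the device, showing what an intruder who copies the provider's storage gets in each model. The cipher is a stdlib-only HMAC-SHA256 counter-mode toy with encrypt-then-MAC, not any real iCloud scheme, and all class and user names are assumptions.

```python
import hashlib
import hmac
import secrets

def _subkey(key, label):
    return hashlib.sha256(key + label).digest()

def _keystream(enc_key, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real stream cipher
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    # encrypt-then-MAC with separate sub-keys; output = nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

class ServerHeldKeyStorage:
    """'Encrypted at rest': the provider generates the key and keeps it next to the data (constructed model)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.store = {}
    def upload(self, user, data):
        self.store[user] = encrypt(self.key, data)
    def breach(self):
        # an intruder who can read the disks can read the key store too, so every blob decrypts
        return {u: decrypt(self.key, c) for u, c in self.store.items()}

class EndToEndStorage:
    """E2E: the key is derived on the device from a user secret the server never sees (constructed model)."""
    def __init__(self):
        self.store = {}
    @staticmethod
    def device_key(passphrase, salt):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    def upload(self, user, passphrase, data):
        salt = secrets.token_bytes(16)
        self.store[user] = (salt, encrypt(self.device_key(passphrase, salt), data))
    def download(self, user, passphrase):
        salt, blob = self.store[user]
        return decrypt(self.device_key(passphrase, salt), blob)
    def breach(self):
        return dict(self.store)  # salts and ciphertext only: nothing on the server can decrypt them
```

The flip side that the thread's later comments raise is visible in `EndToEndStorage.download`: a forgotten passphrase fails the tag check exactly like an attacker's guess would, and the provider holds nothing that could help.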
What are the advantages of having unencrypted cloud backups? The only advantage is that authoritarian governments can better control their citizens. Apple is playing on the side of dictators instead of protecting their users.
As someone who frequently has to help older family members recover from lost passwords and broken phones, I sincerely hope they leave strong encryption of backups to be "opt out".
It's fine if you know you want to be the sole person in the world who can get to your data and have the discipline to store master passwords, and you accept Apple support cannot help you even if you have a purchase receipt for the device. But for the average older person that's not a good default.
> help older family members recover from lost passwords and broken phones,
Apple just needs to design good UX to help these people.
Perhaps a large cardboard 'key' comes with every phone. When first setting up the phone, you scan a QR code on it to encrypt your data with the key, and then you tell the owner that if they ever lose the key to their phone, they won't be able to get in again.
People understand that - it's like losing the only key to a safe.
From time to time you require them to rescan the key to verify they haven't lost it, and if they have, let them generate a new one.
Well if the alternative is the current situation where Apple has access anyway, a key that Apple may know is still a better idea.
For even better security they can instead provide an NFC smartcard or hybrid NFC + USB (like a Yubikey) where the key is stored in hardware and can't be extracted.
Far easier to develop a culture of using something physical like yubikeys - over flimsy cardboard QR codes. The key metaphor makes a lot more sense that way, too.
So you are suggesting making everyone's life more cumbersome, with the very likely potential of losing all the data on your phone because you lost a piece of cardboard or forgot a key, for which benefit exactly? Being hypothetically safe from government scrutiny concerning information they could get a dozen other ways?
I really like E2E encryption of messages with proper backups on my end. It's good to know the carrier of my messages can't scan them for advertising purpose. But for my phone if I know there is no way to easily get the data back if I have an issue that seems like a major hassle with very little upsides.
I dunno, when I read the choices in iTunes about backups, I didn't feel particularly manipulated. It seemed straightforward. Trade-offs were clear to me.
I guess some people just see dark patterns where I don’t.
The least of the biases at play, here, is the change aversion bias.
Making things "opt-out", without even making it hard, dramatically increases the number of people who opt-in. It can be used for many reasons.
For example, the UK switched its organ donation laws from opt-in to opt-out.
Another example, my government has decided that them selling their citizen's personal information to garages, insurance companies, etc, when we buy cars, should also be opt-out.
So they freely sell the car make, acquisition date, buyer's name,… [1][2]
Unless it has changed with GDPR. I’ve never bought a car.
While we're on the topic of GDPR, that is exactly why it insists on making cookies, tracking, and the "sharing of information with partners" opt-in.
And that is without hiding what you’re doing, making it unclear or confusing, or requiring multiple actions to change it.
Because you only have to express it for it to be respected.
Which is the bare minimum if you want others to be able to even consider respecting it.
The default choice being, in the absence of any information, the one that increases chances of survival of actually living humans doesn’t seem misguided to me.
——
If you want compulsory and overreaching (although not necessarily bad. Got no opinion on that aspect) rules, over here we:
- can’t disinherit a descendant. The state decides the minimum each one of your genetic or legal relatives can get from your assets
- have to financially support our adult children until an arbitrary time decided by the law
- have to support and assist our parents and grand-parents if they can’t provide for themselves
- basically can be legally compelled to financially assist any ascendant or descendant
- may end up having to pay up after a divorce, even if you had an iron-clad contract, to compensate for the loss of QoL of the spouse with a lesser income
Because you only have to express it for it to be respected.
... and if you do not know that an opt-out is required to not have your organs removed, then how can it be said that you have willingly contributed them. And if your organs are removed by default, without you actually willing that this be the case, then how can this practice be called "donation"?
So instead, shall we call it "organ retrieval", "organ harvesting" and so on? All rather ugly words. But when the words that accurately describe what you are doing appear ugly, instead of looking for words which inaccurately describe what you are doing, perhaps you should ask yourself if you should be doing what you are doing.
so, basically your only problem is that the possibility of opt-out may not be adequately communicated? and, i think everyone would agree that changing the law but not telling anyone would be bad and wrong. but, spoiler alert, that didn't happen. and if we found someone who could or did not understand, the default would be to not use their organs.
They're dead, so it's often a bit tricky to find out. What you could do is have some way of recording that people have been told about the opt-out, then they could carry a card around with them that says "I have been informed of the opt-out and choose not to, please take my organs". Only take the organs if they are carrying such a card.
And I'd be interested to know of the percentage of UK adults who are aware of the opt-out. I had a search around but couldn't find any surveys, are you aware of any?
good question. every household got a big blue envelope with large print writing in it saying something like 'important information about organ donation changes' (or similar, can't find my copy now) and a pamphlet inside. like i said, this was sent to every household, so it does miss the homeless, illiterate and non english speakers (although the pamphlet had instructions in other languages explaining how to access more information) and there were press, radio, tv, internet and outdoor adverts, as i recall. i mean, only covid-19 health information dissemination has been more extensive recently. but, you're right, would be interesting to know how effective the campaign was, and im sure they checked, since it cost a fair bit of public money, so the information should be available somewhere online...
There’s a reason why they strongly encourage people to make their preference clearly known to family & friends.
Because most often, when there's even the sliver of a doubt on the deceased one's wishes, the corpse will keep all its organs to the grave / incinerator.