Apple using iCloud to negate the benefits of encryption
Apple has been gaining steady applause for its introduction of making their products encrypt data by default. So much so, that even law enforcement cannot extradite any data from the device even with a warrant. The Cupertino behemoth claims that even they themselves could not extract data even if forced to. However, if recent news is to be believed Apple has been using a sneaky little trick as a backdoor.
This backdoor has been rumored for some time and now has been confirmed by an incident involving a security researcher nonetheless. Jeffrey Paul the man in question, realised after he had upgraded the OS on his MacBook that all of his personal files were available to him, even though they were encrypted by him on his local machine and never uploaded to iCloud. “This is unacceptable,” thundered Paul, “Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers – across all applications, Apple and otherwise.”
He was not alone in either his frustration or surprise. Johns Hopkins University cryptographer Matthew D. Green tweeted his dismay after realizing that some private notes had found their way to iCloud. Bruce Schneier, another prominent cryptography expert, wrote a blog post calling the automatic saving function “both dangerous and poorly documented” by Apple.
Feature turns flaw
The cloud backup feature is very useful in earnest. It lets you access all of your files across multiple Apple devices. And in the misfortune that your device gets stolen, you wouldn’t have lost all of your data. But experts are now asking, are we paying with our privacy for the sake of convenience ? TechWorm has already pondered about the whole encryption story to be an eyewash in this article. This very feature is probably the root cause behind the entire iCloud hacks leaks fiasco.
Just in case you didn’t know, iCloud Hacks was the name given to a major hacking event, in which explicit photos of a number of HollyWood celebrities were accessed, stolen and leaked on the internet. The hackers said at the time, that they were able to access the iCloud accounts of these celebrities. And what are the odds, that these actresses knew that their iPhones was secretly sending every image they ever clicked onto the cloud without their knowledge ?
This encryption feature was supposed to be Apple’s protection against NSA spying program PRISM. Apparently, not only has Apple made a mockery of their customer’s privacy, it has just opened the flood gates to more of such incidents. And Apple has yet to reply to these accusations. The only reply the company gives, is directed to a support article which explains how the cloud feature works. The gist of it being, that iCloud will store data from various apps to the location provided by the user. But as is common practice, most users will not do this before running an application, so where does the data go ?
The Supreme Court ruled in June that cell phones deserve a high level of protection from police searches, requiring in most cases that a court find probable cause and issue a warrant seeking specific evidence. But the issue is less clear when it comes to information found on cloud services; many companies require warrants but no definitive legal standard has yet emerged for law enforcement access to such information. Encryption was to serve this point. But with Apple backing up data even before it can be encrypted, it just made its very own backdoor. Not to sound accusative, but it looks like Apple WANTS to help intelligence agencies like the NSA willingly, even going to the extent of such an eyewash.
Green, the Johns Hopkins cryptographer, long has used TextEdit as an easy way to take notes that he thought were safe on his hard drive, only later giving them a file name. For Paul, he used the same program as a way to create the computer equivalent of a Post-it Note – a handy place to jot a range of information, including passwords, private information, even the occasional love letter. By the time he discovered the files were being uploaded to iCloud without is sayso, the deed was already done. And though Paul recalled activating iCloud Drive, he could recall any warning or indication that it would operate in this way. “I enabled iCloud Drive knowingly. What I didn’t sign up for was my local private data outside of a specific part of my system being synchronized without additional consent, automatically” says Paul.
Another sinister twist in the tale
As the news by these researchers traveled the cyber space, another interesting fact came to light. This support document was uploaded even before the latest version of MacOS was released. Which can mean that either the cloud functionality has been changed and gone unnoticed or that this flaw has been happening for much longer that thought. If the latter is the case, it means that Apple may have stored much more data on iCloud that we might realize.
This is at the core of the complaints by Paul and Green. If a document is going to be transmitted across the Internet to a cloud server, they want to be warned first – and have a chance to object if they deem it too private.
It’s an option other users – even those who don’t study security issues for a living – might well want if they understood what was happening to their files. But how many do?
Paul wrote in an e-mail, “If you take 100 people and sit them down in front of a factory-new machine running Yosemite with iCloud Drive and have them open TextEdit, create a new window, type their darkest secrets into that window, and power the machine off without saving it anywhere – how many of those 100 would believe that the data hadn’t left the room?”
This a opinion report on Apple’s iCloud and encryption by Delwyn, a self professed privacy maniac