Apple retains master decryption key for iCloud
A new analysis of Apple's iCloud service has revealed that the company holds a master decryption key and retains the right to screen for "objectionable" content or hand over information to legal authorities.
Ars Technica several security experts about iCloud about whether user data is secure with Apple. According to the report, a source recently indicated that Apple has the ability to "decrypt and access all data" store on its iCloud servers.
Separately, security researcher Jonathan Zdziarski agreed with the claim. "I can tell you that the iCloud terms and conditions are pretty telling about what the capabilities are at Apple with respect to iCloud, and suggests they can view any and all content," he said.
The iCloud Terms and Conditions contain provisions for Apple to "pre-screen, move, refuse, modify and/or remove" content that is found to be objectionable. The company also retains the right to "access, use, preserve and/or disclose" account information and content to law enforcement authorities. The report noted that Apple's Terms allow it to check content for copyright infringement as per the Digital Millennium Copyright Act.
"If iCloud data was fully encrypted, they wouldn't be able to review content, provide content to law enforcement, or attempt to identify DMCA violations," Zdziarski told the publication.
Rich Mogull, CEO of security firm Securosis, said that iCloud data is encrypted "only for transport." Even if Apple did encrypt the data on its own drives, it would need to have the key, he added.
"If you can access something with a webpage, that means the webserver has the key," Mogull said. "Thus we know that Apple could access at least anything iCloud related that shows in the browser."
Even so, Echoworx vice president of products Robby Gulri said Apple is using best practices in the industry, such as transmission using SSL, on-disk encryption with 128-bit keys and the discontinuation of developer access to Unique Device IDs.
Gulri did, however, identify a few areas that Apple could lead the industry in data security. For instance, he recommends asymmetric PKI encryption and third-party audits to further bolster security.
Though an earlier report by the publication found iCloud to be safe for "most" users, author Chris Foresman doesn't recommend the service for "the more stringent security requirements of enterprise users, or those paranoid about their data being accessed by authorities."
Apple plans to integrate iCloud even more deeply into its OS X file system later this year. For instance, OS X 10.8 Mountain Lion will offer iCloud as an option when saving new files. iCloud documents will be tied with their respective applications to protect them from malicious software.
iCloud launched last October alongside iOS 5. As of February, over 100 million users had signed up for the service.
Apple CEO Tim Cook said in February that iCloud will be the center of the company's strategy "for the next decade or more." The Cupertino, Calif., company recruitment strategy reflects the focus on iCloud, as it is aggressively hiring engineers to work on the product.
[ View article on AppleInsider ]
Comments
I'd prefer greatly if Apple didn't have that capability.
They are not as bad as Google.
I'd prefer greatly if Apple didn't have that capability.
If it bothers you, don't use iCloud.
Now do a story on how Facebook and Google sell your personal data for advertising revenue.
If it bothers you, don't use iCloud.
I agree.
Tim Cook knows about your 1.6 GB collection of LOLcats. The horror!
Now do a story on how Facebook and Google sell your personal data for advertising revenue.
Exactly.
They are not as bad as Google.
That doesn't make it okay. Everyone needs to be held to the same accountability.
If it bothers you, don't use iCloud.
Hey, MJ1970.
I'd prefer greatly if Apple didn't have that capability.
I don't treat iCloud any differently from the Internet.
Encrypt your data before you upload to iCloud.
Problem: solved
If you want to control the keys used to encrypt your data, then stand-up your own certificate authority.
And if you don't like it, don't use iCloud. If it really bothers you, maybe there's a startup in it for you.
Just don't count on most people caring. Because most people do not, and despite what scaremongers will tell you, for the most part they have no need to.
They are not as bad as Google.
Google isn't the worst offender, they're only the first and largest. They just showed the rest how to do it and now that's the standard way to run a net business. If you offer a free service that becomes wildly successful and the fine print says you should stop considering anything in their service as private, people will surprisingly still use it. Everyone is using Google as an excuse for why it's acceptable to do it, and now it is.
There's no way to use any service anymore and have your data not scanned for content unless you encrypt it yourself. Everyone does it.
That doesn't make it okay. Everyone needs to be held to the same accountability.
I'm not entirely sure what you want to mean by that.
Let's use child porn as the example (objectionable content). Apple would be accountable for storing the content. If we apply the same level of accountability to the user, then what is the issue. Apple isn't pretending that they can do a "megaupload" service and shrug.
This differs in every way from a company selling access to you, your content and behaviours.
Google isn't the worst offender, they're only the first.../snip
So tell us about the cloud service Google offered in 2000 when Apple first launched iTools?
I'm fascinated to hear your rewrite of history.
iCloud, Google, etc should be used to back up stuff that has no commercial value. I imagine that folks like IBM do provide very secure services to corporations, banks, etc.
He who controls the weather controls the battlefield.
He who controls the battlefield controls the battle.
He who controls the battle controls the war.
He who controls the war gets to do some cool shit.
This same discussion (if you can call it that) happened over at Dropbox, as well. Someone reveals that data can be decrypted, and all of a sudden, people are up in arms that their data is not secure. It's a laugh. And based on this AI article, there's a lot of assumptions being made. They may be true, but they are still assumptions until Apple themselves confirms them.
And these same people that will hold Apple over the fire for "being so irresponsible" are happily sending private documents and passwords by email around the planet.
Apple owns the servers, they have a right to prevent them from holding illegal information. If you don't like that, don't use cloud services. Don't use email. Don't post anything on any website.... because once you do, your information is being stored beyond your control, and usually without any protection. Apple has the necessary protections in place for "most" people.
Cheers !
They are not as bad as Google.
But Apple could turn on a dime if it had to and be just as bad.
iCloud will never be the hub of my universe.