Apple retains master decryption key for iCloud

post #1 of 76
Thread Starter 
A new analysis of Apple's iCloud service has revealed that the company holds a master decryption key and retains the right to screen for "objectionable" content or hand over information to legal authorities.

Ars Technica asked several security experts about iCloud and whether user data is secure with Apple. According to the report, a source recently indicated that Apple has the ability to "decrypt and access all data" stored on its iCloud servers.

Separately, security researcher Jonathan Zdziarski agreed with the claim. "I can tell you that the iCloud terms and conditions are pretty telling about what the capabilities are at Apple with respect to iCloud, and suggests they can view any and all content," he said.

The iCloud Terms and Conditions contain provisions for Apple to "pre-screen, move, refuse, modify and/or remove" content that is found to be objectionable. The company also retains the right to "access, use, preserve and/or disclose" account information and content to law enforcement authorities. The report noted that Apple's Terms allow it to check content for copyright infringement as per the Digital Millennium Copyright Act.

"If iCloud data was fully encrypted, they wouldn't be able to review content, provide content to law enforcement, or attempt to identify DMCA violations," Zdziarski told the publication.

Rich Mogull, CEO of security firm Securosis, said that iCloud data is encrypted "only for transport." Even if Apple did encrypt the data on its own drives, it would need to have the key, he added.

"If you can access something with a webpage, that means the webserver has the key," Mogull said. "Thus we know that Apple could access at least anything iCloud related that shows in the browser."

Even so, Echoworx vice president of products Robby Gulri said Apple is using best practices in the industry, such as transmission using SSL, on-disk encryption with 128-bit keys and the discontinuation of developer access to Unique Device IDs.

Gulri did, however, identify a few areas where Apple could lead the industry in data security. For instance, he recommends asymmetric PKI encryption and third-party audits to further bolster security.

Though an earlier report by the publication found iCloud to be safe for "most" users, author Chris Foresman doesn't recommend the service for "the more stringent security requirements of enterprise users, or those paranoid about their data being accessed by authorities."




Apple plans to integrate iCloud even more deeply into its OS X file system later this year. For instance, OS X 10.8 Mountain Lion will offer iCloud as an option when saving new files. iCloud documents will be tied with their respective applications to protect them from malicious software.

iCloud launched last October alongside iOS 5. As of February, over 100 million users had signed up for the service.

Apple CEO Tim Cook said in February that iCloud will be the center of the company's strategy "for the next decade or more." The Cupertino, Calif., company's recruitment strategy reflects the focus on iCloud, as it is aggressively hiring engineers to work on the product.

post #2 of 76
I'd prefer greatly if Apple didn't have that capability.

Originally Posted by helia

I can break your arm if I apply enough force, but in normal handshaking this won't happen ever.
post #3 of 76
Quote:
Originally Posted by Tallest Skil View Post

I'd prefer greatly if Apple didn't have that capability.

They are not as bad as Google.
post #4 of 76
Quote:
Originally Posted by Tallest Skil View Post

I'd prefer greatly if Apple didn't have that capability.

If it bothers you, don't use iCloud.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #5 of 76
Tim Cook knows about your 1.6 GB collection of LOLcats. The horror!

Now do a story on how Facebook and Google sell your personal data for advertising revenue.
post #6 of 76
Quote:
Originally Posted by charlituna View Post

If it bothers you, don't use iCloud.

I agree.
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
post #7 of 76
Quote:
Originally Posted by Dunks View Post

Tim Cook knows about your 1.6 GB collection of LOLcats. The horror!

Now do a story on how Facebook and Google sell your personal data for advertising revenue.

Exactly.
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
post #8 of 76
Quote:
Originally Posted by I am a Zither Zather Zuzz View Post

They are not as bad as Google.

That doesn't make it okay. Everyone needs to be held to the same accountability.

Quote:
Originally Posted by charlituna View Post

If it bothers you, don't use iCloud.

Hey, MJ1970.

Originally Posted by helia

I can break your arm if I apply enough force, but in normal handshaking this won't happen ever.
post #9 of 76
Quote:
Originally Posted by Tallest Skil View Post

I'd prefer greatly if Apple didn't have that capability.

I don't treat iCloud any differently from the Internet.
Encrypt your data before you upload to iCloud.

Problem: solved

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #10 of 76
This is a non-issue. If you trust someone else to encrypt your data, they're going to have a key to your data. Microsoft does it with its Rights Management Services, Apple does it, and so does any other company that provides an encryption service. It's standard and expected.

If you want to control the keys used to encrypt your data, then stand-up your own certificate authority.
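The point made in the article ("the webserver has the key") and in posts #9 and #10, that whoever holds the key can read the data, as an added example that is not part of the thread or of any Apple code. `Provider`, `seal`, `open_sealed` and the passphrase are hypothetical names and values; the SHAKE-256 keystream with HMAC-SHA256 is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Stand-in for a vetted AEAD; do not reuse as a cipher."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified blob")
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    # The key is derived on the user's device and never sent to the provider.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def client_encrypt(passphrase: str, data: bytes) -> bytes:
    salt = secrets.token_bytes(16)
    return salt + seal(passphrase_key(passphrase, salt), data)

def client_decrypt(passphrase: str, blob: bytes) -> bytes:
    return open_sealed(passphrase_key(passphrase, blob[:16]), blob[16:])

class Provider:
    """Hypothetical storage service that encrypts at rest with its own key."""
    def __init__(self):
        self.master_key = secrets.token_bytes(32)
        self.disk = {}

    def upload_plain(self, name: str, data: bytes) -> None:
        # Data arrives over TLS as plaintext; the provider encrypts it itself.
        self.disk[name] = seal(self.master_key, data)

    def upload_opaque(self, name: str, blob: bytes) -> None:
        # Data was encrypted before upload; the provider stores it as-is.
        self.disk[name] = blob

    def provider_view(self, name: str):
        """What the provider can recover with the key it holds (None if nothing)."""
        try:
            return open_sealed(self.master_key, self.disk[name])
        except ValueError:
            return None

def demo():
    doc = b"constructed sample document: 2011 tax return"
    p = Provider()
    p.upload_plain("web-visible", doc)
    p.upload_opaque("client-encrypted", client_encrypt("example passphrase", doc))
    return (p.provider_view("web-visible"),        # provider reads it
            p.provider_view("client-encrypted"),   # provider sees only a blob
            client_decrypt("example passphrase", p.disk["client-encrypted"]))

if __name__ == "__main__":
    print(demo())
```

The trade-off is the one the thread argues about: the object the provider cannot read is also one it cannot show in a browser, scan, or recover if the passphrase is lost.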
post #11 of 76
Anyone surprised by this is an idiot.

And if you don't like it, don't use iCloud. If it really bothers you, maybe there's a startup in it for you.

Just don't count on most people caring. Because most people do not, and despite what scaremongers will tell you, for the most part they have no need to.

MacBook Pro 15" | Intel Core2 Duo 2.66GHz | 320GB HDD | OS X v10.9
Black/Space Grey iPad Air with Wi-Fi & LTE | 128GB | On 4GEE
White iPhone 5 | 64GB | On 3UK

post #12 of 76
Quote:
Originally Posted by I am a Zither Zather Zuzz View Post

They are not as bad as Google.

Google isn't the worst offender, they're only the first and largest. They just showed the rest how to do it and now that's the standard way to run a net business. If you offer a free service that becomes wildly successful and the fine print says you should stop considering anything in their service as private, people will surprisingly still use it. Everyone is using Google as an excuse for why it's acceptable to do it, and now it is.

There's no way to use any service anymore and have your data not scanned for content unless you encrypt it yourself. Everyone does it.
post #13 of 76
Commence investigation from Al Franken & his buddies, you know cause better this than to work on the budget they haven't passed in like 3 years. Nice story, now I'm gonna go waste my time on something more interesting.
post #14 of 76
I would wonder how serious this is when it comes to speaking about political matter. Maybe saying that they don't like a certain politician or president. Maybe they will be put on a list of suspicious people. Will this come to be like the Soviet Union or the Days of the Nazi regime? But I wonder if this is mainly for terrorist activity? Hard to say.
An Apple man since 1977
post #15 of 76
Quote:
Originally Posted by Tallest Skil View Post

That doesn't make it okay. Everyone needs to be held to the same accountability.

I'm not entirely sure what you want to mean by that.

Let's use child porn as the example (objectionable content). Apple would be accountable for storing the content. If we apply the same level of accountability to the user, then what is the issue. Apple isn't pretending that they can do a "megaupload" service and shrug.

This differs in every way from a company selling access to you, your content and behaviours.
you only have freedom in choice when you know you have no choice
post #16 of 76
Quote:
Originally Posted by jlandd View Post

Google isn't the worst offender, they're only the first.../snip

So tell us about the cloud service Google offered in 2000 when Apple first launched iTools?

I'm fascinated to hear your rewrite of history.
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #17 of 76
There are good business and legal reasons to have data security and encryption. Patient medical data has to be backed up remotely and encrypted. Same with financial data. Public disclosure can spell the end of the business or profession. In my own case, I have preferred to actually have physical control of the back up data in addition to any sort of encryption.

iCloud, Google, etc should be used to back up stuff that has no commercial value. I imagine that folks like IBM do provide very secure services to corporations, banks, etc.
post #18 of 76
He who controls the clouds controls the weather.
He who controls the weather controls the battlefield.
He who controls the battlefield controls the battle.
He who controls the battle controls the war.

He who controls the war gets to do some cool shit.
My car keeps crashing whenever I do 150mph. It's a design flaw. People tell me to slow down and drive normally but I should be able to use it as I wish.
post #19 of 76
Here we go again, but this time with iCloudSecurityGate (or lack thereof).

This same discussion (if you can call it that) happened over at Dropbox, as well. Someone reveals that data can be decrypted, and all of a sudden, people are up in arms that their data is not secure. It's a laugh. And based on this AI article, there's a lot of assumptions being made. They may be true, but they are still assumptions until Apple themselves confirms them.

And these same people that will hold Apple over the fire for "being so irresponsible" are happily sending private documents and passwords by email around the planet.

Apple owns the servers, they have a right to prevent them from holding illegal information. If you don't like that, don't use cloud services. Don't use email. Don't post anything on any website.... because once you do, your information is being stored beyond your control, and usually without any protection. Apple has the necessary protections in place for "most" people.
post #20 of 76
Anyone concerned about the data they are transmitting to a free online data storage, should really consider saving their files onto a device that they control, not others. That's just logical reasoning. Anything that I store online has no value to anyone. Apple isn't the worst of the bunch. They are open about what they can do & it's spelled out in their T&C. And, they aren't going to exploit that info for commercial benefit. As mentioned, Apple sees this as necessary for keeping themselves protected from DMCA issues. So any congressional committee is going to look like a joke if they open an investigation against a company that is merely trying to follow the law. Probably the worst outcome would be that congress repeals the DMCA. That is if they really try to accomplish something legislative during this year. Let's hope

Cheers !
post #21 of 76
Quote:
Originally Posted by I am a Zither Zather Zuzz View Post

They are not as bad as Google.

But Apple could turn on a dime if it had to and be just as bad.

iCloud will never be the hub of my universe.
post #22 of 76
Quote:
Originally Posted by Dunks View Post

Tim Cook knows about your 1.6 GB collection of LOLcats. The horror!

Now do a story on how Facebook and Google sell your personal data for advertising revenue.

I've never heard of Google actively selling YOUR data to any advertisers...perhaps you have some sources...

Oddly I have heard that of Facebook though but that may be FUD as well...just like your post.
post #23 of 76
Quote:
Originally Posted by Cpsro View Post

But Apple could turn on a dime if it had to and be just as bad.

iCloud will never be the hub of my universe.

I've seen my universe... Apple and iCloud will be extremely bored encrypting it!

Ten years ago, we had Steve Jobs, Bob Hope and Johnny Cash.  Today we have no Jobs, no Hope and no Cash.

post #24 of 76
Quote:
Originally Posted by Cpsro View Post

But Apple could turn on a dime if it had to and be just as bad.

Interesting.

Could you provide some examples of this occurring in the past?

Quote:
Originally Posted by AbsoluteDesignz View Post

I've never heard of Google actively selling YOUR data to any advertisers...perhaps you have some sources...

You're quite correct.

Google and your privacy are a match made in heaven!
My car keeps crashing whenever I do 150mph. It's a design flaw. People tell me to slow down and drive normally but I should be able to use it as I wish.
post #25 of 76
Why is this even news? Hell, any 3rd-party provider of pretty much anything can access your belongings. Be it storage lockers, bank accounts, Switzerland, etc.

This is just another example of some clown trying to get bait clicks by using the classic <insert Apple product or name here> scheme.

If you don't want any entity anywhere on the earth to potentially have access to your "stuff", don't give it to them. Period.

Sheesh, this isn't even rocket science. Relating to iCloud, I'm paying for the conveniences they offer and accepting that those conveniences expose me to an element of risk. It's up to the consumer to determine if the pros outweigh the cons.

No one is putting a gun to your head to use it. Make your own cloud service and this 100% user-securable and see how long that lasts.

*yawn*
post #26 of 76
Quote:
Originally Posted by sflocal View Post

Why is this even news? Hell, any 3rd-party provider of pretty much anything can access your belongings. Be it storage lockers, bank accounts, Switzerland, etc.

This is just another example of some clown trying to get bait clicks by using the classic <insert Apple product or name here> scheme.

If you don't want any entity anywhere on the earth to potentially have access to your "stuff", don't give it to them. Period.

Sheesh, this isn't even rocket science. Relating to iCloud, I'm paying for the conveniences they offer and accepting that those conveniences expose me to an element of risk. It's up to the consumer to determine if the pros outweigh the cons.

*yawn*

Is this a complaint? Or just news?
post #27 of 76
Hmm... Of course they have to do some scanning for illegal content. Like any private person or company they may be made responsible if criminal content is found on their servers. No big news there. They just do what they have to to prevent legal actions against Apple.
post #28 of 76
It goes beyond common thinking not to store valuable or sensitive information with third parties. PERIOD.

No complaints from me.
post #29 of 76
I think it's justifiable for Apple to be able to decrypt synced content for law enforcement. My biggest concern when it comes to master decryption keys is that it's often just a matter of time before a 3rd party manages to obtain it, giving someone you don't trust access to all your personal documents and photos. It is less likely that Apple's master key would leak out than one inside a Blu-Ray device as access is far more difficult but anything's possible.
post #30 of 76
Quote:
Originally Posted by GTR View Post

Interesting.

Could you provide some examples of this occurring in the past?

Totally unnecessary. The past is past and business is business, and Apple will live up to its agreements, however it has to, whenever it has to.
post #31 of 76
Quote:
Originally Posted by Tallest Skil View Post

I'd prefer greatly if Apple didn't have that capability.

Unfortunately, that's not an option:
"The report noted that Apple's Terms allow it to check content for copyright infringement as per the Digital Millennium Copyright Act."

They are required by law to maintain that ability.

I'd suggest that you use "Back to My Mac" to access your files if you're concerned about Apple having them.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #32 of 76
Quote:
Originally Posted by Marvin View Post

I think it's justifiable for Apple to be able to decrypt synced content for law enforcement. My biggest concern when it comes to master decryption keys is that it's often just a matter of time before a 3rd party manages to obtain it, giving someone you don't trust access to all your personal documents and photos. It is less likely that Apple's master key would leak out than one inside a Blu-Ray device as access is far more difficult but anything's possible.

This may indeed be the only concern to have. But this is true for any company that provides third party storage space.
post #33 of 76
Quote:
Originally Posted by Suddenly Newton View Post

I don't treat iCloud any differently from the Internet.
Encrypt your data before you upload to iCloud.

Problem: solved

This is probably a dumb question but how do you encrypt something through my iPhone or iPad before saving it to iCloud? Can anyone provide a step-by-step for pics, email, docs, etc.?
post #34 of 76
Quote:
Originally Posted by Cpsro View Post

But Apple could turn on a dime if it had to and be just as bad.

iCloud will never be the hub of my universe.

Quote:
Originally Posted by GTR View Post

Interesting.

Could you provide some examples of this occurring in the past?
...

Quote:
Originally Posted by Cpsro View Post

Totally unnecessary. The past is past and business is business, and Apple will live up to its agreements, however it has to, whenever it has to.

Yes, totally unnecessary when you are suggesting things might happen for which there is no reason to think they are even probable. That Apple will start abusing customers' privacy, something there is every business reason for them to actually become more active in protecting, is as likely as Google and Facebook, without government intervention, "turning on a dime" and becoming "just as good" -- i.e., all of these things have a nearly zero probability. Don't confuse the possible (anything that doesn't violate the laws of nature) with the probable (much smaller subset of the possible) or, worse yet, the likely (a tiny subset of the possible).
post #35 of 76
Quote:
Originally Posted by jlandd View Post

Google isn't the worst offender, they're only the first and largest. They just showed the rest how to do it and now that's the standard way to run a net business. If you offer a free service that becomes wildly successful and the fine print says you should stop considering anything in their service as private, people will surprisingly still use it. Everyone is using Google as an excuse for why it's acceptable to do it, and now it is.

There's no way to use any service anymore and have your data not scanned for content unless you encrypt it yourself. Everyone does it.

I guess the difference is Google isn't looking for illegal content to keep themselves in compliance, they want more info on your habits and personal information so they can sell it to advertisers. This is much worse!
post #36 of 76
well, iCloud has become like your family that knows all your secrets...you trust your family to keep your secrets from outsiders.
post #37 of 76
Quote:
Originally Posted by Dunks View Post

Tim Cook knows about your 1.6 GB collection of LOLcats. The horror!

Weird thing is...

That's all that is on my Photo Stream.
post #38 of 76
I simply don't trust Apple or iCloud which is why I don't use it.

I disagree with the comments that people don't care. I think they do which is why many people don't use cloud services, preferring to stick to their PC hard drive or portable hard drive.

The phrase "buyer beware" should be typed in bold red letters above the sign-up page to all cloud services.
post #39 of 76
Quote:
Originally Posted by Shaun, UK View Post

I simply don't trust Apple or iCloud which is why I don't use it.

I disagree with the comments that people don't care. I think they do which is why many people don't use cloud services, preferring to stick to their PC hard drive or portable hard drive.

The phrase "buyer beware" should be typed in bold red letters above the sign-up page to all cloud services.

Then don't use iCloud. Problem solved.

Now, how are you going to keep all your private information out of Google's hands?
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #40 of 76
Quote:
Originally Posted by Cpsro View Post

But Apple could turn on a dime if it had to and be just as bad.

iCloud will never be the hub of my universe.

Unlikely. That would require a complete change of their business model.

Remember, Google makes money off of their users information. Apple makes money off of hardware sales.

It would be different if Apple actually had the capability/interest in using this information for profit