Apple will soon encrypt iCloud emails in transit between service providers

Posted in iCloud, edited June 2014
Apple on Friday said it is working to implement an in-transit encryption solution for its email domains, offering additional protection for iCloud customers sending and receiving messages from people using other providers like Gmail.



Word of Apple's initiative came in a statement provided to NPR after the broadcaster ran a report on its blog looking into the steps big tech firms take to protect users' data privacy.

The story was based on an Electronic Frontier Foundation survey that asked companies like Apple, AT&T, Facebook, Google, Twitter and more about the encryption policies implemented in their products. Specifically, the EFF asked if the firms follow a recommended five-step plan the organization believes keeps consumer data safe.

The group wants companies to use HTTPS, HSTS, forward secrecy, STARTTLS, and encryption of email while in transit.

While Apple's iMessage inherently supports end-to-end encryption, the company's other text-based communication methods are less secure. Users of Apple's iCloud email service enjoy protections similar to iMessage as long as the conversation is with another iCloud address, but there is currently no encryption method being used for emails in transit between other providers like Google.

As the publication noted in its follow-up, however, Apple is working on the issue and will soon have a solution ready to go.
"After we published, the company told us this would soon change. This affects users of me.com and mac.com email addresses."

At issue is the STARTTLS extension, which lets the plain-text connection between two providers' mail servers be upgraded to an encrypted one. The caveat is that both the sending and the receiving email service must support STARTTLS for it to work.
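
The both-sides requirement described above, as an added example that is not part of the original article: a sending server's decision based on the receiver's EHLO reply. The host names, sample replies and the `require_tls` policy switch are constructed for illustration.

```python
# Added illustration: how a sending mail server decides whether a hop is encrypted.
# Host names and EHLO replies below are constructed samples, not captured traffic.

WITH_STARTTLS = (
    "250-mx.receiver.example Hello\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
WITHOUT_STARTTLS = (
    "250-mx.legacy.example Hello\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply):
    """Return the set of extension keywords advertised in an SMTP EHLO reply."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    # Every line is '250-...' except the last, which is '250 ...'.
    ok = bool(lines) and all(
        len(ln) > 3 and ln.startswith("250") and ln[3] in "- " for ln in lines
    )
    if not ok or lines[-1][3] != " ":
        raise ValueError("not a complete, successful EHLO reply")
    keywords = set()
    for ln in lines[1:]:  # first line is the greeting, not an extension
        parts = ln[4:].split()
        if parts:
            keywords.add(parts[0].upper())
    return keywords


def delivery_mode(sender_has_tls, ehlo_reply, require_tls=False):
    """'encrypted' only if both ends support STARTTLS; otherwise fall back or defer."""
    receiver_has_tls = "STARTTLS" in parse_ehlo(ehlo_reply)
    if sender_has_tls and receiver_has_tls:
        return "encrypted"  # sender issues STARTTLS, then the TLS handshake
    # Hypothetical policy switch: hold the message instead of sending in the clear.
    return "deferred" if require_tls else "plaintext"


if __name__ == "__main__":
    for name, reply in (("with", WITH_STARTTLS), ("without", WITHOUT_STARTTLS)):
        print(name, delivery_mode(True, reply), delivery_mode(True, reply, True))
```

With the default opportunistic setting, a receiver that does not advertise STARTTLS gets the message in plain text, which is the state the article describes for mail leaving Apple's domains.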


[Image: Google's Safer Email transparency report. Source: Google]


Apple did not offer a timeline on when it plans to roll out end-to-end email encryption outside of iCloud, though Google has started offering specifics on who does and does not support in-transit encryption. As seen above, Google's Safer Email transparency report shows iCloud accounts are also unencrypted, though Apple has not commented on plans to upgrade emails coming and going from those domains as well.

Comments

  • Reply 1 of 32
    magman1979 Posts: 1,292 member
    Wow, recently Apple has been jumping on the security bandwagon big time, and I couldn't be happier about this! The more security systems and encryption they pack into their devices and services, the better off everyone will be!

    Side note, screw you Google!
  • Reply 2 of 32
    bighype Posts: 148 member

    Apple knows that privacy and security are two of Google's biggest weaknesses. Google tracks everything you do online and it stores everything you type or visit or upload and they encrypt nothing on their servers (because then they couldn't serve you ads and make their billions) so Apple is quickly becoming anti-Google.

    Google Nest and their watch will display ads to you and will track you while Apple's products and services will be quite the opposite. That's Apple's biggest advantage and they're finally fully capitalizing on it.

  • Reply 3 of 32
    SpamSandwich Posts: 33,407 member

    This will also have the effect of undermining Google's ability to scan e-mails and integrate targeted ads. Go Apple!

  • Reply 4 of 32
    solipsismx Posts: 19,566 member
    bighype wrote: »
    Apple knows that privacy and security are two of Google's biggest weaknesses. Google tracks everything you do online and it stores everything you type or visit or upload and they encrypt nothing on their servers (because then they couldn't serve you ads and make their billions) so Apple is quickly becoming anti-Google.

    Google Nest and their watch will display ads to you and will track you while Apple's products and services will be quite the opposite. That's Apple's biggest advantage and they're finally fully capitalizing on it.

    That's BS. Google uses advanced security and encryption techniques. What you're talking about, targeted ads on Gmail.com, has nothing to do with a lack of encryption.
  • Reply 5 of 32
    maestro64 Posts: 5,043 member
    Quote:
    Originally Posted by SpamSandwich View Post

    This will also have the effect of undermining Google's ability to scan e-mails and integrate targeted ads. Go Apple!

    Not if you send the email to a Gmail account. It looks like Apple will encrypt it if somehow they know the recipient is using an Apple mail client. Once the email ends up in a Gmail account Google is free to read it. I am just curious if you use an Apple mail client to retrieve your mail if the actual mail file on Google servers will stay encrypted until you retrieve it.

    This will just keep it from the prying eyes of your ISP, meaning that when the government asks your ISP to forward all your email to them, it will be encrypted and they will have to use more computing resources to see what you are up to.

  • Reply 6 of 32
    solipsismx Posts: 19,566 member
    Confession: I foolishly assumed that encryption had been set up between all these different mail services.
  • Reply 7 of 32
    bighype Posts: 148 member
    Quote:
    Originally Posted by SolipsismX View Post

    That's BS. Google uses advanced security and encryption techniques. What you're talking about, targeted ads on Gmail.com, has nothing to do with a lack of encryption.

    Google encrypts traffic between your browser and their servers. They also encrypt traffic between their servers. But Google DOES NOT encrypt anything they store on their servers! NOTHING!

  • Reply 8 of 32
    solipsismx Posts: 19,566 member
    bighype wrote: »
    Google encrypts traffic between your browser and their servers. They also encrypt traffic between their servers. But Google DOES NOT encrypt anything they store on their servers! NOTHING!

    Nothing? Do you have proof of this? Do you have any evidence to show that if Google Server was stolen all the data would be in cleartext, including my username, password and any CC info? I can't imagine that being the case. So does Google offer you targeted ads in your emails? The same way they do it for your search results. They read the data that is being unencrypted on your end in the browser and AdSense then generates ads based on that criteria.
  • Reply 9 of 32
    genovelle Posts: 1,480 member
    solipsismx wrote: »
    Nothing? Do you have proof of this? Do you have any evidence to show that if Google Server was stolen all the data would be in cleartext, including my username, password and any CC info? I can't imagine that being the case. So does Google offer you targeted ads in your emails? The same way they do it for your search results. They read the data that is being unencrypted on your end in the browser and AdSense then generates ads based on that criteria.

    You should take the time to read their user agreement. They were called on this and admitted they scan your emails "to provide better service". Apple can't even open your iMessage files.
  • Reply 10 of 32
    Quote:

    Nothing? Do you have proof of this? Do you have any evidence to show that if Google Server was stolen all the data would be in cleartext, including my username, password and any CC info? I can't imagine that being the case. So does Google offer you targeted ads in your emails? The same way they do it for your search results. They read the data that is being unencrypted on your end in the browser and AdSense then generates ads based on that criteria.

    Google does encrypt customer data on their servers at rest. bighype may be getting confused with the recent(-ish) revelation that their inter-datacenter links were not encrypted. Encryption of data on a hard drive doesn't preclude its use across devices or services, obviously.

  • Reply 11 of 32
    Quote:
    Originally Posted by genovelle View Post

    You should take the time to read their user agreement. They were called on this and admitted they scan your emails "to provide better service". Apple can't even open your iMessage files.

    That's true. However that does not preclude their ability to use encryption on the server side. The data is stored encrypted at rest, but is operationally accessible to Google's network and software in response to internal queries and external (e.g. customer) client requests. Encryption at rest is to prevent the scenario OP mentioned about stolen servers revealing data. Keep in mind that Google utilizes the same Google infrastructure as its customers - it isn't likely going to put all of that in an insecure environment.

    In reference to iMessage, while that's generally accepted, and I personally trust that, we still haven't seen anything that makes Apple interception impossible. Apple hardware and software still manages the keys used for encryption. I would bet that the system is architected such that it would be inappropriately difficult to adhere to any demand or request requiring them to poison the keying system, intercept data, and dump it to some agency.

  • Reply 12 of 32
    ajbdtc826 Posts: 190 member
    I love Apple but GMail is the best IMO. Seemingly infinite storage, quickly accessible from just about any browser, convenient features. iCloud is still a niche that does little besides advertise that someone is an Apple fan.
  • Reply 13 of 32
    rob53 Posts: 3,241 member

    http://news.yahoo.com/google-enhances-encryption-technology-email-204813662--politics.html

    dated 3/20/2014, "Lidzborski said that all Gmail messages a consumer sends or receives are now encrypted." I read this to mean they weren't encrypted before this date so gmail encryption is new as of a few months ago. 

     

    http://gizmodo.com/why-doesnt-google-encrypt-all-of-your-data-1148987872

    dated 8/15/2013: "From now on everything you put on Cloud Storage will be automatically encrypted on Google servers."

     

    http://static.googleusercontent.com/media/www.google.com/en/us/a/help/intl/en/security/pdf/message_encryption.pdf

    No date but talks about Google Message Encryption. This is for businesses and uses Postini so not for the rest of you (I don't use gmail).

     

    http://technologyangle.com/2014/03/email-encryption-should-you-pick-google-or-microsoft/

    dated 3/24/2014: "With the Google-for-business email service, your email is encrypted between your device and the Google servers, as well as when Google moves your email between its own data centers.  Google does not encrypt your emails stored “at rest” on their servers." This seems to conflict with the gizmodo article I mentioned earlier.

     

    Who do you trust to have the real information? Who do you trust handling your information? Email has never been private, just like telephone calls. That's why you never ever send any personal information, passwords, credit card numbers or anything else without encrypting them yourself. I believe Yosemite will allow this to be done within Mail on an email by email basis. I used an email encryption service for years at work and we had documented policy on what types of data could be sent without encryption. Using this process was and might still be the only way to keep others from reading your email.

     

    update: I'm not sure how much of the ADC NDA Apple changed but so much was announced via the keynote and all the WWDC videos were available to everyone so I'll assume most of what I'm saying is not covered under the NDA.

     

    I checked Yosemite Mail and you can now set an encryption certificate to encrypt and decrypt emails regardless of whether the email service you're using encrypts them. Of course, you'll need to get a certificate from a trusted certificate authority (CA) and most of these cost money but you'll be able to maintain encryption at least between people who also can decrypt your email (maybe Apple will be providing this service or using your iCloud certificate, I don't know the answer to this). These people will need part of your certificate so both ends know the identity of the other one but this is how we used Entrust at work. Once the email has been sent, it stays encrypted until it gets to the destination and the recipient decrypts it. With Macs, this can be done automatically in Mail and some other email clients using the Keychain. Apple's CoreCrypto modules have been certified but who knows whether NSA has some kind of master decryption key. They shouldn't but we'll probably never know.

  • Reply 14 of 32
    Specifically, the group looks wants companies to use HTTPS, HSTS , forward secrecy, STARTTLS, and encryption of email while in transit.

    I also "looks wants" the companies to use HTTPS, (buzzwords, et al). :lol:
  • Reply 15 of 32
    bighype Posts: 148 member
    Quote:
    Originally Posted by rob53 View Post

    Google does not encrypt your emails stored “at rest” on their servers.

    That says it all. The fact they encrypt while it's in transport doesn't mean much. N?? can still get it.

  • Reply 16 of 32
    mhikl Posts: 471 member

    Am now totally Goolies free. Start Page piggybacks off Google to send out your requests so no tracking takes place and a little kick is given to the tender parts of Goolies. SP is working on Mail but will cost a bit. Meanwhile, mail.com is my preference and the ads don’t bother me though for a little coin, they are excluded.

    One of the best encrypted mail accounts is RiseUp but it takes a while to be accepted unless you have a couple cronies already using RU. Won’t know how good it is till I get accepted.

     

    Where there is will and disgust man’s search for a better world truly continues to trod on (such evils as previously thrice mentioned). And what rot has become Hotmail or whatever be the latest incarnation just sprung by MS (spit). The shovels are hard at work in that quagmire. (No offence meant to honest quagmires.)

  • Reply 17 of 32
    solipsismx Posts: 19,566 member
    genovelle wrote: »
    You should take the time to read their user agreement. They were called on this and admitted they scan your emails "to provide better service". Apple can't even open your iMessage files.

    Scanning your content for an automated system to supply targeted ads doesn't mean there is no protection on their servers.
  • Reply 18 of 32
    bighype Posts: 148 member
    Quote:
    Originally Posted by SolipsismX View Post

    Scanning your content for an automated system to supply targeted ads doesn't mean there is no protection on their servers.

    Who cares there's protection when N?? can get everything without a warrant if you're not from US? And if you are from US, they get it through another FISA warrant.

  • Reply 19 of 32
    solipsismx Posts: 19,566 member
    bighype wrote: »
    Who cares there's protection when N?? can get everything without a warrant if you're not from US? And if you are from US, they get it through another FISA warrant.

    You're weakening your argument. You first stated that NOTHING on Google's servers is encrypted which means that anyone with access to the server could access your data, usernames, passwords and CC info. So why would the NSA be involved, especially if previously between mail servers it was already sent unencrypted. It sounds like they already were getting what they want.
  • Reply 20 of 32
    darklite Posts: 229 member
    Quote:
    Originally Posted by genovelle View Post

    You should take the time to read their user agreement. They were called on this and admitted they scan your emails "to provide better service". Apple can't even open your iMessage files.

    You realise that almost every email provider scans your emails "to provide better service" in the form of a spam filter, right?

    As of 2013, Apple was filtering emails based on potentially spammy phrases and silently deleting them, rather than moving them to a spam folder a la Gmail:

    http://www.imore.com/apple-filtering-emails-contain-certain-objectionable-phrases
