Ah, Apple the company that all major terrorist organizations around the world recommend for it's member's use.....
And therein lies the rub.
How would Apple protect 500 million iPhone users' privacy... while simultaneously providing law enforcement access to 50,000 terrorists' iPhones?
Imagine what sort of information you could find on people's phones these days: their home address, pictures of their children, their children's school, schedules, emails, access to door locks, garage door openers, health data, etc. Do you really want that stuff to be easily accessible to any common criminal?
I certainly don't. It should be as secure as it can possibly be.
But by keeping that information secure... it also prevents law enforcement from getting into criminals' phones too.
There's no way to selectively make some phones secure while making other phones easy to open.
So what do you think Apple should do?
IMHO it's all or nothing.
In answer to your question ... A sense of false security is worse than none so one could argue zero encryption would make everyone more careful. Then there is the problem you outline, dangerous people could easily know everything about a target's family etc. Also that would inevitably lead to those in power having their systems heavily encrypted for national security reasons anyway. So then we are back to it's better to have billions secure even if thousands of bad people can communicate secretly. At least they are unable to access anyone else. So I come down in favor of Tim by process of elimination. The problem is most people are easily fooled by phishing scams. Witness the so called hacking of iCloud the press so eagerly reported on. The perpetrator admitted this week in court it was a simple phishing scam (as we all suspected here on AI) and there was no hacking involved. There is zero protection against an idiot handing their user name and password out and the world in made up almost entirely of idiots.
So what does this mean for users being able to set up a device from iCloud backup? Will that still be possible or are you sol if you forget your password?
The Apple discussion forums are full of poor souls who forgot their passcode, forgot their security questions, bought a used device and forgot to ask the previous owner to unlock it, and probably forget their own names from time to time. Call them stupid, call them ignorant, laugh at their predicament if you want to, but they are customers. They will be sol and they will be angry that Apple can’t help them. What good is a backup if you can’t access it? This is a real problem and I wonder what solution is available fro these types.
So what does this mean for users being able to set up a device from iCloud backup? Will that still be possible or are you sol if you forget your password?
The Apple discussion forums are full of poor souls who forgot their passcode, forgot their security questions, bought a used device and forgot to ask the previous owner to unlock it, and probably forget their own names from time to time. Call them stupid, call them ignorant, laugh at their predicament if you want to, but they are customers. They will be sol and they will be angry that Apple can’t help them. What good is a backup if you can’t access it? This is a real problem and I wonder what solution is available fro these types.
I wonder if biometrics are not the solution. That said, these 'poor souls' wouldn't do it a second time I'd hope.
We can cheer Apple on, but if the government wins and decides to fine Apple per iPhone for not being able to circumvent encryption, this could cause Apple to price the iPhone out of most people's reach.
The biggest setback would be other countries not trusting Apple anymore.
The government cannot and should not win this.
But they could trust Google’s Android or Blackberry? Is that what you’re saying? It’s only Apple that gets the shaft if the government “wins?”
Ah, Apple the company that all major terrorist organizations around the world recommend for it's member's use.....
And yet, those ISIS terrorists used PlayStation 4 and clear communication to plan and conduct the Paris attacks. And these terrorists were in watch list and their photos were in the ISIS magazine. Where CT intelligence asleep or were they looking for information in the wrong place? I swear, these intelligence agencies are so worried about encrypted communication that terrorists find alternate channels and avoid detection. I am not saying that you are wrong, but even with iPhones, the NSA can go to the Telecom companies with a court order and request business records. With all that metadata and a bright analyst, CTs should be able to connect dots. But say that the FBI succeeds at forcing Apple to weaken encryption and then continues weakening other encryption, then nobody will use encryption. NOBODY. Terrorists will communicate via couriers and face to face or find other less than obvious communication methods. The general public will stop using the internet for sensitive data transfer. A double whammy. With weakened encryption, the world infrastructures such as power, water and defense will be more exposed to cyber attacks. Hackers and governments will be able to easily mount attacks to shut down power, open dams, maybe redirect drones....imagination is the limit.
To be clear, the data stored on Apple's servers is encrypted. Should Apple's servers ever be "compromised" your data is still safe. The biggest difference between data on the iPhone and that stored in the cloud is that Apple knows the encryption key to your iCloud account. They have to in case you forget your password and it needs to be reset. This is also how they're able to hand over that data to law enforcement officials.
To be clear, the data stored on Apple's servers is encrypted. Should Apple's servers ever be "compromised" your data is still safe. The biggest difference between data on the iPhone and that stored in the cloud is that Apple knows the encryption key to your iCloud account. They have to in case you forget your password and it needs to be reset. This is also how they're able to hand over that data to law enforcement officials.
But if you use 2FA and don't have your recovery key I think you're sol, correct?
So what does this mean for users being able to set up a device from iCloud backup? Will that still be possible or are you sol if you forget your password?
You are SOL if you forget your password, just like if you forget the passcode of your iPhone.
To be clear, the data stored on Apple's servers is encrypted. Should Apple's servers ever be "compromised" your data is still safe. The biggest difference between data on the iPhone and that stored in the cloud is that Apple knows the encryption key to your iCloud account. They have to in case you forget your password and it needs to be reset. This is also how they're able to hand over that data to law enforcement officials.
But if you use 2FA and don't have your recovery key I think you're sol, correct?
Yes, you're SOL. When you use 2FA you're basically telling Apple, "Under no circumstances are you allowed to ever reset this account without me giving you the recovery key."
They'll have to move iCloud servers outside the US if they want real security with strong encryption.
Yes, I see your point BUT which country will protect ones digital data. Will that country eventually require Apple to surrender the user data. Very tricky here.
Any country which would not have a problem with strong encryption.
So what does this mean for users being able to set up a device from iCloud backup? Will that still be possible or are you sol if you forget your password?
You are SOL if you forget your password, just like if you forget the passcode of your iPhone.
I'm not sol if I forget my passcode because I can restore from iCloud backup.
Ah, Apple the company that all major terrorist organizations around the world recommend for it's member's use.....
Ah, the pervasive clueless drive-by single commenter. In the unlikely event heshe it or others of their ilk would actually read this far :
There are many other encryption products for Android. Al-Fajr, one of Al-Qaeda’s media arms, released a new Android encryption application early June 2014 on their website. […] GIMF, another media arm of Al-Qaeda, also launched a new version of their Android software since our last post. Interestingly, between these two new product releases this continues the bet on mobile and Android as the preferred platform for these groups. The large availability and affordability of Android phones, especially in underdeveloped countries, is probably the reason for this. https://www.recordedfuture.com/al-qaeda-encryption-technology-part-2/
To be fair, there are some first commenters that actually bring welcomed smart arguments, but they have been the exception in this debate.
So what does this mean for users being able to set up a device from iCloud backup? Will that still be possible or are you sol if you forget your password?
When you set up 2 factor authentication now, Apple is very explicit in telling you that without your encryption key or password you will not be able to access your data and they cannot help you.
They'll have to move iCloud servers outside the US if they want real security with strong encryption.
Why? Let's say Apple gives you the option of using a pass phrase that isn't stored anywhere on Apple servers or even on your iPhone (well, it IS stored on your iPhone, but only a hash is stored, not the original pass phrase).
Whenever your iPhone connects to iCloud to backup data, it firsts get encrypted locally on your iPhone (using your pass phrase) and then gets sent for backup. The iCloud servers would be storing already encrypted data. If someone got hold of this information it would be useless as they don't have the pass phrase to decrypt it (they'd have to brute force decrypt it, which could take some time depending on the pass phrase you chose).
Apple could even take this further. The "username" the data gets stored under isn't your actual Apple ID, but a token that's an encrypted representation of your Apple ID hashed with your iCloud pass phrase. So even Apple employees themselves wouldn't be able to link a set of iCloud data to a specific user or device (like they can do now, presumably because there's an identifier linked to your Apple ID and device).
Hell, let's forget pass phrases altogether. We know that Apple takes your fingerprint and stores a mathematical representation (a hash) of it in the secure enclave, in a format that makes it impossible to reverse back to the original print. What makes it so impressive is you can use a PORTION of your finger at different angles or orientations on the fingerprint sensor and Touch ID still somehow manages to "match" this with the stored hash of your fingerprint. So why not make a fingerprint as the pass phrase that encrypts your iCloud data? Now you can't forget it, and because of the complexity of your fingerprint you'd have the equivalent of a very long pass phrase (impossible to decrypt).
I don't think security rides so much on WHERE the servers are, but on HOW the data is stored. They could be treated as "dumb" servers who simply store information sent to them, without actually knowing anything about the data itself or who it belongs to.
Well, re the Fingerprint Scanner on my 6SPlus does not always work. Either the fingerprint changes or the scanner cannot recognize it.
Yes, I see your point BUT which country will protect ones digital data. Will that country eventually require Apple to surrender the user data. Very tricky here.
Why not just essentially torrent the crap out of it, meaning bitslice it accross 10+ countries.... Only the client knows where the files really are. Each file could even have it's own set of countries... Make it a jurisdictional nightmare to recover, not just an encryption nightmare.
Since you have to have access to the phone to know where the files are, that really ups the ante on recovery :-). Obviously, if you lose your phone your really really screwed, unless you can back the recovery directory in a locally encrypted cache with a long passcode (not the same as your phone hopefully).. No one knows where the files are but you :-)..
I like your first paragraph. Is it my understanding that Apple a couple or few years ago was investigating using torrents for software distribution and/or iCloud backups. Wondered if Apple dropped the ball.
Comments
In answer to your question ... A sense of false security is worse than none so one could argue zero encryption would make everyone more careful. Then there is the problem you outline, dangerous people could easily know everything about a target's family etc. Also that would inevitably lead to those in power having their systems heavily encrypted for national security reasons anyway. So then we are back to it's better to have billions secure even if thousands of bad people can communicate secretly. At least they are unable to access anyone else. So I come down in favor of Tim by process of elimination. The problem is most people are easily fooled by phishing scams. Witness the so called hacking of iCloud the press so eagerly reported on. The perpetrator admitted this week in court it was a simple phishing scam (as we all suspected here on AI) and there was no hacking involved. There is zero protection against an idiot handing their user name and password out and the world in made up almost entirely of idiots.
Yes, you're SOL. When you use 2FA you're basically telling Apple, "Under no circumstances are you allowed to ever reset this account without me giving you the recovery key."
https://en.m.wikipedia.org/wiki/Strong_cryptography
Not going to happen.
where did that title come from?
There are many other encryption products for Android. Al-Fajr, one of Al-Qaeda’s media arms, released a new Android encryption application early June 2014 on their website. […] GIMF, another media arm of Al-Qaeda, also launched a new version of their Android software since our last post. Interestingly, between these two new product releases this continues the bet on mobile and Android as the preferred platform for these groups. The large availability and affordability of Android phones, especially in underdeveloped countries, is probably the reason for this.
https://www.recordedfuture.com/al-qaeda-encryption-technology-part-2/