Apple today launched Advanced Data Protection, a new optional end-to-end encryption scheme that prevents data in a customer’s iCloud from being decrypted on an “untrusted” device. Specifically, Advanced Data Protection would keep most data in an iCloud account safe even if Apple were hacked and, as a Wall Street Journal article points out, would prevent Apple from accessing phone backups. from iCloud in response to requests from law enforcement.
Currently available in the US to members of Apple’s Beta Software Program and coming to all US users by the end of the year (with the rest of the world to follow in 2023), Data Protection Advanced gives iCloud users’ trusted devices (for example, iPhones and Macs) exclusive access to the encryption keys for most of their data. (For the uninitiated, encryption keys are random strings of bits generated specifically for encrypting and decrypting data.) Once the feature is enabled, Apple’s servers cannot modify certain iCloud settings on behalf of users or access data stored in iCloud backups, Photos, Notes, and CloudKit fields that third-party developers choose to to mark as encrypted.
Before the release of Advanced Data Protection, iCloud users couldn’t prevent Apple from reviewing the content of their device backups, including text messages and contacts, if they wanted to. Readers may recall the tech giant’s fight with the FBI over the encrypted data on the San Bernardino shooter’s iPhone, during which the agency tried to force Apple through the courts to unlock a protected iPhone. At the time, Apple argued that the FBI could access the data it sought through unencrypted iCloud backups on its servers.
Image Credits: Apple
In particular, Advanced Data Protection doesn’t work with iWork collaboration tools, Shared Albums in Photos, iCloud Mail, Contacts, or Calendar; Apple blames interoperability requirements. And to enable the feature, users need to enroll in two-factor authentication for their Apple ID and set a password or passcode on their devices, as well as update those devices to the latest available software (iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, and the latest version of iCloud for Windows).
Advanced Data Protection is not yet supported for Managed Apple IDs and child accounts, Apple clarifies in a support document.
A word to the wise, the penalty for not establishing a recovery method for advanced data protection is quite high. Apple notes that if the recovery fails, for example, if a recovery contact’s information is out of date, all encrypted iCloud data will be lost.
Along with advanced data protection, Apple this morning announced two other security-related capabilities coming to its ecosystem of products: iMessage Contact Key Verification and Security Keys.
Contact Key Verification in iMessage allows users “facing extraordinary digital threats,” such as journalists and members of the government, to choose to further verify that they’re messaging only with the people they’re addressing. Apple says iMessage Contact Key Verification will send an alert if an adversary breaches cloud servers to eavesdrop on encrypted communications and will allow users to compare a special ID verification contact verification code in person, at FaceTime or through a secure call.
Meanwhile, Security Keys builds on Apple’s existing two-factor authentication system by requiring a hardware security key as one of the two factors to authenticate a person’s Apple ID credentials. Hardware keys come in a variety of flavors and price points, and typically use Bluetooth, NFC, or USB to authenticate.
Apple says that both iMessage contact key verification and Apple ID security keys will be available globally starting in 2023.