The iCloud Loophole

Walt Mossberg, writing for The Verge:

Apple has drawn a line in the sand over keeping its customers’ iPhones encrypted and secure. It’s fighting the FBI in a California court over the Bureau’s demand that it create a special, weaker version of iOS that would make it easier for government computers to crack the passcode on a phone and thus reveal its contents. This week, the company won a big victory when a federal judge in New York strongly upheld its objections in a similar case. But the battle is far from over and is likely to be settled in either the Supreme Court or Congress…
But there’s an exception, a loophole, in Apple’s unyielding stance on privacy and encryption: its iCloud service, and, specifically, iCloud Backup — the convenient and comforting automatic way in which iPhones and iPads back themselves up to the cloud daily…
Unlike the iPhone hardware itself, Apple retains the ability to decrypt most of what’s in an iCloud backup. And the company on occasion turns the contents of iCloud backups over to the FBI and other law enforcement agencies when a proper legal warrant or court order is presented.

It is important to point out that Apple can and will turn over iCloud backups to the FBI and other government agencies. While the data on your phone stays on your phone, most information, including app data and messages, is saved to an iCloud backup on most people’s devices.

Apple actually tried to give the FBI the San Bernardino shooter’s iCloud backup, but for a yet-to-be-explained reason, the FBI reset the shooter’s Apple ID, meaning they couldn’t get a brand new backup. This is a major point in the argument that the FBI may be trying to use Apple to set a precedent and may not actually care about what is on the phone.

The company says its security policies for the phone are based on the fact that it’s a physical object that can be lost or stolen, so the need to protect the mass of personal data a typical iPhone contains compels the strongest possible measures.
However, in the case of iCloud, while security must also be strong, Apple says it must leave itself the ability to help the user restore their data, since that’s a key purpose of the service. This difference also helps dictate Apple’s response to law enforcement requests. The company’s position is that it will provide whatever relevant information it has to government agencies with proper, legal requests. However, it says, it doesn’t have the information needed to open a passcode-protected iPhone, so it has nothing to give. In the case of iCloud backups, however, it can access the information, so it can comply.

Walt has some good information on what other companies’ policies are and what you can do to turn off iCloud backups. It’s worth a read.