
Comment by romanovcode

1 month ago

The flaw is that they had those keys to begin with. What's the point of encryption if the key is available and free to use? Same with iCloud Email.

Privacy cannot come from human-made laws and regulations because they get abused or they change. Privacy comes from mathematics, which does not care for laws and regulations.

The main threat model here is a stolen/lost device or an unscrupulous repair shop, not a government agency with a warrant.

You also do not have to back up keys in the cloud; however, for most users it’s the best solution, since for them data recovery in case of a hardware failure is more important than resiliency against state-level adversaries.

  • I am an Apple ecosystem lifetime participant. I have recovery and legacy contacts. What I would love is for those contacts to have the encryption key(s) for my data shared with them so they can provide me with recovery options if needed, but Apple cannot.

    Certainly, nation state actors could pursue those people to obtain access to key material, but that is a different hill to climb than simply sending requests to Apple, especially for contacts outside of the jurisdiction or nation state reach. Perhaps Shamir's secret sharing would be a component of such an option (you need X out of Y trusted contacts to recover, 2 out of 3 for easy mode, 3 out of 5 for hard mode).

Don't include iCloud in this.

https://www.youtube.com/watch?v=BLGFriOKz6U&t=1993s

  • Apple can recover your keys also unless you enable ADP.

    With MSFT, cloud backup of keys is an opt-in. With Apple it’s an opt-out.

  • I will include iCloud in this because their email has nothing to do with ADP and is accessible by any agency that would ask.

    • Mailbox encryption is near pointless since at the least it needs to be encrypted at both ends, not to mention relays.

      For email, each individual message should be encrypted if you want any confidentiality, and even then the metadata is in the clear.

      And this is because in order to send or receive an email the provider needs to access it. If they put it into a box later on to which they do not hold the key that is just security theater at that point.

  • Dude, that's from 9 years ago.

    A lot has changed since then and it is common knowledge that Apple regularly gives government agencies access to their systems and hides it from the public until a whistleblower leaks it.

    https://www.reuters.com/technology/cybersecurity/governments...

    In a statement, Apple said that Wyden's letter gave them the opening they needed to share more details with the public about how governments monitored push notifications. "In this case, the federal government prohibited us from sharing any information," the company said in a statement. "Now that this method has become public we are updating our transparency reporting to detail these kinds of requests."