Apple’s End-to-End Encryption of Cloud Data a Victory for Privacy, Security and Safety
Apple’s new features and service commitments that provide broader accessibility of strong end-to-end encryption are a victory for privacy and security, including safer online services for children.
CDT is encouraged that Apple has taken on board our and other advocates’ and experts’ advice in moving away from client-side scanning, which introduced surveillance and security risks (What Could Go Wrong?) in addition to fundamental civil liberties concerns (Bugs in our Pockets). We are also encouraged that Apple is moving towards ongoing protections for children, parents and other users to protect data stored in the cloud and provide on-device cues for safer communication.
In addition, Apple will offer stronger protections for authenticating accounts and communications and, most importantly, the option of end-to-end encryption of most data that users back up to their iCloud service.
End-to-end encryption of iCloud data, in which no one but the end user – not even Apple itself – can access the data in the cloud, provides a protection (only opt-in for now) for backing up files, notes, photos and other sensitive data to the cloud without risking access by either hackers or government actors. Those are important protections for consumers and businesses, and can also provide important protections for intimate imagery that could be leaked and abused.
Apple plans to offer these encrypted backup services in the U.S. by the end of this year, extending to other countries next year. We look forward to seeing fully end-user encrypted cloud storage technology rolled out worldwide, as these protections are also especially important for people living in countries with authoritarian, unaccountable governments.
Along with offering the protections of end-to-end encryption for photos, notes and backed up files, Apple has also expressed interest in expanding features, for their software and for third-party apps, to detect and inhibit the sharing of intimate photos through messaging to or from a child.
This effort is important, but the exact implementation details matter a lot – detecting nudity can be complex and any unwanted disclosure of messages could be harmful to children. The approach of local-only “speed bumps” is promising. When parents opt in, local software can attempt to detect when an intimate image is about to be sent and include a warning to the child, explaining the risks and suggesting contacting a trusted adult instead.
We believe that speed bump warnings around sending intimate imagery, done properly, can empower users to have agency over their confidential communications without introducing the expansive risks of client-side scanning or cloud-service scanning. Locally controlled speed bumps on receiving potentially explicit imagery are also welcome, for children and many other people.
Client-side scanning schemes, in which a user’s own device would scan content to detect illegal or violative content before messages are encrypted, have been proposed before and will be proposed again. Earlier this year, Meta made clear that they would not pursue client-side scanning for their end-to-end encrypted messaging services (including WhatsApp) because of the risks of abuse and the violation of privacy expectations (Expanding End-to-End Encryption Protects Fundamental Human Rights).
We call on other companies to follow the examples of Apple and Meta in rejecting client-side scanning schemes that create the potential for harms for users as their applications or device operating systems are turned against them and their best interests. And we call on other companies to join Apple in providing strong end-to-end encryption for more of the data that people store in cloud services. We anticipate more services will compete to provide users with this additional privacy and security protection.
These announcements do not mean that the work is complete. In particular, securing data with end-to-end encryption is most effective when done by default and for all kinds of data, so that most users can benefit without having to decide in advance that they should opt in to protection against a hack or government-compelled access that can be hard to predict.
This announcement is a step towards providing the protection of end-to-end encryption to more users and more of their data. We look forward to the continued industry-wide project of making end-to-end encryption strong, usable and interoperable and of designing technology to help support children without intrusive surveillance. That ongoing project must be industry-wide and must include experts and advocates. We are pleased that such advice made a difference here.