Closing the Loophole: Effects of Apple’s New Advanced Data Protection for iCloud

By: Kendall Casey

Apple has rolled out a new way to protect data.  Previously, Apple promised that iPhone data was end-to-end encrypted, meaning only the user could access it.  However, once the iPhone backed up to iCloud, Apple could access it, and, therefore, the data could be subject to a warrant from law enforcement.  As cloud storage has increased significantly over the years, Apple has decided to close the loophole – by offering Advanced Data Protection for iCloud.  While the policy will protect people’s information from data breaches and unwanted eyes, it will also affect data collection and processing for e-discovery professionals and law enforcement.

End-to-end encryption is a method that prevents third parties from accessing or retrieving data while it transfers from one device to another.  On an Apple device, data is end-to-end encrypted, meaning Apple cannot access it because the user retains the Apple ID and password.  Under Apple’s Standard Data Protection, fourteen categories, including iMessage, FaceTime, and Health data, are end-to-end encrypted.  However, when the iPhone backs up to the cloud, Apple retains the key and can access and retrieve the data.

This provided a powerful loophole for law enforcement.  If law enforcement could not compel a person to unlock their phone, they could get a warrant and obtain the data from Apple directly.  For example, the FBI and Apple had a drawn-out legal battle in 2016 when Apple refused to break the encryption on the iPhone that belonged to the gunman involved in the San Bernardino mass shooting.  However, the FBI and law enforcement later realized that the iCloud backup was not encrypted, so they could obtain the data there.

In December, Apple launched new security features to provide users with the highest level of cloud security.  One of these is Advanced Data Protection for iCloud, which, when turned on, allows the user to retain exclusive access to the encryption key.  This provides the same end-to-end encryption as the Standard Data Protection, but increases the number of data categories from 14 to 23 and now includes iCloud Backups.  Since Apple does not keep the key, users are the only ones who can recover their data, using a device passcode, recovery contact, or recovery key.  Apple also released the Security Key, a hardware security key that would provide added protection by requiring the physical key in conjunction with the device passcode to access the user’s cloud data.

The Advanced Data Protection is beneficial because it allows people to protect their data from hackers and unwarranted government intrusion.  It also protects people from data breaches, which have increased immensely.  For example, between 2013 and 2021, the total number of data breaches tripled, exposing 1.1 billion personal records in 2021 alone.  The new protection gives people privacy for their documents in an increasingly digital age by keeping hackers and others out.

While the Advanced Data Protection aims to protect people’s privacy, it simultaneously hinders professionals’ efforts to obtain information.  Law enforcement argues that end-to-end encryption “hinders [their] ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism. . . .”  The Advanced Data Protection also raises evidentiary and e-discovery issues.  E-discovery professionals will need to obtain the key to access the information on the cloud.  If the key is lost or forgotten, Apple will not be able to help recover the key or the data.

When considering Apple’s new policy, it is essential to weigh user privacy and public safety.  The new policy provides privacy to people who want it and protects people from hackers and data breaches.  However, it also takes away a valuable tool for law enforcement.  Nevertheless, the new policy will not completely inhibit law enforcement efforts.  Instead, it will simply be an extra hurdle in protecting people’s privacy from those who should not have access to it.

With the increase in cloud storage, Apple has rolled out a new way to protect data: Advanced Data Protection for iCloud.  Data stored on an iPhone is end-to-end encrypted and can only be accessed by the user entering the decryption key.  However, when the phone is backed up to iCloud, Apple retains the decryption key and, therefore, can obtain the data subject to a warrant from law enforcement.  The new Advanced Data Protection will provide privacy to users but will also make law enforcement and e-discovery more difficult.  In an increasingly digital age where most people use iCloud, the Advanced Data Protection will help protect people’s privacy from data breaches and unwanted eyes.

 

Student Bio: Kendall Casey is a second-year law student at Suffolk University Law School.  She is a staff writer for the Journal of High Technology Law.  Kendall received a Bachelor of Science in Business Management and a Bachelor of Arts in Spanish Studies from the University of Delaware.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
