Hacker News new | comments | show | ask | jobs | submit login

If you're an iOS user who becomes the target of an investigation by a law enforcement or intelligence agency, remember your data is likely unencrypted in the cloud. So if your device is inaccessible, your email, your location history, your text messages, your phone call history will probably remain accessible. Apple acknowledges, for example, that "iCloud does not encrypt data stored on IMAP mail servers": http://support.apple.com/kb/HT4865

[Edited because it now seems unclear which Apple policies have changed.]

> though the celeb hacking shows the limits of that approach

Apple has clearly stated that its system was not compromised.

The user reset questions were socially engineered meaning it is irrelevant whether or not the data is encrypted. From Apple's perspective the owner of the data is downloading it.

> The user reset questions were socially engineered

Yep, you're right. My point, perhaps poorly stated, is that if Random Hacker X can figure out the answers to the iCloud reset questions, so can a law enforcement agency. Then they can log into that account. Impersonating someone this way is legal -- or at least has not been ruled to be illegal -- as long as it's done under court supervision under the Wiretap Act or similar legal authority authorizing prospective surveillance.

Possibly related: I disclosed last year that the Feds have demanded that major Internet companies divulge targeted users' stored passwords, and in some cases the algorithm used and the salt: http://www.cnet.com/news/feds-tell-web-firms-to-turn-over-us...

> if Random Hacker X can figure out the answers to the iCloud reset questions

Answers about very famous people. Wikipedia will not tell me your mothers maiden name.

Also, as much as I sympathise with the women whose accounts were breached, actors aren't always the sharpest tools in the shed, and phishing schemes are a common tool for gaining access to other peoples accounts. One of them (I don't remember which) publicly claimed iCloud backup for her iPhone was "too complicated" a while ago. Given that it's as complicated as "turn it on, and make sure it gets plugged into power with Wifi every so often", I don't doubt some of them would fall victim to even a very simple phishing scam.

You don't have to guess -- they specify exactly what is encrypted in iCloud;

  "On devices running iOS 8, your personal data such as photos,
  messages (including attachments), email, contacts, call history,
  iTunes content, notes, and reminders is placed under the
  protection of your passcode."

But "iCloud does not encrypt data stored on IMAP mail servers" or Notes


How is Apple supposed to encrypt data stored on servers they do not own?

> iCloud does not encrypt data stored on IMAP mail servers

Well, no shit. If they did that I'd log into my Gmail web interface and see encrypted gobbledygook instead of my emails.

Like how when you use a password to open an encrypted zip file it's all gobbledygook inside?

Google isn't going to let iCloud embed a decryption UI into their webmail tool.

"Last Modified: Dec 12, 2013".

That December 2013 page is linked to from today's announcement, under "Learn more about iCloud security." See: http://www.apple.com/privacy/privacy-built-in/

Also note that today's announcement says Mail and Notes are "encrypted in transit" only. In other words the December 2013 page remains current.

OK. You win 2 internets. And fuck that highly misleading ad copy, Apple. :-(

[Edit] - Clearly something is off here. iPhone keeps a copy of the last several hundred emails downloaded from my IMAP server, I would expect an iCloud backup of those emails would be "under the protection of the passcode" (a.k.a encrypted).

That doesn't mean Apple is somehow encrypting the messages stored on my IMAP server. Likewise, it doesn't mean Apple is encrypting customer emails stored on their @iCloud.com (or whatever) email servers....

I'm going to assume there are just some wires crossed here, but I do hope they clean up the document and clarify this.

In the end this is not about an information security solution (which is measured by the weakest link). This is about engineering consumer expectations. Privacy and security must be measured in terms of the overall digital-economic ecosystem. Systems at the margins of everyday consumer experience will determine how absolutely secure any computation can be. Consider the baseband processor in each iphone.

I think companies like apple and google are undertaking PR exercises like this in the hopes of finding that sweet-spot between the sense of crisis (excitement?) that smart phone ownership brings and the banal integration of technology into everyday life. There _are_ government requests, but they do not affect _you_. maybe. So my question: Is government surveillance now officially part of the iPhone experience?

To the extent that a debate exists, apple is engaging and steering that discussion. This is just pure organizational reflex. And it's cynical in some sense, but apple doesn't really have a choice in the matter either. Ultimately it is what the US officials consider to be an acceptable level of visible surveillance, which is a political consideration.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact