[Edited because it now seems unclear which Apple policies have changed.]
Apple has clearly stated that its system was not compromised.
The user reset questions were socially engineered, meaning it is irrelevant whether or not the data is encrypted. From Apple's perspective, the owner of the data is downloading it.
Yep, you're right. My point, perhaps poorly stated, is that if Random Hacker X can figure out the answers to the iCloud reset questions, so can a law enforcement agency. Then they can log into that account. Impersonating someone this way is legal -- or at least has not been ruled to be illegal -- as long as it's done under court supervision under the Wiretap Act or similar legal authority authorizing prospective surveillance.
Possibly related: I disclosed last year that the Feds have demanded that major Internet companies divulge targeted users' stored passwords, and in some cases the algorithm used and the salt:
Answers about very famous people. Wikipedia will not tell me your mother's maiden name.
Also, as much as I sympathise with the women whose accounts were breached, actors aren't always the sharpest tools in the shed, and phishing schemes are a common tool for gaining access to other people's accounts. One of them (I don't remember which) publicly claimed iCloud backup for her iPhone was "too complicated" a while ago. Given that it's as complicated as "turn it on, and make sure it gets plugged into power with Wifi every so often", I don't doubt some of them would fall victim to even a very simple phishing scam.
"On devices running iOS 8, your personal data such as photos,
messages (including attachments), email, contacts, call history,
iTunes content, notes, and reminders is placed under the
protection of your passcode."
Well, no shit. If they did that I'd log into my Gmail web interface and see encrypted gobbledygook instead of my emails.
Also note that today's announcement says Mail and Notes are "encrypted in transit" only. In other words the December 2013 page remains current.
[Edit] - Clearly something is off here. iPhone keeps a copy of the last several hundred emails downloaded from my IMAP server; I would expect an iCloud backup of those emails would be "under the protection of the passcode" (a.k.a. encrypted).
That doesn't mean Apple is somehow encrypting the messages stored on my IMAP server. Likewise, it doesn't mean Apple is encrypting customer emails stored on their @iCloud.com (or whatever) email servers....
I'm going to assume there are just some wires crossed here, but I do hope they clean up the document and clarify this.
I think companies like Apple and Google are undertaking PR exercises like this in the hopes of finding that sweet-spot between the sense of crisis (excitement?) that smart phone ownership brings and the banal integration of technology into everyday life. There _are_ government requests, but they do not affect _you_. Maybe. So my question: Is government surveillance now officially part of the iPhone experience?
To the extent that a debate exists, Apple is engaging and steering that discussion. This is just pure organizational reflex. And it's cynical in some sense, but Apple doesn't really have a choice in the matter either. Ultimately it is what the US officials consider to be an acceptable level of visible surveillance, which is a political consideration.