As tensions escalate in a public spat between Apple and federal officials over the company’s apparent refusal to unlock two iPhones belonging to the Pensacola shooter, a new report claims that Apple recently killed a plan to fully encrypt iPhone backups in iCloud following pressure from government agencies.
Citing Apple and FBI sources familiar with the matter, Reuters reported Tuesday that the company approached the FBI “more than two years ago” to inform the agency that it planned to allow users to end-to-end encrypt the backups, a security measure that would better protect user data but would mean Apple would not be able to access it. Of course, this would also mean that Apple would no longer be able to hand over data to law enforcement officials, a fact that evidently did not sit well with the FBI.
Reuters reported that the project, which it said was “variously code-named Plesio and KeyDrop,” was killed sometime after. While a former Apple employee told Reuters the encryption plan could have been killed for reasons unrelated to the FBI talks, such as users struggling to access to their own data, two former officials with the agency told Reuters that Apple was swayed by the FBI’s position that access to iPhone data can prove to be of paramount importance in some investigations.
Currently, data access can be tricky for the FBI, and relies on a range of tools that can’t always do the trick. Besides exploiting unpatched vulnerabilities to gain access to an iPhone, one of the non-Apple resources that the FBI uses to brute-force its way into iPhones is a tool called GrayKey, a kind of password-cracker. But the process for this tool can be limited by the specific password settings on the phone, such as the length of passcode and whether it’s alphanumeric.
The biggest argument against giving law enforcement a key for the data stored on iPhones is that it could open up devices to attacks by bad actors. In a statement to Gizmodo last week, Apple said “there is no such thing as a backdoor just for the good guys. Backdoors can also be exploited by those who threaten our national security and the data security of our customers.”
Apple’s ditched plans for end-to-end iCloud encryption is, as Reuters noted, a massive benefit to the FBI, which hasn’t been able to get into two phones belonging to the shooter in the Pensacola case. Officials have engaged in some highly questionable dramatics over the company’s refusal to unlock the phones. Yet Apple said last week, specifically with respect to the Pensacola, that FBI requests for data “resulted in many gigabytes of information that we turned over to investigators. In every instance, we responded with all of the information that we had.”
Cryptographer Matthew Green made a really good argument in a 2012 blog post about Apple’s encryption process, namely that it behooves Apple to create a cloud service that prioritizes “recoverability over security.” Much like the current one in place. But that also means that, quite unfortunately, Apple holds your data for you and can share it with the government as it sees fit, as evidenced by the 1,568 cases in which it handed data over user data to the government during the first half of last year alone. It’s not necessarily a backdoor, but it definitely feels like one.
Apple has positioned itself repeatedly as a benevolent data lord that prioritizes the privacy of its users above all else. And certainly in many ways, it does. But with respect to the end-to-end encryption plan, one former FBI official who spoke to Reuters said “Apple was convinced” of the agency’s arguments for maintaining some level of access to iPhone data.
“Outside of that public spat over San Bernardino, Apple gets along with the federal government,” the official said.
We’ve reached out to Apple for comment and will update should we hear back.