Ars Technica reports on privacy, encryption and Apple’s iCloud service. “Cloud computing” is where you upload, store and access your data at an online service owned or operated by others. Microsoft, Google, Apple and many others offer these services. (Read a previous post for more on privacy and security questions surrounding cloud computing services.) Ars reports:
Ars recently attempted to delve into the inner workings of the security built into Apple’s iCloud service. Though we came away reasonably certain that iCloud uses industry best practices that Apple claims it uses to protect data and privacy, we warned that your information isn’t entirely protected from prying eyes. At the heart of the issue is the fact that Apple can, at any time, review the data synced with iCloud, and under certain circumstances might share that information with legal authorities. […]
In short, Apple is taking measures to prevent access to user data from unauthorized third parties or hackers. However, iCloud isn’t recommended for the more stringent security requirements of enterprise users, or those paranoid about their data being accessed by authorities.
As we noted in our original investigation, Apple can potentially decrypt and access all data stored on iCloud servers. This includes contacts, notes, unencrypted e-mails, application preferences, Safari bookmarks, calendars, and reminders. […]
In particular, [security researcher and forensic data analysis expert Jonathan Zdziarski] cited particular clauses of iCloud Terms and Conditions that state that Apple can “pre-screen, move, refuse, modify and/or remove Content at any time” if the content is deemed “objectionable” or otherwise in violation of the terms of service. Furthermore, Apple can “access, use, preserve and/or disclose your Account information and Content to law enforcement authorities” whenever required or permitted by law. Apple further says that it will review content reportedly in violation of copyright under DMCA statutes.
“If iCloud data was fully encrypted, they wouldn’t be able to review content, provide content to law enforcement, or attempt to identify DMCA violations,” Zdziarski told Ars.
Securosis CEO Rich Mogull agreed that iCloud’s encryption model gives Apple this access.
“iCloud data is encrypted only for transport, and not on a per-user basis for the data itself,” Mogull told Ars. “Apple may still encrypt data on the drives, but they have to have the key.”
In other words, to provide the variety of services Apple offers, Apple must hold the encryption key to your encrypted data. “If you can access something with a webpage, that means the webserver has the key,” Mogull explained. “Thus we know that Apple could access at least anything iCloud related that shows in the browser. This is true of Dropbox, box.net, and nearly everyone else—if you can see it in a browser, they can see it on the server. iCloud data isn’t encrypted with a user-defined key—it’s protected with keys that Apple defines and controls.”
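
The two key-custody models Mogull contrasts, sketched with Node's built-in `crypto` module. This is an added example, not code from Ars Technica or Apple, and it does not model iCloud's actual implementation. The class and function names, the passphrase, and the sample note are hypothetical.

```javascript
const crypto = require('crypto');

// AES-256-GCM helpers shared by both models.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8'); // throws on wrong key
}

// Model A (hypothetical service): encrypted at rest, provider holds the key.
class ProviderKeyStore {
  constructor() { this.key = crypto.randomBytes(32); this.blobs = new Map(); }
  put(user, text) { this.blobs.set(user, seal(this.key, text)); }
  // The same call serves the web UI, a content review, or a legal request.
  serverRead(user) { return open(this.key, this.blobs.get(user)); }
}

// Model B (hypothetical): key derived from a user passphrase on the client;
// the server only ever stores salt + ciphertext.
function deriveKey(passphrase, salt) {
  return crypto.pbkdf2Sync(passphrase, salt, 200000, 32, 'sha256');
}
function clientEncrypt(passphrase, text) {
  const salt = crypto.randomBytes(16);
  return { salt, ...seal(deriveKey(passphrase, salt), text) };
}
function clientDecrypt(passphrase, blob) {
  return open(deriveKey(passphrase, blob.salt), blob);
}
// Can the server read a stored blob with a key it holds?
function serverCanRead(serverKey, blob) {
  try { open(serverKey, blob); return true; } catch { return false; }
}

// Constructed sample data.
const NOTE = 'dentist 3pm (constructed sample)';
const provider = new ProviderKeyStore();
provider.put('alice', NOTE);
const userBlob = clientEncrypt('correct horse battery', NOTE);
console.log('A: server reads ->', provider.serverRead('alice'));
console.log('B: server can read ->', serverCanRead(provider.key, userBlob));
console.log('B: client reads ->', clientDecrypt('correct horse battery', userBlob));
```

In model B the server cannot render the note in a web page or recover it after a forgotten passphrase, which is the trade-off behind "if you can see it in a browser, they can see it on the server."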