Apple Expands iCloud Encryption, Moves Away From Client-Side Scanning

Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images

SOPA Images/LightRocket via Getty Images

Apple has announced plans to expand end-to-end encryption of iCloud data in a move that’s been welcomed by digital rights groups.

A new Advanced Data Protection feature will allow users to encrypt new categories of data, including device backups, messages, photos, notes, chat histories and more.

The only major iCloud data categories not covered, says Apple, are iCloud mail, contacts, and calendar, because of the need to interoperate with the global email, contacts, and calendar systems.

The new feature is aimed at politicians, celebrities and, indeed, anybody concerned about privacy. It will be available on the iPhone, iPad, and Apple Mac, with iOS 16.2, iPadOS 16.2, and macOS 13.1, in the US by the end of this year, with it extending to other countries in 2023.

“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices,” says Ivan Krstić, Apple’s head of security engineering and architecture.

The announcement also represents a move away from client-side scanning (CSS), which Apple announced last year – but which was roundly slammed by cyber security experts.

That involved searching individual devices’ iCloud photo libraries for child sexual abuse material (CSAM) using a technology called NeuralHash and then comparing them with known CSAM material and reporting suspect images to the police.

Instead, the company now says it plans to focus on opt-in tools for parents.

As a result, the new data protection feature has been broadly welcomed by campaigners.

“Encryption is one of the most important tools we have for maintaining privacy and security online,” says Joe Mullin, a policy analyst at the Electronic Frontier Foundation (EFF). “We’re also pleased to hear that Apple has officially dropped its plans to install photo-scanning software on its devices, which would have inspected users’ private photos in iCloud and iMessage.”

He says he would, though, like to see Apple go further by turning on the new features by default.

Meanwhile, the Center for Democracy and Technology (CDT) says the new child protection plans should make it easier to accurately detect and inhibit the sharing of intimate photos through messaging to or from a child.

“The approach of local-only ‘speed bumps’ is promising. When parents opt in, local software can attempt to detect when an intimate image is about to be sent and include a warning to the child, explaining the risks and suggesting contacting a trusted adult instead,” write the CDT’s Mallory Knodel and Nick Doty.

“We believe that speed bump warnings around sending intimate imagery, done properly, can empower users to have agency over their confidential communications without introducing the expansive risks of client-side scanning or cloud-service scanning.”

However, not all are so happy. In a statement to The Washington Post, the FBI said said it was ‘deeply concerned’ about the move. “This hinders our ability to protect the American people from criminal acts ranging from cyber-attacks and violence against children to drug trafficking, organized crime and terrorism,” it said.