In plain language, what Apple decided to do was to encrypt data on the iPhone in a way that can’t be decrypted by anyone who doesn’t know the passphrase. Now let’s dig into the story a bit:
The new security in iOS 8 protects information stored on the device itself, but not data stored on iCloud, Apple’s cloud service. So Apple will still be able to obtain some customer information stored on iCloud in response to government requests.
Google has also started giving its users more control over their privacy. Phones using Google’s Android operating system have had encryption for three years. It is not the default setting, however, so to encrypt their phones, users have to go into their settings, turn it on, and wait an hour or more for the data to be scrambled.
That is set to change with the next version of Android, set for release in October. It will have encryption as the default, “so you won’t even have to think about turning it on,” Google said in a statement. [Emphasis mine]
Google must have used a crystal ball when it decided to add the same feature that Apple added to Android phones a year and a half before anyone had heard of Edward Snowden. And since Jennifer Lawrence has taught us that it’s pretty damn hard to keep your data out of iCloud, and other news coverage has shown that cellular carriers collect a massive amount of data about your locations, calls and texts, encrypting your mobile device is really the sleeves of a vest when it comes to privacy and the NSA. What Snowden’s leaks showed was that the NSA was gathering data from cloud services, not from some exploit targeted at individual devices. So, if Apple’s decision to encrypt the iPhone is a response to any branch of government, it’s local law enforcement, who are used to downloading the entire contents of a suspect’s phone at will. Never mind all that, though, because anything that ever happens related to data security in the last year or so is due to Snowden.
Similarly, since the narrative is that the Clintons hate the media, every time a reporter doesn’t have the access they want to the Clintons, it’s due Hillary and Bill’s irrational hatred of the press.
different-church-lady
Unless you don’t use iCloud.
Or you could just keep insisting on your misunderstanding.
MattF
Also, it’s important to bear in mind that ‘metadata’ is data:
http://kieranhealy.org/blog/archives/2013/06/09/using-metadata-to-find-paul-revere/
And this is what NSA collects and collates.
Citizen_X
Jesus Heironymous Christ, could you decrypt this post, please, or at least have another cup of coffee and try revising? Apple added features to Android phones? Sleeves of a vest? Is that bit about Snowden and data security sarcastic?
I think I understood it up through that point (after several readings) but what does that have to do with “narrative” and the Clintons?
Doc Sportello
Awhile back, I read Apple’s statement in regards to what information can be given to law enforcement, and I think the Times got it wrong.
i think pretty much everything in the iCloud (with the exception of songs and third-party data) is now being encrypted.
As were Jennifer Lawrence’s photos, so the onus is on the user to come up with a (very) strong password, something that Keychain Access (or any decent password manager) can help out with.
I’ll pull Apple’s statement and read it again.
ruemara
@MattF: details are irrelevant when we have our own narrative.
Chris
I certainly can’t imagine why the Clintons would want to stick up their middle finger at a media that spent most of the nineties obsessed with Hillary’s hairdo and Bill’s sex life, ended the decade by repeatedly calling for his resignation or impeachment, and turned into a full fledged arm of the Bush campaign throughout the year 2000.
(And I’ve loved the way Obama treats them as the irrelevant nuisance they are. Hoo boy, are the howls loud on THAT count).
Villago Delenda Est
I’m sorry, but hatred of the scum of the Village is not irrational. It’s perfectly sensible and logical.
My nym. Again and again.
Wipe them out…all of them.
Howard Beale IV
Microsoft’s BitLocker encryption has been on by default since the launch of Windows Phone in October 2010.
Emma
@Villago Delenda Est: I used to think you were too harsh. Now I think you’re not harsh enough. Wipe them out, burn every building to the ground, salt the spaces.
Villago Delenda Est
@different-church-lady: The moral of the story is don’t use someone else’s computer to store any of your data. Because once it’s on their computer, it’s out of your control. I thought we all learned this from the Anthony Weiner misadventure.
“The Cloud” is ITmarketdroid speak for “someone else’s computer”.
Starfish
@Citizen_X: Apple phones have a new feature attributed to security needed after Snowden exposed how insecure everything is. However, this feature was available in Android phones before any of us had heard of Snowden so the story about the reason behind the phone’s feature is fake.
different-church-lady
@Villago Delenda Est: Yes, I understand. I agree. But it would appear Mister is still under the impression that Apple will store your stuff in iCloud in some automatic form without your even having an iCloud account.
Which, ironically seems to be a minor instance of the same sickness he’s criticizing.
Villago Delenda Est
Yet, as Atrios points out:
It’s because the worthless vermin of the Village are royalist scum who should all be put on tumbrels and shipped to the Place de la Concorde for processing.
Baud
I never turned on the encryption on my android because I thought it would slow the phone down. Does anyone have any experience with using that feature?
Villago Delenda Est
@different-church-lady: Well, yeah, you’re quite right about that.
If you opt in to the iCloud, well, you’re on you’re own, kid. I’m not so much worried about NSA as I’m worried about ravenous corporations selling my profile data to pen!s pill and breast enlargement spammers. Or financial services spammers. Or Russian dating spammers. Or….well, you get the idea.
Mike in NC
The media are busy at work shaping the narrative that 2016 will be the new 1996. Get used to hearing a lot of sound bites from Newt Gingrich and Dick Morris.
MattF
@Villago Delenda Est: And once you’re on their mailing lists, you’re there forever.
jehrler
Apple has had encryption on the iPhone for years, just like Android.
They have just said that they are no longer going to have a way to break that encryption to respond to a valid search warrant. Good.
But it is not clear from Google’s statement if their encryption, soon to be on by default, will also be impervious to lawful warrant requests.
I assume so but nothing I’ve read states that unequivocally.
Baud
@Villago Delenda Est:
Ha. WSJ sent out a news alert to those who have their app. Did a facepalm when I saw that.
MattF
@Villago Delenda Est: Because it suggests that Chelsea Clinton has sexual organs and has engaged in sexual activity.
different-church-lady
@Baud:
The “toy-ification” of news. It’s been going on for years.
jehrler
@Baud: It shouldn’t slow it down because symmetric encryption is quite fast and the phone processors are more than capable of keeping up.
I don’t believe, unlike Apple’s new encryption, that Android encrypts the individual files on the fly as well. That adds overhead but, at least on iOS, it is of nil importance.
grillo
@Baud: It is almost undetectable to me. I have used it on two different Nexus phones, including the ancient Nexus S. And I saw no real difference.
Fred Fnord
@Doc Sportello: Everything in iCloud is encrypted, but most or all of it can be decrypted by Apple or they couldn’t do the iCloud sharing stuff.
However, it’s quite easy to control what is in iCloud. If you back up your phone to your local computer, then it is only the stuff that you turn on iCloud storage for.
grillo
@grillo: The big worry of course is if you forget your password you are going to have a bad time. So don’t forget your password.
Mike J
@Baud:
If your phone is newish (3-4 years?) any speed loss should be negligible. For older devices it can be noticeable.
different-church-lady
@Fred Fnord: But Jennifer Lawrence taught us that’s wrong! It says so right there in Mistermix’s narrative!
Mike J
@different-church-lady: I would certainly never give any information I cared about to Apple to take care of, but I can’t blame the technologically naïve for believing them when told their stuff was secure.
Baud
Thanks, all. I’ll try it.
different-church-lady
@Mike J: No, Jennifer Lawerence “taught us” that Apple’s gonna stick your data on iCloud, regardless of whether it’s secure:
That’s his narrative and he’s sticking to it.
gene108
If I were the Clintons, I’d demand the media sign loyalty oaths, when they attend Clinton hosted events.
Mike J
@different-church-lady: I do recall that at least one of the victims had deleted her data from iCloud, yet it was still there and hackable. You can blame her for allowing it to go up in the first place, but she should have been able to rectify that mistake.
Emma
Jesus. Sounds like some of you woke up to find The Sainted Reagan pissed on your bowl of Fiber One.
different-church-lady
@Mike J: Which is (a) a perfectly good point and (b) different that the assertion Mistermix is making.
kindness
The Republican machine knows all it has to do is grind away at a target and don’t stop. Worked for the Big Dog. Worked for Obama. It’ll work for Hillary and they’ve already started.
Mike J
@different-church-lady: Making things impossible to delete means it is “pretty damn hard to keep your data out of iCloud,”
randy khan
@Villago Delenda Est: If you’re worried about your profile being sold, then the company you need to worry about is Google. To paraphrase some media genius, if you’re getting something for free, you’re not the customer – you’re the product.
Apple has been pretty clear that it’s never sold or shared customer profile data. One of the problems Apple has had in selling iAds for apps and subscriptions for electronic versions of magazines and newspapers has been its steadfast unwillingness to give any of the data to the people buying the ads or selling the e-publications. It’s even been criticized in the business press for its unwillingness to do so.
On the original topic, I think Apple’s decision was a response to the increasing concerns about hacking, not to law enforcement. Sticking a thumb in the FBI’s eye may have been a bonus, though. Apple, Google, Yahoo and Microsoft (among others) are pretty tired of getting blamed for surveillance that they can’t stop because it’s authorized by warrants, etc., after all.
different-church-lady
@Mike J: No, it means it’s hard to get it out of iCloud, not hard to keep it out of iCloud.
This goes back to his statements on his first iCloud threads, where he asserted that Apple puts your data in into iCloud by default.
Anoniminous
@Villago Delenda Est:
Bingo.
Josie
I clicked on that column of Cillizza’s a day or so ago without realizing whose it was. As I was reading it, I started thinking how stupid and wrong it was. Then I checked for author and saw his name and thought, well, duh. That’s a few minutes of my life I’ll never get back – what a hack he is.
JR in WV
Fibre One sounds more like insulation product than food.
There’s nothing on my phone I wouldn’t allow on a billboard in Times Square.
Pretty much same for my Android tablet, which has legal music, purchased or freely downloadable books, mostly.
My life is boring to outside observers. In here where I live, tho, is exciting. That’s probably not that good a thing.
Tractor work or plumbing, which would be better on a pretty fall day? Or furniture building, the giant shelving project needs finishing work, gluing veneer tape on edges of plywood, then sanding, then polyurethane… Save that for rainy fall days. Plumbing too.
Cookie Monster
First iPhone to offer local storage encryption was the 3GS, which came out in June 2009 — so, Apple has offered optional encryption on iPhones for five years.
Snowden’s identity was released to the public in June 2013.
jeffreyw
Thread is in bad need of moar kitteh. Bea in her own personal habanero cloud.
different-church-lady
@Anoniminous: refinement: “The Cloud” is ITmarketdroid speak for “
someone else’s computerpay us to use someone else’s computer”.Redshift
@Mike in NC: Apparently Dick Morris has a new book about Obama’s secret plan to destroy the GOP (I wish!) and democracy. I learned about it on a NewsMax radio ad, which was inexplicably running on the satellite radio liberal channel.)
MattF
@Redshift: Well, c’mon– Dick “Dick” Morris is a striver, trying to earn his keep.
Baud
@Redshift:
It all starts with winning Ohio. Amirite, Dick?
Robert Sneddon
@different-church-lady: XKCD has the most succinct explanation of what the Cloud actually is and just how fragile it is too.
http://xkcd.com/908/
schrodinger's cat
@jeffreyw: She looks like a queen!
Howard Beale IV
@Baud: Not an issue. ARM-based processors used in smartphones have supported forms of AES acceleration in silicon since the v8 spec-you have to have a pretty low-end and older phone to not have that.
And even if you don’t the impact from the UI side is neglibible.
Howard Beale IV
@different-church-lady: How ironic that what was state-of-the-art in computing/business technologies back in the 1960s/70s (Service bureaus with their own machines) has resurfaced with a new label.
Sorta like taking a copy of some piece of software off the shelf and slapping a new label on it – “Cloud Freindly”
jeffreyw
@schrodinger’s cat: Queen Bea!
schrodinger's cat
@jeffreyw: Indeed, and she also looks a bit annoyed.
schrodinger's cat
BTW I wrote you guys a post about poetry and stuffz and did not eated it.
Violet
Speaking of clouds, it’s cloudy here today and it wasn’t supposed to be. Stupid weather forecasters.
Jim, Foolish Literalist
@jeffreyw: I’ve tried flowering plants that don’t look that good, so I googled thinking that habanero plants might make attractive deer repellent. Google says attractive deer bait.
Rafer Janders
@JR in WV:
I’m assuming you use your phone for email and texting, right? In that case, your phone also has all the communications that dozens or hundreds of your friends and family have sent to you, some of which may contain information that is private and personal to them. Your phone doesn’t just store your data — it stores their data, too.
Jasmine Bleach
iCloud is easy to avoid when setting up a new iPhone or iPad or Mac–there is no automatic sign up and you have to explicitly set it up when activating your piece of hardware. (Having said that, Apple IS making more and more features rely on iCloud–such as Find My Phone and the related ability to kill the phone remotely, easily synching across multiple devices, etc., so if you do not use iCloud, you are missing out on some stuff.)
It’s pretty clear that Apple is responding to both Google/Facebook/Amazon coagulation of data on individuals and government snooping, and is taking active measures to making that harder. Besides this latest encryption-by-default thingy, look what else Apple has done recently:
–Made Macintosh computers by default create and pass randomized MAC addresses (these are computer ID numbers–PCs have them too) to WiFi networks so a single computer cannot be tracked across networks. With a little work, law enforcement (and 3 letter agencies, and corporations) had been able to see when a certain individual computer had logged on to a Starbuck’s WiFi network, and then later in the day logged onto the WiFi network for a hotel, etc. Apple’s change makes tracking this impossible because each time your computer logs on, it uses a random MAC address.
–Apple Pay, where Apple gets almost none off your data, nor does the retailer get much of any data. Only your bank gets details in the process of what you bought, what your credit card numbers are, etc. This one is mostly against corporations tracking you (obviously, law enforcement could request information from banks pretty easily). It seems banks actually prefer Apple Pay versus, say, Google Wallet, because with Google Wallet, Google gets almost all the information the banks have and the company uses it to build a profile on you and pass that along much of that to marketers. Banks think this is a potential security risk to have the information in more than one place, and so they have been heavily promoting Apple Pay.
–Adding DuckDuckGo as a selectable search engine. Google, Bing, and Yahoo build profiles on you when you use their search services. DuckDuckGo does not keep records on anything, so they are unable to respond to law enforcement requests for search information.
These and a few other things Apple is doing (Touch ID, etc.) are making it harder for anyone to invade your privacy, which is a great thing in my opinion. Glad to see Android following suit to a certain extent, although Google’s business model relies upon getting information from consumers, so they’ll never be able to lock things down to the extent Apple can.
None of it is illegal, so law enforcement should shut the hell up and get warrants instead.
Doc Sportello
Here’s a link to Apple’s current set-up for privacy on iCloud. Everything is encrypted except for songs.
There are some vulnerabilities for things like photos, which are shared via iCloud.
“Apple wants you to be able access your photos and other information from your desktop while the phone is locked – for ease of use. This, unfortunately, also opens up the capability for law enforcement to also use this mechanism to dump:
Your camera reel, videos, and recordings
Podcasts, Books, and other iTunes media
All third party application data.”
But — there are ways to seal up these vulnerabilities.
“Fortunately, there are some precautions you can take to ensure your privacy. One small trick is to shut down your iPhone whenever you go through airport security or customs. Why? Because Apple has included a kill switch that prevents your pairing records from being able to unlock your iPhone if it’s been shut down. The pairing record vulnerability only works if you’ve used your phone since it was last rebooted. Secondly, make sure you’re using strong encryption on your desktop / laptops, and make sure your computers are all shut down when not in use… especially when going through airport security. There are a number of forensics tools capable of dumping the memory (and therefore, encryption keys) of your encrypted disk if you’ve left your computer asleep or in hibernate mode. Shut it down.”
Austin Loomis (@aberranteyes)
@Villago Delenda Est:
Fixed that for you.
Eolirin
It should be pointed out that full device encryption on a device that uses fingerprints or a short numeric pin as a passcode is only slightly better than useless. Both are trivially easy to defeat. This is security theater more than anything else.
Jasmine Bleach
@Eolirin:
While there is a lot of truth to this, I’d point out it really depends on the exact situation you’re facing.
Those recent Point of Sale hacker thefts of credit card data and information from Target and Home Depot? If you used Apple Pay (via your fingerprint) you wouldn’t need to worry about it at all.
So, no. Not useless at all. But definitely not 100% secure.
Villago Delenda Est
@randy khan: If your profile can be hacked, it can then be sold by the hacker to some unscrupulous (but I’m being redundant here) corporation that will sell it again and again.
Just because Apple says they won’t sell it doesn’t mean it won’t wind up in the grubby mitts of the V!agra Viva Las Vegas spam team one way or the other, with or without Apple’s knowledge.
Villago Delenda Est
@Redshift: Someone, somewhere, must have a spare 16 Ton weight already on a crane ready to be accidentally dropped on Dick Morris.
I wish they’d hurry up already.
Villago Delenda Est
@MattF: Just like her dear old dad, eh?
Gian
@Doc Sportello:
with the anti-bomb protocol of 1) have your device charged and 2) show that it works I don’t see how most people will stay out of an unpleasant event if they turn the phone off for security.
http://www.digitaltrends.com/mobile/airport-security-new-checks-see-uncharged-tech-devices-banned-flights/
Eolirin
@Jasmine Bleach: Apple Pay is something else entirely, and is, yeah, a big improvement. Just talking about the full device encryption stuff Apple’s rolling out and Google’s turning on by default. File encryption, and even full device encryption, is only as strong as the passcode used to encrypt. Short numeric only pins and Touch ID are incredibly weak passcodes.
mdblanche
The narrative can not fail, the narrative can only be failed. Stop failing the narrative, you dirty blogger.
Doc Sportello
@Gian: Hmmm. Good point.
different-church-lady
@Robert Sneddon:
…damn near anything you can think of!
randy khan
@Villago Delenda Est: It’s true that malefactors can get your profile in any one of a variety of ways, pretty much no matter what any company does about security, particularly if you’re not careful. On the other hand, when a company is in the business of selling your profile, I think it’s fair to say the risks are much higher.
And as to whoever said that a fingerprint scanner is vulnerable, compared to what? It’s actually pretty hard to crack the iPhone one, at least, unless you already have a good fingerprint or, you know, the actual finger, and the fingerprint data is encrypted on the phone and never leaves it.
CONGRATULATIONS!
This is security theater and nothing more. Encrypt all you want. It’s all good unless law enforcement wants a look at your stuff, and then they just get a court order and you can decrypt it for them, or you can rot in jail for contempt of court until you do. Even worse, this principle applies to civil cases as well.
And that’s settled law, for years, with some very rare exceptions.
Encryption only helps with online criminals stealing your personal data and/or nude selfies, which is non-trivial, but it is not even a shell of a defense against the police state and Apple, Google and Microsoft marketing it as such is utterly indefensible.
chelsea530
@Jasmine Bleach:
Well, isn’t that convenient and more profitable for Apple? The fear factor?
Eolirin
@randy khan: Compared to any strong password, the fingerprint scanner sucks. It’d be a lot harder to break a 25 character random alphanumeric password than that thing.
But to be clear, I was speaking in the context of law enforcement having access to your phone, since that’s what the post was about. That fingerprint scanner is worse than any other method of protecting your stuff from the cops. If they have reason to have your phone, they’ll have good prints.
For anyone else, compared to a numeric only pin, it may be a bit harder to get a good enough print to break the scanner than to brute force the pin, but it’d depend. I can think of any number of ways to acquire a finger print if I can also acquire the phone. With both pins and print scanners you do need the device for these kinds of attacks. I’m not talking about cloud based hacks. You’re not any more or less protected against cloud based hacks by full device encryption; it’s only about securing the physical device from direct access by someone who physically has it.
And honestly, that really is usually only going to be law enforcement. You can remote kill or wipe a stolen phone pretty easily nowadays, and it’s generally not going to take most people that long to notice their phone is missing, so short of corporate espionage, I don’t think it’s ever going to be of serious criminal interest.
Bill Arnold
Does somebody know the apple whole-phone encryption enough to comment on the following?
Passphrases that people pick are generally pretty short and can be brute-force guessed, e.g. there is around 10 or 11 bits of information in a randomly chosen english 4 character word, and roughly, 72 (or maybe 80) bits is starting to get irritating to big budget key-guessing hardware.
Bill Arnold
@Eolirin:
What if it’s in a Faraday bag?
Bill Arnold
@Redshift:
This (the secret plan) is just a side project.
randy khan
@Eolirin: Touch ID allows only 5 attempts before it requires the passcode, so it’s not particularly likely someone would break it. You’d probably be better off with trying to guess the passcode from the start (and you have to enter the passcode every time you turn on the phone or if it hasn’t been used for 48 hours). I don’t know the strength of the encryption on the chip that holds the fingerprint information, though, so it could well be less than the equivalent of a 25-character passcode.
And I have to disagree with fingerprint scanners being a bad way to protect your phone from the police. The techniques necessary to turn a lifted fingerprint (or even one from a ten-card) into a usable fingerprint for the scanner on an iPhone are pretty complicated and in the case of the iPhone also require warming up the substrate the fingerprint is on. This isn’t standard police equipment. Of course, if they have you, they’re likely to be able to get a warrant to force you to unlock the phone, provided they can demonstrate that there’s likely to be information on the phone that’s relevant. (For once, the Supreme Court has done the right thing with its case on phones and warrants last term.) But that’s a different kind of problem – as a technical matter if they can get a warrant for that they probably also can get a warrant to make you input the correct passcode.
randy khan
@CONGRATULATIONS!: Personally, I’m not inclined to pooh-pooh the protection against hackers. That’s the risk that the vast majority of us are more likely to face.
As for the police, you’re right (although at least they will have to get a warrant), with the important note that they’d actually have to have the device in hand. They can get whatever warrant they want to get for the data that Apple, Google, etc. have once it’s encrypted and it won’t do them any good unless they can break the encryption.
I think it’s important to understand in these contexts that there never has been protection for personal records of whatever kind from criminal warrants. In the old paper days, you could have locked everything in a vault and the police still could get a warrant for it and break into the vault if you wouldn’t open it for them. The situation with phones (or computers) is no different. What the Apple and Google actions will do is remove what was effectively a new risk – that law enforcement could get information from the cloud without you even knowing about it.
Jasmine Bleach
@chelsea530:
Ummm. I guess so? Apple is just providing some measures of privacy and stating they don’t market your data (or even try to collect much of it) while pointing out that most of their competitors do. Call it marketing on fear if you will (glass half empty). I guess I’d say it’s marketing on privacy (glass half full).
Of course, probably the majority of people don’t give a flip about their privacy, and many actively seek out targeted ads, etc., and they are welcome to all the potential implications that may result from it–whether it’s people stealing their credit card information, or law enforcement building profiles about them, etc. More power to ’em, I guess. I find it nice to have other options, myself.