It’s great that Apple is asserting the importance of privacy. But if they’re really, really serious they’ll stop giving the Chinese government direct access to Chinese users’ iCloud data. And they’ll secure data on iCloud so that government agencies can’t just ask Apple to hand over our WhatsApp, iCloud, Notes, and other data that Apple holds the keys to unlocking and turning over to whoever comes with a warrant. I’m not holding my breath on the former, nor the latter.
Matt Green has a good writeup of the confusion associated with Apple’s decision to relocate Chinese users’ data to data centres in China. He notes:
Unfortunately, the problem with Apple’s disclosure of its China news is, well, really just a version of the same problem that’s existed with Apple’s entire approach to iCloud.
Where Apple provides overwhelming detail about their best security systems (file encryption, iOS, iMessage), they provide distressingly little technical detail about the weaker links like iCloud encryption. We know that Apple can access and even hand over iCloud backups to law enforcement. But what about Apple’s partners? What about keychain data? How is this information protected? Who knows.
This vague approach to security might make it easier for Apple to brush off the security impact of changes like the recent China news (“look, no backdoors!”). But it also confuses the picture, and calls into doubt any future technical security improvements that Apple might be planning to make in the future. For example, this article from 2016 claims that Apple is planning stronger overall encryption for iCloud. Are those plans scrapped? And if not, will those plans fly in the new Chinese version of iCloud? Will there be two technically different versions of iCloud? Who even knows?
And at the end of the day, if Apple can’t trust us enough to explain how their systems work, then maybe we shouldn’t trust them either.
Apple is regarded as providing incredibly secure devices to the public. But as more and more of the data on Apple devices is offloaded to Apple-controlled cloud services, it’s imperative that the company explain both how it is securing data and, moreover, the specific situations under which it can disclose data it is stewarding for its users.
Jon Brodkin, writing for Ars Technica:
Unfortunately, it’s kind of a mess. iCloud Keychain does accomplish the most basic things you’d expect a password manager to do, but it often does so in an awkward manner. Important functionality is hard enough to find that it may be effectively hidden from the average user, particularly on iPhones and iPads.
Ultimately, iCloud Keychain can be put to good use if you’ve carefully examined what it does well and doesn’t do well. It works best as a complement to a complete service like 1Password or LastPass, but it just isn’t convenient and robust enough to act as a standalone password manager.
I think it’s a bit harsh to call it a “mess”, but Brodkin provides a good overview of what iCloud Keychain does. Complaining that it’s not as full-featured as 1Password is like complaining that iPhoto doesn’t do everything Lightroom or Aperture do.
Comparing iCloud Keychain and Lightroom is a bit odd. One helps to manage the security of one’s online life and is meant to resolve a security problem for anyone who uses the Web. Lightroom is a specialist product that caters to experts in a particular field. The two products may have an overlapping user base (i.e. individuals who want secured usernames and passwords) but otherwise bear little resemblance to one another.
I still think [Apple] should go back to Dropbox with a blank check and just ask how many zeros they need to put at the end to make it happen.
I think that this is on the mark, in the sense that iCloud is gross and Apple needs to do better. I also hope it never comes to be, given how much I use Dropbox on non-Apple devices and products.