Apple computer announced that it is now going to provide end-to-end encryption for the items customers store in its cloud.[1] For some data, but not for all.

End-to-end encryption for messaging today only works if both recipients use an Apple device (iOS or macOS). If the text box is blue, then the message was encrypted when transmitted, although not stored encrypted on the device. If it is green, then one of the devices is not Apple and the transmission of the message was not encrypted. Prior to the recent announcement, it was assumed that messages were stored securely in the cloud. Now they will be.

One might wonder why Apple Mail was excluded from the announcement. Perhaps there is not a way for Apple to encrypt messages sent to or received from a non-Apple mail program? But what about between Apple products? Wouldn’t it be better to build in an option to encrypt a message when it is created, so that while stored either locally or “in the cloud” it remains private, and only an authorized recipient could decrypt it?

Other communication platforms that provide encryption, with or without back doors, still have the same problem: they cannot protect anything beyond their own offerings.

Much of the media attention to privacy and security of communications has focused on breaches of data by third parties, or “bad actors.” We hear of these breaches daily, whether it is the exfiltration of data or ransom demands. But there are also nation states and criminal organizations seeking data, ranging from identifying the communications of dissidents in order to wreak harm or pressure upon them to the theft of intellectual property. Much has been disclosed recently about the insider threat of employees being subverted by these actors, which we will discuss at another time.

What is really needed is end-to-end encryption of everything from creation through its end of life. This should include not only text messages but also documents, video calls and voice calls. It should apply regardless of the technology being used by sender and receiver, whether a mobile device or a computer, and whether the data is stored locally or in the cloud. None of these factors should matter. The privacy of the USER must always be protected.