➡️ The Shortcut Skinny: Closing the back door

• 👍 Apple expanding encryption with optional “Advanced Data Protection” feature

• 🔒 It’ll prevent Apple from accessing almost all iCloud data

• 🚔 Law enforcement and parts of government won’t be happy

• 💬 New iMessage Contact Key feature intended to prevent iMessage snooping

• 🔑 Security keys will now be supported natively for Apple ID login

Apple is making big changes when it comes to encryption of data, identity verification and device security, with part of the update already here for iOS beta users. 

The most significant change has to do with iCloud. The company already offers end-to-end encryption of some iCloud data (Health data and passwords in iCloud Keychain, for example), but other data types have only enjoyed partial protection, like Photos, Wallet passes and, crucially, iCloud Backup, with Apple retaining the encryption keys for them.

Beginning with iOS 16.2 later this year (or now, for iOS beta users), US iPhone owners will see full end-to-end encryption of nine additional data categories, bringing the total number to 23. The feature is promised for the rest of the world in 2023, even, as noted in The Wall Street Journal, in China.

That’s good news for the privacy-conscious, but will likely further strain its relationship with law enforcement, as until now Apple has been able to access certain iCloud data in response to requests from investigators. With this expansion, the company won’t be able to get into iMessage backups, pull data stored on iCloud drive, look at images from the Photos app and more, which government officials may take exception to. Congress has already tried to prevent tech companies from creating this kind of encryption with the Lawful Access to Encrypted Data Act of 2020, which was tabled without a vote in the Senate that same year.

Apple says the Advanced Data Protection feature is opt-in, which could limit adoption, but as Bloomberg’s Apple guru Mark Gurman noted on Twitter today (and as you’ll have seen if you’ve ever been in an Apple Store when someone misplaced the password to their iCloud account), lost passwords to encrypted data is already a headache for Apple. 

• Got a PS5-shaped hole in your life? Keep up with the latest PS5 restock.

iMessage verification and security keys

Apple is also introducing a new feature called iMessage Contact Key Verification. The feature allows iOS users to verify whether the person they’re texting with is truly who they say they are – and that those messages aren’t being surreptitiously intercepted – so long as both parties have iMessage Contact Key Verification turned on. 

Here is the wording from Apple’s press release on the feature’s function:

“Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications.”

Putting aside that seeing the phrase “exceptionally advanced adversary” in an official Apple document is kind of funny, this is a cool feature. The way it appears to work is, if the above scenario happens, a small message appears at the bottom of the iMessage thread, saying, “An unrecognized device may have been added to [name]’s account.”. You’ll then be able to compare a special code, called a Contact Verification Code, in person, on FaceTime, or through another secure call, presumably by tapping the “Options…” link that follows.

Finally, Apple is now supporting hardware security keys on the iPhone. Security keys are small devices that can be used in lieu of, or in addition to, normal two-factor authentication to further and more concretely verify a person has the right to access protected data. Apple will natively support both physical security keys (which plug into a port on your phone) and Near-field communication (NFC) keys to sign into your Apple ID.

Mostly, these features will appeal to the highly security-conscious, and public figures – government officials, celebrities and the like – who find their digital security under concentrated threat. For the average person, these are extreme steps that could cause more undue stress and friction, making the added security potentially an unpleasant trade-off.