Does Apple protect its users from the NSA?

With the release of iOS 8, Apple claims it can’t access the personal data on your iPhones and iPads and it can’t give it to authorities. But it seems there’s a catch.

Like it or not, we are living in a world where governments have ample opportunity and reasons to either control the whole digital space or at least closely monitor its inhabitants. Specifically, the notorious National Security Agency, according to some rumors, is very well funded and has boundless possibilities for research, development, bribery and other activities that contribute to effective surveillance. Fortunately, there are forces that can withstand organizations of this kind.

In the current situation, all we can do is use a VPN, Tor, or some other tools that tend to make Big Brother’s job a bit more difficult. Corporations are able to keep the NSA and other pro-government organizations away from us and help to protect our privacy. Only a year ago this “protection” consisted mainly of weak statements like “we are not affiliated with the NSA” or “we are acting within the law”, but now the companies have finally moved from words to actions.

A striking example is Apple Inc., which recently published Tim Cook’s open letter about the new user data policy as well as other privacy and security oriented documents. One of these papers stated that since the release of iOS 8, “it’s not technically feasible” for the company to extract any personal data from devices running the newest iOS and give it to any third parties, including law enforcement organizations.

What exactly has Apple done?

To put it simply, according to the official documents posted on the website, Apple actually got rid of the spare key to your safe, making you the only person who can access its content: on iOS 8 devices, all of your personal data like photos, messages, emails, contacts, notes, etc. is protected by the user’s passcode, which Apple now cannot bypass. This means that the company cannot access the data on your device and therefore cannot transfer it to anyone else. Here comes the tricky part: all of this does not necessarily mean that authorities don’t have a way to see what you’re keeping on your iPhone or iPad. But I’ll come back to that a bit later.

There are more security and privacy additions to the new iOS worth discussing. For example, there’s a feature that randomizes MAC addresses, so they can’t be used to persistently track a device by passive observers of Wi-Fi traffic. Additionally, the Always-on VPN option makes corporate IT security guys’ jobs way easier.

In his message, Tim Cook stated that Apple “has never worked with any government agency from any country to create a backdoor” in any of its products or services, and has never allowed access to Apple’s servers and never will.

Why did Apple do all this?

The infamous leak of celebrities’ photos wasn’t the only reason why Apple decided to emphasize its concerns about user privacy. There is something more important. Of course, you remember Edward Snowden: a bunch of NSA documents that he declassified last year featured a number of large companies including Apple. That story left a pretty notable smudge on the company’s reputation, and Apple had to do something to change that. It no longer matters whether Apple has worked with the NSA or not; it’s now all about whether Apple can protect its customers from surveillance. The trend is quite simple these days: if a company doesn’t care enough about users’ privacy and personal data, then something is wrong with that company and it may not be trustworthy. You’re either with users, or against users.

Obviously, Apple is too beloved and too respected to instantly become an enemy to millions of customers, but that doesn’t mean it should not act as soon as possible, especially when the company is about to launch the smart watch and a payment system, two developments that many security experts have concerns about.

What does it mean for customers?

Besides some improvements, such as enhanced data protection, there is another, far more significant positive factor to all this. By changing its user data policy, Apple is likely to inspire other companies to move in the same direction, i.e. paying more attention to security and the privacy of their customers. Of course, no company will declare war on the NSA or the authorities, but it may not actually be necessary: all they need to do is make personal data more secure and more difficult to collect or steal.

What is the catch then?

To answer this question you need to understand two important things. Apple, like any other corporation, will always think about the bottom line first. It will always act within the local laws if breaking them can somehow damage the business. Therefore, if local authorities come to Apple and legally ask for a user’s personal data, the company has a pretty simple choice: obey or experience problems. It’s not a secret that the vast majority of companies choose the first option, and Apple is not likely to be an exception.

This doesn’t mean that Apple lied when it said, “it’s not technically feasible” to transfer personal data to police. It’s really not, but there are some details that are still very important.

First, all of these changes in the user data policy are about making your data more difficult to reach, but not about making it unavailable to the police or other forms of law enforcement. This added security applies only to iOS devices but doesn’t work for cloud storage (which now has two-factor authentication). Therefore, as soon as your data is backed up to iCloud, copying itself onto Apple’s servers, it can be legally reached by the government. It will take some time and effort, but it works.

Second, Tim Cook’s speech about the integrity of the servers does mean that Apple won’t allow anybody to access them, but at the same time no one says that Apple won’t take the data into its own hands and share it with authorities if need be. It is like your bank account: it’s safe and secure, but anyone can take money from it if you allow it to happen.

So did Apple make your personal data a bit more secure? Yes, without a doubt! Did it make it unavailable to the NSA and other authorities? Definitely not.
