As Apple proudly claim, “Privacy is a fundamental human right and we design apple products to protect your privacy and give you control over your information”. This article points out the data privacy policies of iCloud data storage and if it serves the purpose.
What is the purpose of the iCloud drive?
The iCloud drive is a feature of Apple. Which stores the data from any Apple gadget automatically and saves it for the user. Although the user can turn off the automatic backup with our comfort, through settings. This saved data is easily accessible by users from “icloud.com”, through apple ID and password, anytime. The user can share, delete, organise or rename the data if need be. By doing this the user share their data and information with the company eventually. Starting with their contacts, media files, safari tabs, keychain and passwords to keynotes.
Does user enjoy Data security and Privacy as claimed by the Company?
ICloud claims to protect the information by encrypting it while it is in transit. Which stores it in an encrypted form:
- End to End Encryption: Apple uses end-to-end encryption. This allows “only”, the user to access the information, on the device, when he signed in into iCloud. Not even Apple has the authority to access the end to end encrypted information, as claimed!
There are cases when there is a third party other than the user and apple, who has access to the user’s privacy and information. Because such third party helps in storage:
iCloud uses third party partner servers such as amazon web services or google cloud platform to store the data. But Apple claims these partners do not have the keys to decrypt the data stored on their servers.
How does end-to-end encryption work?
For using end-to-end encryption the user has to turn on the two-factor authentication for their Apple ID.
The two-factor authentication asks to enter two pieces of information from the user. One is the password and the other is a six-digit verification code. Such information automatically appears on the display of the user’s trusted device. Trusted devices are iPhone, iPad, iPod touch with iOS 9 and later, or Mac with OS X El Capitan). If the trusted device is unavailable, the information is sent to the user’s trusted phone number. In case of a login.
iCloud grants access after the user enters, such a password or verification code. Interpreted as user’s consent to the new device.
The idea behind this authentication process is to improve the security of iCloud. Along with securing the personal information stored in iCloud.
Does iCloud protect all of the user’s data through end-to-end encryption, while iCloud transit and when it reaches the server?
The backup data. Safari history (requires iOS 13 or later). Bookmarks. Calendars. Contacts. Find (my device &people). iCloud Drive. Messages in iCloud. Notes. Photos. Reminders. Siri information. Apple Card transactions (requires iOS 12.4 or later). Home data. Health data (requires iOS 12 or later). iCloud Keychain (includes all of your saved accounts and passwords). Maps Favourites. Collections and search history (requires iOS 13 or later).Memo Ji (requires iOS 12.1 or later). Payment information. Quick Type Keyboard learned vocabulary (requires iOS 11 or later). Screen Time. Wi-Fi passwords. W1 and H1 Bluetooth keys (requires iOS 13 or later). Voice Memos. Wallet passes and iCloud.com.
Data contained in these abovementioned apps are safe and encrypted. While it is in transit and on the server.
Exception:
iCloud Mail is safe and end-to-end encrypted while in transit. But iCloud does not encrypt data stored on IMAP mail servers (Gmail). All Apple email clients support optional S/MIME encryption (Outlook).
- Use of secure tokens for authentication: While accessing the iCloud services for the built-in apps of apple. For instance: Mail, contacts and calendar apps on IOS or MacOS, use secure token authentication. Which does not need to store the iCloud password on devices and computers.
Does Apple have an encryption key to iCloud data?
Tim cook answered the similar question. He replied, “Our users have a key there and we have one. We do this because some users lose or forget their key and then expect help from us to get their data back. It is difficult to estimate when we will change this practice. I believe that in the future, it will be handled like on devices. We will therefore no longer have a key for this in the future”.
To which Lance James, Chief scientist at cybersecurity firm flashpoint argued. He said, “Privacy is privacy and Apple shouldn’t have access to either, the device or iCloud”. But the consequences would be losing the data forever.
Does iCloud keep the privacy of the user intact?
iCloud privacy policies are in adherence to the apple privacy policy.
Safari: Safari uses intelligent tracking prevention techniques. Such a technique prevents the companies from being able to track users’ activities online and build a profile of them. Safari has a built-in, fingerprinting defence which makes it difficult for the data companies to identify the users while browsing.
Maps: Maps does not ask the users to sign in. Adhering to this, the data associated with location dodges the identification radar and is constantly changing.
Photos: Some services process photos in the Cloud (Data storage), which meanwhile gives them access to the photos. But apple designed “photos” so that images can be processed right on the apple device. Apple through the neural engine and with the A13 chip performs over 100 billion operations per photo. Which recognizes faces and places without ever leaving your device.
Messages: All the imessages are end-to-end encrypted between the sender and the receiver.
Siri: Siri does not ask for login, through Apple ID. This provides immunity to the data and information from touching the identification radar, keeping the identity of the user intact. Even if apple processes any information, they cannot identify the user.
Apple news: This app does not know who the user is. It only shares the content based on users like and interests been so far due to the machine learning techniques.
Wallet and apple pay: Apple does not store information related to credit cards and debit cards. Instead of it, Apple creates a unique device number, whenever the user adds a card So, only the bank has the transaction history.
Health App: In this app, the user can control the information entered by him and who can access it. Data enjoys encryption in this app and can only become accessible when a user enters a passcode, Touch ID or Face ID.
Circumstances when Apple can retain data from iCloud?
While Sharing Data through iCloud: If user uses iCloud to share files in Notes, pages, numbers, keynotes and in certain 3rd party apps. Either publicly or privately. Apple tends to have access to the shared file.
Users first and last name associated with the account becomes available to everyone who has access to the sharing link. Along with the file name.
Through apps that use iCloud to store data: Apps such as WhatsApp can use iCloud to store users’ data and content. If he allows so that he can access the data across all the iCloud-enabled devices.
So, in such cases, the 3rd party apps can request to look you up. Which allows other users of the app to see your first and last name. So, if Someone searches the user by using Apple ID, it reveals the identity of the user.
While using “Find my”: If user requests for the information and location of the device, along with users account details, the device shares with apple too. Which apple can retain for 24 hours. After which Apple deletes the information.
In case, where a friend requests for a users location, and the user shares it. Apple can retain such information for 2 hours.
In case if the user has enabled, “send last location” feature in the device. The Device shares the information regarding its last location with apple, if and when the battery of the device reaches a critically low level.
The device does not require an internet connection for being located. It uses Bluetooth wireless technology to detect the devices. A user can disable such a feature by going to settings.
While collecting data on the use of iCloud: Apple use the IP address to determine the city and country, of device access. To improve the quality of services and resolve customer issues. But they claim not to retain it.
REFERENCES
ICloud security overview, DATA SECURITY (Oct 06, 2020, 10:30AM) https://support.apple.com/en-us/HT202303#:~:text=%20iCloud%20security%20overview%20%201%20Data%20security.,Security%20Guide.%20Information%20about%20products%20not…%20More%20.
Two factor authenticaton for apple ID, APPLE SUPPORT (Oct. 07, 2020, 11:00AM), https://support.apple.com/en-us/HT204915.
Privacy, APPLE.COM ( Oct. 07, 2020, 12:30 PM), https://www.apple.com/privacy/
Disclaimer: “Vestralex assumes no responsibility or liability for any errors or omissions in the content of this Article. The information contained in this article is provided on an “as is” basis as sourced with no guarantees of completeness, accuracy, usefulness or timeliness. This article contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. This article and the information contained herein is not intended to be a source of advice or analysis with respect to the material presented, and the information and/or documents contained in this article do not constitute advice. All copyrights and trademarks contained herein are properties of their respective owners, any representation of such rights and marks is purely for informational purposes only. This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.”
Vestralex Winter Internship Program
Vestralex Winter Internship Program (VWIP) is an initiative undertaken by Vestralex to help raise legal literacy and general awareness about practices and procedures in law through intern participation and content creation.
