Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Here are the limits of Apple's iOS 8 privacy features

Antone Gonsalves | Sept. 23, 2014
Apple's new passcode-based encryption for the iPhone and iPad can be circumvented and provides only limited protection to data.

The privacy improvements in the latest version of Apple's mobile operating system provide necessary, but limited, protection to customers, experts say.

With the release of iOS 8 this week, iPhones and iPads configured with a passcode would encrypt most personal data, making it indecipherable without knowing the four-number password.

By tying the encryption key to the passcode and making sure the key never leaves the device, Apple placed the burden on law enforcement to obtain a search warrant and go directly to the customer to get data from their device during an investigation.

"Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data," Chief Executive Tim Cook said on the company's new privacy site. "So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."

Rival Google reacted quickly to Cook's comments, and announced that it would turn on data encryption by default in the next version of Android. The OS has had encryption as an option for more than three years, with the keys stored on the smartphone or tablet.

On Friday, privacy experts said they supported Apple's latest move, which they viewed as putting more control over personal data in the hands of customers.

"The fact that they (law enforcement) now have to go directly to you, and can't do it without your knowledge, is a huge win for Apple's customers in terms of their privacy and security," Jeremy Gillula, staff technologist at the Electronic Frontier Foundation, said.

However, experts also said the protection had its limits, since customers often store on iCloud a lot of the data encrypted on the device, such as photos, messages, email, contacts and iTunes content.

In addition, information related to voice communications, such as call logs, is stored with the wireless carrier, as well as on the smartphone.

Once in iCloud, law enforcement or government officials investigating national security cases could legally force Apple to hand over the data.

Apple's new privacy mechanism also has a weakness. Plugging the iPhone or iPad into a Mac or Windows PC that have been paired with the devices would circumvent the passcode-based encryption.

Unless the devices had been turned off, the password would not be needed to access data from the computers.

"This means that if you're arrested, the police will seize both your iPhone and all desktop/laptop machines you own, and use files on the desktop to dump and access all of the above data on your iPhone," Jonathan Zdziarski, an iOS forensics expert, said in his blog. "This can also be done at an airport, if you are detained."


1  2  Next Page 

Sign up for CIO Asia eNewsletters.