I'm curious why Apple has let it get this far that court cases are underway and WaPo is writing an article about it.
What's in it for Apple? Surely it's easy enough to define some kind of verification process based on various pieces -- phone number, credit card, purchase receipt, etc. -- and requiring a police report to be filed or something.
And this isn't like Google or Facebook where accounts are free, preventing manual account recovery from being scalable. People spend thousands of dollars on Apple devices across phones and laptops and more. People who don't spend money on Apple generally aren't keeping their data in iCloud.
I'm confused because it seems like the rational, profitable thing for Apple to do here is to have these procedures for account recovery. So what's stopping them? Is there some kind of huge liability question if they ever facilitate giving access to the wrong person?
If Apple can unlock the account from your stolen iPhone they can also unlock your account for the gestapo. Whether it's worth throwing normal people under the bus to protect a few dissidents is a matter of values on which people are going to have differing opinions of course.
That doesn't make sense. This isn't a technical hurdle, is it? Apple already can unlock your account "for the gestapo" if they choose to.
If the users have enabled Advanced Data Protection and don't have another Apple device, then I can understand why it would be lost for good. But that doesn't seem to be the case in these lawsuits. They make it clear that Apple has access to the data, and could transfer/restore it if they wanted to.
Not sure why this is getting down-voted. There are several high-profile instances of Apple refusing to assist law enforcement in gaining access to devices. I recognize this is cold comfort, and provides only marginal reassurance for the future. That said, for the moment, "But they don't," is a perfectly accurate assessment.
Not all data. Not storing location history data is an example of not opening this up for the gestapo by omission. For example, Apple does not furnish user location info on geofence warrants because it can't.
I believe Google just made a change towards this direction too.
It's a fine line on what data to keep to unlock for a warrant and how to make services better based off centralized user data.
This irks me A LOT and is simplified to the point of being incorrect, yet lots of people here make the same logical errors.
Protecting the contents of people's devices and accounts with strong encryption and hardware security is great for the individual and protects them from thieves and governments alike. If Apple designed their devices so that they cannot decrypt the content without the user's secret password, that's sensible for a lot of users.
But e-mail addresses and accounts are derivatives of your identity, and companies should have ways of returning your accounts to you, even if the content is lost, in case of stolen identities.
I am pretty paranoid about this stuff and only store private data using encryption and on trusted devices running mostly hardened FOSS software (Graphene OS, Fedora Secure Blue, OpenSuse MicroOS, etc.) and my backups are rcloned encrypted to the cloud. Yet for my most important e-mail that is bound to paypal, banking, shopping etc. I use posteo. They do this exactly right. I have personally tested contacting their support to return access to the e-mail address in case of a "lost password". After some validation, they returned access for it to me, but the encrypted content was unrecoverable. That is exactly what any responsible company should do.
The people suing didn't turn on E2E encryption. The government could already get access to their data via subpoena. Apple already has access to their data as well. Apple just doesn't want to be forced into doing basic customer service.
Your opinion seems to be to trivialize how important this can be, which fine you do you, but I think saying it only protects "a few dissidents" is a bit ridiculous.
Every protest I've filmed at I hit the lock button 5 times so it forces a passcode. I feel secure knowing the police can't just take it and start scrolling - they need a warrant or they're bust.
You don't have to be a dissident to need your privacy.
I think the point here is that either Apple has the technical ability to access your account (in which case they will be forced to do it by the government regardless) or they don't (in which case this lawsuit is ridiculous).
The middle ground option where Apple has the ability to do this but is also somehow able to take a stand against the government is kind of difficult to support, because it doesn't make much sense.
I didn’t know what that meant - so I googled it. And it says something entirely different….
Quote:
Pressing the lock button (or side button) five times quickly on an iPhone or many Android devices will activate Emergency SOS. This will prompt a countdown and eventually, if not cancelled, initiate a call to emergency services, potentially alerting emergency contacts and sharing your location.
I just tried on my iPhone and it does not do that, there is no countdown. It will force a passcode and give you the option to call SOS, shut off your phone or show your Medical ID.
It's a setting (Settings > Emergency SOS). It used to be on by default and do a little siren sound before calling emergency services.
Personally, I just open the slide-to-turn-off phone screen instead (hold volume + side button for a couple seconds). Once that screen is loaded, it'll require a passcode to unlock after you cancel out.
> Is there some kind of huge liability question if they ever facilitate giving access to the wrong person?
This is what I was thinking as I read the article. Imagine what will be written about them when they do give iCloud access to an impostor. Depending on what's on their account, thieves could dedicate a ton of time to social engineering Apple into recovering the account. The article mentions police reports being "proof", but that doesn't seem like solid evidence considering how easy it could be to fake a police report from one of the tens of thousands of jurisdictions in the US. This is a problem for a lot of industries actually, e.g. banks and death certificates.
> Surely it's easy enough to define some kind of verification process based on various pieces -- phone number, credit card, purchase receipt, etc. -- and requiring a police report to be filed or something.
Apple has such a process in place: https://support.apple.com/en-us/118574 (The details aren't all laid out on that web page, but Apple support may ask for information like purchase records to confirm ownership.)
What I think is at issue here is that it will only restore access to an account which is not currently being accessed. If an account is being accessed from a logged-in device, Apple is unwilling to cut off the current user's access to that account and hand it over to another party.
And, quite honestly, I can see where Apple is coming from with this policy. Arbitrating access to a contested account can get really messy (e.g. consider a scenario where an abusive partner is trying to access the victim's online accounts).
An account is supposed to belong to a single person. If you are able to definitively prove that you are that person (for example, by showing up to an Apple store with your ID card), you should be able to restore access to it. An abusive partner won't have access to that.
Refusing restoration when someone else has access to it is understandable, but it works the other way around as well: an abusive partner would be able to prevent the legitimate owner from accessing the account.
I think it's far more likely that Apple just can't be bothered. Dealing with stuff like this is messy and complicated, and they aren't going to lose any revenue from those few thousand people a year losing their account and all their data.
> Surely it's easy enough to define some kind of verification process based on various pieces -- phone number, credit card, purchase receipt, etc. -- and requiring a police report to be filed or something
Given the stakes, Cupertino may have decided that it does not wish to arbitrate such disputes. Requiring a court order shifts the dispute to that forum.
In the primary case on that page, the court ordered Apple to assist the FBI or provide a reason why it would be an undue burden. Apple provided a reason it was an undue burden. A hearing was scheduled. The FBI withdrew the request and the order was vacated.
That's not exactly the same as refusing to comply with a court order.
They don’t want to give these powers to a large number of customer service reps who can be bribed or coerced or socially engineered into transferring accounts to bad guys.
Look what happened to the mobile carriers and sim-jacking.
My gut tells me that they don't want to either set the precedent or let it be known that they can access your data and give/revoke access remotely, because it pokes a hole in their E2E encryption claims and opens the door to demands for backdoor access from governments.
It doesn't "poke a hole" in anything. The only way you get the full E2E encryption Apple talks about is if you enable "Advanced Data Protection", which none of the people in the article did, per the article. Apple could decrypt and return the data because Apple has the keys. Apple is refusing to do so.
I think corporate responses to most things like this is to deny and avoid until forced to get involved. It should not take WaPo getting involved but it seems to be the norm for big tech companies.
>People spend thousands of dollars on Apple devices
As long as the people cut off from the walled garden amount to less than a rounding error in Apple's bottom line, they simply don't care. They will only care when a judge forces them to care, as we had to find out the hard way in a class action lawsuit against Apple. We won, but they lost us as lifetime customers. My wife even owns Apple stock and refuses to buy anything else from them and warns others against it. They could have made it right for practically no cost to them, but they chose the dick move, and they were forced to pay out in the end anyway.
My cousin’s phone was stolen in San Francisco. My mom’s phone was hooked up to the same account. Somehow the thief was able to change the account password and email account to something else.
Now my mom cannot reset her phone because she doesn't have access to the thief's account.
> Somehow the thief was able to change the account password and email account
That would be the fact that Apple lets anybody that knows the passcode reset the iCloud password as well, without any further authentication. And the passcode can be shoulder surfed by the thief...
It seems like a good step forward but still not perfect, and I believe it's not on by default.
On the other side, with Advanced Data Protection, it seems shockingly easy to permanently lock oneself out of an iCloud account: As far as I understand, there is absolutely no way to recover an account protected that way if the recovery code is lost – not even by deleting all data currently stored on it and starting from scratch (e.g. from a local backup).
Given the fact that an iCloud account doesn't only contain a big pile of data, but access to some purchased products and services (subscriptions, app purchases, iTunes songs, the Apple Card etc.), that seems like a pretty big oversight.
> That would be the fact that Apple lets anybody that knows the passcode reset the iCloud password as well, without any further authentication
Doesn't this require at least one other device to allow access and provide a one-time code?
I can't log in to iCloud in a browser, update payment information, or do anything even remotely sensitive with just one device and my screen lock mechanism(s).
EDIT: I stand corrected. On a device that's designated as "trusted" you can indeed change the password using only the screen unlock using the instructions at https://support.apple.com/en-us/102656
Admittedly we in security do a very poor job on equipping users with useful threat models: i.e. the number of times people either don't turn on any sort of security, or turn on extremely aggressive security but don't write down and store a recovery code is too damn high.
And it's made even worse by companies not wanting to deal with meatspace. Secure account recovery isn't too difficult if you're willing to do ID verification in physical stores, but no tech company wants to do that.
For those interested in the silver bullet to backup iCloud.
Get a Mac mini with enough space for your photo library and wire it into your network. Sign into iCloud.
For photos open the app and change the settings to store full res photos locally.
Enable iCloud desktop and documents sync.
Two options
1 - Sign up for Backblaze and ensure you map the folders from iCloud and photos that are being synced to the device. Let it run and do a full sync. I use this option.
2 - Buy an external drive with a lot of space and use Carbon Copy Cloner to mirror your drive. The caveat is you're at the mercy of a local copy that a home fire or electrical incident can destroy.
I like Backblaze for the sheer constant syncing it does and they allow me to set up an encryption key so they don’t have access to my data.
I do that, and I'm also planning to use icloud photos downloader [0], a python script to download photos, so I can download those directly on another machine running Linux.
The 3-2-1 rule is wisdom of the ages. The "2" in the rule is all about having your data in at least two different types of "media". A modern read on this is anything tied to the same account counts as the same type of "media". So, you need at least one copy of your data not tied to your Apple ID.
A few things you can do here:
- Own a mac with enough storage to download your entire iCloud / Apple Photos data set. Configure your mac to do so. Your mac is still activation locked to your Apple ID though, so back up that local copy through Time Machine or the service of your choice (e.g. Backblaze). A NAS is very helpful to automate this.
- Use app(s) on your phone that will copy your data to the location of your choice, such as Photo Sync.
It took me a minute to figure out how this works, but it must have something to do with using a "lost password" email reset on the iCloud account, and having the relevant email account logged in (or saved to the password manager) on the phone itself, so that all you need is the passcode to get into the iCloud account. Something like that?
One of the big distinctions I make in my life is whether a passcode is being typed in frequently and in view of the public. And since these are shorter codes, the entity on guessing from a distance is much lower.
My daughter had her iPhone stolen in L.A. — she immediately wiped it remotely. The thieves were unable to access it.
I got her a new iPhone pretty fast (the budget one) and she was back in business, back in her iCloud account. (She was one of those that saw her device head to Asia. She got a handful of text messages pleading with her to remove the stolen device from her account but she ignored them.)
Yeah, that's why I'm having to think at it some to figure out what's going on here. Usually I need my iCloud password to do anything related to that account, so I guess they're using some kind of iCloud password reset bypass that relies on the phone having access to necessary reset-related accounts (like email—though, IDK, I don't think I've ever tried to "lost password" reset my iCloud account, so I'm not sure if even that's enough)
I believe “She” here refers to the original owner (the victim). Apple offers a feature to remotely wipe your device if lost, and that was what I understood the owner to have done. I’ve done the same thing for a stolen iPhone.
Is there a consensus on what you should actually do in the event your phone is stolen? Someone I know's phone was stolen and I helped them through it (remotely) in real time, and I remember looking up what to do and having to sort through a lot of straight up bad advice, including articles that seem naive as to what actually happens in real life when thieves steal a phone.
In this case, the phone was marked as lost immediately, but a couple of days later the thieves started trying to reset the password on the owner's iCloud account using various methods, the first of which produced 1st party push notifications asking to confirm the account password reset that were sent to the owner's other signed-in devices that were still in their possession. In the moment, it would be so easy for a confused & stressed person to accidentally or mistakenly tap those notifications and enable their own account hijacking.
The thieves then evidently called Apple Support and tried to get the iCloud account password reset over the phone, but by this point the owner had already gotten a new phone and SIM for their phone number, which meant that Apple Support's 2FA SMS codes were received by their replacement phone (in their possession) instead of the stolen phone (in the thieves' possession, and which no longer had cell service). It seems like if they had delayed in getting their new phone and left the stolen device with functional cell service, the hijacking might have succeeded at this point.
Apple's own "What to do if your iPhone is stolen" page [0] has no info on these tactics that are actually used in the moment by phone thieves. That page does link to a page about social engineering scams [1] but approaches that in a general sense.
I think Apple's way of handling it should be way more intuitive. For example, they should differentiate between phones that are lost and stolen. If your phone is lost, you want to protect against someone finding it and being able to access the phone's contents. If your phone is stolen, the thieves will most likely try to hijack your iCloud account as well, and they'll try and social engineer both the owner and Apple Support to do so, so add a "Mark as Stolen" option that also adds protections against iCloud account hijacking.
> In the moment, it would be so easy for a confused & stressed person to accidentally or mistakenly tap those notifications and enable their own account hijacking.
That won't give them access. When you respond to the reset password notifications, it then asks for a new password on the same device you responded on, not on the device that requested the reset.
Apple has no adequate way to actually verify who anybody is without (a) forcing them to physically visit one of a small number of offices (it can't be every store), and (b) probably charging a significant fee to cover the cost of doing real verification.
And even that demands assuming that the identifying information on the account is right.
For account recovery, in-store verification is viable. They've already collected data on their customers via payment processors.
I would also force users to watch a video explaining the security features and quiz them before turning them on. You can't expect users to immediately understand how the security model works.
> Apple has no adequate way to actually verify who anybody is without (a) forcing them to physically visit one of a small number of offices (it can't be every store), and (b) probably charging a significant fee to cover the cost of doing real verification.
My bank is able to verify me remotely to login to their app from a new device in under 15 minutes, just with a photo of my ID card and a video of my face. And the bank is liable for any losses caused if they misidentify me.
Your bank verifies that against the copy of your ID that was collected in person when you opened the account (unless you're using some fly-by-night FinTech "bank", anyway). At a minimum, the bank has already collected, and checked, a bunch of other information that it can use to verify you (more than Apple can collect without mass user rebellion). It has reasonable confidence you haven't lied about that information. The bank can use that information to look up more about you in public records (which the bank knows how to do because, unlike Apple, it doesn't operate in every jurisdiction in the world). And I suspect that the ID/video check is on top of proving you already know a password.
Perhaps even more important, the bank knows exactly what liability it's assuming, and what risk it's exposing you to. There's a limit on how much money the app will let you move (even if the bank doesn't tell you what it is). All the transactions you can do are defined by the bank, it knows what's going on at all times, and it can and does apply extra checks for risky-looking transactions.
And bank transactions in general have a whole reversal-based security layer on top of all that.
On the other hand, people use their Apple accounts to log into God-knows-what third party systems with God-knows-what risks and God-knows-what other security measures or lack thereof.
Oh, and also the bank charges you ongoing overt or hidden fees specifically to cover the costs of securing your money. And of insurance if it fails to do so.
Identity is a really hard problem to solve. Just about any scheme you can think of to verify identity, some smart criminal can think of a way to exploit or circumvent/abuse the system.
Is there a security model that's both highly secure, and foolproof regardless of the mental faculties of potentially billions of diverse users? I think the answer is, "Obviously not," so the real question is whether or not the necessary compromises made here represent acceptable measures.
But in general, the way that most humans "naturally expect" such things to work is simply incompatible with the usually-extremely-convenient nature of computer accounts and cloud services.
"It works well for everyone else, why are you being so weird by not doing what everyone else does?"
Grant the megacorporations control over your entire life.
Your government will protect you from the megacorporations.
"Self hosting? Open source? Linux? You're weird, just get an iPhone."
The megacorporations never make mistakes.
The government never makes mistakes either.
"What's wrong with you? Are you seriously too poor to afford an iPhone? Get a blue bubble already."
The megacorporations never lie to you, they never manipulate you.
Even if they tried, your trustworthy government would stop them.
This message brought to you by social conformity norms that are most certainly NOT subtly reinforced by the same billionaires and trillion dollar companies that benefit from them.
Not exactly helpful, but I have little sympathy for people who put their digital lives in the control of a free service from a company, that, frankly, doesn't care about you at all - 'consumers are the product', etc etc.
It's not a free service. One of them had a 2TB+ iCloud account. That has a monthly cost. Not free. The free plan only gives you 5GB storage. Apple is not an advertising company. We pay for the phone and we pay for iCloud.
Have you ever tried to fully backup data from iCloud?
I try to do it every month because I am that type of techie. They don’t make it easy.
For photos, I have a 2TB family plan. There is no export functionality I can use to centrally back up my family's photos and shared albums.
The supported way to do this is to use a Mac, force it to store all images locally in settings, then highlight all your albums and File->export
This takes hours. I need to stay connected to my network drive because I don’t have 4TB of local storage on my laptop. If there is a failure it’s game over. You can’t resume or even know what failed. There is a tiny progress bar icon to work with. That’s all
iCloud Drive? Same thing. You need to force it to sync all your files, and there is no way to know if it’s hung or what. You can’t do this as family account owner for everyone.
What about all that app data that is saved to iCloud? I don’t even know how to access that to back it up.
Apple makes many things very easy and other things practically impossible.
Backing up your entire iCloud data for disaster recovery is one of those things that’s basically impossible.
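An added example, not posted by anyone in this thread, for the two complaints above: the export run that dies after hours with no way to tell what failed or resume, and the earlier 3-2-1 point that at least one copy of your data must live outside your Apple ID. The script records a SHA-256 manifest of an exported iCloud tree and then checks a second copy (a NAS, an external drive, a Backblaze restore) against it, listing what is missing, truncated or corrupt so only those files have to be re-copied. The manifest file name, the directory layout and every file in the demo are constructed sample data, not anything Apple's tools produce.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256.json"  # assumed name; stored at the export root


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-GB videos never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Record relative path, size and SHA-256 of every regular file under root."""
    entries: dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(root).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return entries


def save_manifest(root: Path, entries: dict[str, dict]) -> Path:
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(entries, indent=2, sort_keys=True))
    return out


def load_manifest(root: Path) -> dict[str, dict]:
    return json.loads((root / MANIFEST_NAME).read_text())


def verify_copy(manifest: dict[str, dict], copy_root: Path) -> dict[str, list[str]]:
    """Compare a second copy against the manifest.

    A size mismatch is reported without hashing, so a half-finished copy of a
    multi-TB tree is triaged quickly; only same-size files pay for a full hash.
    """
    result: dict[str, list[str]] = {"missing": [], "corrupted": [], "extra": []}
    for rel, meta in manifest.items():
        p = copy_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            result["corrupted"].append(rel)
    for p in sorted(copy_root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(copy_root).as_posix()
            if rel not in manifest:
                result["extra"].append(rel)  # e.g. temp files left by an aborted run
    return result


def retry_list(result: dict[str, list[str]]) -> list[str]:
    """What a resumed copy has to redo: everything missing or corrupt."""
    return sorted(result["missing"] + result["corrupted"])


def demo() -> dict[str, list[str]]:
    """Constructed sample: a three-file export and an interrupted copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "export"
        copy = Path(tmp) / "copy"
        (export / "2023").mkdir(parents=True)
        (export / "2023" / "IMG_0001.HEIC").write_bytes(b"\x00\x01" * 1024)
        (export / "2023" / "IMG_0002.HEIC").write_bytes(b"\x02\x03" * 2048)
        (export / "notes.txt").write_bytes(b"constructed sample text")
        save_manifest(export, build_manifest(export))

        # The copy stopped part-way: one file truncated, one never written,
        # and a stray temp file left behind.
        (copy / "2023").mkdir(parents=True)
        (copy / "2023" / "IMG_0001.HEIC").write_bytes(b"\x00\x01" * 1024)
        (copy / "2023" / "IMG_0002.HEIC").write_bytes(b"\x02\x03" * 1000)
        (copy / "stray.tmp").write_bytes(b"partial")
        return verify_copy(load_manifest(export), copy)


if __name__ == "__main__":
    outcome = demo()
    print(json.dumps(outcome, indent=2))
    print("re-copy:", retry_list(outcome))
```

Run `build_manifest` once against the Mac's local copy right after the export finishes, keep the manifest next to the data, and run `verify_copy` against each secondary copy on a schedule; a copy that passes is one you can restore from without an Apple ID, which is the whole point of the "2" in 3-2-1.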
For whatever it’s worth, insanely enough iCloud for windows makes it really easy to download all of your iCloud stored photos into folders. I have a windows box that I back up my important photos with that way and then move them to secondary backup.
I've found it much easier to request a copy of my data and download it all in 25 GB chunks. It's still not great, the download speeds are extremely slow and they are prone to failure. For being something that I (used to) pay for, this was one of the reasons I stopped.
The data isn't full E2E encrypted and unreachable in all these cases in the article. The iCloud default is not to encrypt things such that Apple can't decrypt the data; a user has to enable "Advanced Data Protection" for that to happen.
Apple could decrypt and return all the user data in all the cases in the article. They aren't doing that. Some folks are rightly pointing out "what is the point of storing all my stuff in your cloud if you're going to lock me out if I lose my phone?" That's not a backup, that's just paying a monthly fee to store more than what your phone alone can store.
Then delete that data and let the user start over. How come Apple gets to hold iTunes purchases (apps, movies etc.) and somebody's email address hostage just because they also happen to store some end-to-end encrypted data on the same cloud account?
Just imagine Google letting people "brick" their accounts because they have a password protected PDF in their Google Drive they don't remember the password for...
And that's to say nothing about the not end-to-end encrypted data, which is still the default for most things in iCloud accounts (without ADP enabled).
Read the article, that's not true by default, the only way you get that level of cryptographic protection is if you enable "Advanced Data Protection". None of the people in the article did that, all of them can trivially prove they are who they say they are via government documents, Apple could decrypt their data and return it, but Apple is refusing to do so.
I think it's far more likely that Apple just can't be bothered. Dealing with stuff like this is messy and complicated, and they aren't going to lose any revenue from those few thousand people a year losing their account and all their data.
> Surely it's easy enough to define some kind of verification process based on various pieces -- phone number, credit card, purchase receipt, etc. -- and requiring a police report to be filed or something
Given the stakes, Cupertino may have decided that it does not wish to arbiter such disputes. Requiring a court order shifts the dispute to that forum.
Will Apple obey court orders? Have they ever?
> Will Apple obey court orders? Have they ever?
What on earth are you referring to?
https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
In the primary case on that page, the court ordered Apple to assist the FBI or provide a reason why it would be an undue burden. Apple provided a reason it was an undue burden. A hearing was scheduled. The FBI withdrew the request and the order was vacated.
That's not exactly the same as refusing to comply with a court order.
The part where the judge sided with Apple and found the FBI requests were found to be unsupported by law?
They don’t want to give these powers to a large number of customer service reps who can be bribed or coerced or socially engineered into transferring accounts to bad guys.
Look what happened to the mobile carriers and sim-jacking.
Bad actors have compromised the government systems already: https://krebsonsecurity.com/2024/11/fbi-spike-in-hacked-poli.... If Apple complies with those, it means bad actors can also use these vectors.
My gut tells me that they don't want to either set the precedent or let it be known that they can access your data and give/revoke access remotely, because it pokes a hole in their E2E encryption claims and opens the door to demands for backdoor access from governments.
Having access but pretending not to seems like the worst of both worlds.
Various entities will still be able to get to the data, while users might incorrectly assume that that's not the case.
In this case it wasn't E2E encrypted in the first place.
It doesn't "poke a hole" in anything. The only way you get the full E2E encryption Apple talks about is if you enable "Advanced Data Protection", which none of the people in the article did, per the article. Apple could decrypt and return the data because Apple has the keys. Apple is refusing to do so.
I think corporate responses to most things like this is to deny and avoid until forced to get involved. It should not take WaPo getting involved but it seems to be the norm for big tech companies.
>People spend thousands of dollars on Apple devices
As long as the people cut off from the walled garden amount to less than a rounding error in Apple's bottom line, they simply don't care. They will only care when a judge forces them to care, as we had to find out the hard way in a class action lawsuit against Apple. We won, but they lost us as lifetime customers. My wife even owns Apple stock and refuses to buy anything else from them and warns others against it. They could have made it right for practically no cost to them, but they chose the dick move, and they were forced to pay out in the end anyway.
My cousin’s phone was stolen in San Francisco. My mom’s phone was hooked up to the same account. Somehow the thief was able to change the account password and email account to something else. Now my mom cannot reset her phone because she doesn’t have access to the thief's account.
> Somehow the thief was able to change the account password and email account
That would be the fact that Apple lets anybody that knows the passcode reset the iCloud password as well, without any further authentication. And the passcode can be shoulder surfed by the thief...
"Stolen device protection" was developed as a response to a wave of such thefts: https://support.apple.com/en-us/120340
It seems like a good step forward but still not perfect, and I believe it's not on by default.
On the other side, with Advanced Data Protection, it seems shockingly easy to permanently lock oneself out of an iCloud account: As far as I understand, there is absolutely no way to recover an account protected that way if the recovery code is lost – not even by deleting all data currently stored on it and starting from scratch (e.g. from a local backup).
Given the fact that an iCloud account doesn't only contain a big pile of data, but access to some purchased products and services (subscriptions, app purchases, iTunes songs, the Apple Card etc.), that seems like a pretty big oversight.
> That would be the fact that Apple lets anybody that knows the passcode reset the iCloud password as well, without any further authentication
Doesn't this require at least one other device to allow access and provide a one-time code?
I can't log in to iCloud in a browser, update payment information, or do anything even remotely sensitive with just one device and my screen lock mechanism(s).
EDIT: I stand corrected. On a device that's designated as "trusted" you can indeed change the password using only the screen unlock using the instructions at https://support.apple.com/en-us/102656
Admittedly we in security do a very poor job on equipping users with useful threat models: i.e. the number of times people either don't turn on any sort of security, or turn on extremely aggressive security but don't write down and store a recovery code is too damn high.
And it's made even worse by companies not wanting to deal with meatspace. Secure account recovery isn't too difficult if you're willing to do ID verification in physical stores, but no tech company wants to do that.
I don’t trust Apple for this exact reason.
For those interested in the silver bullet to back up iCloud.
Get a Mac mini with enough space for your photo library and wire it into your network. Sign into iCloud.
For photos open the app and change the settings to store full res photos locally.
Enable iCloud desktop and documents sync.
Two options:
1 - Sign up for Backblaze and ensure you map the folders from iCloud and photos that are being synced to the device. Let it run and do a full sync. I use this option.
2 - Buy an external drive with a lot of space and use Carbon Copy Cloner to mirror your drive. The caveat is you're at the mercy of a local copy that a home fire or electrical incident can destroy.
I like Backblaze for the sheer constant syncing it does and they allow me to set up an encryption key so they don’t have access to my data.
I do that, and I'm also planning to use icloud photos downloader [0], a python script to download photos, so I can download those directly on another machine running Linux.
[0] https://github.com/icloud-photos-downloader/icloud_photos_do...
The 3-2-1 rule is wisdom of the ages. The "2" in the rule is all about having your data in at least two different types of "media". A modern read on this is anything tied to the same account counts as the same type of "media". So, you need at least one copy of your data not tied to your Apple ID.
A few things you can do here:
- Own a mac with enough storage to download your entire iCloud / Apple Photos data set. Configure your mac to do so. Your mac is still activation locked to your Apple ID though, so back up that local copy through Time Machine or the service of your choice (e.g. Backblaze). A NAS is very helpful to automate this.
- Use app(s) on your phone that will copy your data to the location of your choice, such as Photo Sync.
https://archive.is/1NMCR
It took me a minute to figure out how this works, but it must have something to do with using a "lost password" email reset on the iCloud account, and having the relevant email account logged in (or saved to the password manager) on the phone itself, so that all you need is the passcode to get into the iCloud account. Something like that?
Yup, I'm guessing that's it:
https://support.apple.com/en-us/102656
This article seems to make it pretty clear that having a passcode on a signed-in device is enough to reset the password.
That seems like an insane security hole really.
One of the big distinctions I make in my life is whether a passcode is being typed in frequently and in view of the public. And since these are shorter codes, the entity on guessing from a distance is much lower.
The even more insane security hole is allowing someone with physical access and the password to permanently lock out all recovery options.
I still can't figure it out.
My daughter had her iPhone stolen in L.A. — she immediately wiped it remotely. The thieves were unable to access it.
I got her a new iPhone pretty fast (the budget one) and she was back in business, back in her iCloud account. (She was one of those that saw her device head to Asia. She got a handful of text messages pleading with her to remove the stolen device from her account but she ignored them.)
Yeah, that's why I'm having to think at it some to figure out what's going on here. Usually I need my iCloud password to do anything related to that account, so I guess they're using some kind of iCloud password reset bypass that relies on the phone having access to necessary reset-related accounts (like email—though, IDK, I don't think I've ever tried to "lost password" reset my iCloud account, so I'm not sure if even that's enough)
Some thieves will force you to give up the passcode.
I’ve read a couple stories where someone was held in an alley while an accomplice went to an ATM to withdraw as much cash as they could.
You got lucky with dumb thieves.
> she immediately wiped it remotely
> She was one of those that saw her device head to Asia
What, the guy just jumped into the Pacific and started swimming?
I believe “She” here refers to the original owner (the victim). Apple offers a feature to remotely wipe your device if lost, and that was what I understood the owner to have done. I’ve done the same thing for a stolen iPhone.
Presumably they will need mail notifications enabled on the Lock Screen as well.
The described attack in TFA seems to involve learning the phone owner's passcode (for the phone), so no lock screen shenanigans needed.
Is there a consensus on what you should actually do in the event your phone is stolen? Someone I know's phone was stolen and I helped them through it (remotely) in real time, and I remember looking up what to do and having to sort through a lot of straight up bad advice, including articles that seem naive as to what actually happens in real life when thieves steal a phone.
In this case, the phone was marked as lost immediately, but a couple of days later the thieves started trying to reset the password on the owner's iCloud account using various methods, the first of which produced 1st party push notifications asking to confirm the account password reset that were sent to the owner's other signed-in devices that were still in their possession. In the moment, it would be so easy for a confused & stressed person to accidentally or mistakenly tap those notifications and enable their own account hijacking.
The thieves then evidently called Apple Support and tried to get the iCloud account password reset over the phone, but by this point the owner had already gotten a new phone and SIM for their phone number, which meant that Apple Support's 2FA SMS codes were received by their replacement phone (in their possession) instead of the stolen phone (in the thieves' possession, and which no longer had cell service). It seems like if they had delayed in getting their new phone and left the stolen device with functional cell service, the hijacking might have succeeded at this point.
Apple's own "What to do if your iPhone is stolen" page [0] has no info on these tactics that are actually used in the moment by phone thieves. That page does link to a page about social engineering scams [1] but approaches that in a general sense.
I think Apple's way of handling it should be way more intuitive. For example, they should differentiate between phones that are lost and stolen. If your phone is lost, you want to protect against someone finding it and being able to access the phone's contents. If your phone is stolen, the thieves will most likely try to hijack your iCloud account as well, and they'll try and social engineer both the owner and Apple Support to do so, so add a "Mark as Stolen" option that also adds protections against iCloud account hijacking.
[0] https://support.apple.com/en-us/120837
[1] https://support.apple.com/en-us/102568
> In the moment, it would be so easy for a confused & stressed person to accidentally or mistakenly tap those notifications and enable their own account hijacking.
That won't give them access. When you respond to the reset password notifications, it then asks for a new password on the same device you responded on, not on the device that requested the reset.
This sounds a lot like "I forgot my ultimate recovery password, but it's someone else's fault."
A security model that the user does not understand and contains traps is not a good security model.
OK, but what model would you suggest?
Apple has no adequate way to actually verify who anybody is without (a) forcing them to physically visit one of a small number of offices (it can't be every store), and (b) probably charging a significant fee to cover the cost of doing real verification.
And even that demands assuming that the identifying information on the account is right.
For account recovery, in-store verification is viable. They've already collected data on their customers via payment processors.
I would also force users to watch a video explaining the security features and quiz them before turning them on. You can't expect users to immediately understand how the security model works.
I have a hard time believing this when they also have Apple Cash and Apple Pay.
Even with their strong privacy fundamentals they know more about their account holders than any single business should.
> Apple has no adequate way to actually verify who anybody is without (a) forcing them to physically visit one of a small number of offices (it can't be every store), and (b) probably charging a significant fee to cover the cost of doing real verification.
My bank is able to verify me remotely to login to their app from a new device in under 15 minutes, just with a photo of my ID card and a video of my face. And the bank is liable for any losses caused if they misidentify me.
Why can my bank do it but Apple can't?
Your bank verifies that against the copy of your ID that was collected in person when you opened the account (unless you're using some fly-by-night FinTech "bank", anyway). At a minimum, the bank has already collected, and checked, a bunch of other information that it can use to verify you (more than Apple can collect without mass user rebellion). It has reasonable confidence you haven't lied about that information. The bank can use that information to look up more about you in public records (which the bank knows how to do because, unlike Apple, it doesn't operate in every jurisdiction in the world). And I suspect that the ID/video check is on top of proving you already know a password.
Perhaps even more important, the bank knows exactly what liability it's assuming, and what risk it's exposing you to. There's a limit on how much money the app will let you move (even if the bank doesn't tell you what it is). All the transactions you can do are defined by the bank, it knows what's going on at all times, and it can and does apply extra checks for risky-looking transactions.
And bank transactions in general have a whole reversal-based security layer on top of all that.
On the other hand, people use their Apple accounts to log into God-knows-what third party systems with God-knows-what risks and God-knows-what other security measures or lack thereof.
Oh, and also the bank charges you ongoing overt or hidden fees specifically to cover the costs of securing your money. And of insurance if it fails to do so.
> Why can my bank do it but apple cant?
Banks write off tens of billions of dollars of fraud costs a year. They can do this because money is fungible.
The person in the article who has their whole professional life in a stolen Apple account would probably be happy to visit Apple HQ in person.
They do, they simply choose not to as a business. They should be forced to.
Digital identity is an essential aspect of modern life.
The fact that the government doesn’t have a great standard for identity and it’s left to banks and tech companies is crazy.
Identity is a really hard problem to solve. Just about any scheme you can think of to verify identity, some smart criminal can think of a way to exploit or circumvent/abuse the system.
Yes, this is literally one of a handful of core government functions.
Is there a security model that's both highly secure, and foolproof regardless of the mental faculties of potentially billions of diverse users? I think the answer is, "Obviously not," so the real question is whether or not the necessary compromises made here represent acceptable measures.
Security requires education. A new purely mechanical lock took two weeks before it was routine.
Yes.
But in general, the way that most humans "naturally expect" such things to work is simply incompatible with the usually-extremely-convenient nature of computer accounts and cloud services.
Then it is too convenient.
Trust the megacorporations.
Trust your government.
"It works well for everyone else, why are you being so weird by not doing what everyone else does?"
Grant the megacorporations control over your entire life.
Your government will protect you from the megacorporations.
"Self hosting? Open source? Linux? You're weird, just get an iPhone."
The megacorporations never make mistakes.
The government never makes mistakes either.
"What's wrong with you? Are you seriously too poor to afford an iPhone? Get a blue bubble already."
The megacorporations never lie to you, they never manipulate you.
Even if they tried, your trustworthy government would stop them.
This message brought to you by social conformity norms that are most certainly NOT subtly reinforced by the same billionaires and trillion dollar companies that benefit from them.
/s
Social Credit Score++
Not exactly helpful, but I have little sympathy for people who put their digital lives in the control of a free service from a company, that, frankly, doesn't care about you at all - 'consumers are the product', etc etc.
It's not a free service. One of them had a 2TB+ iCloud account. That has a monthly cost. Not free. The free plan only gives you 5GB storage. Apple is not an advertising company. We pay for the phone and we pay for iCloud.
You pay to rent the phone I'm pretty sure.
I don't know what you are talking about. You can buy an iPhone. They sell 200 million iPhones every year. Just go to the shop and buy one.
Why should Apple open this can of worms and give users access to locked out data? How would this process even work on a larger scale?
In the end if you don't back up your data locally, then it's not your data and you risk losing it.
If your business shuts down because you lost your phone it's your own fault for not mitigating this type of risk enough.
Have you ever tried to fully backup data from iCloud?
I try to do it every month because I am that type of techie. They don’t make it easy.
For photos, I have a 2TB family plan. There is no export functionality that lets me centrally back up my family's photos and shared albums.
The supported way to do this is to use a Mac, force it to store all images locally in settings, then highlight all your albums and File->export
This takes hours. I need to stay connected to my network drive because I don’t have 4TB of local storage on my laptop. If there is a failure it’s game over. You can’t resume or even know what failed. There is a tiny progress bar icon to work with. That’s all
iCloud Drive? Same thing. You need to force it to sync all your files, and there is no way to know if it’s hung or what. You can’t do this as family account owner for everyone.
What about all that app data that is saved to iCloud? I don’t even know how to access that to back it up.
Apple makes many things very easy and other things practically impossible.
Backing up your entire iCloud data for disaster recovery is one of those things that’s basically impossible.
For whatever it’s worth, insanely enough iCloud for windows makes it really easy to download all of your iCloud stored photos into folders. I have a windows box that I back up my important photos with that way and then move them to secondary backup.
I've found it much easier to request a copy of my data and download it all in 25 GB chunks. It's still not great, the download speeds are extremely slow and they are prone to failure. For being something that I (used to) pay for, this was one of the reasons I stopped.
Use rclone...
This isn’t that hard, you can just automate this with a script and cron job running on a cheap Mac mini.
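The export complaints earlier in the thread (a single long run with no way to resume and no way to know what failed) and the 3-2-1 advice to keep one copy that is not tied to the Apple ID both come down to the same thing: once the data is on local disk, the second copy needs to be verifiable and restartable. The script below is an added example, not code from the thread or from any poster, and not an Apple tool. It assumes a hypothetical SRC folder that a Mac already syncs (Photos with "download originals", or the iCloud Drive folder) and a DST on an external drive or NAS mount; it hashes every file on both sides, skips files whose destination copy already matches so an interrupted run picks up where it stopped, and writes the names of anything that could not be copied to DST/failed.txt so failures are visible rather than hidden behind a progress bar.

```shell
#!/bin/sh
# Added example (not from the thread): a resumable, hash-verified mirror of a
# locally synced iCloud export to a second copy that is not tied to the Apple ID.
# Hypothetical paths: SRC = folder the Mac already syncs, DST = external target.

hash_file() {
  # sha256 of one file; sha256sum on Linux, shasum on macOS
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
  else
    shasum -a 256 "$1" 2>/dev/null | cut -d' ' -f1
  fi
}

# mirror_verified SRC DST
# Returns 0 when every source file has a hash-verified copy under DST.
# Writes DST/manifest.txt ("<sha256> <relative path>") for verified files
# and DST/failed.txt (one relative path per line) for anything that failed.
mirror_verified() {
  src=$1; dst=$2
  mkdir -p "$dst" || return 1
  manifest="$dst/manifest.txt"; failed="$dst/failed.txt"
  : > "$manifest.tmp"; : > "$failed"
  find "$src" -type f | sort | while IFS= read -r f; do
    rel=${f#"$src"/}
    h=$(hash_file "$f")
    # resume: skip when the destination copy already matches byte-for-byte
    if [ -f "$dst/$rel" ] && [ "$(hash_file "$dst/$rel")" = "$h" ]; then
      printf '%s %s\n' "$h" "$rel" >> "$manifest.tmp"
      continue
    fi
    # copy to a temporary name, verify, then rename, so a partial copy
    # never sits under the final name looking finished
    if mkdir -p "$(dirname "$dst/$rel")" 2>/dev/null \
       && cp "$f" "$dst/$rel.part" 2>/dev/null \
       && [ "$(hash_file "$dst/$rel.part")" = "$h" ] \
       && mv "$dst/$rel.part" "$dst/$rel" 2>/dev/null; then
      printf '%s %s\n' "$h" "$rel" >> "$manifest.tmp"
    else
      rm -f "$dst/$rel.part" 2>/dev/null
      printf '%s\n' "$rel" >> "$failed"
    fi
  done
  mv "$manifest.tmp" "$manifest"
  # success only when nothing was written to failed.txt
  [ ! -s "$failed" ]
}

# count_lines FILE: number of entries in a manifest or failure list (0 if absent)
count_lines() {
  if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}
```

Run it from cron or launchd as `mirror_verified "/Volumes/Data/iCloud" "/Volumes/Backup/iCloud"` and alert on a non-zero exit or a non-empty failed.txt. Because the skip decision is made by re-hashing the destination, a rerun also catches silent corruption of the backup copy, not just missing files; filenames containing newlines are the one case this simple `find | while read` loop does not handle.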
The data isn't full E2E encrypted and unreachable in all these cases in the article. The iCloud default is not to encrypt things such that Apple can't decrypt the data; a user has to enable "Advanced Data Protection" for that to happen.
Apple could decrypt and return all the user data in all the cases in the article. They aren't doing that. Some folks are rightly pointing out "what is the point of storing all my stuff in your cloud if you're going to lock me out if I lose my phone?" That's not a backup, that's just paying a monthly fee to store more than what your phone alone can store.
Apple’s encryption is designed with end-to-end encryption for many types of data.
Some facts:
Apple chose privacy over convenience. Sue all you want, you're going to lose.
Then delete that data and let the user start over. How come Apple gets to hold iTunes purchases (apps, movies etc.) and somebody's email address hostage just because they also happen to store some end-to-end encrypted data on the same cloud account?
Just imagine Google letting people "brick" their accounts because they have a password protected PDF in their Google Drive they don't remember the password for...
And that's to say nothing about the not end-to-end encrypted data, which is still the default for most things in iCloud accounts (without ADP enabled).
Read the article, that's not true by default, the only way you get that level of cryptographic protection is if you enable "Advanced Data Protection". None of the people in the article did that, all of them can trivially prove they are who they say they are via government documents, Apple could decrypt their data and return it, but Apple is refusing to do so.