Net-Security.org have an interesting article. Typically, with announcements on topics that touch national security, the CEOs in the US are very selective in their wording. So, it makes sense to indeed look at the wording to find out, what they omit or which interpretation they leave open – and most probably that analysis points more to the truth.
“The changes were made predominantly to cover new features in iOS 8, or to provide additional information on current use of data such as your date of birth or information you’ve provided about others,”
the company explained in the introduction.
Okay. They claim they won’t be able to unlock phones (encrypted when switched off, decrypted, when switched on). Fine. One could interpret it this way: So the work they have spent in allowing themselves to access any kind of data while the unsuspecting user doesn’t know about it, since iOS4, has finally paid off: It doesn’t need to be unlocked any more, because the backdoors work extremely well. Except, if they are forced to lie in what Tim Cook said, because of an NSL that prohibits him to tell the full truth.
According to the source, the change was accompanied with a message from Apple CEO Tim Cook:
A few years ago, users of Internet services began to realize that when an online service is free, you’re not the customer. You’re the product. But at Apple, we believe a great customer experience shouldn’t come at the expense of your privacy.
Well, Apple products are hardly for free, it is some Apps that are. Apart from what Apple might or might not be doing, the user privacy is being under siege from third parties which piggyback on Apps from the store. So the sentence means: “we at Apple might think so, but we don’t really care about Flurry or other companies doing that, because that’s actually the users responsibility, and the App-devs business model and we can’t be bothered.”
Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers. We don’t “monetize” the information you store on your iPhone or in iCloud. And we don’t read your email or your messages to get information to market to you. Our software and services are designed to make our devices better. Plain and simple.
There isn’t anything wrong with stating that, but it doesn’t even touch on the responsibilty of Apple, as the producer that never lets go of your iDevice, for example with the purported kill-switch for Apps they don’t want the user to continue having. And having the mentioned business model, does not mean a thing, as Tim Cook goes on to say he was just not telling the full truth:
Well, yes, sure: indeed, it might not be iAd, that gets this kind of information, it is the whole operating system, that allows that, especially the backdoor services, that have been growing since years and that Apple have failed to explain in why it would need these – all explanations are lame, to say the least.
Cook then continued by saying that the company has never worked with any government agency from any country to create a backdoor in any of their products or services, and that they have also never allowed access to our servers and that they don’t plan to, ever.
Oh, well. Same old, same old. Apple has never shown any transparency in their security bulletins, and it boils down to “this fix covers an issue with security”, unlike Microsoft, who have adopted a much better and transparent policy, stating exactly, which fix covers what vulnerability.
The sentiment was reiterated in a webpage dedicated to explaining how they deal with government information requests.
With iOS 8, Apple claim, they have made sure that it’s impossible for them to extract information protected by the passcode set by the user, as they will no longer keep the encryption keys created with the selection of the passcode.
“On devices running iOS 8, your personal data such as photos, messages (including attachments), email, contacts, call history, iTunes content, notes, and reminders is placed under the protection of your passcode. Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data. So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”
As net-security.org states, they could still be legally forced to turn over data that the user stores in the iCloud. And while the device is not switched off, it takes only a brief moment, to connect it to a forensic system that sucks out anything of value. While the user still carries it, it can still be used as a microphone, all the movements of its owner are being tracked and stored and all relevant information may be accessed and potentially extracted at will by the authorized parties through the back-doors Apple claims aren’t there for this purpose.
Here is what Forbes say about this particular topic (just to quote one arbitrary source):
“In his original talk (slides now available online) Zdziarski reports services such as ‘lockdownd’, ‘pcapd’ and ‘mobile.file_relay’ have “been around for many years”, run completely hidden from the user and can bypass encrypted backups to obtain data including logins, contacts, voicemails and photos. Intercepting this data can be done over WiFi, USB and even potentially 3G and 4G data.”
Summarizing, the official announcements are carefully crafted, equally well as the tax-declaration that allows Apple to pay taxes which are by far lower than those of much smaller companies. The data, Mr. Cook is referring to, can be accessed by a variety of ways, and the users assumption, data would now be safe from third party access, is plainly misleading. He might have found a way to ward off any of these time-consuming and unprofitable ‘search warrants’, that cause Apple to do the unlocking for police or any agency on demand by stating it is not possible anymore. This has only Apple in mind, not the users data privacy.
Update: While Apple keeps their mouths shut about what exactly they have been doing exactly, Jonathan has worked on a detailed analysis that can be found here.
Update: iOS 8 security content explained here.