Better cloud security from Apple … will Microsoft follow?

Apple is making a great move: its iCloud storage is getting full encryption, meaning only the user can access their backups, photos and other data.  Microsoft 365 customers will be asking whether Microsoft will do the same.

The announcement means that iCloud data will be encrypted so that it is accessible only to the customer via their login.  Though there will be a recovery process available, the user will be responsible for keeping their password and two-factor recovery options available.

Source: Apple

Happily, “Advanced Data Protection” is optional.  That’s good, because it puts more responsibility on the customer to protect their login and two-factor authentication options, and some people might not feel the need for greater security and prefer the easier recovery options.

No one else will be able to read the iCloud data, not even Apple itself.  Governments and law enforcement can’t access the information either, no matter how many laws or court orders are issued.

Some iCloud data is already protected this way, such as Keychain (passwords), Maps (location) and Health data.

The new ‘Advanced Data Protection’ expands that to Backups, Photos and Notes.  Mail, Calendar and Contacts can’t get the new protections because that information has to work with other mail systems, which aren’t sufficiently secure.

Testing of “Advanced Data Protection” has begun and US customers should be able to select it before the end of the year.  A gradual public rollout to other countries will follow during 2023 (in some countries it might not be possible due to local laws).


The “Full encryption” myth

Maybe you think that your data is already secure; after all, there’s lots of talk about “full encryption”, but that’s not entirely true.  There’s encryption while data is being transferred (in transit), which should be a given these days.  Your files should also be encrypted when saved on cloud servers (‘data at rest’), but the key is held by the company, not the customer.  Microsoft overemphasises that their cloud drives are Bitlocker secured but the key is held

“Advanced Data Protection” is described by Apple as “end to end encryption”, which is true.  However, other companies use the same “end to end encryption” phrase to describe their current security arrangements!  A lot of privacy and security phrases sound great but have very slippery meanings.

At the moment, most online storage is NOT customer encrypted when it’s saved on the cloud servers.  That means the storage company (Apple, Microsoft, Dropbox etc.) can read any files saved on their servers.  The companies might promise not to do that, but it’s only a promise with no consequences.  Microsoft has, in the past, read customers’ cloud data for its own purposes.

Some people make their own security arrangements by saving encrypted documents or backups to OneDrive or similar.  Companies and governments can still copy the files but can’t open them without the password.
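As an added illustration of that do-it-yourself approach (this script is not from the article or any vendor), the following encrypts a backup with a passphrase-derived key before it is placed in a synced cloud folder, then shows what the provider can and cannot see. It assumes the openssl command-line tool is installed; the folder, file names, contents and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: encrypt a backup on the client before it
# lands in a synced cloud folder, so the provider stores only ciphertext and the
# key never leaves the user's machine. Assumes the openssl CLI is available.
set -eu

WORK=$(mktemp -d)
CLOUD="$WORK/OneDrive"                  # stands in for the synced cloud folder
mkdir -p "$CLOUD"
PLAIN="$WORK/backup.txt"
printf 'MARKER-payroll-2023 secret numbers\n' > "$PLAIN"   # constructed content
PASS='correct horse battery staple'     # constructed passphrase; lose it, lose the data

# The key is derived from the passphrase with PBKDF2 (random salt, 600k
# iterations) and the file is encrypted with AES-256-CBC. openssl enc provides
# confidentiality only: there is no integrity tag, so tampering is not detected.
encrypt_for_cloud() {   # $1 plaintext, $2 output, $3 passphrase
  openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
    -in "$1" -out "$2" -pass "pass:$3"
}

decrypt_from_cloud() {  # $1 ciphertext, $2 output, $3 passphrase
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass "pass:$3" 2>/dev/null
}

# What the provider (or anyone who copies the synced file) can see: returns 0
# only when no plaintext marker survives in the stored file.
cloud_copy_is_opaque() { ! grep -q 'MARKER' "$1"; }

# Right passphrase: the restored file is byte-for-byte identical to the original.
restore_matches() {
  decrypt_from_cloud "$CLOUD/backup.txt.enc" "$WORK/restored.txt" "$PASS" \
    && cmp -s "$PLAIN" "$WORK/restored.txt"
}

# Wrong passphrase: decryption fails or yields garbage, never the original.
# Returns 0 when nothing usable is recovered.
wrong_passphrase_recovers_nothing() {
  decrypt_from_cloud "$CLOUD/backup.txt.enc" "$WORK/wrong.txt" 'not the passphrase' || true
  ! cmp -s "$PLAIN" "$WORK/wrong.txt" 2>/dev/null
}

# Only the .enc file goes into the synced folder; the plaintext stays local.
encrypt_for_cloud "$PLAIN" "$CLOUD/backup.txt.enc" "$PASS"
```

The synced .enc file is what the provider can copy or be compelled to hand over, and without the passphrase it is useless to them; the flip side is that there is no recovery process if the passphrase is lost.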

Many governments have laws that allow them to snoop on data saved in the cloud. In many cases, the companies have to comply and NOT notify the customer of the intrusion.  These laws are often justified as powers needed to combat terrorism, organized crime and child abuse, but the data access laws don’t limit the powers to those areas.

The OneDrive ‘Personal Vault’ has no greater cloud encryption than regular OneDrive. The Vault lets the customer add a layer of login security to some files but those same files are still accessible to Microsoft and governments.

Will Microsoft add full encryption to OneDrive?

Microsoft should follow Apple’s lead and fully secure their OneDrive and SharePoint storage in the same way.

Corporate customers are already pushing for exclusive access to server data encryption; the same options should be available to small organizations and individuals, who are just as entitled to proper security.

Alas, Microsoft will most likely try to obfuscate by pointing to its current setup and suggesting that it’s enough, which it definitely is not.

Microsoft’s track record on privacy has always been to put hype ahead of action: a lot of talk about how secure their services are, while reluctantly adding the necessary protections only under customer and competitive pressure.

In other words, Microsoft 365 customers might eventually get fully secure cloud storage with customer-only key access, but don’t hold your breath.