Reuters is reporting that Apple reversed plans two years ago to fully encrypt iCloud data when it was met with fierce opposition from the FBI and law enforcement officials. The company had planned to allow users to fully encrypt their iPhone backups but changed course based on that opposition.
Apple has long maintained a stance that "privacy is a fundamental human right," and to that end, it has stood firmly on the side of strong encryption. It has even engaged in public battles with law enforcement over requests for assistance in decrypting iPhones belonging to criminals or terrorists. Just this month, Apple has said that it is unable to unlock two older iPhones belonging to the deceased shooter at a Pensacola, Florida Naval Base, despite a public call by the Attorney General, William Barr.
At the same time, Apple has made a point that it cooperates with law enforcement requests for information, and even providing information on its servers in the Pensacola case. We now know the reason that was possible--Apple doesn't provide end-to-end encryption for your iPhone backup.
That's likely to surprise many people who associate Apple with being a defender of privacy. The fact that the information you send to Apple's servers isn't fully encrypted is a big deal. That doesn't mean your information is just sitting there waiting to be hacked. To be clear, Apple still uses encryption on that information, however, it holds the encryption key--meaning it is able to decrypt it. So when the FBI requests it, Apple can be forced to turn it over, whether you like it or not.
On the other hand, information like passwords or Apple Pay, along with other highly sensitive data is processed on your device and is protected by what Apple calls "Secure Enclave." That includes Face ID or Touch ID, as well as your device passcode. What that means is that if your iPhone backup is somehow hacked, no one is going to start charging things on your Apple Card.
At the same time, this news is also a reality check that Apple can only push the line so far before it invites unwanted scrutiny. While the report from Reuters says that it isn't clear exactly when or why Apple changed course, it also includes a statement from a former Apple employee who says that "the company did not want to risk being attacked by public officials for protecting criminals, sued for moving previously accessible data out of reach of government agencies or used as an excuse for new legislation against encryption."
That's certainly a valid concern. Apple has already been on the receiving end of public pressure by the Department of Justice in the last two administrations, most recently with Barr's public statements calling for legislation to require backdoor access to encrypted devices. Apple understandably would want to avoid poking the bear too much, since bad things happen when the bear decides to bite.
Still, it's not a good look for a company that preaches privacy to make your information less private at the behest of law enforcement. At a minimum, if Apple has decided it can't offer the protection people would reasonably expect from a company that has made privacy a core marketing principle, it owes it to its users to be upfront about the reality and the reasons behind it.