10 comments

[ 274 ms ] story [ 131 ms ] thread
Taken at face value, this statement seems good enough. Without actually seeing the data they have, we have to take there word for it.
"For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form."

If all of this statement is true, then I'm impressed. I would have thought Apple to keep more information, such as iMessage logs, for the sake of analytics and Ad revenue.

Good.

Apple has never made the iMessage protocol publicly available for review, but from reverse engineering people have not been able to find evidence of end-to-end encryption, just SSL/TLS to and from Apple's servers.

> I do not see anything about retrieving public keys of users you are sending messages to; hence your message is completely readable/editable by someone at apple's servers.

http://security.stackexchange.com/questions/18908/the-inner-...

Further, an iMessage message can be received simultaneously on all your devices. Unless your private key is synced via Apple's servers, how would end to end decryption work?

And finally, there were incidents some time back where people were receiving messages intended for other people, but were able to read them unencrypted.

It would be nice to get some clarification from Apple on this, along with making the protocol and its security public.

If Apple is using the Obama administration's definition of "can't", then "Apple cannot decrypt that data" simply means, "Apple does not decrypt that data".
or at least search words. I'm surprised Apple hasn't made a bigger deal of it than one sentence at the end of an unsigned statement
This is the first time I've heard that iMessage and Facetime are end-to-end encrypted. Can somebody comment on that? I imagine it only works if both ends of the conversation are on iMessage.
That term "direct access" crops up again.

> We do not provide any government agency with direct access to our servers

> The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide.

AKA Terrorism