The real lynchpin here is not hardware, but iCloud. Apple can pull data out of an iCloud backup, and the only reason the San Bernardino case even got off the ground is because somebody at the county screwed up and effectively prevented the backup from occurring.
iCloud backups can be secured so not even Apple can get in them, but it is fundamentally much harder to secure (can't be hardware-entangled and still restore to a new device), and it would significantly complicate iCloud password changes. I'm sure they are working on it, but it is nontrivial.
That (software) problem is the real reason 99% of users are still exposed, as you say the hardware and secure enclave holes are basically closed.
> iCloud backups can be secured so not even Apple can get in... I'm sure they are working on it, but it is nontrivial.
There is no way they are working on this. It is an intentional design decision that Apple offers an alternative way to recover your data if you lose your password.
Or if you die without telling your next-of-kin your password. Most people do not actually want all of their family photos to self-destruct when they die because they didn't plan for their death "correctly". That would be a further tragedy for the family. (Most people don't even write wills and a court has to figure things out.)
Making data self-destruct upon forgetting a password (or dying) is not a good default. It's definitely something people should be able to opt-in to in particular situations, but only when they understand the consequences. So it's great news that in iOS 9.3 the Notes app will let you encrypt specific notes with a key that only you know. But it's opt-in, not the default.
Has Apple even given access of someone's iCloud account to next-of-kin after they died? I've never heard of this, and I don't expect Apple to be responsible to preserve photos. You already can have shared photo streams, and there are many solutions for other data that could be potentially lost that don't involve Apple getting directly involved in these cases.
The idea of Apple (or some other big corporation) providing my protected personal data to my next-of-kin is more frightening than the idea that the government has the ability to spy on me while I'm alive. It's the most morbid kind of subliminal marketing that could possibly exist.
"Hey, we're really sorry about fluxquanta's passing. Here is his private data which he may or may not have wanted you to see (but we'll just assume that he did). Aren't we such a caring company? Since we can no longer count on him to give us more money when our next product comes out, keep us and our incredibly kind gesture of digging through the skeleton closets of the dead in mind when shopping for your next device."
The thing is, you can opt in to destroy-when-I-die security. You can encrypt notes or use a zero-knowledge backup provider (backblaze offers this). But for most people that's the wrong default for things like decades of family photos.
In absence of a will it would be terrible to assume that a person meant to have all their assets destroyed instead of handed down. It should be an explicit opt-in. The default should be, your stuff is recoverable and inheritable.
> But for most people that's the wrong default for things like decades of family photos.
That seems like a weird assumption, that there'd be a single person with access to an account containing the only copies of decades of family photos. If someone else has account access or if there are copies of the photos elsewhere, then "destroy-when-I-die" isn't a big problem.
On the other hand, it also violates the way that I think things would usually work in the physical world. That is, if there's a safe that only the deceased had the combination to, I can still drill it to access the contents.
Far from a "weird assumption", that is exactly how most families operate. There's a family computer with all the photos on it that's always logged in, but maybe only dad or mom knows the iCloud password ("hey mom what's the password again?..") Or maybe they are split between family member iPhones, and they just show them to each other when they want to see them.
It would be a pretty big bummer for most families if when a family member passed away so did all those memories. That's probably not what they would have wanted. Or even if they just forgot their password.. that when they reset it all their photos go poof.
You and I might understand the consequences, but for most people it should really be a clear opt-in to "you can turn on totally unhackable encryption, but if you lose your pw you are totally screwed".
Do you have non-anecdotal evidence for that? Among my own friends and family, there are some images that only exist on one device or account, but most of the stuff likely to draw interest ends up somewhere else (a shared Dropbox account, e-mail attachments, on Facebook, copied onto some form of external storage).
There are likely some demographic groups that are more likely to behave one way than the other, and that could perhaps account for our differing experiences.
On second thought, it is the easiest way to use the account (each person having an account on each device). I wonder what percentage of people that would benefit from it actually use the Family Sharing option?
I see what you're saying, and I know that I'm the odd man out here. My original comment stems mostly from my own messed up familial situation. My parents, (most) siblings and I don't get along very well, and I'm single.
If I were to die today I wouldn't want my personal photos, online history, or private writing to fall into the hands of my family. Hell, I don't really even want my physical assets to go to them (something I really should address in a will one of these days to donate it all to charity).
There has been a lot of fighting and backstabbing over who gets what when relatives have died in the past, and the more emotional items (like photographs) have been used to selfishly garner sympathy online through "likes" and "favorites" and it makes me sick. My position is that if you didn't make the effort to get to know a person while they were alive, you should lose the privilege of using their private thoughts for your own emotional gain after they're gone. And I do realize how selfish that sounds on my part, but in my current position I feel like it's justified. If I got a long term partner I would probably change my mind on that.
So yes, an opt-in would be ideal for me, but I don't think many online companies provide that right now.
That's pretty standard, though: once you no longer exist, all your private data, all your private money, all your private goods become part of your estate, to be disposed of by your executor according to your will.
Things like money and personal physical property, sure, I understand that. But I feel like personal protected (encrypted) data should be treated differently. I'm thankful Google at least has options[0] available for their ecosystem, but I guess I'm going to need a will to cover the rest.
In the case of sudden death, there would not have been any way to securely dispose of any private "data". So your private information, diaries, works you purposefully didn't publish, unfinished manuscripts you abandoned - everything was handed down to your estate, and more often than not used against your intent.
I'm not entirely clear whether your will could specify such disposal to be done, or could prohibit people from at least publishing these private notes and letters if not reading them, in any kind of binding and permanent way.
Shared photo streams are only a solution if they are used. Most people don't even write wills.
If you fail to write a will should the state just burn all your assets, assuming that's what you meant? No, that's the wrong default. Burn-when-I-die should be opt-in for specific assets, not the default.
And the good news is Apple is providing opt-in options like secure notes. Perhaps even backups too (3rd parties already do). But only after presenting the user with a big disclaimer informing them of the severe consequences of losing the password.
On the other hand, "turn it on and let it do its thing" is a terrible idea from a forensics standpoint. You want to lock the account down ASAP to prevent potential accomplices from remote wiping your evidence.
The "screwup" grandparent is suggesting is that the county didn't think to disable the setting that would let employees turn off iCloud backups for their devices, however many months or years ago, not that they've messed up during the investigation now.
No, they're probably referring to this, from the second letter,
"One of the strongest suggestions we [Apple] offered was that they pair the phone to a previously joined network, which would allow them to back up the phone and get the data they are now asking for. Unfortunately, we learned that while the attacker’s iPhone was in FBI custody the Apple ID password associated with the phone was changed. Changing this password meant the phone could no longer access iCloud services."
Uhh, well it's probably pretty high. Considering their adoption rate for new software is sitting somewhere around 95%. iCloud backups default to on - just like automatic updates - when the user sets up their phone. Not to mention most Geniuses would ask to turn on iCloud backup when upgrading the device for convenience.
It did have iCloud backups, but the latest was six weeks prior. The FBI requested the iCloud password be reset, which prevented a new iCloud backup they could have subpoenaed.
Uploading the encrypted content has no value as backup, if you don't have keys that can decrypt it. If the keys are backed up as well, all security is gone.
The hardware key is designed to be impossible to extract from the device. That's part of the security, so you can't simply transfer the data to a phone where protections against brute-forcing the user key have been removed.
To spell it out (1) request new encryption key from device (let's call it key4cloud); (2) encryption key generated, displayed for physical logging by the user, & stored in the secure enclave; (3) all normal backups to iCloud are now encrypted via key4cloud; (4) user loses phone; (5) user purchases new phone; (6) new phone downloads data; (7) user enters key4cloud from physical notes & decrypts backup
Yes, it requires paper and a pencil and user education (hence the opt-in). But it's also incredibly resistant to "Give us all iCloud data on User Y."
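The seven steps in the comment above, worked through in code. This is an added illustration and not Apple's design or code; every name (key4cloud, the enclave dict, the checksum layout) is hypothetical, the sample backup is constructed, and an HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM purely so that the file runs on the Python standard library. The point it makes beyond the text: the written-down key needs a checksum so a transcription error is caught before the user concludes the backup is gone, and the provider holding only nonce || ciphertext || tag cannot recover or even verify anything without the key.

```python
"""User-held backup key ("key4cloud") for an escrow-free cloud backup.

Added illustration, not Apple's code. Hypothetical names throughout; the
HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for a
real AEAD such as AES-GCM only so this runs on the standard library.
"""
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32      # 256-bit backup key
CHECK_LEN = 4     # checksum bytes appended to the written-down form
NONCE_LEN = 16
TAG_LEN = 32


def generate_backup_key() -> bytes:
    """Steps 1-2: a fresh random key; on a real phone it would live in the enclave."""
    return secrets.token_bytes(KEY_LEN)


def key_for_transcription(key: bytes) -> str:
    """Step 2: hex in groups of four plus a SHA-256 checksum so typos are caught."""
    check = hashlib.sha256(key).digest()[:CHECK_LEN]
    digits = (key + check).hex()
    return "-".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def key_from_transcription(text: str) -> bytes:
    """Step 7: parse what the user typed from paper; reject transcription errors."""
    raw = bytes.fromhex(text.replace("-", "").replace(" ", ""))
    key, check = raw[:KEY_LEN], raw[KEY_LEN:]
    expected = hashlib.sha256(key).digest()[:CHECK_LEN]
    if len(key) != KEY_LEN or not hmac.compare_digest(expected, check):
        raise ValueError("transcription error: checksum mismatch")
    return key


def _subkeys(key: bytes):
    # Separate confidentiality and integrity keys derived from key4cloud.
    return (hmac.new(key, b"key4cloud/enc", hashlib.sha256).digest(),
            hmac.new(key, b"key4cloud/mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_backup(key: bytes, plaintext: bytes) -> bytes:
    """Step 3: nonce || ciphertext || tag. This blob is all the cloud ever stores."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_backup(key: bytes, blob: bytes) -> bytes:
    """Steps 6-7: verify the tag before decrypting; a wrong key raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or corrupted backup")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def walk_through() -> dict:
    """Steps 1-7 end to end; returns what each party can and cannot do."""
    backup = b'{"photos": ["family-2015.jpg"], "notes": "constructed sample backup"}'
    key = generate_backup_key()
    old_phone_enclave = {"key4cloud": key}      # never exported by the device
    paper_note = key_for_transcription(key)     # the only copy outside the enclave
    cloud_blob = encrypt_backup(old_phone_enclave["key4cloud"], backup)
    del old_phone_enclave                       # step 4: phone lost, enclave key gone

    result = {"cloud_sees_plaintext": backup in cloud_blob}
    try:                                        # provider holds the blob but no key
        decrypt_backup(bytes(KEY_LEN), cloud_blob)
        result["provider_can_decrypt"] = True
    except ValueError:
        result["provider_can_decrypt"] = False
    try:                                        # a single mistyped hex digit
        typo = ("f" if paper_note[0] != "f" else "0") + paper_note[1:]
        key_from_transcription(typo)
        result["typo_caught"] = False
    except ValueError:
        result["typo_caught"] = True
    # steps 5-7: new phone downloads the blob, user types the key from paper
    restored = decrypt_backup(key_from_transcription(paper_note), cloud_blob)
    result["restored_on_new_phone"] = restored == backup
    return result


if __name__ == "__main__":
    print(walk_through())
```

The deliberate limitation in the thread still holds here: `del old_phone_enclave` is the lost phone, and after that the paper note is the only path back to the data. A password reset of the cloud account changes nothing about the blob, which is exactly why it would not help an investigator either.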
It can be the same hardware, but I believe that is not usually what is meant by "hardware based encryption". The point is that the private keys never leave the hardware of the phone, thus making it secure. So they could employ the same hardware, but the hardware does not have the necessary keys.