Jeffrey Paul is an American security researcher. He recently updated the operating system on his MacBook Pro and then found out that some of his files had been automatically uploaded onto the Apple cloud, iCloud, without his permission. The files were previously only stored on his encrypted hard drive and Paul was outraged when he discovered that his local files had been silently uploaded into the cloud.
The Guardian reports that he wasn’t the only user who suffered from this. Matthew Green, a cryptographer for John Hopkins University, discovered that some of his private notes had been stashed on iCloud. Bruce Schneier, another cryptography expert, called Apple out in a blog post for a dangerous and poorly documented system.
Apple seems to be in the odd position of being simultaneously congratulated and criticised for their security. The firm were praised for their iPhone encryption, supposedly good enough to stop any government snooping. However, on the other hand, the protection placed upon their cloud service, which they are seemingly making a push for, is not a great.
As the cloud only continues to grow in popularity, the distinction between devices and online continues to blur. Microsoft and Google are two of the largest technology companies in the world, both with their own cloud system that they are keen to fully integrate into their product ecosystem. While it provides wonderful benefits, like being able to access your files from wherever you are no matter what device you’re using, it raises security questions.
Concern doesn’t just lie in individual users gaining access to private iCloud accounts, as seemed to be the case with the recent leaked celebrity photos, but from government access. As the NSA revelations demonstrated, the government are willing to access citizen’s private data and they will go to extremes to do so. Making private data appear on the cloud, often without a user’s awareness, is a dangerous game.
When contacted for comment on Paul’s issues, Apple didn’t respond. There is a page on their website which details the automatic iCloud saving function, saying that many apps will store initially created data on iCloud. When these files are named and given a specific location to be stored to, only then are they taken off iCloud. It is also possible to disable iCloud, although presumably one has to be aware to do that first.
Green and Paul both said that they used a program called TextEdit to jot down notes and would often only give them file name some timer later. Unbeknownst to them, these private notes (including passwords), were being sent to iCloud without warning.
Although Paul only noticed this recently when his operating system was upgraded, it seems that this issue goes back further as the Apple support document about iCloud uploading was produced in December 2013. This is a feature that has been around for a while, but one that seems to have gone unnoticed.
“If you take 100 people and sit them down in front of a factory-new machine running Yosemite with iCloud Drive and have them open TextEdit, create a new window, type their darkest secrets into that window, and power the machine off without saving it anywhere,” said Paul. “How many of those 100 would believe that the data hadn’t left the room?”
iCloud Users Voice Privacy Concerns
Comments
No comments yet. Sign in to add the first!