A security firm has found a hidden feature that threatens the privacy of Apple iPhone and iCloud users. Forbes magazine reported:
"Whilst it was well-known that iCloud backups would store call logs, contacts and plenty of other valuable data, users should be concerned to learn that their communications records are consistently being sent to Apple servers without explicit permission, said Elcomsoft CEO Vladimir Katalov. Even if those backups are disabled, he added, the call logs continue making their way to the iCloud, Katalov said... All FaceTime calls are logged in the iCloud too, whilst as of iOS 10 incoming missed calls from apps like WhatsApp and Skype are uploaded..."
Reportedly, the feature is automatic and the only option for users wanting privacy is to not use Apple iCloud services. That's not user-friendly.
Should you switch from Apple iCloud to a commercial service? Privacy risks are not unique to Apple iCloud. Duane Morris LLP explained the risks of using cloud services such as Dropbox, SecuriSync, Citrix ShareFile, and Rackspace:
"Users of electronic file sharing and storage service providers are vulnerable to hacking... Dropbox as just one example: If a hacker was to get their hands on your encryption key, which is possible since Dropbox stores the keys for all of its users, hackers can then steal your personal information stored on Dropbox. Just recently, Dropbox reported that more than 68 million users’ email addresses and passwords were hacked and leaked onto the Internet... potentially even more concerning is the fact that because these service providers own their own servers, they also own any information residing on them. Hence, they can legally access any data on their servers at any time. Additionally, many of these companies house their servers outside of the United States, which means the use, operation, content and security of such servers may not be protected by U.S. law. Furthermore, consider the policies regarding the sharing of your information with third parties. Among others, Dropbox has said that if subpoenaed, it will voluntarily disclose your information to a third party, such as the Internal Revenue Service."
Regular readers of this blog know what that means. Many government entities, such as law enforcement and intelligence agencies besides the IRS issue subpoenas.
This highlights the double-edged sword from syncing and file-sharing across multiple devices (e.g., phone, laptop, desktop, tablet). Sure, is a huge benefit to have all of your files, music, videos, contacts, and data easily and conveniently available regardless of which device you use. Along with that benefit comes the downside privacy and security risks: data stored in cloud services is vulnerable to hacking and subject to government warrants, subpoenas, and court actions. As Duane Morris LLP emphasized, it doesn't matter whether your data is encrypted or not.
Also, Forbes magazine reported:
"Katalov believes automated iCloud storage of up-to-date logs would be beneficial for law enforcement wanting to get access to valuable iPhone data. And, he claimed, Apple hadn’t properly disclosed just what data was being stored in the iCloud and, therefore, what information law enforcement could demand."
Well, law enforcement, intelligence agencies, and cyber-criminals now know what information to demand.