The Key to Encryption

Yesterday the NYT published an article about tech companies vs. the government on the issue of encryption, and I immediately saw Twitter blowing up with people freaking out that iMessages are stored unencrypted in iCloud.

Except they aren’t.

First off, iCloud is a term that covers a lot of technologies. The NYT isn’t sophisticated enough to explain exactly what they mean, but the only place in iCloud that iMessages are stored that I can find reference to in Apple’s iOS Security document is in iCloud backups of iOS devices. And, according to Apple, those are encrypted.

Don’t take my word for it. Read page 38 of the document for yourself. Here, here’s a snippet to make it easy for people who can’t be bothered to download a PDF before freaking out.

[Image: iCloud backups are encrypted]

There actually IS a potential security issue that might allow Apple to access your messages, or to let a government agency do so, if they were compelled to, but it isn’t about any lack of encrypted storage. Rather, it’s about the way the device public keys are handled, and Matthew Green of Johns Hopkins University details the problem nicely on his blog.

So yes, if you want to use a messaging app that you can be 100% certain can never be compromised by the NSA or the FBI or the CIA, or whoever, Apple’s handling of keys and how they assign them to devices should probably concern you. However, both you and the NYT are wrong if you think that Apple carefully encrypt your iMessages and then just shove plaintext copies of them into iCloud backups. That would be stupid, just like believing that’s what they’re actually doing.