More On Apple and Encryption

Noticed these articles in my RSS feed about Apple refusing to encrypt iCloud backups, likely to satisfy the FBI:

This seems really un-Apple-like to me. What should we do?

  • Should we refuse to back up to iCloud and back up manually instead?
  • Even if we do delete our backups, will they be securely deleted from Apple’s servers and inaccessible to them?

:cry:

1 Like

Move to Nextcloud?
You can run your own server on pretty much anything from a raspberry pi on up, or pay a provider. They’re working on E2E encryption.
Of course you lose the benefits of tight integration with the OS, but if you need it, sounds like it will be there.

If you want to backup your entire iOS device to the cloud, Apple is the only game in town.

3 Likes

A few notes:

• Encrypted backups via iTunes worked for me for years on Mojave

… and it’s now baked into the Finder in Catalina.

• Mac security guy Rich Mogull indicates you still can, and added a little nuance to the story; he tweeted, “I’ve long relied on local encrypted backups instead of iCloud backups, even though I have nothing to hide, due to the lack of encryption. If this story is true it is disappointing. But I do appreciate advanced users still have a protected option. However, I did hear years before the FBI dustups that there was concern over using a key Apple can’t recover for iCloud backups since that could easily lead to customers losing everything. Thus I suspect multiple factors in the decision.”

• Rene Ritchie of iMore tweeted today that there is encryption, “in transit from your device to the server, and stored encrypted on the server. But Apple can recover them for you if you lose your password, which also means they can be legally compelled to share them as well… May be true, or part of the truth, but I heard at the time (and have repeated often since) that the main reason backups aren’t E2E encrypted is that, for most people, losing access to data is a much higher risk than having data stolen or subpoenaed.”

• Backups are still encrypted, it’s just that Apple has got the keys stored somewhere. To steal them you have to steal the keys too. So your backups are protected… excepting government subpoenas. And there’s no reason why Apple would give anyone the keys, including US agencies. They would just decrypt the backup that they had received a subpoena for and provide that decrypted data. On the whole, I’m okay with that.

2 Likes
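An added check, my own example rather than anything posted in this thread: since the protected option the posts above point to is a local encrypted Finder/iTunes backup, this script walks the local backup folder and reports whether each backup’s Manifest.plist has its IsEncrypted flag set. It assumes the macOS backup location ~/Library/Application Support/MobileSync/Backup and the IsEncrypted key in Manifest.plist; when that folder is absent it builds a constructed sample so it still runs.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumed macOS location of Finder/iTunes device backups (one folder per device UDID).
DEFAULT_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"


def backup_is_encrypted(backup_dir):
    """Return True/False from the backup's Manifest.plist IsEncrypted key,
    or None when the folder has no Manifest.plist (not a backup)."""
    manifest = Path(backup_dir) / "Manifest.plist"
    if not manifest.is_file():
        return None
    with manifest.open("rb") as fh:
        data = plistlib.load(fh)
    return bool(data.get("IsEncrypted", False))


def audit_backups(root):
    """Map each backup folder name under root to its encryption status."""
    results = {}
    for entry in sorted(Path(root).iterdir()):
        if entry.is_dir():
            results[entry.name] = backup_is_encrypted(entry)
    return results


def make_sample_root():
    """Constructed sample data: two fake backup folders, one encrypted, one not."""
    root = Path(tempfile.mkdtemp(prefix="mobilesync-sample-"))
    for name, encrypted in (("0000-encrypted", True), ("0000-plain", False)):
        folder = root / name
        folder.mkdir()
        with (folder / "Manifest.plist").open("wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted}, fh)
    return root


if __name__ == "__main__":
    root = DEFAULT_ROOT if DEFAULT_ROOT.is_dir() else make_sample_root()
    labels = {True: "encrypted", False: "NOT encrypted", None: "no manifest"}
    for name, status in audit_backups(root).items():
        print(f"{name}: {labels[status]}")
```

A backup reported as NOT encrypted is readable by anyone with access to the Mac’s disk, so the “Encrypt local backup” option in Finder is what makes this option actually protected.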

If you are really interested in security I recommend you read “The Shadow Factory” by James Bamford. It tells the story of 9/11 and the U.S. government’s response in extreme detail, but it almost reads like a Jason Bourne novel. It’s a great read.

https://www.amazon.com/Shadow-Factory-NSA-Eavesdropping-America/dp/0307279391

IMO, when you discover how much data about us the U.S. government has been collecting for almost two decades, it puts things like encrypted iCloud backups in an entirely different light.

3 Likes

https://www.reuters.com/article/us-apple-fbi-icloud-exclusive/exclusive-apple-dropped-plan-for-encrypting-backups-after-fbi-complained-sources-idUSKBN1ZK1CT

Why is anybody surprised?

First: thanks @MacSparky for your blog post! I agree 100%.

This will be interesting to watch in the future. Yes, I knew beforehand that iCloud backups are not encrypted, but for some reason, nobody really talked about that in Europe. It has been more like a muffled discussion. This Reuters report has put this topic back into the limelight. It will be difficult to make it “undone”.

Under GDPR regulations, the use of iCloud is basically problematic at best. For us, it is very difficult to legally store personal data in a cloud where it is not protected by European law (I am talking about data of other individuals than yourself: photos, contact data and what not). If this data is being encrypted, you can argue that it is a non-issue. If it is being stored unencrypted in the US, it is problematic at best and illegal at worst.

It would be nice to use iCloud without having legal issues.

100% true. I’d argue that the majority of people that use Macs and iOS devices in their businesses don’t even know when data is leaving their devices. It is nowhere advertised in the AppStore if an app stores data in iCloud, unless the app developer points it out in the description or offers a setting.

The legal rules were put in place by people that couldn’t fully grasp the technological side, it seems.

You might need to explain who “us” is though.

As a “natural person in the course of a purely personal or household activity” you can legally store personal data of a third party without abiding by GDPR regulation (e.g. you can use the stock contacts app on your devices with iCloud sync on). Apple (and other companies of course), on the other hand, might not be compliant with GDPR if those data (regarding EU citizens) are stored in the USA.

edit: to clarify, a business, whether it is European or not, is subject to GDPR regulation if it stores EU citizens’ personal data, and therefore it should be aware of the tools it uses and how they work.

I’m pretty sure they were aware of the tech side of things, but translating anything into a law is a difficult thing to do, on a technical level (translating something into “natural” language that should fit a variety of cases) and on a political level.

You might need to explain who “us” is though.

Sorry. “Us” = citizens of member states that belong to the European Union.

As a “natural person in the course of a purely personal or household activity” you can legally store personal data of a third party without abiding by GDPR regulation (e.g. you can use the stock contacts app on your devices with iCloud sync on). Apple (and other companies of course), on the other hand, might not be compliant with GDPR if those data (regarding EU citizens) are stored in the USA.

Correct! :slight_smile: As long as you are using your device for personal purposes only, the GDPR regulations are not relevant. So, no business contacts, no business data. And you are fine. :slight_smile: So, you basically need two devices: one for business stuff and one for personal stuff. Or you have to comply with GDPR regulations for everything, if you do not want to carry two phones with you. :wink:

I really do not want to dive deeper into the legal mumbo-jumbo because those asterisks to every statement are a bit exhausting. :blush:

1 Like

I completely agree, it’s quite a mess. :wink:

The problem is that company X says they’re compliant with GDPR but they might not be (Dropbox, to name one, says they’re compliant, but if you dive in things become more confused: you don’t really know where data are stored, metadata are stored in the US and so on and so forth). Add to the equation 25+ different jurisdictions (plus the EU “super-jurisdiction”) saying what is right or wrong and you get where weird ideas come from :smiley:

1 Like

This is true, but you might need to go beyond the pure statement of compliance from the other party to fulfill your GDPR obligations as controller.

1 Like

They only have to if you actually set up a data processing agreement between you/your business and them as a company.