iCloud backups are not fully encrypted because the FBI complained

For the past years, Apple has painted itself as a champion of user privacy, as long as said user is also a customer. Its privacy advocacy has become so central to its message that it has, after decades of formal absence, attended CES but only as a panelist in a privacy roundtable. There will always be some who will doubt a for-profit's ulterior motives and they may have just been given a smoking gun that implies Apple did secretly cave in to the US governments wishes to have easier access to iCloud users' unencrypted backups.

It has been more than three years since the very public squabble between the FBI and Apple took place over the latter's refusal (and technical inability) to unlock the San Bernardino shooter's iPhone. That was pretty much the start of Apple's very public campaign to put its customers' privacy first, even at the expense of being called an enabler of crime. What most don't realize, which a former FBI official confirmed, is that most of the time, the two actually get along well.

Around two years ago, sources ranging from Apple employees to FBI officials both current and former disclosed that Apple privately had plans to fully encrypt iCloud backups. Just like with encrypted data stored on iPhones, this would mean that not even Apple, much less authorities, would be able to access data that has been stored there. Naturally, the FBI objected to this plan, also in private, and one year later the whole project was scrapped.

To be fair, the FBI may or may not have had anything to do with the about-face but it can hardly be chalked up to coincidence. Apple apparently chose to only encrypt certain pieces of data backed up on iCloud, like user passwords and health data, leaving the rest, including iMessages text and third-party app data, open to a court order. And judging by Apple's own transparency reports, it does comply with almost all those data requests from the US government.

While this exposé tries to point a chink in Apple's privacy armor, neither the company nor the FBI is willing to confirm the alleged series of events. It probably shouldn't be a surprise, though, because no company, even one not explicitly in the business of collecting or selling user data, might be able to forever deny demands of their home government, especially when terms like "national security" and "interests of justice" are waved around.