Whether Apple or Google: Is there a back door into your phone’s online backups?

Rob Pegoraro, Special for USA TODAY

When the company behind your smartphone’s software commits to backing up your device’s data online, how far should it go to have your back?

A report Tuesday by Reuters on Apple’s iCloud backups brought fresh attention to this question. Citing “six sources familiar with the matter,” reporter Joseph Menn wrote that the firm “dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations.”

What that means is that while the contents of your iPhone remain encrypted on Apple’s servers, you don’t have the only key to unlock them – the Cupertino, California, tech giant also has one.

The company had announced intentions for full encryption of iCloud backups as far back as 2016. Apple did not comment to Reuters about the apparent reversal, nor did it respond to a USA TODAY query sent Wednesday.

Stupid human tricks: The weird and dangerous side of TikTok

'Chicken of the trees' for sale: People are really selling iguana meat on Facebook

Should you worry about Apple (or an adversary infiltrating its iCloud backup system) being able to unlock your backup for you? Maybe not: Without that fallback, forgetting the password to your backups means losing them forever.

Apple offers 5 gigabytes of storage free with iCloud.
Apple offers 5 gigabytes of storage free with iCloud.

Apple iCloud backups

Apple does allow fully-encrypted local backups to your Mac via iTunes or, in macOS Catalina, the Finder, reminding users in a support note that “there's no way to recover your iTunes backups without this password.”

Amazon CEO Jeff Bezos apparently learned this the hard way after the reported hack of his iPhone via a malware-loaded WhatsApp message from Saudi Arabian crown prince Mohammed bin Salman. Investigators Bezos hired could not inspect his local backups without his lost password.

(Many users may also prefer local backup because iCloud only offers 5 gigabytes of free storage – a limit that became inadequate years ago. You can buy more starting at 50 GB for 99 cents a month, or you can ease iCloud’s burden by using the free Google Photos to back up your iPhone pictures.)

“I would certainly want Apple to both encrypt my backups and keep a copy of the key,” emailed Philip R. Reitinger, president and CEO of the Global Cyber Alliance, a Washington trade group. He put in a vote for Apple letting users opt into full encryption: “Apple keeping the key unless the user says otherwise.”

Google Android backups

Google’s Android operating system, however, has offered end-to-end encryption of backups since the 2018 release of Android Pie. The key to this system is your phone’s screen-lock code, pattern or password; forget that and your backups are bust.

Older Android releases lack this backup security. The Mountain View, California, firm did not answer a question sent Wednesday about how many current Android devices run Pie or 10.

But Apple, not Google, has been the target of complaints from the Trump administration for not helping law enforcement. In January, for instance, attorney general William Barr denounced Apple for not giving “any substantive assistance” to investigators of a Saudi pilot’s murder of three people at a naval base in Pensacola, Florida.

Apple pushed back against that, saying the Federal Bureau of Investigation had only requested its help with the shooter’s locked iPhone a week before Barr’s remarks.

Civil libertarians object to Barr demanding that firms like Apple weaken the encryption protecting customers’ data.

Wrote Lindsey Barrett, a fellow at Georgetown University Law Center’s Institute for Public Representation: “His blustering on this issue is willfully disingenuous and ignores what privacy and cryptography experts have been telling law enforcement for years: that strong encryption doesn't ‘protect criminals,’ it protects the privacy and safety of everyone.”

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at rob@robpegoraro.com. Follow him on Twitter at @robpegoraro.

This article originally appeared on USA TODAY: Why Apple needs backdoor access to your iPhone backups on iCloud