The headline is misleading. There are two features here, iMessage syncing and iCloud device backups. All Apple has announced is better iMessage syncing with no change in (already maximal) privacy. There's no indication that Apple is going to stop backing things up the way they do now, which is not maximally private but is capable of surviving a forgotten password, which is probably a good default setting for consumer backups.
If Apple has changed backups to function in a more private manner, then they would announce that, not something exclusive to iMessage.
More detail: iMessage syncing has always been maximally private from day one. However a drawback to the current implementation is that new devices cannot sync message history. The reason is that each message is encrypted separately by senders for each currently registered device for the receiver. And yes that means if you have 3 devices on your iCloud account, whenever someone sends you an iMessage, 3 separately encrypted copies get sent. Apple has gone to great lengths to ensure that private keys are never shared by devices.
So what's new is apparently Apple's figured out a way to sync history via iCloud. I'm interested to hear the implementation details, but there can be no doubt that it still respects the design goal of never sharing private keys.
Now, the privacy goals for backups are different. You obviously want them to be as private as possible, but most people generally want to be able to recover their life in the event of a simple forgotten password. There are certainly scenarios where you want to encrypt your backups, but it always should be an informed, opt-in choice. You should clearly be aware that if you forget your password, you lose your backups. So generally it's desirable to default to having a fallback recovery method.
Like I said earlier, if Apple has figured out a fallback recovery method that somehow does not involve storing your data in a manner they can decrypt, that would be something they announce as part of iCloud Backup... not just for iMessage. But it seems almost a fundamental design constraint. You can either have something impossible for anyone else to decrypt or conveniently recoverable backups, not both.
> iMessage has always been maximally private from day one. However a drawback to the current implementation is that new devices cannot sync message history.
No it hasn't and yes they can. I've done it several times. The ability to restore messages to a device is specifically what breaks the otherwise end-to-end encrypted iMessage architecture, which is why Federighi talking about the new iOS 11 capabilities is intriguing.
To your last point, my personal hypothesis is that Apple has designed a cryptosystem that uses a PKI with redundant key pairs to extend the redundant encryption. That shifts the recovery usability solution from redundant trusted devices to redundant keys that are written down.
> I've done it several times. The ability to restore messages to a device...
Interesting. To be clear, you're not just talking about restoring messages to the same device, like after resetting it?
Looking more closely at Apple's security whitepaper, perhaps restoring history on a new device is possible if you enable iCloud Keychain. Looks like that would in fact share the private decryption keys among devices.[1]
Ah, and that more clearly points at what this iMessage change may be: Mandatory iCloud Keychain, at least as far as iMessage keys are concerned. Which would suggest another, hidden improvement: no more need to redundantly encrypt a copy of every message for every recipient device!
I want to add however that this still does not suggest anything about changing the security of backups, which was the implication of the article. Nor would I necessarily characterize iCloud keychain as "breaking" encrypted architecture.
It sure sounds like you're talking about restoring from backups. There's nothing in that article that suggests you'd normally be able to sync iMessages to a new device apart from restoring from a backup. And that's expected behavior.
I just noticed that you misquoted me. I said iMessage syncing has always been maximally private, and drew a distinction between that and backups. The article you cite mentions the tradeoff between strong cryptography (maximal privacy) and user pain (losing your data forever). Apple has made the intentional design choice of enabling the former for syncing but allowing backups to survive an account password reset. I think it's pretty clear that's a good choice for a consumer device. You can always turn off iCloud backups and back up locally via iTunes if you want maximal backup privacy.