Advanced Data Protection is very secure, just don’t lose your Recovery Key
A Minnesota man is suing Apple for failing to do enough after having his iPhone stolen, demanding access to 2 terabytes of data and at least $5 million in damages.
The loss of a smartphone can be devastating to a person, especially when it’s the center of their digital existence. However, while there are ways to recover data, such as that stored on iCloud, sometimes the remedies that are available are not enough.
In a filing at the U.S. District Court for the Northern District of California in January, surfaced by the Washington Post in April, Michael Mathews of Minnesota is suing Apple for access to his data and compensation.
After his iPhone was stolen by pickpockets in Scottsdale, Arizona, Mathews claims he lost access to his photos, music, tax returns, and work-related research. As a consequence, his tech consulting firm apparently had to shut down.
In the suit, Mathews wants access to approximately 2 terabytes of data that forms his “entire digital life, including that of his family,” and at least $5 million in damages.
Unrecoverable Recovery Key
Mathews’ problems all center on the Recovery Key, a feature of Advanced Data Protection that is used to reset the password and recover the account. It is a 28-digit key that Apple recommends users store safely for future use.
However, in this case, it’s apparently being used by the thief. If the thief can gain access to the iPhone, such as by discovering the passcode to unlock it, they can then change the Apple ID password to make the account harder to recover.
In some cases, a thief could also enable ADP and create the Recovery Key. It’s also possible for a thief to change an already existing Recovery Key, if they know the passcode and can use it.
The upshot for Mathews is that the account is no longer recoverable in such cases.
Without ADP, it is possible to recover accounts, in part because of the way Apple deals with encrypted data stored on its servers. Apple itself holds a copy of the encryption keys used between the user’s device and iCloud, so they can be recovered easily, just not under ADP.
While under ADP the Recovery Key is needed, the suit insists that Apple is still capable of doing something about the situation. Mathews’ lawyer K. Jon Breyer says it is “indefensible” for Apple to hold onto the data “they don’t own.”
The suit has now entered a discovery phase, which can take between six and eight months to complete.
Apple didn’t comment about the case specifically, but told the Washington Post it sympathizes with victims of crime. The statement adds “We take all attacks on our users very seriously, no matter how rare.”