When Apple announced a handful of new security features last year, I was excited. Very excited. We can make it more difficult to attack our phones, the messages we send our friends, and our Apple accounts and iCloud backups. The features are optional to use, which is fine considering the chaos that would ensue if Apple just turned them on. But lately I’ve been thinking that the language Apple is using to describe these features is pushing away the people who may need them the most.
In October, Apple announced Lockdown Mode to help “protect devices against extremely rare and highly sophisticated cyber attacks.” No doubt in response to years of reporting on attacks against civil society with commercial spyware, such as Pegasus and Predator. Lockdown Mode does not guarantee that your device will never be hacked, but it does make attacks harder by reducing the attack surface.
Apple has always described Lockdown Mode as “optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats.” It’s not wrong, but it doesn’t tell the whole story: that sometimes the people around these individuals are targeted too. Like the son of journalist Carmen Aristegui, the two partners of slain journalist Jamal Khashoggi, the go-to taxi driver of journalist Khadija Ismayilova.
Apple says “most people are never targeted by attacks of this nature,” and I agree. But calling Lockdown Mode “extreme” does not serve those who could benefit from using it–or the people who support them.
When Apple announced end-to-end encryption for iCloud in December, it called the feature Advanced Data Protection for your “most sensitive iCloud data.” When Google announced a similar feature for Android five years ago, it simply promised to “have your back by protecting your backups.” When WhatsApp announced end-to-end encryption for backups in 2021, it just wanted to give people “an extra, optional layer of security to protect” their data.
Don’t get me wrong, Advanced Data Protection is great. But we don’t need to call it “advanced” or describe it as something limited to your “most sensitive” data. After all, Signal, Facebook, and WhatsApp describe end-to-end encryption as the technology that protects calls and messages, and allows people to speak freely. It doesn’t have to be more complicated than that.
In that same December announcement, Apple said Security Keys will soon be supported for two-factor authentication when logging into your Apple account. Unfortunately, it also said this feature was “designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government.” Meanwhile Google, Twitter, and Facebook just say it’s another way for people to keep hackers out of their accounts.
Supporting journalists and other at-risk groups requires proactive, contextual guidance. I even started a company last year to focus on that work. It’s hard to make this guidance land when Apple’s marketing language includes words like “extreme,” “most sensitive,” and “concerned threats.” To help those who support at-risk people, Apple should instead reframe its marketing to focus on what all these features enable: a way for everyone to enhance, improve, and level up their personal security.
I think Apple is worried about the deluge of support calls they will have to take when users get locked out. The same reason Google does not talk much about their advanced protection.